Vulnerabilities in Two Smart Car Alarm Systems Affected 3M Vehicles - Security Boulevard

by David Bisson on March 8, 2019

Two smart car alarm systems suffered from critical security vulnerabilities that affected upwards of three million vehicles globally.

Researchers at Pen Test Partners independently assessed the security of products developed by Viper and Pandora, two of the world’s largest and most well-known vendors of smart car alarms. With both systems, they found insecure direct object references (IDORs) in the API. These vulnerabilities essentially allowed the researchers to update the email address associated with each car alarm system’s account, send a password reset to the altered address and thereby take over the account.
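
The flaw class described above, as an added example that is not from this article, Pen Test Partners or either vendor: a minimal account service whose email-update handler trusts the account id in the request, next to a version that checks it against the authenticated session. All class, method and address names are hypothetical and the scenario data is constructed.

```python
# Added illustration; all names are hypothetical, not the Viper or Pandora API.
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Raised when the caller does not own the object it references."""

@dataclass
class AccountService:
    emails: dict = field(default_factory=dict)   # user_id -> email on file
    outbox: list = field(default_factory=list)   # (recipient, user_id) reset mails
    audit: list = field(default_factory=list)    # denied cross-account attempts

    def update_email_vulnerable(self, session_user_id, target_user_id, new_email):
        # IDOR: the id supplied in the request selects the record and the
        # authenticated session is never compared against it.
        self.emails[target_user_id] = new_email

    def update_email_hardened(self, session_user_id, target_user_id, new_email):
        # Object-level authorization: the caller may only touch its own record.
        if session_user_id != target_user_id:
            self.audit.append((session_user_id, target_user_id))
            raise Forbidden("caller does not own this account")
        self.emails[target_user_id] = new_email

    def send_password_reset(self, user_id):
        # The reset link goes to whatever address is on file, so control of
        # the email field is control of the account.
        recipient = self.emails[user_id]
        self.outbox.append((recipient, user_id))
        return recipient

def reset_recipient_after_foreign_update(hardened):
    """Constructed scenario: user 2 references user 1's account id."""
    svc = AccountService(emails={1: "owner@example.test", 2: "other@example.test"})
    update = svc.update_email_hardened if hardened else svc.update_email_vulnerable
    try:
        update(session_user_id=2, target_user_id=1, new_email="other@example.test")
    except Forbidden:
        pass
    return svc.send_password_reset(1), svc.audit

if __name__ == "__main__":
    print(reset_recipient_after_foreign_update(hardened=False))
    print(reset_recipient_after_foreign_update(hardened=True))
```

The audit list in the hardened path is the detection hook: a session that repeatedly references account ids other than its own is worth alerting on.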

Subsequently, the researchers found that they could abuse a user’s account to cause all kinds of trouble. First, they leveraged their access to locate a car in real time and follow it using a chase vehicle. They then remotely set off the car alarm siren and flashers, which caused the driver to pull over and investigate. Once the driver exited the car, the researchers activated the immobiliser, effectively preventing them from driving off. They then cloned the key fob to be used with their mobile phone, unlocked the target vehicle’s doors and drove away with it.

Source: Pen Test Partners

That wasn’t the end of their discoveries, however. The research team at Pen Test Partners found it could remotely access Pandora’s microphone, a feature which enables drivers to make SOS calls, and thereby silently listen to individuals inside an affected vehicle. It even found a way to abuse a feature designed to halt a stolen vehicle.

As it explains in a blog post:

We discovered we could kill the engine on the Viper equipped car whilst it was in motion. Promotional videos from Pandora indicate this is possible too, though it doesn’t appear to be working on our car…. [U]sing the account takeover vulnerability in the mobile app, (Read more...)

*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/vulnerabilities-in-two-smart-car-alarm-systems-affected-3m-vehicles/
