Vulnerabilities in Two Smart Car Alarm Systems Affected 3M Vehicles

Two smart car alarm systems suffered from critical security vulnerabilities that affected upwards of three million vehicles globally.

Sponsorships Available

Researchers at Pen Test Partners independently assessed the security of products developed by Viper and Pandora, two of the world’s largest and most well-known vendors of smart car alarms. With both systems, they found insecure direct object references (IDORs) in the API. These vulnerabilities essentially allowed the researchers to update the email address associated with each car alarm system’s account, send a password reset to the altered address and thereby take over the account.

Subsequently, the researchers found that they could abuse a user’s account to cause all kinds of trouble. First, they leveraged their access to locate a car in real-time ad follow it using a chase vehicle. They then remotely set off the car alarm siren and flashers, which caused the driver to pull over and investigate. Once the driver exited the car, the researchers activated the immobiliser, effectively preventing them from driving off. They then cloned the key fob to be used with their mobile phone, unlocked the target vehicle’s doors and drove away with it.

That wasn’t the end of their discoveries, however. The research team at Pen Test Partners found it could remotely access Pandora’s microphone, a feature which enables drivers to make SOS calls, and thereby silently listen to individuals inside an affected vehicle. It even found a way to abuse a featured designed to halt a stolen vehicle.

As it explains in a blog post:

We discovered we could kill the engine on the Viper equipped car whilst it was in motion. Promotional videos from Pandora indicate this is possible too, though it doesn’t appear to be working on our car…. [U]sing the account takeover vulnerability in the mobile app, (Read more...)