Hackers Can Hijack Cars with Alarm Apps

AlphaAtlas

[H]ard|Gawd
Joined
Mar 3, 2018
Messages
1,713
Security researchers from Pen Test Partners claim they've found serious security vulnerabilities in high end car alarm services from Viper and Pandora. In a quick demonstration, the researchers showed an potential attacker could pull up behind a moving vehicle with one of the commercial security systems installed, set off the alarm, disable the engine, unlock the doors, then drive off with it in a matter of minutes. On top of that, the researchers say they could geolocate vehicles, pull up owner and car details, and in some cases, adjust cruise control speed or snoop on drivers through a microphone. The researchers say the exploits affect up to 3 million vehicles around the world, and confirmed that the vulnerabilities they found were quickly fixed by the manufacturers, but note that they "have no idea if there are other vulnerabilities in the API."

Check out the researchers' video here.

Amazingly, the vulnerabilities are relatively straightforward insecure direct object references (IDORs) in the API. Simply by tampering with parameters, one can update the email address registered to the account without authentication, send a password reset to the modified address (i.e. the attacker's) and take over the account. It's possible to geo-locate and follow a specific vehicle, then cause it to stop and unlock the doors. Hijack of the car and driver is trivially easy. We found the flaws prior to fitting the alarms, but wanted to purchase and fit them to our vehicles for a full proof of concept.
 
I just got letters from our HOSPITAL system about our data being breached. Anyone who thinks their info or devices are safe are in la la land.
 
Like having a nuclear power plant functions remotely accessible, why does a car alarm have access to cruise control?

The CAN bus was standardized well before connected cars became a thing so security wasn't a high priority. If someone had physical access to your ODB2 port, they pretty well owned the car. The main security concern was obscuring the error codes to keep the owners coming back to the authorized dealer service bays. Now all of this connected crap is added to that same unsecured core CAN network. Chrysler had a similar deal a few years back with millions of Jeep products.

Getting security made part of the CAN standard is probably going to take government mandates which seem unlikely.
 
Sometimes you gotta roll the hard six and not network shit that doesn't need to be networked.
 
Good, now we can take control of a Volkswagen to crash it into one of those Amazon automated delivery robots, then hack a quad-copter delivery bot to haul our stolen goods to an intermediate location that we hacked the locks on, to then be picked up by a guy on a rented electric scooter to be dropped off at our homes. Free shit! :p
 
Back
Top