By gaining access to the vehicles, hackers can not only locate them but also open their doors and even turn off the engine while the owner is driving.
Two popular car alarm companies are facing problems with their products. Viper and Pandora are famous for alarms that cost thousands of dollars and promise greater safety for the owner of the vehicle.
The companies' applications let owners control their vehicles from a cellphone, which makes everything more practical. But a vulnerability in the system could allow hackers to find such vehicles, unlock the doors, and in some cases even turn off the engine while they are on the move. In total, 3 million cars have been exposed.
It is worth mentioning that before the vulnerability was reported to Pandora, its website claimed to have “unhackable” security. In the screenshot below, researchers showed how they successfully located the car before unlocking it.
The vulnerabilities were discovered by the team of researchers at Pen Test Partners. When questioned, Viper said that as soon as it was notified, it began working on a fix for the problem. Pandora has not spoken, but on its website, there is information that says they “use a code of dialogue that is impossible to hack.”
Ken Munro of Pen Test Partners said his team did not need much work to break into the alarm system because the Pandora application leaves a wide opening for it. In their analysis, the researchers discovered that the notification interface of both applications did not properly handle update requests, including a request to change the password or the email address.
Moreover, the researchers only had to send the change request to a specific URL to change the victim’s account information, and the victim was not notified that anything had happened. Once they had account access, it was possible to fully control the alarm.
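The flaw described above, an account update that is accepted without checking who sent it and applied without telling the owner, is closed by two server-side checks. The following is an added example, not code from Viper, Pandora or Pen Test Partners; the `Backend` class, the `update_account` function and all data are hypothetical.

```python
# Added illustration: hypothetical account-update handler, not vendor code.
from dataclasses import dataclass, field

@dataclass
class Account:
    user_id: int
    email: str
    password_hash: str

@dataclass
class Backend:
    accounts: dict                                # user_id -> Account
    outbox: list = field(default_factory=list)    # (recipient, message) pairs

    def update_account(self, session_user_id, target_user_id, changes):
        """Apply email/password changes only for the authenticated owner."""
        if session_user_id is None:
            return 401                            # no authenticated session
        # Authorization: the account id named in the request must match the
        # id bound to the session; it is never trusted on its own.
        if session_user_id != target_user_id:
            return 403
        if not changes or set(changes) - {"email", "password_hash"}:
            return 400                            # empty or unexpected fields
        account = self.accounts.get(target_user_id)
        if account is None:
            return 404
        old_email = account.email
        for key, value in changes.items():
            setattr(account, key, value)
        # Notification: the previous address hears about every change, so a
        # takeover attempt does not pass silently.
        fields = ", ".join(sorted(changes))
        self.outbox.append((old_email, "Account details changed: " + fields))
        return 200

def demo():
    # Constructed sample accounts and requests.
    backend = Backend({1: Account(1, "owner@example.com", "h1"),
                       2: Account(2, "other@example.com", "h2")})
    results = [
        backend.update_account(2, 1, {"email": "x@example.com"}),    # another user's session
        backend.update_account(None, 1, {"password_hash": "h9"}),    # no session at all
        backend.update_account(1, 1, {"email": "new@example.com"}),  # the real owner
    ]
    return results, backend

if __name__ == "__main__":
    print(demo()[0])
```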
Pandora’s alarm system also contained a microphone that allowed hackers to hear audio from inside the car in real time.
“A conservative estimate suggests that $150 billion worth of vehicles were exposed. These alarms did not add any additional security to protect against key relay attacks, and before they were fixed they actually exposed the owners to additional attacks and compromised their safety,” researchers concluded.
The good news is that at the time of publishing this article both companies had fixed the life-threatening vulnerabilities in their apps, or at least that is what both companies are claiming.
This, however, is not the first time experts have exposed critical vulnerabilities in smart technology for vehicles. Last year, researchers at KU Leuven University, Belgium, successfully demonstrated unlocking Tesla wireless key fobs in 2 seconds and stealing the vehicle before the owner could notice.
Moreover, in 2015, a security researcher who goes by the name Samy Kamkar built a gadget that enabled him to hack into any GM vehicle, track its location and unlock its doors without raising the owner's suspicion.