Serious vulnerabilities found in high-end car alarms could have been exploited to remotely hack millions of vehicles, including to track them, immobilise them and spy on their owners.
Researchers at UK-based penetration testing and cybersecurity firm Pen Test Partners have analyzed smart alarm systems from Pandora and Viper (known in the UK as Clifford), which are estimated to have been installed on roughly 3 million vehicles around the world. These alarms are designed to prevent relay attacks, which have often been used to steal luxury vehicles, and they allow owners to track their vehicle’s location, remotely start and stop the engine, and lock and unlock their doors via a mobile application.
These car alarms are advertised as being highly secure and, before this research was conducted, Pandora even claimed its products were “unhackable.”
Pen Test Partners has not only analyzed the mobile app provided by Pandora and Viper to customers, but it also installed alarms provided by these vendors on several vehicles to test the real-world impact of the flaws it had found.
An analysis of the APIs used by the Pandora and Viper mobile apps revealed that they were affected by insecure direct object reference (IDOR) vulnerabilities. These type of security flaws are easy to exploit and they typically allow an attacker to gain access to other users’ accounts simply by changing the value of a parameter in a request.
In the case of the APIs used by these car alarms, Pen Test Partners researchers discovered that an attacker could have exploited the vulnerabilities to send a malicious request that changes a user’s password for the mobile app (in the case of Viper), and change the email address of an account, which also allowed an account takeover by initiating a password reset procedure with the attacker’s address.
Once the attacker gained access to a user’s account, they could have conducted a wide range of activities. They could obtain information on the vehicle, so if a car thief hacked the app it made it easier for them to identify valuable targets. They could also track the vehicle’s location in real time.
In an attack scenario described by the researchers, an attacker tracks the vehicle and drives behind it. The hacker then sets off the alarm while the car is in motion to get the driver to pull over. Once the car stops, they can use the app to enable the immobiliser, unlock the doors and physically hijack the car.
Both the Viper and the Pandora systems allow the user to kill the engine while the car is in motion — a feature that can be useful in case the car has been stolen. A hacker may have also been able to abuse this feature, but the researchers only managed to kill the engine on a car equipped with the Viper alarm.
The Pandora alarm also includes a microphone that is used for SOS calls. The API flaw could have been exploited to access this microphone and snoop on passengers.
Worryingly, both alarms can send custom CAN messages, which are designed to allow microcontrollers and other devices present in a vehicle to communicate. The CAN bus standard provides access to critical vehicle functionality and sending malicious messages can have serious consequences. The researchers claim it may be possible to launch an attack via the API but they are still analyzing this potential vector.
Both Viper and Pandora were notified and they quickly patched the vulnerabilities. Pen Test Partners only gave the vendors 7 days to take action due to the critical severity of the flaws and the risks they posed. Pandora no longer advertises its products as “unhackable” on its website.
“These alarms are expensive and are typically fitted to high-end vehicles, often those with keyless entry. A conservative estimate suggests that $150 Billion worth of vehicles were exposed,” the researchers explained. “These alarms did not add any additional security to protect against key relay attacks, and before they were fixed they actually exposed the owners to additional attacks and compromised their safety.
Pen Test Partners has published a blog post detailing its findings, along with a video showing the hacking methods in action.
This is not the first time Pen Test Partners has targeted cars. A few years ago, its researchers demonstrated that hackers could exploit vulnerabilities in the mobile application for the Mitsubishi Outlander plug-in hybrid electric vehicle (PHEV) to remotely control some of the car’s features.
Related: Hackers Can Hijack, Sink Ships