Transportation Bug

'Smart' Car Alarm App Could Allow 3 Million Cars To Be Unlocked Remotely (cnet.com) 27

"Two popular smart alarm systems for cars had major security flaws that allowed potential hackers to track the vehicles, unlock their doors and, in some cases, cut off the engine," reports CNET: The vulnerabilities could be exploited with two simple steps, security researchers from Pen Test Partners, who discovered the flaw, said Friday. The problems were found in alarm systems made by Viper [known as Clifford in the U.K.] and Pandora Car Alarm System, two of the largest smart car alarm makers in the world. The two brands have as many as 3 million customers between them and make high-end devices that can cost thousands...

Both apps' API didn't properly authenticate for update requests, including requests to change the password or email address. Ken Munro, founder of Pen Test Partners, said that all his team needed to do was send the request to a specific host URL and they were able to change an account's password and email address without notifying the victim that anything happened. Once they had access to the account, the researchers had full control of the smart car alarm. This allowed them to learn where a car was and unlock it. You don't have to be near the car to do this, and the accounts can be taken over remotely, Munro said. Potential attackers could also use the apps' API to target specific types of cars, the security researcher added...

Pandora's alarm system also contained a microphone that would've allowed potential hackers to listen in on live audio, the security company found.

Both companies fixed the issue in less than a week, CNET reports, possibly due to the seriousness of the issue. In a video demonstrating the severity of the bug, security researcher Munro even uses the driver's app to set off a car's alarms remotely. When that driver began pulling over, Munro then used the app to cut off the car's engine. "So simple, so serious," he said.

ZDNet notes that one of the companies had been advertising their "smart" alarms as "unhackable".
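The missing server-side check described in the summary, as an added example (not code from either vendor, Pen Test Partners, or CNET): an account-update handler that ties the request to the session's own account, requires the current password for credential changes, and notifies the previous e-mail address. The real API's endpoints and parameters are not given on this page, so every name, token and account below is constructed.

```python
import hashlib
import hmac

# Constructed in-memory stand-ins for the account store, sessions and mailer (hypothetical).
ACCOUNTS = {
    101: {"email": "alice@example.test", "pw": hashlib.sha256(b"alice-pw").hexdigest()},
    102: {"email": "bob@example.test", "pw": hashlib.sha256(b"bob-pw").hexdigest()},
}
SESSIONS = {"tok-alice": 101, "tok-bob": 102}  # session token -> account id
OUTBOX = []                                     # notifications that would be e-mailed


def _hash(pw):
    # Plain SHA-256 keeps the demo short; a real service uses a slow password hash.
    return hashlib.sha256(pw.encode()).hexdigest()


def update_account_unchecked(target_id, changes):
    """The flaw class in the summary: the caller's identity is never tied to target_id."""
    ACCOUNTS[target_id].update(changes)
    return 200


def update_account(session_token, target_id, current_pw, changes):
    """The same update with the checks the flawed path lacks."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        return 401  # no valid session
    if caller != target_id or target_id not in ACCOUNTS:
        return 403  # authenticated, but not the owner of this account
    acct = ACCOUNTS[target_id]
    if not hmac.compare_digest(acct["pw"], _hash(current_pw)):
        return 403  # credential changes require re-authentication
    allowed = {k: v for k, v in changes.items() if k in ("email", "password")}
    old_email = acct["email"]
    if "password" in allowed:
        acct["pw"] = _hash(allowed["password"])
    if "email" in allowed:
        acct["email"] = allowed["email"]
    if allowed:
        # Tell the owner at the address on file before the change took effect.
        OUTBOX.append((old_email, "Your login details were changed"))
    return 200
```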
  • I once saw the viper get a car destroyed. Someone, let's call him Angry Young Man, was walking through a parking lot when he passed within 3 feet of a car with the Viper installed. It started going into the car alarm version of the internet tough guy speech about how it was the Viper and you needed to step away from the car.

    AYM, who was about to walk harmlessly by, turned and yelled "OH YEAH, WELL FUCK YOU!!!" He then began kicking the grille in, smashing the headlights, etc repeating "FUCK YOU" over and ove

    • So a mentally unbalanced young man can come unglued hearing synthesized voices and becomes a criminal.

      Not sure there is a lesson here other than another justification for concealed carry, probably best someone put that two-legged animal down

      • by sjames ( 1099 )

        Perhaps the alarm system shouldn't annoy everyone who walks near the car, especially in a parking lot. I'm guessing the AYM probably wasn't a stranger to minor criminal charges, but from the car owner's perspective, it would have been better if the alarm system had just kept quiet unless someone actually messed with the car.

        • So people have a right to destroy things that annoy them? or do only criminals who should be in jail do that?

          • by sjames ( 1099 )

            I made no such claim. I claimed only that because the viper was more interested in self promotion and a bit of theater than it was in actual security, it attracted a bad actor who would have otherwise walked by without incident, just as he did with all of the other cars that remained silent.

            It's well and good to learn some self defense, but if you then go to a dive bar and yell "I'm the biggest badass in this bar!" repeatedly, right or wrong you're going to get your ass kicked. It's a stupid strategy.
