Researchers at Pen Test Partners revealed in a proof of concept (PoC) that they were able to exploit vulnerabilities in two high-end "smart" alarms.
In their PoC, the pen testers debunked third-party car alarm vendors' claim to be the solution to key relay attacks on keyless-entry cars.
“We have shown that fitting these alarms can make your vehicle EVEN LESS SECURE! These alarms can expose you to hijack, may allow your engine to be stopped whilst driving and it may even be possible to steal vehicles as a result,” researchers wrote.
Although the solution was reportedly advertised as unhackable, attackers were able to hijack the app.
In fact, of the many alarms tested, researchers found security vulnerabilities in systems from two providers, Pandora and Viper. Pandora's Smart and Viper's SmartStart systems were found to have security flaws that allowed an attacker to, among other things, disable the alarm, unlock the car and in some cases kill the engine while the car was in drive.
Leveraging a vulnerability in the POST request on the Pandora alarm let the researchers reset the password. “After the password is reset, one can simply login to the app and obtain full functionality. This attack could also be used against admin users which could give access to multiple vehicles. There is significant data leakage online also.”
According to researchers, the vulnerabilities are rather “straightforward insecure direct object references (IDORs) in the API.
“Simply by tampering with parameters, one can update the email address registered to the account without authentication, send a password reset to the modified address (i.e. the attacker’s) and take over the account.”
In the Viper SmartStart alarm, researchers were able to easily exploit an IDOR vulnerability in the "modify user" request, which allows an attacker to change user credentials and interact with the alarm while locking the legitimate user out of the account.
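Both findings, the unauthenticated email change and the "modify user" IDOR, come down to a missing object-level authorization check. The sketch below is an added example, not code from the researchers or either vendor: the handler names, request fields and tokens are hypothetical and the data is constructed. It shows a handler that trusts the id in the request beside one that takes identity from the session and records denied attempts for detection.

```python
"""Object-level authorization on a hypothetical 'modify user' handler."""


class Forbidden(Exception):
    pass


def new_state():
    # Constructed sample data: two accounts and their session tokens.
    return {
        "users": {101: {"email": "owner@example.test"},
                  202: {"email": "other@example.test"}},
        "sessions": {"tok-101": 101, "tok-202": 202},
        "audit": [],
    }


def modify_user_before(state, request):
    """'Before' form: trusts the id in the request and checks no session."""
    state["users"][request["id"]]["email"] = request["email"]
    return state["users"][request["id"]]


def modify_user_after(state, request):
    """Hardened form: the caller is whoever the session says it is."""
    caller = state["sessions"].get(request.get("token"))
    target = request.get("id")
    if caller is None or target != caller:
        # A session acting on another account's id is a high-signal event.
        state["audit"].append({"caller": caller, "target": target,
                               "action": "modify_user", "result": "denied"})
        raise Forbidden("caller may not modify this account")
    state["users"][caller]["email"] = request["email"]
    state["audit"].append({"caller": caller, "target": target,
                           "action": "modify_user", "result": "ok"})
    return state["users"][caller]


if __name__ == "__main__":
    tampered = {"token": "tok-202", "id": 101, "email": "x@example.test"}
    s = new_state()
    modify_user_before(s, tampered)
    print("before:", s["users"][101])
    s = new_state()
    try:
        modify_user_after(s, tampered)
    except Forbidden as exc:
        print("after:", exc, s["audit"])
```

An email change that feeds a password reset would normally also require re-entering the current password; that step is left out here to keep the ownership check in focus.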