A white hat hacker group called Pen Test Partners recently announced that it had managed to exploit vulnerabilities in car alarm apps, which allowed it to open the vehicles, listen to what the drivers were saying and shut down the engine while it was still running.
According to the group’s founder, Ken Munro, an ad stating that an alarm system could not be hacked is what made them investigate. As a result, Pandora, the vendor that made the claim in the ad, removed the mention from its website.
What did the White Hat Hackers find out?
During the tests, the hackers found vulnerabilities that were easy to discover. These loopholes allowed them to access user profiles. All of this was possible through a ‘modify user’ request that was not adequately validated.
After gaining access to the system, the hackers had control of the whole account. This means that while you are busy enjoying your favourite puzzle games as you wait for your kids to return from school, someone might be snooping around the system and making changes, such as modifying the email address registered to the account or changing passwords.
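The missing check described above, as an added example (not code from Pen Test Partners or from either vendor): a server-side rule that a ‘modify user’ request may only target the caller's own account, plus an audit over past requests for cross-account changes. All names, fields and log entries are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical field names: changes that hand over control of an account.
SENSITIVE_FIELDS = {"email", "password"}

@dataclass
class ModifyUserRequest:
    session_user_id: int  # identity the server derived from the session
    target_user_id: int   # user id supplied by the client in the request
    changes: dict

class Forbidden(Exception):
    pass

def authorize_modify_user(req):
    """Reject a modify-user request aimed at someone else's account."""
    if req.session_user_id != req.target_user_id:
        raise Forbidden(
            f"user {req.session_user_id} may not modify user {req.target_user_id}"
        )

def apply_modify_user(users, req):
    """Apply the changes only after the ownership check has passed."""
    authorize_modify_user(req)
    users[req.target_user_id].update(req.changes)
    return users[req.target_user_id]

def audit_cross_account(log):
    """List past requests where caller != target, with sensitive fields touched."""
    findings = []
    for req in log:
        if req.session_user_id != req.target_user_id:
            touched = sorted(SENSITIVE_FIELDS.intersection(req.changes))
            findings.append((req.session_user_id, req.target_user_id, touched))
    return findings

# Constructed sample log, not real data.
SAMPLE_LOG = [
    ModifyUserRequest(101, 101, {"email": "owner@example.test"}),
    ModifyUserRequest(202, 101, {"email": "other@example.test", "password": "x"}),
    ModifyUserRequest(303, 303, {"phone": "000"}),
]

if __name__ == "__main__":
    for caller, target, fields in audit_cross_account(SAMPLE_LOG):
        print(f"caller {caller} modified user {target}: {fields}")
```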
Having gained access to a user's account, the hacker can easily extract the entire user data. It’s sad to know that the testers even managed to stop the vehicle whenever they wanted to and to open the doors, thereby allowing an easy hijack. Alarms can be controlled, and the lights can be flashed while the car is in motion. It was even possible to clone the alarm key fob so that a smartphone could then be used to unlock the vehicle without a key whenever desired.
Different vehicles were identified as being at risk, including the Toyota Fortuner, RAV4 and Toyota Prius 50, Range Rover Sport and Mazda 6. However, the most disturbing of the vulnerabilities discovered was in Pandora, which enabled the researchers to listen to the occupants of the vehicles by enabling the microphone included for emergency phone calls.
What should you do about it?
The good news is that Pen Test Partners discovered the vulnerabilities. The vendors were quickly contacted before the details of the existing loopholes were released. The weaknesses are in the software, so the vendors can promptly change the code. Flaws are now being fixed in Pandora and Viper.
The bad news is that the researchers didn’t perform a full test of the interface code, since this would require additional authorisation. According to Munro, this means that other vulnerabilities might also be present in the software. Because of this, it is always a good idea to stay up to date with what is being reported in the news about your car model and your car alarm system. While most manufacturers invest a vast fortune in preventing hacking, the problems they are trying to prevent can still pop up.
It’s impossible to know whether people with selfish interests have hacked any vehicles. So I advise all owners of vehicles that use car alarm app systems to investigate and get their cars checked.