Yes, Your vehicle could be hacked.
According to PenTest Partners, the car security alarm can be hacked and to allow your engine to be stopped while driving. These word look like scary bu its true, it might be possible to steal vehicles as a result.
Following Critical security flaws to be allowed.
- The car to be geo-located in real time
- The car type and owner’s details to be identified
- The alarm to be disabled
- The car to be unlocked
- The immobiliser to be enabled and disabled
- In some cases, the car engine could be ‘killed’ whilst it was driving
- One alarm brand allowed drivers to be ‘snooped’ on through a microphone
- Depending on the alarm, it may also be possible to steal vehicles
Researched finds two vendors Viper and Pandora, which is the biggest car alarm brands.
How to find Car Alarm Vulnerability?
The vulnerabilities are relatively straightforward insecure direct object references (IDORs) in the API.
Simply by tampering with parameters, one can update the email address registered to the account without authentication, send a password reset to the modified address (i.e. the attacker’s) and take over the account.
It’s possible to geo-locate and follow a specific vehicle, then cause it to stop and unlock the doors. Hijack of the car and driver is trivially easy.
Before the start to hack, security team noticed that Pandora claims their alarms are unhackable, and its motivate to researchers for try something out.The vulnerability allows an attacker to see geo location in real time, ability to lock and unlock the car, also can take control of the vehicle.
Researchers said, these alarms are expensive and the manufacturers had inadvertently exposed around 3 million cars to theft and their users are vulnerable. Car alarm vendors need to be take it seriously.
Car alarm vendors said that, the vulnerabilities have been patched after security researchers reported.