The flaws could be exploited by attackers to disable the alarm, as well as track and unlock the vehicles using it, or to start and stop the engine even when the car was moving. The experts also demonstrated that it is possible to snoop on drivers’ conversations through a microphone that is built into one of the car alarm systems,
“These alarms can expose you to hijack, may allow your engine to be stopped whilst driving and it may even be possible to steal vehicles as a result.” reads the report published by Pen Test Partners.
“After purchasing and fitting several high-end ‘smart’ alarms to our cars, costing us ~$5,000, we discovered that two of the largest aftermarket alarm systems have critical security flaws that allow:
The researchers discovered that the APIs for both applications failed to authenticate requests allowing attackers to take over customers’ accounts due to insecure direct object references (IDORs) issues.
“Simply by tampering with parameters, one can update the email address registered to the account without authentication, send a password reset to the modified address (i.e. the attacker’s) and take over the account,” continues the experts.
Once the attacker had control over the account, they were able to the associated vehicle. Experts also discovered that it was possible for both car alarm systems to create a test account that they used to hack into a genuine account.
“Both products allow anyone to create a test/demo account. With that demo
Pen Test Partners reported the flaws to both companies and they have fixed them in a matter of days.
“We’ve seen easy to exploit IDORs in IoT APIs on many occasions. This is the first time we’ve seen them lead to a potential attack on this scale before. ” conclude the expert.
“These alarms are expensive and are typically fitted