Car alarms with security flaws put 3 million vehicles at risk of hijack

TechCrunch | 3/8/2019 | Staff

Two popular car alarm systems have fixed security vulnerabilities that allowed researchers to remotely track, hijack and take control of vehicles with the alarms installed.

The systems, built by Russian alarm maker Pandora and California-based Viper (sold as Clifford in the U.K.), were vulnerable through an easily manipulated server-side API, according to researchers at Pen Test Partners, a U.K. cybersecurity company. According to their findings, the API could be abused to take control of an alarm system’s user account and, with it, the user's vehicle.

The vulnerable alarm systems could be tricked into resetting an account password because the API failed to check whether the request was authorized, allowing the researchers to log in.
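The missing check described above, shown as an added example (not code from Pandora, Viper or Pen Test Partners): a password-reset handler that trusts the account id in the request, next to one that compares it with the authenticated session and records denials. All function names, the request shape and the sample accounts are hypothetical.

```python
import hashlib
import hmac
import os

class Forbidden(Exception):
    """The caller may not act on the target account."""

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(accounts, user_id, password):
    salt = os.urandom(16)
    accounts[user_id] = (salt, _derive(password, salt))

def check_password(accounts, user_id, password):
    salt, stored = accounts[user_id]
    return hmac.compare_digest(stored, _derive(password, salt))

def reset_flawed(accounts, session_user_id, request):
    # Flaw: the account id comes from the request body and the
    # authenticated session identity is never consulted.
    set_password(accounts, request["user_id"], request["new_password"])

def reset_checked(accounts, session_user_id, request, audit_log):
    target = request["user_id"]
    # Authorization: the authenticated caller must own the target account.
    if session_user_id is None or session_user_id != target:
        # Record the denial so repeated cross-account attempts are visible.
        audit_log.append({"event": "reset_denied",
                          "actor": session_user_id, "target": target})
        raise Forbidden("caller does not own the target account")
    set_password(accounts, target, request["new_password"])

def demo():
    # Constructed sample data: two unrelated accounts; user 1 sends the request.
    accounts, audit_log = {}, []
    set_password(accounts, 1, "alice-old")
    set_password(accounts, 2, "bob-old")
    request = {"user_id": 2, "new_password": "chosen-by-user-1"}
    reset_flawed(accounts, 1, request)
    taken_over = check_password(accounts, 2, "chosen-by-user-1")
    set_password(accounts, 2, "bob-old")  # restore before the second run
    try:
        reset_checked(accounts, 1, request, audit_log)
        denied = False
    except Forbidden:
        denied = True
    return taken_over, denied, check_password(accounts, 2, "bob-old"), audit_log

if __name__ == "__main__":
    print(demo())
```

The audit entries written on denial give a detection signal: one session generating `reset_denied` events against many different targets is worth an alert.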

Although the researchers bought alarms to test, they said “anyone” could create a user account to access any genuine account or extract all the companies’ user data.

The researchers said some three million cars globally were vulnerable to the flaws, since fixed.

In one example demonstrating the hack, the researchers geolocated a target vehicle, tracked it in real time, followed it, remotely killed the engine and forced the car to stop, and unlocked the doors. The researchers said it was “trivially easy” to hijack a vulnerable vehicle. Worse, it was possible to identify some car models, making targeted hijacks of high-end vehicles even easier.

According to their findings, the researchers also found they could listen in on the in-car microphone, built in as part of the Pandora alarm system for making calls to the...
(Excerpt) Read more at: TechCrunch