Ironically, smart car alarms expose millions of cars to remote hijacking

Smart car

Aftermarket car alarms developed by Pandora and Viper have been found to be vulnerable to remote exploitation, allowing potential attackers to hijack and spy on their owners ‘ vehicles.

In the smartphone apps used to control the alarm systems developed by Pandora and Viper (known as Clifford in the UK), two of the world’s most popular smart car alarms, the exploitable software flaws have been found.

The smartphone application has already been downloaded over 3,000,000 times, taking into account Viper’s claims on the SmartStart alarm system website designed to help customers “start, control, and locate” their cars from “virtually anywhere.”

Locate and hijack cars by pressing a button

The researchers from Pen Test Partners who uncovered these flaws say that’ the vulnerabilities are relatively straightforward insecure direct object references (IDORs) in the API,’ and’ only by tampering with parameters can you update the email address registered in the account without authentication, send a reset password to the modified address (i.e. To make matters worse, enormous amounts of personal identifiable information were exposed to the flaws observed in the car alarm APIs.

  1. The car to be geo-located in real time
  2. The car type and owner’s details to be identified
  3. The alarm to be disabled
  4. The car to be unlocked
  5. The immobiliser to be enabled and disabled
  6. In some cases, the car engine could be ‘killed’ whilst it was driving
  7. One alarm brand allowed drivers to be ‘snooped’ on through a microphone
  8. Depending on the alarm, it may also be possible to steal vehicles

In addition, “It should also be noted that you do not need to buy either of these products to have an account on the system. Both products allow anyone to create a test / demo account. With that demo account, you can access any genuine account and retrieve its details,” the researchers said.

While Pen Test Partners gave the two companies behind the vulnerable smart car alarm systems only seven days to fix security issues due to the high likelihood that criminals were already aware of them and might exploit them in the wild, both Pandora and Viper responded and patched them very quickly, much faster than the researchers expected.

“Pandora’s UK representative responded in about 48 hours and had their Moscow-based HQ take action quickly. The IDOR was fixed overnight and we confirmed that the following morning. Viper responded faster, but took a little longer to fix the vulnerability. That one is also confirmed as fixed.”

The Pen Test Partners security researchers also provided a’ conservative’ estimate of the number of cars possibly affected by the problems they found, stating that’ the manufacturers inadvertently exposed about 3 million cars to theft and their users to hijack’ and’ $150 trillion of vehicles were exposed.’

Automotive software and apps vulnerable to hacking

This is not the first time and it will be willful. For example, Tesla’s electric cars were found to be vulnerable in 2016, with car thieves being able to hack and steal a Tesla by infecting the owner’s Android smartphone with a strain of malware and using it to control the Tesla Android App and then their car.

A Dutch cyber-security firm discovered during April 2018 that several in-vehicle infotainment (IVI) systems used by some Volkswagen Group cars were exposed to remote hacking.

BMW announced in May that researchers from the Tencent Keen Security Lab have started working on a number of firmware updates designed to patch 14 security issues found in cars from BMW I Series, BMW X Series, BMW 3 Series, BMW 5 Series, and BMW 7 Series.

In Tesla Model X cars, the same researchers were also able to identify several vulnerabilities that would have enabled attackers to control vehicles remotely, forcing the car to brake while in motion or controlling its lights, in-vehicle displays, and when stationary, open its doors and trunk.

An electronics designer discovered a security flaw in several Subaru models ‘ key fob system during October 2017, an issue that could likely be abused to hijack customer cars and that the automaker refused to patch when contacted.

Two buffer overflows in the TCU (telematics control unit) components (2 G modems)–CVE-2017-9647 and CVE-2017-9633–affected BMW, Nissan, Ford and Infiniti during the summer of 2017, the TCUs using S-Gold 2 (PMB 8876) cellular baseband chipsets.

Mazda cars were also found vulnerable, with the Mazda MZD Connect infotainment system being easily hackable by plugging into the dashboard of the car in a USB flash drive. Mazda car owners successfully used this “feature” to alter the infotainment systems of their vehicles-installing new apps and adjusting settings.

To put it all into perspective, as detailed in a study conducted by Ponemon Institute-when it comes to testing vulnerabilities of software-about 63 percent of all automotive companies will test less than half of the software, hardware and other technologies they develop.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.