Saturday, December 2, 2023

Hack the Car in Real Time – Car Alarm Flaw let Hackers Remotely Hijack 3 Million Vehicles Globally

Researchers discovered a serious Vulnerability in famous vendors car alarm system that allows attackers to hijack the car remotely and kill the engine while driving, even steal the car.

These alarms available in the market for $5,000, that already fitted in several high-end cars and the critical vulnerabilities were discovered in two leading alarm vendors Viper and Pandora manufactured alarm systems.

Also, Pandora has since taken the claim off their web site as ‘unhackable’ and also said that they never faced any security breachs.

Penetration Testers discovered the critical vulnerability in direct object references (IDORs) in the Pandora alarm system API.

This vulnerability allows to tamper the user account let attacker update the email address registered to the account without authentication, send a password reset to the modified address to compromise the account.

Researchers said “Another Smart Start alarm Viper vulnerability is an IDOR on the ‘modify user’ request. Although all of the other APIs are correctly checking for authorization, the /users/Update/xxxxx request is not being properly validated.”

This vulnerability resides in API system allows attackers to interact with the alarm system by issue a malicious request to change any users password and login.

Image indicate the password change operation

Similarly, Pandora vulnerability is an IDOR on a POST request: on the ‘email’ JSON parameter.

Post request for overwrite the existing email 

So once the email will be overwritten then the attacker possibly change the user password on Pandora vehicle alarm system and simply login to the app and obtain full functionality.

Lets Hijack the Car

Researchers demonstrate the process of hijacking the car once they take over the vulnerable alarm management accounts and currently This flaw affects up to 3 million vehicles globally.

They took the famous Range Rover car which installed with the alarm system. below image indicate the app control interface.

Real time car location

PentestPartners researchers said “track the car in real time and The driver now pulls over to investigate. We set the immobiliser, so they can’t drive off. We have already removed their access to the alarm account, so they can’t reset the immobiliser.”

In this case, once the attackers found the car then they can use the unlock future in the mobile app to unlock the car door and against start the engine.

Researchers also discovered that attackers could kill the engine on the Viper equipped car whilst it was in motion.

“Promotional videos from Pandora indicate this is possible too, though it doesn’t appear to be working on our car.”

Also there are many functionalities can be obtained by the attacker from this car alarm app and they perform the following actions,

  • The car to be geo-located in real time
  • The car type and owner’s details to be identified
  • The alarm to be disabled
  • The car to be unlocked
  • The immobiliser to be enabled and disabled
  • In some cases, the car engine could be ‘killed’ whilst it was driving
  • One alarm brand allowed drivers to be ‘snooped’ on through a microphone
  • Depending on the alarm, it may also be possible to steal vehicles

“These alarms are expensive and are typically fitted to high-end vehicles, often those with keyless entry. A conservative estimate suggests that $150 Billion worth of vehicles were exposed”. Researchers said.

“This serious flaw has been reported already to the concern vendors and gave them 7 days to take down or fix the vulnerable APIs”

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

PASTA – A New Car Hacking Tool Developed by Toyota to Test The Security Vulnerabilities

Moscow’s Cable Car System Hacked Within Two Hours After it Opened

Beware – Dangerous IoT Attacks Leads Some One to Hack and Control Your Car

CarsBlues Bluetooth Hack Allows Hackers to Access Text Messages, Call Logs and More


Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles