Hacking smart car alarm systems

March 18, 2019

Information security specialists at Pen Test Partners have hijacked a car — using its alarm. What is more, the security systems that the researchers hacked — Pandora and Viper SmartStart — are widely used: Researchers estimate that about 3 million cars have them installed.

Convenient, but are they safe?

In theory, smart antitheft systems are more than just alarms. They can assist even if the vehicle has already been stolen. For example, they can track it, cut off the engine, and lock the doors before the police arrive. And all this is done through an app in your smartphone. Convenient? You bet! Safe? As manufacturers claim, such systems were designed to enhance car security many times over.

But now it’s not just your car that might get stolen.

Having hijacked your account and logged into the app in your name, a cybercriminal gains access to a mass of data and all smart alarm functions. A simple change of password will lock you out of the system. The attacker will then be able to:

  • Track all vehicle movements,
  • Enable and disable the alarm system,
  • Lock and unlock the car doors,
  • Enable and disable the immobilizer, an antitheft tool that prevents the engine from starting,
  • Cut the engine — in some cases even while the car is moving.

In the case of Pandora alarms, the cybercriminal can also eavesdrop on conversations inside the vehicle through the antitheft system’s microphone, which is intended for emergency calls. Remember that you cannot fight back, because only the attacker has access to the system. Doesn’t sound too great, does it?

Smart hijacking in seconds

The research team discovered that hijacking a smart alarm user account is not only possible, but not that hard either. To steal a Viper or Pandora account, there is no need even to purchase the alarm itself (which can be a pricey $5,000). At the time of the study, all someone had to do to gain access to the system was register an account on the website or in the app — and use it to gain access to any other account.

The problems in both systems are similar, relating to how the app interacts with the server. The attack mechanism is slightly different. In the case of Viper, the intruder can change any user credentials by sending a special request to the server where the data is stored.

The Pandora system is a bit more discerning in that it does not allow just anyone to reset the password; however, a cybercriminal can change the e-mail address linked to the profile without authorization, and then use this to legitimately (from the system’s point of view) request a password reset.

What to do?

First, don’t panic. The researchers, of course, informed the manufacturers of their findings. The manufacturers reacted quickly and closed all loopholes in just a few days.

But before the study was carried out, vehicles with smart alarms were in effect less secure than those without. And by no means do all IoT developers respond to cybersecurity experts’ recommendations with the same alacrity and efficiency. So our advice, as ever, is to be cautious about smart solutions, especially when security systems are in play.