Researchers Hack Third-Party Car Alarms To Take Control Of Vehicles

Researchers have discovered security bugs in high-end third-party car alarms that could allow an attacker to steal cars, remotely stop their engines while in motion or, in some cases, even eavesdrop via microphones inside the vehicle.

UK-based Pen Test Partners said the results were surprising, since the devices in question are sold as ways to make cars more secure.

“We have shown that fitting these alarms can make your vehicle even less secure,” Pen Test Partners partner Ken Munro wrote in an advisory.

The firm said it installed several of the high-end alarms in order to carry out practical attack demonstrations, but it said the attacks could be carried out without owning one of the devices.

Account hack

Attackers could also exploit the bugs to geo-locate cars in real time, identify the car type and the owner’s details, and disable or enable the immobiliser.

In one scenario, researchers detailed how several remote functions could be used by attackers to locate a car, approach it, cause the owner to pull over, open the doors and hijack the vehicle.

Munro said the issues affect up to 3 million vehicles around the world.

Pen Test Partners began the research after seeing that one of the vendors, Moscow-based Pandora, advertised its alarms as “unhackable”.  The claim has since been removed from Pandora’s website.

The firm also tested alarms from Directed, whose alarms are branded Clifford in the UK and Viper in the US. Directed and Pandora are two of the biggest car alarm makers.

In both cases, Pen Test found it was able to carry out a relatively straightforward hack, bypassing the firms’ back-end security to change the email address of the vehicle’s online account to one under the attacker’s control.

The attacker could then reset the password and take over the account.

“After the password is reset, one can simply login to the app and obtain full functionality,” Munro wrote. “This attack could also be used against admin users which could give access to multiple vehicles.”

In both cases, an attacker could use a test or demo account to carry out the attack on another user, meaning it isn’t necessary to own the product.

Vehicle hijack

Munro said that using either of the hacked alarms, an attacker could geo-locate a vehicle they wished to steal, follow it, and then remotely set the alarm siren and flashers off, causing the driver to pull over.

The attacker could then set the immobiliser, preventing the driver from leaving, and could open the car’s doors using the smartphone, take the car keys from the driver and hijack the vehicle.

In the Viper’s case the car engine could be stopped while it was in motion, a feature intended to stop stolen vehicles.

Pandora alarms include a microphone enabling SOS calls, and researchers were able to eavesdrop on this remotely.

They also found features that could allow an attacker to remotely change a vehicle’s cruise control speed on some models.

Security upgrade

Pen Test informed both alarm makers and both responded quickly, fixing the issues involved.

The firm said there was a “high chance” that professional criminals were already aware of the bugs.

Munro said he was surprised that the security-oriented firms had not carried out “due diligence”  before bringing their products to market.

Directed said the account access bug had been introduced in a recent update and that it was not aware of the issues having been exploited.

“Directed is committed to providing safe and secure products but no system can be 100 percent safe,” the company told the BBC.

Pandora Alarms said it had made changes to its code and upgraded security.  “The pain point has been removed,” it said in a statement.

Connected device risk

Munro added that the findings are worrying for “Internet of Things” connected devices, most of which are far less security-conscious than the smart car alarms.

“Manufacturers need to build security in to their products from day one, or risk creating a society where more and more everyday objects are open to attack by nation states, criminals and others with bad intentions,” Munro commented.

The risks of connected devices extend beyond household gadgets and consumer vehicles, with operational systems, including critical infrastructure, increasingly being linked to cloud-based networks.

National Cyber Security Centre (NCSC) head Ciaran Martin said last year that a major attack on UK critical infrastructure was a question of “when, not if”.