Security Flaws in Smart Car Alarms Could Enable Vehicle Theft

Experts from Pen Test Partners have investigated the “smart” car alarm systems produced by Viper (known as Clifford in the UK) and Pandora. The researchers were motivated in part by a statement previously published on Pandora’s website, where the company claimed its smart products were “unhackable” (this bold claim has since been removed from the site).

According to the Pen Test Partners report, Viper and Pandora unintentionally put more than 3,000,000 vehicles at risk of theft due to vulnerabilities in their products. The researchers quickly discovered that the manufacturers’ APIs were insecure because they used unsafe direct object references. By simply changing parameters, an attacker could, without authentication, change the email address linked to an account, send a password reset request to the new address, and then take control of the account. Not only customers of these vulnerable products are at risk—Viper and Pandora also offer free demo accounts to anyone interested.

As a result, a hacker could:

• Learn the car model and owner information
• Track the vehicle in real time
• Disable the alarm and unlock the car
• Start or stop the engine
• Enable or disable the immobilizer

In some cases, an attacker could even stop the engine while the car is moving or eavesdrop on the victim through the microphone. Additionally, the researchers found that, when paired with certain models—Mazda 6, Range Rover Sport, Kia Quoris, Toyota Fortuner, Mitsubishi Pajero, Toyota Prius 50, and RAV4—the car alarm APIs have undocumented features that allow remote adjustment of the cruise control speed.

The video below demonstrates the vulnerabilities discovered by the experts in practice.