Recently BBC television news featured a brief documentary about the hacking of protective passwords for Pandora and Viper car alarm systems. It should be said at the outset that the manufacturers of these products say that any shortcomings have now been remedied. The story, however, is still important in that the digital world we have come to rely may not be as perfectly secure as we might like to believe.
Pandora is Hacked
Reportedly, the Pandora system could be hacked on the basis of a “password flaw” and the BBC and other online articles report that (prior to correction) the following could be achieved by a malicious hacker, quote:
- Take control of the smart alarm remote access app
- Obtain some personal details relating to the vehicle’s own
- Track the subject vehicle in real time (there’s an invasion of your privacy!)
- On one (unspecified) brand, listen to conversations in the vehicle “through a microphone” (Is horrible or what?)
- Activate the alarm
- Open the vehicle doors
- Start the engine
The BBC program quotes a cooperating technical consultant (“good guy hacker”) as saying that, in relation to the Viper system, a malicious hacker could pick something exotic – Lamborghini or Porsche for example – open the vehicle’s doors, start the engine and go for a ride. In those circumstances whether the vehicle gets a new identity, is broken up for parts or is taken to some other country where vehicle registration is less than strict, is of course anyone’s guess. The outcomes of actual hacking do not appear to have surfaced in internet or news reports. It looks like the problems have been identified and the software upgraded early enough to prevent any significant consequences.
The initial weak security control has been attributed to the manufacturers focus on software usability with less intense scrutiny on issues surrounding password protection.
Statements from Pen Test
Much of the BBC commentary has been based on technical work done in relation to the above mentioned brands by the UK tech firm Pen Test Partners. To read click here.
Pen Test has their own technical discussion posted, which concludes:
- We’ve seen easy to exploit IDORs in IoT APIs on many occasions. This is the first time we’ve seen them lead to a potential attack on this scale before.
- One would expect that a manufacturer of alarms, designed to make our vehicles more secure, would have carried out a degree of due diligence prior to taking their products to market.
- These alarms are expensive and are typically fitted to high-end vehicles, often those with keyless entry. A conservative estimate suggests that $150 Billion worth of vehicles were exposed.
- These alarms did not add any additional security to protect against key relay attacks, and before they were fixed they actually exposed the owners to additional attacks and compromised their safety
- Before we contacted them, the manufacturers had inadvertently exposed around 3 million cars to theft and their users to hijack.
Road Rules by Cedric Hughes and Leslie McGuffin