Security flaws found in smart car alarms

Researchers at Pen Test Partners, a U.K. cybersecurity company, found that the smart alarm systems, built by Russian alarm maker Pandora and California-based Viper (or Clifford in the U.K.), were vulnerable to an easily manipulated server-side API. In their findings, posted Friday, the API could be abused to take control of an alarm system's user account — and their vehicle.

For the Viper alarms, the modify user request isn't validated at the server, so if you form the right HTTP request, you can change any user's password. The Pandora system lets you change the user's e-mail address to your own. Then you can reset the password and that's that. In some cases, it appears that control of the alarm would allow you to send commands on the CAN bus and that could allow you to have a tremendous amount of control of the car.

Not only could compromising the smart alarms result in the vehicle type and owner's details to be stolen, but the car could be unlocked, the alarm disabled, the vehicle tracked, microphones compromised, and the immobilizer to be hijacked.

"I could look on the system and look for a nice Lamborghini or a Porsche, locate one close to where I am, go and start that car if no one's around, open the doors and drive away" said Chris Pritchard, a security consultant at Pen Test Partners.

The researchers contacted both Pandora and Viper with a seven-day disclosure period, given the severity of the vulnerabilities. Both companies responded quickly to fix the flaws. In a statement, Pandora Alarms said:

"We have made changes to the code and upgraded security. The pain point has been removed."

Read more -here-