You’ve heard about the connected “smart home,” right? But how about the connected smart car? Similar to our connected homes, the perks of a connected car provide us with incredible convenience. Some of these smart systems even allow us to remotely unlock and start a car from our smartphones.
But similar to anything that’s powered by software and is perpetually tethered to the internet, connected cars are susceptible to cyberattacks. And this increasing number of connected cars on the road has led to a new kind of danger: remote smart car hacks.
Now, two of the most popular smart car alarm systems in the world, one of which claims to be “unhackable,” were put to the test. You won’t believe how vulnerable these systems really are.
Flaws discovered in smart car alarm systems
Two popular smart car alarms are not as “unhackable” as previously thought. Security researchers found major security vulnerabilities that could allow hackers to do scary stuff like unlock a car, disable the alarm, track the vehicle, steal the owner’s information and even kill the engine.
Researchers from Pen Test Partners found the issues in systems made by two of the most popular car alarm brands in the world, Viper and Pandora Car Alarm System.
How popular are these smart car alarms? Well, the two companies have at least 3 million customers between them. These high-end car alarms are not cheap either, costing at least $5,000 for each installation.
Car alarms unhackable? Not exactly
But what spurred Pen Test Partners to probe the two popular smart car alarm systems? The researchers said that one of the car alarm vendors, Pandora, boasted that their system’s security is “unhackable.”
Bad move. That bold claim piqued the interest of the researchers at Pen Test Partners and they decided to put it, together with Viper’s system, to the test. (The claim has since been taken down from Pandora’s website.)
Huge security holes
Based on Pen Test Partners’ test, both Pandora’s and Viper’s Application Programming Interface (API) for their smartphone apps did not authenticate requests properly.
By modifying a few parameters on the API, a hacker can update a user’s registered email address without authentication, reset the password and completely take over the account.
With these flaws, an attacker can potentially track a car’s location, unlock its doors and even cause it to stop completely. Note: Pandora’s car alarm systems also have microphones that hackers can take over to listen in to live audio.
And the biggest danger? This can all be done remotely. Click here to watch Pen Test Partners’ video demonstration.
Are fixes on their way?
Pen Test Partners said that they informed both Viper and Pandora about the security flaws in late February. Since these vulnerabilities can affect 3 million vehicles with dire consequences, they chose to skip the standard 90-day disclosure period and shortened it to a week.
Thankfully, both Viper and Pandora responded quickly and fixed the issues within that time period. If you have one of these smart car alarm systems installed in your car, please update your app and your firmware as soon as possible.
Additionally, to ensure your smart car alarm app is adequately protected, change the default password and always use strong and unique credentials (never reuse your passwords from other services). Enable two-factor authentication (2FA) whenever available and always keep your app up-to-date.
For further reading: Do you have a hackable car? Here’s how to protect yourself
Bonus podcast: Half of Americans draw the line on self-driving cars
Americans love their cars. In the past, it was all about style and horsepower. Now, it’s all about the technology inside of a vehicle and what it can do. But is there a limit to how much technology is really acceptable? Listen to this podcast for Kim’s take on the issue.