They no longer build cars like they used to. It’s no surprise why vintage cars continue to appeal to many people, because the darned things can be hotwired but can’t be hacked. It’s already been reported that more advanced vehicles can be hacked, taken over and allow the attacker to run the vehicle into a ditch or shut down the vehicle in the middle of nowhere and leave the driver vulnerable.
This time, another vulnerability has sprung up that allows hackers to control vehicles through their Smart Car Alarm systems. This vulnerability could affect up to three million smart car alarm users worldwide.
About three million vehicles have Smart Car Alarm Systems from brans Pandora and Viper. Two brands of smart car alarms identified by researchers of Pen Test Partners as being vulnerable to hackers.
Once hacked, the hackers can disable the car alarms, shut down the vehicle, access vehicle and owner information, disable real-time location tracking and unlock the car itself. They even demonstrated on video how it can be done so there’s no denying from any company that their products are unhackable. Nowadays, there seems to be no such thing.
For Viper, their vulnerability stems from an improperly validated ‘modify user’ API parameter which allows hackers to change both login and password information. In Pandora’s case, an internal POST request can allow hackers to also change the user’s email and password allowing hackers to gain control of the vehicle.
Fortunately, Pandora and Viper have managed to issue patches within the prescribed disclosure period. This and other related articles should serve as a warning for customers to have their firmware patched.
Nothing is unhackable to those who are as determined as hackers. New security techniques just come off as new challenges for them. It’s just a matter of time and staying one step ahead.