Car Alarm Hacks 3 Million Vehicles

Pen testing isn’t about evaluating inks. It is short for penetration testing — someone ensuring a system’s security by trying to break in or otherwise attack it. A company called Pen Test Partners made the news last week by announcing that high-end car alarm systems made by several vendors have a critical security flaw that undermines the very protection they are supposed to provide. They claim about three million vehicles are affected.

The video below shows how the companion apps for Viper/Clifford and Pandora alarms can be hijacked with a simple attack. Once they have access, they can find the car in real time, control the door locks, and start or stop the car engine. They speculate a hacker could set off the alarm from a nearby chase car. You’d probably pull over if your alarm started going off. They could then lock you in your car, approach, and force you out of it.

Apparently, some of the alarms even have microphones so you could listen in on what’s happening in a target’s car. Starting the engine would allow you to burn gas or fill someone’s garage with carbon monoxide, too.

What started all this? The team noticed that Pandora claims their alarms are “unhackable.” That’s hard for a hacker to ignore, of course. According to the posting:

Amazingly, the vulnerabilities are relatively straightforward insecure direct object references (IDORs) in the API.

Simply by tampering with parameters, one can update the email address registered to the account without authentication, send a password reset to the modified address (i.e. the attacker’s) and take over the account.

For the Viper alarms, the modify-user request isn’t validated at the server, so if you form the right HTTP request, you can change any user’s password. The Pandora system lets you change the user’s e-mail address to your own. Then you can reset the password and that’s that. In some cases, it appears that control of the alarm would also allow sending commands on the CAN bus, which could give a tremendous amount of control over the car.
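To make the IDOR concrete from the defender's side, here is an added example (not code from Pen Test Partners, Viper or Pandora; the in-memory `AccountService`, `User` and `Request` types and the sample addresses are all constructed for this illustration). It shows an account-update handler that trusts a `user_id` parameter from the request body, the same class of mistake the posting describes, next to a hardened handler that derives the object reference from the authenticated session, rejects mismatches, and writes an audit line a detection rule could match. The `password_reset_target` helper shows why the e-mail field matters: whoever controls that address receives the reset link.

```python
"""Added example: an IDOR in an account-update API beside a hardened version.
Everything here (types, sample users, addresses) is constructed for illustration
and is not the code of any real vendor."""
from dataclasses import dataclass
from typing import Optional
import secrets


@dataclass
class User:
    user_id: int
    email: str


@dataclass
class Request:
    session_token: Optional[str]   # None for an unauthenticated request
    body: dict                     # parsed JSON body; entirely client-controlled


class AccountService:
    """Toy in-memory account API (constructed for this example)."""

    def __init__(self) -> None:
        self.users = {
            1: User(1, "attacker@example.test"),   # constructed sample data
            2: User(2, "victim@example.test"),
        }
        self.sessions: dict[str, int] = {}   # session token -> user_id
        self.audit: list[str] = []           # lines a SIEM rule could alert on

    def login(self, user_id: int) -> str:
        token = secrets.token_hex(16)
        self.sessions[token] = user_id
        return token

    def update_email_vulnerable(self, req: Request) -> dict:
        """IDOR: the target object is chosen by a body parameter and the
        session is never consulted, so any caller can rewrite any user's e-mail."""
        uid = int(req.body["user_id"])
        self.users[uid].email = req.body["email"]
        return {"status": "ok", "user_id": uid}

    def update_email_hardened(self, req: Request) -> dict:
        """Bind the update to the authenticated principal."""
        caller = self.sessions.get(req.session_token) if req.session_token else None
        if caller is None:
            self.audit.append("update_email denied: unauthenticated request")
            return {"status": "error", "code": 401}
        # The object reference comes from the session. If the client also sends
        # a user_id it must match the caller; a mismatch is worth alerting on.
        requested = int(req.body.get("user_id", caller))
        if requested != caller:
            self.audit.append(
                f"update_email denied: user {caller} targeted user {requested}")
            return {"status": "error", "code": 403}
        self.users[caller].email = req.body["email"]
        return {"status": "ok", "user_id": caller}

    def password_reset_target(self, user_id: int) -> str:
        """Address a reset link would be mailed to: control of this address
        is control of the account, which is why the e-mail field matters."""
        return self.users[user_id].email


def demo() -> tuple:
    """Send the same tampered request to both handlers and report where user 2's
    reset mail would now go, plus the hardened handler's status code."""
    tampered_body = {"user_id": 2, "email": "attacker@example.test"}

    # Vulnerable handler: user 2's reset mail is redirected to the attacker.
    svc = AccountService()
    svc.update_email_vulnerable(Request(svc.login(1), tampered_body))
    vulnerable_target = svc.password_reset_target(2)

    # Hardened handler, fresh service, identical request: rejected and logged.
    svc2 = AccountService()
    result = svc2.update_email_hardened(Request(svc2.login(1), tampered_body))
    hardened_target = svc2.password_reset_target(2)
    return vulnerable_target, hardened_target, result["code"], svc2.audit[-1]


if __name__ == "__main__":
    print(demo())
```

The design point is that the hardened handler never lets a client-supplied identifier select the object being modified; the session decides, and a `user_id` that disagrees with it is treated as a probe and recorded rather than silently ignored. The same pattern applies to the password-change request on the Viper side: the server, not the client, must decide whose record is touched.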

As ethics demand, the group notified the vendors and supposedly the holes have been plugged. Sometimes you hear about a hack that requires some very exotic work, but these were trivially simple. It is unknown if anyone ever used these hacks in a bad way, but it was certainly a real possibility.

As more things become network controllable, security gets more and more important. It is bad enough to lose your information, but real-world hacks can threaten your property or even your life.

30 thoughts on “Car Alarm Hacks 3 Million Vehicles”

  1. I’m sorry, but this is another example of ‘sounds interesting, but isn’t’. Notice that when they demo’d the starting of the car, they didn’t actually drive it anywhere. That is because they still need a key to actually do anything with the car. They also didn’t mention that cars have timers to limit how long they run for in this state.

    For the consumer, yes, it is unfortunate that they can unlock the doors and possibly steal your stuff; however, thieves currently will just break your window and steal stuff. In regards to trying to waste your gas by running your car, really? In regards to trying to kill you in your home, this is possible; however: a) vehicles limit how long they will run in this state, b) attached garages have building code requirements, c) this would be murder and since you could track down the hacker that should be a pretty big deterrent.

    I do hope the company fixes their issues with the app, though.

    1. a) But does it limit how many times you can start the car? c) but could they track you if the unit controlling the car is small, automated, has a battery, and sits on a public WiFi?

    2. Yes it seems they spent significantly more time extrapolating unlikely nightmare exploit scenarios than they did the actual hack. Though it does speak to how a lot of the piled on, not so useful features in the app become tools to misuse the car.

    3. Linked article also lists models on which the engine can be killed remotely and the cruise control set through the API. Fun times for script kiddies, but seems serious enough to me.

      1. Read the article and even more annoyed…. I love the part about $150 Billion worth of vehicles are exposed… Seriously?

        In regards to killing a driving vehicle, they didn’t prove that was working, they just said that they thought they saw something in the API…

        In regards to cruise control, all a driver has to do is step on the brake pedal to disengage it. (though this could definitely surprise someone) Most vehicles have limits around cruise control for safety reasons. (e.g. someone has to engage it, it can only be engaged in situations over a certain speed, newer vehicles with forward collision alert will disable cruise, etc.)

        CAN Messaging – While they made a big deal about this, they really didn’t expound on anything useful they did with it. Assume this is another script kiddie wet dream. (e.g. I could flood the CAN bus and DoS your engine kinda thing, but that would assume a lot of other variables)

        Once again, shame on these vendors for shitty security in their product, but there’s a lot of exaggeration in here.

        1. You seem to have some issue with the work.

          You say: “In regards to killing a driving vehicle, they didn’t prove that was working, they just said that they thought they saw something in the API…”

          Yet directly in the linked post: “We discovered we could kill the engine on the Viper equipped car whilst it was in motion.”

          You say: “CAN Messaging – While they made a big deal about this, they really didn’t expound on anything useful they did with it.”

          All the post says is that these devices are directly connected to the CAN bus. No gateway, no filters. You are entirely reliant on the security of the alarm from bad things being on there now.

    4. Hi! I’m responsible for the team that carried out this research.

      For the remote start to work, you need to have a means to bypass the immobiliser.

      This is either achieved using a dedicated immobiliser bypass – which can either clone a key or exploit a long standing vulnerability, or by literally leaving a key in the vehicle.

      What is the timer based on?

      1. It will be built into the remote start module. Viper is typically a 12 minute default; however, it can be changed up to 60 minutes. Perhaps there is something in the API to alter that as well now?

        OEM remote start functionality is very similar, typically defaulting to around 10 minutes. (For GM, you can change this by reprogramming the ECU for those OnStar hackers out there… :) )

          1. The timer is for *IDLE* to ensure that you don’t leave it running after a remote start session. The remote start wouldn’t need the key.

            To drive the car, you would need a key. (e.g. if this is an older vehicle that uses a physical key, it needs to be inserted and turned to the Run position; otherwise, the steering column will not unlock. If this is a newer vehicle that is keyless, this *may* vary on the OEM, but it *should* be pinging for the remote and verifying that the fob is present…… )

            For the car in your demo video were you able to drive it around with nothing other than the app?

          2. If you hack the telematics transport you can certainly start the vehicle but the remote start unit itself will not allow the vehicle to move (it detects brake pedal activation and gear position) so an attack does not result in vehicle theft.

      1. The relay attack works by extending the range of the remote so that the car detects the actual remote.

        Once you get in the car, press the brake pedal, and then the start button, the car will be in ‘RUN’ mode. Once the car is in RUN mode, you *do not* need a key. This is a safety feature. Depending on the exact vehicle, once the key “leaves” the car, you will get a warning message. If you try to turn off the vehicle, most makes/models will warn you that the key is not present and will then force you to confirm that you want to turn the car off. This is again a safety feature to ensure you don’t get stranded.

        When someone uses this range extension attack, they can get the car into “RUN” mode, drive it off to wherever they want; however, once they turn it off, it is now stuck and they won’t be able to start it again. If they have friends at a dealership, they can get new keys made / learned to the vehicle using factory tools, etc. (In many cases they have the tools for this purpose already) Alternatively, they could just drive the car to their ‘evil lair’ and strip it down for parts…

        1. “Once the car is in RUN mode, you *do not* need a key. This is a safety feature. ”

          Bullsh*t
          This is not a safety feature this is a marketing feature.

          Cars have needed keys for a very long time to run.
          Before it was as a physical key, then it became a box that needed to be inserted into the dash and now it’s something that stays in your pocket.

          The reason why these keys are not needed for RUN is to save on battery life.
          If the key needed to be polled every 20 seconds to ensure the key was still with the car, those fobs would need to be charged up every few days.
          Customer feedback would have been that they don’t like that idea.

          So instead of good security where the key is required, we ended up with crap security so people don’t have to charge their keyfobs.

    5. Several cars do not need a key to be physically inserted into anything in order to drive the car. The bypass mechanism which allows the remote start to happen would generally also bypass the “you need a key to drive” thing.

      However, most of those cars also have a “depress brake to enter gear” – or, if a manual, you need to hit the clutch to (reasonably) shift into gear. The systems I’ve set up 1) get connected to the brake and/or clutch so they shut down when that pedal is depressed and 2) have RPM sensing so they can tell if the engine is running – and will shut off on an overrev situation. So they (where “they” is “remote start systems made in the last couple of decades”) do have several redundant controls which should prevent the car from driving away while under remote start control.

      1. *Many* cars no longer require physical keys to be inserted. The remotes have two modes active/passive. When you press a button, it is active in that it emits a signal typically to the RKE/RFA module to do something. (e.g. unlock doors / lock doors / remote start / trunk / etc.) In Passive Mode, the vehicle is *pinging* to detect key fobs. If the fob receives the signal and sends the proper response to the RKE/RFA the vehicle will know a key is present and will allow you to start / drive the car, etc.

        In regards to the modern 3rd party remote start / alarm systems, I’m not 100% sure how they interface with cars. They may be simply emulating the Active “remote start” command to the RKE or it could be a combination of hardwiring into the BCM / Passive mode. (As most modern vehicles have remote start functionality, it would seem emulating the active signal would be “easier”) When you hit the brake, I would imagine the remote starter is no longer emulating a key which would then force the car to see a handshake between a real key or it would shut down.

        For older cars, it would simply emulate the key / bypass immobilizer fooling the BCM, but the key was needed since you couldn’t do much without unlocking the steering column, etc. Depending on the exact system it might even look at the output of the key cylinder to verify that a key was in the cylinder, etc.

        1. Many car alarms with remote start and immobiliser keys require a physical key to be placed in a box inside the vehicle hidden behind the dash etc.
          The messaging from the key is then relayed to the car when the alarm remote start function is triggered.

          Nothing beats the hidden switch connected to powering something vital.
          I have a magnet on my keyring and there is a spot on the dash with a reed behind it.
          Totally unmarked. Thus suggesting no alarm and a fault.
          Good luck starting my car. It’ll need to be towed.

    6. Correct me if I’m wrong but if this hack gets you access to the CAN bus it’s pretty much game over isn’t it? You don’t need a key if you can unlock over CANbus – after all, new keys are coded by the dealer using the CANbus…

      And yes they hyped the nightmare scenarios a bit, but that’s the only way security research like this gets the mainstream media (and everyday folks) to pay any attention. Hackers have cracked some obscure security standard? Yawn! Hackers can get into your noodz? OMFG panic fix it fix it!

  2. “it is unfortunate that they can unlock the doors and possible steal your stuff; ”

    or unlock your doors during the evening, hide in the back seat, re-lock the doors, and when you come back to your car, they not only have your “stuff”, they have YOU.

    1. Really?

      a) You can easily break into a car without this “hack”. Cars are not that secure.
      b) I think I’d be alert enough to know someone is in my back seat.

      1. So apparently it does happen… https://www.aol.com/article/news/2017/03/03/woman-abducted-stabbed-by-man-hiding-in-backseat-of-her-car/21872895/
        Maybe it was an elaborate scheme by this woman – I didn’t follow up that far.

        a) easy AND undetectable (ie no broken windows) varies from easy to very difficult depending on car.

        b) again depending on the car (and its size) this is easy to very difficult. I’d find it easy given the size of my backseats (unless the would-be criminal was an infant), but very difficult and time consuming if one had a three seat SUV or something with a cargo area with one of those covers that ironically enough are there to hide belongings to prevent theft. I doubt that you check your backseat thoroughly enough to state absolutely that there was never a time you would have missed someone hiding back there before starting to drive. How about that time you had that stuff in the back? Did you check underneath it? Does your seat fold down to access the trunk? You check the trunk every time, or confirm the mechanism isn’t altered to allow it to be simply pushed open from the trunk?

        Are these situations unlikely? Yep. Should a company do a LOT better with cyber (and every other type of) security, especially in a product that is intended to make your possession more secure? Without a doubt.

        1. Any tow truck driver / police officer / locksmith / or anyone with an eBay/Amazon account can get tools to easily open doors w/o breaking windows, etc. A lot of people also (surprisingly) leave their doors unlocked……. Even if the car is locked and the attacker can’t get inside, they can literally just hide by the car. A knife wielding person bent on attacking you isn’t going to give if they can’t get in your car….

          In regards to your comment about the company being more secure, I’ve literally stated that in every reply. I’m simply stating that we don’t need to get over dramatic about the impact of some of these vulnerabilities.

          I guess it’s cool if you want to get your story covered on a bunch of websites, but ……..

  3. I’ve spent a lot of time building these aftermarket devices. They bypass the immobilizer systems. Meaning, starting the vehicle is just like starting with a regular key. They prevent theft by shutting down when the brake is pressed.

    This is trivial to bypass. Meaning if you can activate the start, that is a much much more difficult task than bypassing the brake switch.

    And if you really really wanted to you could now just use an old-fashioned hot wire to keep the ignition engaged. And if there’s a starter kill or fuel cut off, this is just a relay.. This is bypassable.

    Point is, this attack is significant and theft could be possible.

    1. *IF* you find a car using one of these
      *IF* you can hack up the API
      *IF* you have the time alone with the car to get into it and “hotwire” the remote starter / vehicle without being noticed
      It may be serious.
      *IF* your assumptions about how *these particular systems* work are correct. (For example w/ certain GM vehicles & the Viper kit it is leveraging GMLAN messaging to initiate the “out of the box” remote start functionality and would require a real key to be present when the driver puts his foot on the brake/presses the start button or it will shut off. In this case hotwiring the Viper brake pedal sensor would be meaningless, though that could work for other vehicles)

      On the other hand, someone can come up with a flat bed under the guise of a towing company and just haul your vehicle away to wherever they want and its gone.

      Once again, I’m definitely not trying to excuse crappy software design by these companies, but let’s not blow this out of proportion…

  4. Any tow truck driver / police officer / locksmith / or anyone with an eBay/Amazon account can get tools to easily open doors w/o breaking windows, etc. A lot of people also (surprisingly) leave their doors unlocked……. Even if the car is locked and the attacker can’t get inside, they can literally just hide by the car. A knife wielding person bent on attacking you isn’t going to give if they can’t get in your car….

    In regards to your comment about the company being more secure, I’ve literally stated that in every reply. I’m simply stating that we don’t need to get over dramatic about the impact of some of these vulnerabilities.

    I guess it’s cool if you want to get your story covered on a bunch of websites, but ……..

    1. The lady doth protest too much, methinks. Can you elaborate on what your involvement is with aftermarket car alarms?

      To break into most modern vehicles, I would need to:
      1. Locate the target vehicle
      2. Disable the alarm
      3. Access the passenger compartment
      4. Bypass the immobiliser
      5. Start the vehicle.

      We would call this an attack chain. From an attacker’s perspective, if security controls around any of these fail, our car theft becomes easier. We don’t need the entire chain to fail (even though it did), we just need the attack to become feasible without too high a cost. If steps 1-3 are enabled by this attack, I can now comfortably sit in the passenger compartment and spend time performing steps 4-5. This is a serious erosion of security.

      For the vehicles tested, the remote start allowed the vehicle to be driven away. On speaking with another researcher in the US (working on another system), he can bypass controls designed to stop the engine. So these controls you mention are ineffective.

      These alarms are designed to make it harder to steal your car. They made it easier. This is a very simple fact, which I can’t see any way of disputing.

      1. Slimjim and a slidehammer still works on most models. You’re living in a fantasy world. This article takes advantage of the techno-illiterate. No difference between this article and MOMO.

        Cyborgibbons is elite haxxor
        He does not forgive
        He does not forget
        Expect Cyborgibbons in your driveway launching an attack on your ’06 Honda

        1. This strawman you have put up is barely worth responding to, but it’s worth it for other people reading the comments.

          Slimjims don’t work on “most models”. Slimjims haven’t worked on most cars for a long time. You’ve already shown yourself to be about 10 years behind.

          We aren’t talking about 12 year old cars here. These alarms get fitted to high end vehicles, which are where car thieves in the UK focus their efforts as it is where the profit is.

          Car thieves use some of the most advanced electronic attacks we see.

          There are relay boxes:

          I mean – they could just use a slimjim, right? Must be #FakeNews!

          Then there are the attacks to add fobs to vehicles either by OBD-II or CAN:
          https://www.extremetech.com/extreme/132526-hack-the-diagnostics-connector-steal-yourself-a-bmw-in-3-minutes

          I mean, why aren’t they just using a slide hammer?
