Pen testing isn’t about evaluating inks. It is short for penetration testing — someone ensuring a system’s security by trying to break in or otherwise attack it. A company called Pen Test Partners made the news last week by announcing that high-end car alarm systems made by several vendors have a critical security flaw that could make the vehicles less secure. They claim about three million vehicles are affected.
The video below shows how alarms from Viper/Clifford and Pandora have a simple way to hijack the application. Once they have access, they can find the car in real time, control the door locks, and start or stop the car engine. They speculate a hacker could set off the alarm from a nearby chase car. You’d probably pull over if your alarm started going off. They can then lock you in your car, approach, and then force you out of the car.
Apparently, some of the alarms even have microphones so you could listen in on what’s happening in a target’s car. Starting the engine would allow you to burn gas or fill someone’s garage with carbon monoxide, too.
What started all this? The team noticed that Pandora claims their alarms are “unhackable.” That’s hard for a hacker to ignore, of course. According to the posting:
Amazingly, the vulnerabilities are relatively straightforward insecure direct object references (IDORs) in the API.
Simply by tampering with parameters, one can update the email address registered to the account without authentication, send a password reset to the modified address (i.e. the attacker’s) and take over the account.
For the Viper alarms, the modify user request isn’t validated at the server, so if you form the right HTTP request, you can change any user’s password. The Pandora system lets you change the user’s e-mail address to your own. Then you can reset the password and that’s that. In some cases, it appears that control of the alarm would allow you to send commands on the CAN bus and that could allow you to have a tremendous amount of control of the car.
As ethics demand, the group notified the vendors and supposedly the holes have been plugged. Sometimes you hear about a hack that requires some very exotic work, but these were trivially simple. It is unknown if anyone ever used these hacks in a bad way, but it was certainly a real possibility.