While car alarms are meant to provide sound safety in keyless cars, they may not be fully safe against cyber attacks. One recent PoC exploit by security firm Pen Test Partners showed that certain car alarms had critical vulnerabilities that allowed anyone to take complete control of compromised vehicles. As a consequence, these vehicles could easily be stolen.
The big picture
Why this matters - It was discovered that this insecure direct object reference (IDOR) flaw could allow attackers to kill the engine while the vehicle is in motion.
“Except, using the account takeover vulnerability in the mobile app, one could kill the engine of any car fitted with these alarms. The functionality wasn’t present in the Viper mobile app UI, but was supported in the API,” the blog by Pen Test Partners pointed out.
The firm’s experts also observed that the microphones present in the alarms were vulnerable and could be snooped on. Apart from this, the messaging interface in Pandora alarms had severe security issues in its functionality, which were specific to each car. All in all, Pen Test Partners has informed these vendors of the issue and has given them seven days to either mitigate it or remove the flawed API.