- Car alarms by British vendors Pandora and Clifford were found to have an IDOR flaw in the alarms’ API.
- The flaw can let attackers stop cars while they are running and help them steal vehicles.
While car alarms are meant to provide added security for keyless cars, they may not be safe against cyber attacks. A recent PoC exploit by security firm Pen Test Partners showed that certain car alarms had critical vulnerabilities that allowed anyone to take complete control of affected vehicles. As a consequence, these vehicles could easily be stolen.
The big picture
- A serious security flaw existed in car alarms made by Pandora and Clifford: an Insecure Direct Object Reference (IDOR) in the API.
- The flaw was in the backend of the alarm’s mobile app, which was provided by a third party.
- A ‘modify user’ request in that API was not correctly validated, which is what produced the IDOR.
- Altering the parameters of this request lets an attacker change an account’s email address, bypassing authentication; once that is done, the attacker can take over the account simply through a password reset.
- Compromised accounts can then be used to geo-locate vehicles, stop them, or lock and unlock their doors.
- Other details, such as the make and model of the vehicle, could also be obtained.
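To make the flaw concrete, here is an added Python illustration (not Pen Test Partners’ code, nor the vendors’ actual API) of a ‘modify user’ handler that trusts a client-supplied user id, beside a hardened version that authorizes against the session and logs mismatches; all user ids and e-mail addresses are constructed placeholders.

```python
# Added illustration, not Pen Test Partners' code or the vendors' API: a minimal
# in-memory "modify user" handler with the IDOR described above, beside its fix.
# User ids and e-mail addresses are constructed placeholders.
from dataclasses import dataclass

@dataclass
class User:
    user_id: int
    email: str

def make_store():
    # constructed sample data: one victim account (1) and one attacker account (2)
    return {1: User(1, "owner@example.invalid"), 2: User(2, "attacker@example.invalid")}

def modify_user_vulnerable(store, session_user_id, body):
    # IDOR: the record to update comes from the request body; the server only
    # checks that *some* user is logged in, not that the caller owns that record.
    if session_user_id not in store:
        return 401
    target = store.get(body["user_id"])
    if target is None:
        return 404
    target.email = body["email"]  # victim's account now points at the attacker's mailbox
    return 200

def modify_user_hardened(store, session_user_id, body, audit):
    # Fix: authorize against the authenticated principal, never the client-supplied
    # id, and log mismatches so attempts show up in monitoring.
    if session_user_id not in store:
        return 401
    if body["user_id"] != session_user_id:
        audit.append(f"IDOR attempt: session={session_user_id} target={body['user_id']}")
        return 403
    store[session_user_id].email = body["email"]
    return 200

def reset_mail_destination(store, user_id):
    # Where a password-reset link would be delivered; after a successful IDOR this
    # is the attacker's mailbox, which is what completes the account takeover.
    return store[user_id].email

def demo(hardened):
    # Attacker (session 2) tries to re-point the victim's (1) e-mail to their own.
    store, audit = make_store(), []
    body = {"user_id": 1, "email": "attacker@example.invalid"}
    if hardened:
        status = modify_user_hardened(store, 2, body, audit)
    else:
        status = modify_user_vulnerable(store, 2, body)
    return status, reset_mail_destination(store, 1), len(audit)
```

Running `demo(False)` shows the reset link landing in the attacker’s mailbox; `demo(True)` returns 403, leaves the owner’s address intact and produces one audit entry.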
Why this matters
- It was discovered that this IDOR flaw could allow attackers to kill the engine while the vehicle is in motion.
“Except, using the account takeover vulnerability in the mobile app, one could kill the engine of any car fitted with these alarms. The functionality wasn’t present in the Viper mobile app UI, but was supported in the API,” the blog by Pen Test Partners pointed out.
The firm’s experts also observed that the microphones in the alarm were vulnerable and could be snooped on. Apart from this, the messaging interface in Pandora alarms had severe security issues in functionality that was specific to each car. Pen Test Partners informed the vendors of the issues and gave them seven days to either mitigate them or remove the flawed API.