Car alarms with security flaws put 3 million vehicles at risk of hijack

[InfoSec News <alerts () infosecnews org>]

https://techcrunch.com/2019/03/07/car-alarms-flaw-hijack/

By Zack Whittaker
TechCrunch
March 7, 2019

Two popular car alarm systems have fixed security vulnerabilities that allowed 
researchers to remotely track, hijack and take control of vehicles with the 
alarms installed.

The systems, built by Russian alarm maker Pandora and California-based Viper 
(or Clifford in the U.K.), were vulnerable to an easily manipulated server-side 
API, according to researchers at Pen Test Partners, a U.K. cybersecurity 
company. In their findings, posted Friday, the API could be abused to take 
control of an alarm system’s user account — and their vehicle.

It’s because the vulnerable alarm systems could be tricked into resetting an 
account password because the API was failing to check if it was an authorized 
request, allowing the researchers to log in.

Although the researchers bought alarms to test, they said “anyone” could create 
a user account to access any genuine account or extract all the companies’ user 
data.

The researchers said some three million cars globally were vulnerable to the 
flaws (since fixed).

[...]

--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_