
3 Million Vehicles can be Hijacked via Car Alarm Apps

Up to three million vehicles fitted with Viper or Pandora car alarms could be hacked remotely due to an insecure direct object reference vulnerability in the associated applications. A hacker can take over a user account by initiating a password reset with any email address as the login ID. Due to improper authentication when changing login credentials, the new password would be issued to the newly furnished email address, thereby compromising the account. A hacker with access to the account can remotely start or stall the engine, lock or unlock the vehicle, and initiate the car alarm. The victim's privacy is also compromised, as the vehicle's location can be tracked via the application and in-car conversations can be recorded. Following responsible disclosure, Viper and Pandora swiftly fixed the vulnerability in their applications to prevent potential abuse.
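The flaw class described above, shown as an added example that is not code from Viper, Pandora or the original research: a credential-change handler that trusts the account id in the request, next to a hardened one that binds the id to the authenticated session, requires re-authentication and records denials. The account store, ids, addresses and function names are all hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Account:
    user_id: int
    email: str  # password resets are sent to this address

class AuthorizationError(Exception):
    """Raised when a request may not change the referenced account."""

def new_store():
    # Constructed sample data; the ids and addresses are placeholders.
    return {101: Account(101, "owner@example.com"),
            102: Account(102, "other@example.com")}

def change_email_vulnerable(store, session_user_id, target_user_id, new_email):
    # IDOR pattern: the account id supplied in the request is trusted as-is,
    # so the session identity plays no part in the decision.
    store[target_user_id].email = new_email
    return store[target_user_id].email

def change_email_hardened(store, session_user_id, target_user_id, new_email,
                          reauthenticated, audit):
    # 1. The caller must hold an authenticated session.
    if session_user_id is None:
        audit.append(("deny", "no-session", None, target_user_id))
        raise AuthorizationError("login required")
    # 2. The referenced object must belong to that session.
    if target_user_id != session_user_id:
        audit.append(("deny", "cross-account", session_user_id, target_user_id))
        raise AuthorizationError("account does not belong to this session")
    # 3. Credential changes need fresh proof of the current password.
    if not reauthenticated:
        audit.append(("deny", "no-reauth", session_user_id, target_user_id))
        raise AuthorizationError("re-authentication required")
    store[target_user_id].email = new_email
    audit.append(("allow", "email-changed", session_user_id, target_user_id))
    return store[target_user_id].email

def reset_destination(store, user_id):
    # A reset is delivered only to the address already on file.
    return store[user_id].email
```

The `cross-account` entries in the audit list are the signal worth alerting on, since a legitimate client never sends an account id other than its own.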

[1] Gone in Six Seconds? Exploiting Car Alarms

Ensign InfoSecurity Singapore
30A Kallang Place
Singapore 339213

Tel: +65 6788 2882
Fax: +65 6788 3883