
Smart ‘unhackable’ car alarms open the doors of 3 million vehicles to hackers

March 8, 2019
in Internet Security

Calling a product “smart” and “unhackable” does not magically make it so, as two of the largest vendors of car alarms in the world have now found out.

Viper — known as Clifford in the United Kingdom — and Pandora Car Alarm System, which cater for at least three million customers between them, recently became the topic of interest to researchers from Pen Test Partners.

On Friday, the cybersecurity researchers published their findings into the true security posture of these so-called smart alarms and found them falling woefully short of the vendors’ claims.

Not only could compromising the smart alarms result in the vehicle type and owner’s details being stolen, but the car could be unlocked, the alarm disabled, the vehicle tracked, microphones compromised, and the immobilizer hijacked.

In some cases, cyberattacks could also result in the car engine being killed during use, which in a real-world scenario could result in serious injury or death.

Both companies claimed their products were “smart,” and Pandora went so far as to say that its smart alarm systems were “unhackable.” (This claim has since been whipped off the vendor’s website.)


As shown in the video below, such bold assertions will only entice cybersecurity experts to prove you wrong.

What makes the situation even worse is how easy it was for Pen Test Partners to refute these lofty statements.

The discovery of simple, relatively straightforward vulnerabilities in the products’ API, known as insecure direct object references (IDORs), permitted the researchers to tamper with vehicle parameters, reset user credentials, hijack accounts, and more.

In Viper’s case, a third-party company called CalAmp provides the back-end system. A security flaw in the ‘modify user’ API parameter leads to improper validation, which in turn permits attackers to compromise user accounts.

The research team found that the same bug could be used to compromise the vehicle’s engine system.
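
The IDOR pattern described above, as an added example that is not code from the article, Pen Test Partners, or either vendor: a 'modify user' handler that trusts the user id supplied in the request, beside a version that checks it against the authenticated session. All function names, ids and fields are hypothetical, and the user store is constructed.

```python
"""Object-level authorization for a 'modify user' API call (constructed example)."""

# Constructed in-memory user store; ids, fields and values are hypothetical.
def make_users():
    return {
        101: {"email": "alice@example.test", "role": "owner", "vehicle": "VIN-A"},
        102: {"email": "bob@example.test", "role": "owner", "vehicle": "VIN-B"},
    }

EDITABLE_FIELDS = {"email"}  # fields a user may change on their own record


class Forbidden(Exception):
    """Raised when the caller is not allowed to touch the target object."""


def modify_user_vulnerable(users, session_user_id, target_user_id, changes):
    # IDOR: the target id comes straight from the request and is never
    # compared with the authenticated session, so any caller can edit anyone.
    users[target_user_id].update(changes)
    return users[target_user_id]


def modify_user_checked(users, session_user_id, target_user_id, changes):
    # 1. Object-level check: the session may only modify its own record.
    if session_user_id != target_user_id:
        raise Forbidden("session does not own target user")
    # 2. Field allow-list: reject attempts to set fields such as role or vehicle.
    illegal = set(changes) - EDITABLE_FIELDS
    if illegal:
        raise Forbidden(f"fields not editable: {sorted(illegal)}")
    users[target_user_id].update(changes)
    return users[target_user_id]


def demo():
    """Run the same cross-account request against both handlers."""
    results = {}
    users = make_users()
    modify_user_vulnerable(users, 101, 102, {"email": "changed@example.test"})
    results["vulnerable_changed_other"] = users[102]["email"] == "changed@example.test"
    users = make_users()
    try:
        modify_user_checked(users, 101, 102, {"email": "changed@example.test"})
        results["checked_blocked"] = False
    except Forbidden:
        results["checked_blocked"] = True
    results["other_untouched"] = users[102]["email"] == "bob@example.test"
    return results
```

The check has to live in the server-side handler for every API function, including ones the mobile app never exposes in its UI.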

“Promotional videos from Pandora indicate this is possible too, though it doesn’t appear to be working on our car,” Pen Test Partners said. “The intention is to halt a stolen vehicle. Except, using the account takeover vulnerability in the mobile app, one could kill the engine of any car fitted with these alarms. The functionality wasn’t present in the Viper mobile app UI, but was supported in the API.”

When it comes to Pandora, the IDOR is based on a POST request which also results in account compromise, alongside substantial data leaks. There was another attack vector of interest in this product, too, based on the Pandora alarm’s ability to make SOS calls in cases of emergency.

In order to send out cries for help, the alarm is fitted with a microphone — and due to the API security flaw, this component can be accessed and enabled remotely for snooping purposes.

Given the severity of these security problems and the three million customers potentially impacted, Pen Test Partners chose to scrap its standard 90-day disclosure period in favor of a week.

To their credit, Pandora and Viper responded quickly and managed to fix the vulnerable APIs within the time period on offer.

The lesson here is that despite a lack of evidence that real-world attacks are taking place against vehicle owners, it may only be a matter of time before security flaws in our connected cars become a risk to driver safety.

Cybersecurity is not a laughing matter, and any company that claims to offer “unhackable” devices is only opening itself up to mockery, but better that than a future lawsuit when a lack of due security diligence results in accidents or injury.

“One would expect that a manufacturer of alarms, designed to make our vehicles more secure, would have carried out a degree of due diligence prior to taking their products to market,” the researchers concluded. “These alarms did not add any additional security to protect against key relay attacks, and before they were fixed they actually exposed the owners to additional attacks and compromised their safety.”
