'Unhackable' smart vehicle alarms could be used to steal expensive cars, warn researchers

Some smart car alarms can come with serious vulnerabilities

Researchers at UK security firm Pen Test Partners claim that a number of supposedly smart car alarms come with serious security vulnerabilities - security flaws that could make it easy for hackers to steal high-end cars.

Pen Test Partners carried out the research for the BBC's Click technology programme. The research team spent about $5,000 to buy and install smart alarms on cars to demonstrate their proof of concept.

They examined several third-party smart car alarms for security flaws and found that smart alarms offered by two firms in particular - Pandora and Viper (known as Clifford in the UK) - are easily hackable, exposing almost three million cars to theft.

The alarm systems, rather than improving security, actually enable attackers to take control of connected cars via their accompanying smartphone apps

The team found that the vulnerabilities in products being offered by Pandora and Viper are easy to find. By exploiting those vulnerabilities, the researchers were able to activate and deactivate the alarms, unlock car doors and even start or kill the engine remotely.

Exploiting the flaws also enabled researchers to trace the location of the vehicle in real time and to identify the make and model.

Both Viper and Pandora had claimed that their products were "smart", and Pandora went as far as to describe its alarm system as "unhackable".

According to researchers, the alarm systems, rather than improving security, actually enable attackers to take control of connected cars via their accompanying smartphone apps.

The apps' APIs failed to appropriately authenticate requests to change the email address or password

The vulnerabilities, called insecure direct object references (IDORs), are embedded in the products' API and permit anyone to modify system parameters, change user credentials, and hijack accounts. For Viper, a third-party firm called CalAmp provides the back-end system.

The researchers also claimed that the apps' APIs failed to appropriately authenticate requests to change the email address or password, enabling third parties to take full control of the account.

"Both products allow anyone to create a test/demo account. With that demo account it's possible to access any genuine account and retrieve their details," the researchers revealed.

Both products allow anyone to create a test/demo account. With that demo account it's possible to access any genuine account

Pen Test Partners team reported the vulnerabilities to both companies, giving them a week to fix or take down the vulnerable APIs.

Pandora's representative responded in around 48 hours, and the flaws were fixed within 24 hours. Viper also fixed the highlighted vulnerabilities within a few days.