Security researchers from Pen Test Partners discovered vulnerabilities in alarm systems by Pandora and Viper. The two companies are among the biggest names in the smart car alarm business, and the security flaw may have left up to 3 million cars open to attacks by hackers. Smart car alarms offer the convenience of locking and unlocking cars using a smartphone app and they also alert users when anyone tries to break in.
While Viper did not respond to the security report, Pandora claims that the company uses dialog code making attacks impossible. However, Ken Munro, founder of Pen Test Partners, revealed that attackers did not need to hack the alarm system itself to gain access as there are loopholes in the mobile apps to take advantage of.
The report states that both smart alarm manufacturers failed to implement proper authentication methods in the API. Simply requesting a password change via a host URL allow the security researchers to break into the authentication system and change user passwords. The entire process can be replicated without users finding out making it a very dangerous exploit.
According to Pen Test Partners, the alarm systems are typically seen in high-end cars only which are not difficult to identify. The exploits can allow hackers to shut down the engine of a car, lock doors, track vehicles and unlock doors. With Pandora’s alarm systems coming equipped with microphones, hackers can even tune in to conversations happening inside the cars. Pandora and Viper have still not patched the alarm systems, leaving millions of users exposed to attacks despite the warnings by the security researchers.
What do you think about the security flaws found in Pandora and Viper smart alarm systems? Let us know in the comments below and share your thoughts below or on our socials at Facebook and Twitter.