March 11, 2019 02:06 pm PDT

Defect in car security system aids carjackers, thieves

Since 2016, there have been multiple instances of attacks on keyless entry car-locks, and there's a burgeoning industry of expensive ($5000) aftermarket alarm systems that are billed as protecting your car from these radio attacks on its security.

Pen-Test Partners evaluated several of these systems and found that the two leading models, Pandora and Viper (AKA "Clifford"), were very defective, with a mix of vulnerabilities that allow attackers to track cars in real time, extract the car's and its owner's details, disable the alarm, remotely enable/disable the immobilizer, stop the car while it's in motion, eavesdrop on the in-car mic, and even steal the car.

Pen-Test Partners attacked the companies' APIs, which allow their apps to communicate with and configure the in-car systems; by modifying the parameters in API calls, they were able to hijack users' accounts, changing the associated email and password. Once that is done, "It's possible to geo-locate and follow a specific vehicle, then cause it to stop and unlock the doors."
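The defense against this kind of parameter tampering is a server-side check that ties the account being modified to the authenticated session. The following is an added example, not code from Pen-Test Partners or either vendor; it assumes the flaw is the common pattern where the server acts on a client-supplied account id, and the handler names, parameters and data are hypothetical.

```python
import hmac

# Constructed sample data (hypothetical): two accounts and one logged-in session.
# A real service stores password hashes; plaintext is used only to keep this short.
USERS = {
    1001: {"email": "owner@example.test", "password": "owner-pw"},
    1002: {"email": "other@example.test", "password": "other-pw"},
}
SESSIONS = {"token-for-1002": 1002}  # session token -> authenticated user id


def update_email_vulnerable(token, params):
    """Trusts the account id sent by the client: any valid session can edit any account."""
    if token not in SESSIONS:
        return 401
    USERS[int(params["id"])]["email"] = params["email"]
    return 200


def update_email_hardened(token, params):
    """Takes the target account from the session and requires the current password."""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401
    # Object-level authorization: an id that differs from the session's user is refused.
    if "id" in params and str(params["id"]) != str(caller):
        return 403
    # Changing a recovery credential needs proof of knowledge of the current password.
    supplied = str(params.get("current_password", "")).encode()
    if not hmac.compare_digest(supplied, USERS[caller]["password"].encode()):
        return 403
    USERS[caller]["email"] = params["email"]
    return 200


if __name__ == "__main__":
    tampered = {"id": "1001", "email": "changed@example.test",
                "current_password": "other-pw"}
    print("hardened:", update_email_hardened("token-for-1002", tampered))      # 403
    print("vulnerable:", update_email_vulnerable("token-for-1002", tampered))  # 200
    print("owner email is now:", USERS[1001]["email"])
```

Logging the 403 responses from the hardened handler also gives operators a signal that someone is probing other users' account ids.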

There's plenty of room for research on even more extravagant attacks: the alarm systems interface with cars' internal networks over the CAN bus -- a common data infrastructure system that all the car's subsystems use to talk to each other.

Pen-Test Partners estimates that $150B worth of cars are exposed via these flaws -- about 3M high-end cars.

This is a superb example of how security systems can expose users to risk: once you design a system that treats the person using it as an adversary and a remote party as trusted, then, by design, a remote party who compromises the system can attack the person who's using it.


Original Link: http://feeds.boingboing.net/~r/boingboing/iBag/~3/l0IyShoW00E/pandora-and-viper.html
