Defect in car security system aids carjackers, thieves
Since 2016, there have been multiple instances of attacks on keyless entry car-locks, and there's a burgeoning industry of expensive ($5000) aftermarket alarm systems that are billed as protecting your car from these radio attacks on its security.
Pen-Test Partners evaluated several of these systems and found that the two leading models, Pandora and Viper (AKA "Clifford"), were very defective, with a mix of vulnerabilities that allow attackers to track cars in real time, extract the car's and its owner's details, disable the alarm, remotely enable/disable the immobilizer, stop the car while it's in motion, eavesdrop on the in-car mic, and even steal the car.
Pen-Test Partners attacked the companies' APIs, which allow their apps to communicate with and configure the in-car systems; by modifying the parameters in API calls, they were able to hijack users' accounts, changing the associated email and password. Once that is done, "It's possible to geo-locate and follow a specific vehicle, then cause it to stop and unlock the doors."
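The class of flaw described above, shown from the defender's side as an added example that is not the vendors' code or part of the original article: an account-update handler that trusts a client-supplied identifier, next to one that binds the change to the authenticated session and re-checks the current password. All function names, parameter names and sample accounts are hypothetical.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    # Salted, slow password hash for the sample accounts.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(email, password):
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "pw": _hash(password, salt)}

def sample_users():
    # Constructed sample data: two accounts keyed by user id.
    return {1: make_user("owner@example.test", "owner-pw"),
            2: make_user("other@example.test", "other-pw")}

def update_account_vulnerable(users, session_user_id, params):
    """Trusts the 'id' request parameter, so any logged-in user can
    rewrite the email on any other account."""
    target = users[int(params["id"])]
    target["email"] = params["email"]
    return True

def update_account_hardened(users, session_user_id, params):
    """Takes the target from the session, never from the request body,
    and requires the current password before changing recovery details."""
    # 1. Object-level authorization: an id that is not the caller's is rejected.
    if str(params.get("id", session_user_id)) != str(session_user_id):
        return False
    target = users[session_user_id]
    # 2. Step-up check: a stolen session alone cannot change the email.
    supplied = _hash(params.get("current_password", ""), target["salt"])
    if not hmac.compare_digest(supplied, target["pw"]):
        return False
    target["email"] = params["email"]
    return True
```
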
There's plenty of room for research on even more extravagant attacks: the alarm systems interface with cars' internal networks over the CAN bus -- a common data infrastructure system that all the car's subsystems use to talk to each other.
Pen-Test Partners estimates that $150B worth of cars are exposed via these flaws -- about 3M high-end cars.
This is a superb example of how security systems can expose users to risk: once you design a system that treats the person using it as an adversary and a remote party as trusted, then, by design, a remote party who compromises the system can attack the person who's using it.
Original Link: http://feeds.boingboing.net/~r/boingboing/iBag/~3/l0IyShoW00E/pandora-and-viper.html