Smart alarms left 3 million cars vulnerable to hackers who could turn off motors

Ring the alarm.

Two popular smart alarm systems for cars had major security flaws that allowed potential hackers to track the vehicles, unlock their doors and, in some cases, cut off the engine.

The vulnerabilities could be exploited with two simple steps, security researchers from Pen Test Partners, who discovered the flaw, said Friday.

The problems were found in alarm systems made by and Pandora Car Alarm System, two of the largest smart car alarm makers in the world. The two brands have as many as 3 million customers between them and make high-end devices that can cost thousands. Like other smart devices, smart car alarms offer people convenience, allowing owners to find their cars from a distance and unlock their doors from their phones .

Pen Test Partners said it reached out to Viper and Pandora in late February and the companies fixed the security issues in less than a week. They had discovered the flaws last October.

Watch this: Biggest hacks of 2018

03:26

In a statement from Directed Electronics, which owns Viper, the company said it didn't believe the vulnerability was used maliciously. 

"We immediately worked with our service provider to diagnose and correct this security issue. After investigation, we concluded that this vulnerability was an unintentional result of a recent system update made by our service provider," the company said in a statement.

Pandora did not respond to a request for comment. 

Like smart locks, TVs and cameras, smart car alarms are susceptible to cyberattacks and security flaws. The growth of smart devices, which integrate connected technology into everyday devices, has made the internet of things an easy target and created a new type of security threat. 

On Pandora's website, the company boasts it "uses a dialog code it is impossible to hack it -- nobody did it yet and for sure nobody will."
But Ken Munro, founder of Pen Test Partners, figured out that his team didn't need to hack the smart alarm itself because the Pandora app left a large opening. The researcher found a similar problem with Viper's app.

Both apps' API didn't properly authenticate for update requests, including requests to change the password or email address.

Munro said that all his team needed to do was send the request to a specific host URL and they were able to change an account's password and email address without notifying the victim that anything happened.

Once they had access to the account, the researchers had full control of the smart car alarm. This allowed them to learn where a car was and unlock it. You don't have to be near the car to do this, and the accounts can be taken over remotely, Munro said.

Safety risk

Potential attackers could also use the apps' API to target specific types of cars, the security researcher added.

"Typically these alarms are fitted to expensive vehicles," he said in a message. "One can hunt down all the supercars."

In a demo, Munro tracked down a test Range Rover on which his team had installed Viper's smart car alarm system. The vehicle was moving at 54 miles per hour when the team chased it down in a separate car. They used an app belonging to the driver and set off the car's alarms remotely.
When the surprised driver, who knew the alarm had been installed but didn't know how Munro's team would use it, pulled over, Munro cut off the car's engine using the app. The engine cutoff was originally a security feature to stop stolen cars from being driven off, but Munro's team found it could also cut off an engine while a car is still moving.

"The safety implications of this are very concerning," Munro said in a blog post.

Pandora's alarm system also contained a microphone that would've allowed potential hackers to listen in on live audio, the security company found.
The vulnerabilities didn't take much for Pen Test Partners to find, but had massive potential to cause harm, Munro said.
"So simple, so serious," he said.

Originally published March 7 at 11:06 p.m. PT. 
Updated March 8 at 6:06 a.m. PT: Added Viper's response.