A tidal wave of smart devices, shorthand for Internet of Things devices, is crashing all around us. They are here, and this new wave of technology will eventually become ubiquitous.
But don’t believe it when a vendor says their smart devices are unhackable. There are many ways of characterising smart devices and one of them is poor security.
Two of the world’s largest car alarm manufacturers recently proved this point, albeit inadvertently.
Viper, known as Clifford in the UK, and Pandora Car Alarm Systems have something like three million customers between them. Some security researchers recently tested these smart car alarms.
The results don’t inspire confidence. They discovered straightforward vulnerabilities in both alarms’ APIs, which knit together a vehicle’s existing smart features with the smart alarms.
The researchers probed these vulnerabilities and were able to tamper with existing smart parameters, reset user credentials, hijack accounts and more.
- The vehicle type and owner's details could be stolen, a car could be unlocked, the alarm disabled, the vehicle tracked, microphones compromised and the immobilizer hijacked.
- In Viper's case, an API parameter was improperly validated, which gave attackers the ability to compromise user accounts. The research team found that the same bug could also be used to compromise the vehicle's engine system.
- The Pandora alarm can be used to make SOS calls in cases of emergency. This is why it is fitted with a microphone. But because of the flaw, the microphone could be used for snooping.
- In Pandora’s case, cyberattacks could also result in the car engine being killed during use. The engine-kill feature is designed for use if a car is stolen, which makes sense, as long as it isn’t hacked. But in the hands of an attacker it could be deadly. Imagine hurtling down a motorway, the engine suddenly cuts out and there’s a 44-ton truck sitting right behind you.
Unfortunately for Pandora, it had claimed on its website that its smart alarms were unhackable. That said, once the researchers informed the company, it swiftly deleted this grandiose claim from its website.
Also, both companies responded quickly and fixed the vulnerable APIs as soon as they were informed, which is encouraging.
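The kind of server-side check whose absence lets a tampered API parameter change another user's account, shown here as an added example that is not taken from the researchers or from either vendor. The handler names, the `id` and `email` parameters and the in-memory store are all hypothetical, since the article does not describe the real request format.

```python
# Added example: hypothetical account-update handlers, not vendor code.
from dataclasses import dataclass

@dataclass
class Account:
    user_id: int
    email: str

class Forbidden(Exception):
    """Raised when a request targets an account the caller does not own."""

def make_store():
    # Constructed sample data: two unrelated customers.
    return {1: Account(1, "alice@example.test"),
            2: Account(2, "bob@example.test")}

ALLOWED_PARAMS = {"id", "email"}

def update_account_weak(store, session_user_id, params):
    """Weak form: the target account comes from the client-supplied 'id'."""
    target = store[int(params["id"])]   # no ownership check
    target.email = params["email"]      # a changed email enables a password reset
    return target

def update_account_checked(store, session_user_id, params):
    """Hardened form: the target is bound to the authenticated session."""
    unexpected = set(params) - ALLOWED_PARAMS
    if unexpected:
        raise ValueError(f"unexpected parameters: {sorted(unexpected)}")
    # Reject any client-supplied id that differs from the session's user.
    if "id" in params and str(params["id"]) != str(session_user_id):
        raise Forbidden("id parameter does not match authenticated user")
    email = params.get("email", "")
    if "@" not in email or len(email) > 254:
        raise ValueError("invalid email")
    target = store[session_user_id]     # never looked up from request data
    target.email = email
    return target

if __name__ == "__main__":
    store = make_store()
    request = {"id": "2", "email": "changed@example.test"}  # sent by user 1
    update_account_weak(store, 1, dict(request))
    print("weak handler, account 2 email:", store[2].email)
    store = make_store()
    try:
        update_account_checked(store, 1, dict(request))
    except Forbidden as exc:
        print("checked handler rejected request:", exc)
```
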
We may not be seeing real world cyberattacks on cars yet, but given the pace of smart device adoption it’s something any sensible person wouldn’t bet against.