Security flaws in car alarms could put 3 million vehicles at risk
Cyber security firm called hacking some of the most popular alarms in the UK ‘trivially easy’
Millions of vehicles worldwide could be at risk from criminals exploiting their connected car alarms, risking exposing the owner’s details, disabling the alarm, unlocking the car or even having the engine remotely stopped.
That’s according to Pen Test Partners (PTP), a cyber security and penetration testing firm. It tested two well-known brands of alarm, which use a companion smartphone app for control and access: Pandora and Viper (known as Clifford in the UK), which between them are fitted to three million vehicles.
The firm’s interest was piqued in Pandora as the vendor described its alarm as ‘unhackable’. Despite the lofty claim, PTP found that it was possible to update the email address associated with the account without proper authentication, send a password reset email, and gain access.
Once in, hackers were able to locate and follow a vehicle, cause it to stop and unlock the doors. “Hijack of the car and driver is trivially easy,” the firm wrote in its report.
The same vulnerability was found in Viper/Clifford alarms, and the firm noted that it’s not even necessary to buy either product to gain access – test and demo accounts can be created by anybody.
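As an added illustration, not code from PTP’s report or from either vendor’s product, the following constructed Python model shows the authorisation gap described above: an e-mail-update handler that trusts the account id supplied in the request lets any logged-in user, including a self-registered demo account, redirect another account’s password-reset mail, while the fixed handler checks the session against the target account. All class and function names, ids and addresses are assumptions.

```python
# Constructed model of a mobile-app account API; not any vendor's real code.
from dataclasses import dataclass

@dataclass
class Account:
    user_id: int
    email: str

@dataclass
class Session:
    user_id: int  # the account this session was authenticated as

class AuthorizationError(Exception):
    pass

class AccountService:
    def __init__(self, accounts):
        self.accounts = {a.user_id: a for a in accounts}
        self.reset_mails_sent = []  # (user_id, address) of reset mails sent

    def update_email_vulnerable(self, session, target_user_id, new_email):
        # Trusts the user_id in the request and never compares it with the
        # session, so any logged-in (even demo) user can rewrite any account.
        self.accounts[target_user_id].email = new_email
        return True

    def update_email_fixed(self, session, target_user_id, new_email):
        # Object-level authorisation: the session must belong to the
        # account being modified, regardless of what the request claims.
        if session.user_id != target_user_id:
            raise AuthorizationError("session not authorised for this account")
        self.accounts[target_user_id].email = new_email
        return True

    def request_password_reset(self, user_id):
        # The reset mail goes to whatever address is on the account now.
        addr = self.accounts[user_id].email
        self.reset_mails_sent.append((user_id, addr))
        return addr

def reset_mail_redirected(service, handler):
    """Regression check: can a demo user (id 99) redirect account 1's reset mail?"""
    demo = Session(user_id=99)
    try:
        handler(demo, 1, "redirected@example.invalid")
    except AuthorizationError:
        return False
    return service.request_password_reset(1) == "redirected@example.invalid"
```

The `reset_mail_redirected` check is the kind of test a vendor would keep after the fix so the authorisation check cannot silently regress.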
“In both cases, one can select a vehicle of interest,” wrote the firm. They then demonstrated how it was possible to locate the car in real-time, and follow it in a chase vehicle, before setting the alarm’s siren and flashers off.
“The driver now pulls over to investigate. We set the immobiliser, so they can’t drive off. We have already removed their access to the alarm account, so they can’t reset the immobiliser.
“We can also clone the alarm key fob using the app… now we can unlock the doors to the car.”
Other vulnerabilities included the Pandora alarm’s built-in microphone, which could be used to listen in to conversations in the car; it was even possible to kill the car’s engine remotely.
However, the ‘scary’ part, according to the firm, is to do with the way the alarms are fitted. They’re wired to the vehicle’s CAN bus, which is a chip that interfaces with other systems in the car. It’s vehicle-specific, but the firm found that they could remotely modify the cruise control speed in several big-selling vehicles.
Since PTP exposed the vulnerabilities, Directed, the parent brand for the Viper and Clifford system, admitted the flaws could have exposed customer accounts. It added that it did not believe any data had been accessed, and said the flaw had now been fixed.
Pandora said it had made changes to the code and upgraded security to remove the ‘pain point’.