Security flaws in three specialist car alarms have left vehicles vulnerable to being stolen or hijacked, say researchers.
The bugs were found in alarm apps by Clifford, Viper, and Pandora. The alarms are on three million vehicles.
The security researchers exploited the bugs to activate car alarms, unlock a vehicle's doors and start the engine via an insecure app.
The expose has prompted the firms to upgrade security to remove the flaws.
Alarms 'unhackable'
The research was carried out for the BBC's Click technology programme by security consultants Pen Test Partners, which has a long track record of uncovering software flaws.
The firm focussed on two well-known firms that produce alarms that can be accessed and controlled via smartphone apps - Pandora and Clifford (known in the US as Viper).
The research found that Pandora, which had advertised its system as "unhackable", allowed a user to reset account passwords for any account.
Pandora now no longer makes the claim that its system is unhackable.
The password flaw allowed researchers significant access to the app. They could:
- to take control of the smart alarm remote access app
- track any vehicle in real time
- remotely activate the alarm
- open the door locks
- start a vehicle's engine
The apps were taken apart by the ethical hackers
The ethical hackers also looked at smart alarms produced by Clifford, which is the market leader in third-party alarms in the UK.
The team found that it was possible to use a legitimate account to access other users' profiles and to then change the passwords for those accounts and take control.
"I could look on the system and look for a nice Lamborghini or a Porsche, locate one close to where I am, go and start that car if no one's around, open the doors and drive away" said Chris Pritchard, a security consultant at Pen Test Partners.
Account compromised
Directed, the parent company for the Viper and Clifford brands, admitted that "customers' accounts could have been accessed without authorisation... as a result of a recent update".
It added that the company did not believe any data had been accessed without authorisation.
The security flaw has now been fixed.
"Directed is committed to providing safe and secure products but no system can be 100% safe," it told Click.
In a statement, Russia-based Pandora Alarms, which also sells products in the UK, said: "We have made changes to the code and upgraded security. The pain point has been removed."
The researchers demonstrated how the apps could be exploited
It advised that the key fob provided to owners with the alarms "would override any remote access through the app".
Tech mistakes
Security expert Professor Alan Woodward from the University of Surrey's Centre for Cyber-Security said it was "disappointing" to see relatively simple flaws introduced by companies in the business of security.
"You would have thought any company claiming security as their core business would have done a thorough penetration test on the system as a whole," he said. "It's hard not to conclude that it was not done here."
He added: "The problems were within the direct control of the company. I fear that security researchers are yet again the only ones holding these manufacturers to account."
Prof Woodward said it had become a trend for companies to spend a great deal of time on the "front end" of the apps that users see, but pay less attention to the "back end" which leaves the programmes open to security flaws.
"It should be the companies paying for this, not researchers doing it as a sideline," he said.
Latest Stories
-
Morocco proposes family law reforms to improve women’s rights
1 minute -
Bawumia could have conceded defeat earlier – Omane Boamah
6 minutes -
Upper East, North East: PURC receives 591 complaints, resolves 550 in 2024
12 minutes -
Mozambique prison riot leaves 33 dead as civil unrest grips country
14 minutes -
Mahama vows to champion prosperity for youth and vulnerable
18 minutes -
Implement people-centred policies – Yagbonwura advises Mahama
18 minutes -
My team was against conceding early in elections – Bawumia
26 minutes -
CNML partners E&P to construct 4-kilometre bypass road in Talensi
27 minutes -
Jazz In January Festival here again
28 minutes -
4-year-old cured leper walks again after Bawumia sponsored her special surgery
4 hours -
Dorcas Affo-Toffey, earns dual Master’s Degrees in Energy, Sustainable Management, and Business Administration
5 hours -
T-bills auction: Government got GH¢21.5bn in November 2024, lower than target
8 hours -
Ghana to return to single digit inflation in quarter one 2026
8 hours -
Panama’s president calls Trump’s Chinese canal claim ‘nonsense’
9 hours -
Manmohan Singh, Indian ex-PM and architect of economic reform, dies at 92
9 hours