10 March 2019, 9:09 am

Security holes found in big brand car alarms

Security flaws in three specialist car alarms have left vehicles vulnerable to being stolen or hijacked, say researchers.
The bugs were found in alarm apps by Clifford, Viper, and Pandora. The alarms are on three million vehicles.
The security researchers exploited the bugs to activate car alarms, unlock a vehicle’s doors and start the engine via an insecure app.
The expose has prompted the firms to upgrade security to remove the flaws.
Alarms ‘unhackable’
The research was carried out for the BBC’s Click technology programme by security consultants Pen Test Partners, which has a long track record of uncovering software flaws.
The firm focussed on two well-known firms that produce alarms that can be accessed and controlled via smartphone apps – Pandora and Clifford (known in the US as Viper).
The research found that Pandora, which had advertised its system as “unhackable”, allowed a user to reset account passwords for any account.
Pandora now no longer makes the claim that its system is unhackable.
The password flaw allowed researchers significant access to the app. They could:
 to take control of the smart alarm remote access app
 track any vehicle in real time
 remotely activate the alarm
 open the door locks
 start a vehicle’s engine
 The ethical hackers also looked at smart alarms produced by Clifford, which is the market leader in third-party alarms in the UK.
 The team found that it was possible to use a legitimate account to access other users’ profiles and to then change the passwords for those accounts and take control.
 “I could look on the system and look for a nice Lamborghini or a Porsche, locate one close to where I am, go and start that car if no one’s around, open the doors and drive away” said Chris Pritchard, a security consultant at Pen Test Partners.

BBC