Security holes found in big-brand car alarms



According to researchers, security flaws in three specialist car alarms have left vehicles vulnerable to theft or hijacking.

The bugs were found in the alarm apps of Clifford, Viper and Pandora. The alarms are fitted to three million vehicles.

Security researchers exploited the bugs to activate car alarms, unlock vehicle doors, and start the engine through an insecure app.

The exposure prompted the companies to upgrade security to close the loopholes.

Alarms "unshakable"

The research was conducted for the BBC's Click technology program by security consultancy Pen Test Partners, which has extensive experience in discovering software vulnerabilities.

The firm focused on two well-known companies that produce alarms which can be accessed and controlled via smartphone applications: Pandora and Clifford (known in the US as Viper).

The research revealed that Pandora, which had announced that its system was "unshakable", allowed a user to reset the passwords of an account.

Pandora no longer claims that its system is inaccessible.

The password flaw gave researchers extensive access to the application. They could:

  • take control of the smart alarm's remote access application
  • track any vehicle in real time
  • activate the alarm remotely
  • open the locks
  • start the engine of a vehicle

The ethical hackers also looked at the smart alarms produced by Clifford, the market leader for third-party alarms in the UK.

The team found that it was possible to use a legitimate account to access other users' profiles, and then change the passwords for these accounts and take control of them.

"I could look at the system and look for a nice Lamborghini or a Porsche, locate one near me, go start this car if nobody is around, open the doors and leave," said Chris Pritchard, security consultant at Pen Test Partners.

Compromised account

Directed, the parent company of the brands Viper and Clifford, admitted that "the accounts of the customers could have been consulted without authorization … thanks to a recent update".

The company added that it did not believe that data had been accessed without authorization.

The security breach has now been corrected.

"Directed is committed to providing safe and secure products, but no system can be 100% safe," the company told Click.

In a statement, Pandora Alarms, based in Russia, which also sells products in the UK, said: "We have made changes to the code and improved security. The problem has been removed."


The company said that the key fob provided to owners with the alarms "would cancel any remote access through the application".

Technical errors

Professor Alan Woodward, a security expert at the Center for Cyber Security at the University of Surrey, said it was "disappointing" to see relatively simple flaws introduced by companies in the field of security.

"You would have thought that any company that claims safety is its core business would have done a thorough penetration test of the entire system," he said. "It's hard not to conclude that this has not been done here."

He added: "The problems were under the direct control of the company, and I fear that security researchers are still the only ones who hold these manufacturers accountable."

Professor Woodward said that businesses tend to spend a lot of time on "the forefront" applications viewed by users, but pay less attention to "the background", leaving programs open to security vulnerabilities.

"It should be the companies that pay for it, not the researchers who do it on the sidelines," he said.

The full BBC Click investigation into car alarm vulnerabilities is broadcast on BBC News Channel, iPlayer and BBC World News this Saturday and Sunday.