Vulnerabilities in third-party car alarms managed via their mobile applications were uncovered by security researchers at Pen Test Partners. The security flaws reportedly affect around 3 million cars that use these “smart” internet-of-things (IoT) devices. Here’s what you need to know about these vulnerabilities.
The vulnerabilities are insecure direct object references (IDORs) in the application programming interfaces (APIs) of the applications that manage the smart alarms’ features. An IDOR occurs when an unsecure application exposes a value, data, or reference to an internal component implemented by the application. An IDOR can, for example, leak information stored in an application’s back-end.
In the smart alarms’ case, the IDORs arise because the APIs don’t properly validate requests made to the applications. The vulnerabilities affecting the smart alarms have been disclosed to and fixed by the affected vendors.
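To illustrate the class of flaw described above, here is an added example (not code from the affected vendors or from the researchers) that shows an API handler that trusts an object ID as sent, next to a version that checks the ID against the authenticated session. All account names, tokens, alarm IDs and function names are hypothetical and constructed for the illustration.

```python
# Constructed sample data: which account owns which alarm unit (hypothetical IDs).
ALARM_OWNER = {"alarm-1001": "alice", "alarm-1002": "bob"}
ALARM_STATE = {"alarm-1001": "armed", "alarm-1002": "armed"}
SESSIONS = {"token-alice": "alice", "token-bob": "bob"}  # session token -> account


class Forbidden(Exception):
    """Raised when the caller is not authorized for the referenced object."""


def authenticate(token):
    """Resolve a session token to an account, or reject the request."""
    account = SESSIONS.get(token)
    if account is None:
        raise Forbidden("unknown session")
    return account


def set_state_vulnerable(token, alarm_id, state):
    """IDOR: the caller is authenticated, but alarm_id is trusted as sent."""
    authenticate(token)
    ALARM_STATE[alarm_id] = state  # no check that the caller owns alarm_id
    return ALARM_STATE[alarm_id]


def set_state_hardened(token, alarm_id, state):
    """Authorize the object reference against the session before acting."""
    account = authenticate(token)
    # Same error for "missing" and "not yours", so IDs cannot be enumerated.
    if ALARM_OWNER.get(alarm_id) != account:
        raise Forbidden("alarm not found for this account")
    ALARM_STATE[alarm_id] = state
    return ALARM_STATE[alarm_id]


def audit(handler):
    """Defender's check: can any account change an alarm it does not own?"""
    findings = []
    for token, account in SESSIONS.items():
        for alarm_id, owner in ALARM_OWNER.items():
            if owner == account:
                continue
            before = ALARM_STATE[alarm_id]
            try:
                handler(token, alarm_id, "disarmed")
                findings.append((account, alarm_id))
            except Forbidden:
                pass
            ALARM_STATE[alarm_id] = before  # restore sample state
    return findings
```

Running `audit` against each handler in a test suite turns the missing ownership check into a failing test: the vulnerable handler yields one finding per cross-account pair, and the hardened one yields none.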
According to the researchers, the IDORs in the APIs can let hackers carry out various actions, many of which are actually part of the smart alarms’ safety features. These include:
Hacking smart cars via their proprietary apps isn’t new. As early as 2015, Trend Micro’s own research on car hacking showed how an unsecure application can leak sensitive information and even lock drivers out of their access to the application. There have also been other security issues in mobile applications that can let hackers snoop on personal data, illicitly access the car’s host computer, and even hijack the car.
Indeed, car hacking is no longer a proof of concept. As cars become smarter — with features like infotainment, Wi-Fi connectivity, keyless entries, and even additional driver safety relying on the internet — their attack surfaces become broader. When exploited, these security gaps put users’ data privacy and physical safety at risk.
Fortunately, car manufacturers recognize these issues. In fact, many of them, along with software and third-party application and service providers, are taking the initiative to promptly patch vulnerabilities and adopt industry-wide best practices to further secure smart cars.