Vulnerabilities in third-party car alarms managed via their mobile applications were uncovered by security researchers at Pen Test Partners. The security flaws reportedly affect around 3 million cars that use these “smart” internet-of-things (IoT) devices. Here’s what you need to know about these vulnerabilities.
The vulnerabilities are insecure direct object references (IDORs) in the application programming interfaces (APIs) of the applications that manage the smart alarms’ features. An IDOR occurs when an unsecure application exposes a value, data, or reference to an internal component implemented by the application. An IDOR can, for example, leak information stored in an application’s back-end.
In the smart alarms’ case, the IDORs in the APIs don’t properly validate requests made to the applications. The vulnerabilities affecting the smart alarms have been disclosed to and fixed by the affected vendors.
According to the researchers, the IDORs in the APIs can let hackers carry out various actions, many of which are actually part of the smart alarms’ safety features. These include:
Modifying and overwriting parameters (e.g., personally identifiable information like email address and passwords) to determine the car’s location, steal data stored in the application, lock the user out of his access to the alarm, and hijack the account registered to the smart alarm.
Stopping the car’s engine while in motion. This functionality is included or supported in the application’s API, meaning this can be carried out once the account is taken over.
Eavesdropping on drivers via the SOS function, which has the microphone enabled when SOS mode is used.
Sending custom or hacker-specified controller area network (CAN) messages, which means directly communicating with components connected to a car’s host computer. This functionality, however, is vehicle-specific.
What do these vulnerabilities mean for the internet of things (IoT)?
Hacking smart cars via their proprietary apps isn’t new. As early as 2015, Trend Micro’s own research on car hacking showed how an unsecure application can leak sensitive information and even lock drivers out of their access to the application. There have also been other security issues in mobile applications that can let hackers snoop on personal data, illicitly access the car’s host computer, and even hijack the car.
Indeed, car hacking is no longer a proof of concept. As cars become smarter — with features like infotainment, Wi-Fi connectivity, keyless entries, and even additional driver safety relying on the internet — their attack surfaces become broader. When exploited, these security gaps put users’ data privacy and physical safety at risk.
Fortunately, car manufacturers recognize these issues. In fact, many of them, along with software and third-party application and service providers, are taking the initiative to promptly patch vulnerabilities and adopt industry-wide best practices to further secure smart cars.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).