Vulnerabilities in Smart Alarms Can Let Hackers Hijack Cars
Vulnerabilities in third-party car alarms managed via their mobile applications were uncovered by security researchers at Pen Test Partners. The security flaws reportedly affect around 3 million cars that use these “smart” internet-of-things (IoT) devices. Here’s what you need to know about these vulnerabilities.
What are the vulnerabilities about?
The vulnerabilities are insecure direct object references (IDORs) in the application programming interfaces (APIs) of the applications that manage the smart alarms’ features. An IDOR occurs when an insecure application exposes a direct reference (such as a record identifier) to an internal object and then acts on whatever reference the client supplies without checking that the requester is authorized to access it. An IDOR can, for example, leak information stored in an application’s back end.
In the smart alarms’ case, the IDORs in the APIs don’t properly validate requests made to the applications. The vulnerabilities affecting the smart alarms have been disclosed to and fixed by the affected vendors.
What is the impact of the vulnerabilities?
According to the researchers, the IDORs in the APIs can let hackers carry out various actions, many of which are actually part of the smart alarms’ safety features. These include:
- Modifying and overwriting parameters (e.g., personally identifiable information such as email addresses and passwords) to determine the car’s location, steal data stored in the application, lock the user out of the alarm, and hijack the account registered to the smart alarm.
- Stopping the car’s engine while it is in motion. Because this functionality is exposed through the application’s API, it can be triggered once the account has been taken over.
- Eavesdropping on drivers via the SOS function, which has the microphone enabled when SOS mode is used.
- Sending custom, attacker-specified controller area network (CAN) messages, which means communicating directly with components connected to the car’s host computer. This functionality, however, is vehicle-specific.
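The account-takeover path described above comes down to an API that trusts a client-supplied identifier. The following is an added example, not code from Pen Test Partners or the affected vendors: a hypothetical alarm-management back end shown first with the IDOR and then hardened so that the target account and alarm are derived from the authenticated session and checked for ownership. All names, routes and data are constructed for illustration.

```python
"""Added example (not the vendors' code): an IDOR in a car-alarm account API,
shown vulnerable and then hardened. All identifiers and data are hypothetical."""
from dataclasses import dataclass, field

@dataclass
class Account:
    account_id: int
    email: str
    alarms: set = field(default_factory=set)  # alarm device ids this account owns

# Constructed sample back-end state: two customers, one alarm each.
ACCOUNTS = {
    1: Account(1, "alice@example.com", {"ALARM-1001"}),
    2: Account(2, "bob@example.com", {"ALARM-2002"}),
}
AUDIT_LOG = []  # denied requests land here so detection can alert on them

def update_email_vulnerable(session_user_id, request):
    """IDOR: trusts account_id from the request body, so any authenticated
    user can overwrite another customer's email and hijack that account."""
    target = ACCOUNTS[request["account_id"]]
    target.email = request["email"]
    return {"status": "ok", "account_id": target.account_id}

def update_email_hardened(session_user_id, request):
    """Derives the target from the server-side session, never from the client.
    A client-supplied account_id that disagrees is rejected and logged."""
    if "account_id" in request and request["account_id"] != session_user_id:
        AUDIT_LOG.append(
            f"IDOR attempt: user {session_user_id} targeted account {request['account_id']}")
        return {"status": "forbidden"}
    target = ACCOUNTS[session_user_id]
    target.email = request["email"]
    return {"status": "ok", "account_id": target.account_id}

def send_command(session_user_id, alarm_id, command):
    """Object-level authorization for alarm commands (e.g. engine stop): the
    caller must own the alarm. Returns the command that would be forwarded,
    or None when the request is denied."""
    if alarm_id not in ACCOUNTS[session_user_id].alarms:
        AUDIT_LOG.append(
            f"IDOR attempt: user {session_user_id} sent {command} to {alarm_id}")
        return None
    return {"alarm": alarm_id, "command": command}
```

The same ownership check belongs on every endpoint that takes an object identifier (location lookup, SOS audio, CAN message relay), not only on profile updates.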
What do these vulnerabilities mean for the internet of things (IoT)?
Hacking smart cars via their proprietary apps isn’t new. As early as 2015, Trend Micro’s own research on car hacking showed how an insecure application can leak sensitive information and even lock drivers out of the application. There have also been other security issues in mobile applications that can let hackers snoop on personal data, illicitly access the car’s host computer, and even hijack the car.
Indeed, car hacking is no longer a proof of concept. As cars become smarter — with features like infotainment, Wi-Fi connectivity, keyless entry, and even driver-safety functions that rely on the internet — their attack surfaces become broader. When exploited, these security gaps put users’ data privacy and physical safety at risk.
Fortunately, car manufacturers recognize these issues. In fact, many of them, along with software and third-party application and service providers, are taking the initiative to promptly patch vulnerabilities and adopt industry-wide best practices to further secure smart cars.
This article was originally published here.
For over 30 years, Trend Micro’s unwavering vision has been to make the world safe for exchanging digital information. Security is our entire focus, and it shows. This single-minded passion has inspired our innovations that keep up with the bad guys despite a changing IT landscape, riskier user behavior, and constantly evolving threats.