'Smart' Car Alarm App Could Allow 3 Million Cars To Be Unlocked Remotely (cnet.com)
"Two popular smart alarm systems for cars had major security flaws that allowed potential hackers to track the vehicles, unlock their doors and, in some cases, cut off the engine," reports CNET:
The vulnerabilities could be exploited with two simple steps, security researchers from Pen Test Partners, who discovered the flaw, said Friday. The problems were found in alarm systems made by Viper [known as Clifford in the U.K.] and Pandora Car Alarm System, two of the largest smart car alarm makers in the world. The two brands have as many as 3 million customers between them and make high-end devices that can cost thousands...
Both apps' API didn't properly authenticate for update requests, including requests to change the password or email address. Ken Munro, founder of Pen Test Partners, said that all his team needed to do was send the request to a specific host URL and they were able to change an account's password and email address without notifying the victim that anything happened. Once they had access to the account, the researchers had full control of the smart car alarm. This allowed them to learn where a car was and unlock it. You don't have to be near the car to do this, and the accounts can be taken over remotely, Munro said. Potential attackers could also use the apps' API to target specific types of cars, the security researcher added...
Pandora's alarm system also contained a microphone that would've allowed potential hackers to listen in on live audio, the security company found.
Both companies fixed the issue in less than a week, CNET reports, possibly due to the seriousness of the issue. In a video demonstrating the severity of the bug, security researcher Munro even uses the driver's app to set off a car's alarms remotely. When that driver began pulling over, Munro then used the app to cut off the car's engine. "So simple, so serious," he said.
ZDNet notes that one of the companies had been advertising their "smart" alarms as "unhackable".
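The flaw class described above (an account-update endpoint that does not check who is asking), shown beside a hardened handler, as an added example that is not code from CNET, Pen Test Partners or either vendor. The account store, session tokens, function names and status codes are all constructed for illustration; the weak handler is an assumed shape of the bug, not the vendors' actual code.

```python
import hashlib
import hmac
import os

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(email, password):
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "pw": hash_pw(password, salt)}

# Constructed sample data: ids, addresses and passwords are made up.
ACCOUNTS = {1: make_account("owner@example.test", "owner-pass"),
            2: make_account("other@example.test", "other-pass")}
SESSIONS = {"token-for-2": 2}   # session token -> authenticated account id
OUTBOX = []                     # notifications queued for the previous address

def update_account_weak(target_id, new_email, new_password):
    """Assumed shape of the flaw: the account id in the request is trusted."""
    acct = ACCOUNTS[target_id]
    acct["email"] = new_email
    acct["pw"] = hash_pw(new_password, acct["salt"])
    return 200

def update_account(token, target_id, current_password, new_email, new_password):
    """Hardened form: authenticate, authorize, re-verify, then notify."""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401              # no valid session
    if caller != target_id:
        return 403              # session does not own the target account
    acct = ACCOUNTS[target_id]
    supplied = hash_pw(current_password, acct["salt"])
    if not hmac.compare_digest(acct["pw"], supplied):
        return 403              # credential change requires the current password
    old_email = acct["email"]
    acct["email"] = new_email
    acct["pw"] = hash_pw(new_password, acct["salt"])
    # Tell the previous address, so a takeover cannot happen silently.
    OUTBOX.append((old_email, "Your account email or password was changed"))
    return 200
```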
Must be some RUSSIANS!
captcha: shiver
"Pandora went so far as to say that its smart alarm systems were "unhackable." (This claim has since been whipped off the vendor's website.)" - WHIPPED off the website? Wow, harsh?
Is your car running? Then you better go to prison! A-Hahahahaa, oooh, Trump treason joke. You'll get it soon enough. (seriously.)
"President" Trump level smart. "Vladimir Putin is my friend, why not just let him touch my penis on TV like that? What's the worst that could happen?" - There's an app for that, unfortunately it only runs on ADX Florence hardware.
Keep it simple. Security is difficult. You don't add security features. If you show people all the things they can do with your security app, you're doing it wrong. Complexity is the enemy.
Recently "retired" congressman Darryl Issa (R-Vista) was the wealthiest ($280M+) member of the House of Representatives as a result of sales of auto alarms, including Viper (notorious in previous versions for saying "Protected by Viper, stand back" or some such nonsense when someone got too close.)
I once saw the Viper get a car destroyed. Someone, let's call him Angry Young Man, was walking through a parking lot when he passed within 3 feet of a car with the Viper installed. It started going into the car alarm version of the internet tough guy speech about how it was the Viper and you needed to step away from the car.
AYM, who was about to walk harmlessly by, turned and yelled "OH YEAH, WELL FUCK YOU!!!" He then began kicking the grille in, smashing the headlights, etc repeating "FUCK YOU" over and over. By the time I left he was working on the windshield.
With my foot up your dumb ass.
How is a car alarm going to get licensed to conceal carry a gun? You 'merkins and your guns. Still haven't learned after a couple hundred years. No wonder you live in a shithole. You deserve what you get.
Typical Indian shovelware.