back to article No guns or lockpicks needed to nick modern cars if they're fitted with hackable 'smart' alarms

Researchers have discovered that "smart" alarms can allow thieves to remotely kill your engine at speed, unlock car doors and even tamper with cruise control speed. British infosec biz Pen Test Partners found that the Viper Smart Start alarm and products from vendor Pandora were riddled with flaws, allowing an attacker to …

  1. DaLo
    Facepalm

    'the company boasted their security was "unhackable"'

    When will they ever learn.

    1. imanidiot Silver badge

      When the Titanic finally pulls into the New York harbour.

    2. ACcc

      Every time...

      "You keep using that word, I do not think it means what you think it means"

      1. Spamfast Bronze badge
        Happy

        Re: Every time...

        "You keep using that word, I do not think it means what you think it means"

        It's not inconceivable that the car alarm just responds, "As you wish." if you talk to it the right way, you mean?

      2. dajames Silver badge
        Pirate

        Re: Every time...

        "You keep using that word, I do not think it means what you think it means"

        My car's quite safe ... it's protected by dread pirate robots ...

    3. theModge

      well....if any publicity is good publicity you could argue that declaring your product to be unhackable was akin to free pen-testing.

      I mean I'm not sure I'd like to be famous as the "The person who makes shite software" but if I was planning on say, changing my name and emigrating it might work.

  2. GlenP Silver badge

    Some of those Landrovers didn't need anything fancy to break in, just a good bang on the passenger door so the catch on the window fell over, slide* open the window, reach in and unlock.

    *I still think it was a retrograde step when they fitted winding handles to car windows.

    1. imanidiot Silver badge

      Aren't those latches usually stuck solid, requiring a screwdriver to open them even on a good day? Or am I thinking of the wrong thing here? (I've only ever been in a series 2A, which has the push, rotate and pull out knobby latches on the windows)

      1. GlenP Silver badge

        They seemed to vary with age & model. I'm not even certain the ones on my S3 were original.

      2. caffeine addict Silver badge

        Had those on my IIa and never had a problem with them.

        Shame the old beast effectively recycled itself without permission.

        1. The Quiet One

          My father in law once watched a likely lad in South London trying and failing to open his Series 2a, that was already unlocked...... Eventually the miscreant gave up and walked off into the night.

          1. Yet Another Anonymous coward Silver badge

            I assume you descend Tom Cruise like on wires from above, pull out your battery powered mini circular saw and cut through the canvas top and get inside that way

          2. Chris G Silver badge

            I had a big red battery isolator key under the dashon my old IIA, it went in with me at nights or if parked anywhere a bit iffy.

            One of my mates had a '54. Series I that had no ignition key, just a big round starter button on the floor like the original Mini one. A neighbor told him he had seen a young would be thief go in through the unlocked door and spend quite some time looking for the ignition then giving up and walking of.

            The ignition was a toggle switch on the centre dash.

  3. Alister Silver badge

    Land Rover Defenders

    Not one of those vehicles on the photo is a Land Rover Defender.

    And all you need to get into one of those and drive away is a small screwdriver.

    1. imanidiot Silver badge
      Joke

      Re: Land Rover Defenders

      That's because you'll probably find all the other tools you need to make it go in the back :)

      1. Alister Silver badge

        Re: Land Rover Defenders

        That's because you'll probably find all the other tools you need to make it go in the back :)

        No other tools required, both the door locks and ignition switch can be operated with a screwdriver.

        1. katrinab Silver badge
          Coat

          Re: Land Rover Defenders

          The tools required to repair the thing so that it will work.

          1. imanidiot Silver badge
            Coat

            Re: Land Rover Defenders

            ^^ What Katrinab said ^^

          2. Anonymous Coward
            Anonymous Coward

            Re: Land Rover Defenders

            Oh Hahaha.

            All three of the vehicles shown are probably older than you are, and yet are still going strong.

            Don't confuse the crappy modern Land Rovers with the real thing.

            1. katrinab Silver badge

              Re: Land Rover Defenders

              The middle one is a bit younger than me

            2. 10forcash Bronze badge

              Re: Land Rover Defenders

              Don't confuse the crappy modern Land Rovers with the real thing.

              The same was said when the S.IIA came out....

              They were wrong then as well. I have driven 'modern' LandRovers for the last twenty years, in climates from -52 deg. C. to +50 deg. C. in terrain ranging from the French Alps, Balkans, North, Middle and Southern Africa, and also parts of the near & middle east. The vehicles have proved themselves just as capable, hardy and rugged as the original design intention - but better looking, more comfortable, efficient and capable than earlier iterations. Yes, we always stopped to help out the less fortunate when stuck, broken down or otherwise 'delayed' whether in a LandRover, Land Cruiser, or indeed a Merc. 190!

              So think and behave like a Luddite if you wish, I think if you actually experienced the vehicles, your prejudice would be somewhat diminished.

              1. Alister Silver badge

                Re: Land Rover Defenders

                @10forcash

                Not sure who you are aiming your comments at, but I've owned and driven Series 2A, Series 3, early (pre Defender) One-Ten, later Ninety, Range Rover P38, Discovery 1 and Discovery 2.

                I don't have a prejudice, but I'm well aware that more modern Land Rovers have a very poor reputation for electrical reliability, and there have been various quality issues (TDV6 engine for example).

                1. tcmonkey
                  Unhappy

                  Re: Land Rover Defenders

                  Thanks for reminding me of the electrical system on the P38... I think I now must go to the pub and drink until I forget who I am.

                  1. Jeffrey Nonken Silver badge

                    Re: Land Rover Defenders

                    Nostalgia just isn't what it used to be.

                2. 10forcash Bronze badge

                  Re: Land Rover Defenders

                  Care to expand on the 'electrical reliability issues'? i'm not really seeing any more (or less) issues than the other Marques I deal with.... TDV6 - 2.7 or 3.0? there are some 'early life' issues with 3.0 and some issues with 2.7 timing belt tensioner mountings on the oil pump failing after timing belt change, again, nothing more than other manufacturers, and those engines are built primarily at DDC by Ford under licence from PSA. My TDV6 has 157k miles on it, aside from sheduled maintenance and a couple of EGR valves replaced early life (Valeo!) no problems. The only significant problems with L319/320 were the early air suspension compressors failing - built by Hitachi in Japan....

            3. imanidiot Silver badge

              Re: Land Rover Defenders

              I am well aware they're all older than me. I'm also well aware that they run fine MOST of the time. And then suddenly you find yourself at the side of the road filing points, hand cranking a 2 1/4 L 4-pot petrol engine because the starter solenoid gave up (It CAN be done, I've never managed) or rewiring the headlights because the wires just gave up.

              I've also experienced trying to swap a fuel tank with an original replacement part, and finding it didn't fit because it was literally an INCH too long. The seller wasn't even surprised when we came back, just walked into the back with a tape measure and found one that fell into the other side of the tolerance range. Apparently half an inch of tolerance on the length of the tank and half an inch of tolerance on the placement of the frame extensions isn't uncommon on a Series IIA...

              1. Alister Silver badge

                Re: Land Rover Defenders

                I've also experienced trying to swap a fuel tank with an original replacement part, and finding it didn't fit because it was literally an INCH too long.

                Ah, the joys of Britpart :)

              2. Chris G Silver badge

                Re: Land Rover Defenders

                Ah, memories. I have rebuilt both the carb and the distributor on the roadside on my 2 1/4l IIa, with a leatherman supertool.

                As for crank starting, I did that for several weeks one year while broke and between jobs and couldn't afford to repair it, It had uprated half shafts, a new tilt from Derbyshire LandRovers and never let me down when it counted, even pulling two horses in a trailer through axle deep mud and shit.

              3. Anonymous Coward
                Anonymous Coward

                Re: Land Rover Defenders

                At least you can work on the ignition system on the side of the road if it gives problems.

                With current machines its a case of call recovery and look forward to a painful bill for changing single use parts and of course... computer diagnostics.

          3. MiguelC Silver badge

            Re: Land Rover Defenders

            “Explaining a joke is like dissecting a frog. You understand it better but the frog dies in the process.”

            E. B. White

    2. EvilDrSmith

      Re: Land Rover Defenders

      Yes, but the police will soon track you down; all they have to do is follow the trail of oil (On a Landie, the oil leak is a sign of life)

    3. Fruit and Nutcase Silver badge

      Re: Land Rover Defenders

      An opportunity to remind owners of Land Rover owners in the south of England in need of spare locks or other assorted bits...

      http://www.4x4sparesday.co.uk/events/newbury-4x4-vintage-spares-day

  4. deadlockvictim Silver badge

    Zombie cars

    I wonder how far off we are from driverless cars, namely cars whose systems have been hacked and are at the mercy of someone not inside the car? They'd be indispensable in robbing banks, hit-jobs and the like.

    Or do all of these cars still need a meatbag present to press the accelerator?

    1. BBRush
      Thumb Up

      Re: Zombie cars

      Simple solution to this: Make ever car permanently convertible. If someone does hack your car, simply climb out and let it go on its merry way.

    2. vtcodger Silver badge

      Re: Zombie cars

      Or do all of these cars still need a meatbag present to press the accelerator?

      Probably not. I don't think there has been a purely mechanical connection between the gas pedal and the delivery of fuel to the cylinder(s) since carburetors went away several decades ago. Remember Codger's Law -- if it isn't mechanical it can (and probably will) be hacked.

    3. Wilco

      Re: Zombie cars

      Any car with cruise control doesn't need any fleshy meat sack to press anything

    4. theModge

      Re: Zombie cars

      Sack of meat may be required to steer? I realise everything has power steering, but I'm not sure it could be steered on that alone?

      1. Yet Another Anonymous coward Silver badge

        Re: Zombie cars

        Power steering can be overridden from the software - was even demonstrated remotely on the Jeep hack.

        The safety rules do require that you have mechanical steering if the power steering fails, how you achieve that depends on the model

    5. TechnicalBen Silver badge
      Terminator

      Re: Zombie cars

      I think there was a documentary Disney made about that one.

      1. AMBxx Silver badge

        Re: Zombie cars

        I think I'll stick to manual gears. Seems to be the only way to override the computers.

      2. AdamT

        Re: Zombie cars

        "Maximum Overdrive" ? Not sure if that was Disney though. Awesomely bad movie. Or perhaps an awesome bad movie. I'm conflicted. I remember it being terrible but I also remember quite enjoying it.

  5. Valerion

    I always used to scoff

    When watching a movie and someone hacked into a car and remotely controlled it.

    Seems I was wrong to do so.

    1. Sudosu

      Re: I always used to scoff

      Maximum Overdrive?

      Now where's my ACDC playlist...

  6. caffeine addict Silver badge

    Both Pandora and Viper had fixed the offending IDORs before PTP went public.

    How? By doing a recall? Emailing users to update firmware? Or through an OTA update? Because none of those sound like great options...

    1. ThatOne Silver badge

      Usually those updates are made silently when you bring your car to an authorized dealer for something else. Obviously if you don't, you're out of luck...

      Speaking of bugs, for every bug they find there are probably a dozen they didn't find yet. So can I have a car without such a "theft facilitating device" please?...

    2. d3vy Silver badge

      "How? By doing a recall? Emailing users to update firmware? Or through an OTA update? Because none of those sound like great options..."

      I'd guess none of the above.

      What is described in the article is not a direct hack of the alarm on the car but of an API which allows account management and other features, allowing you to take over the users account and then control the alarm.

      I very much doubt that changing the users email address is done via an API hosted on some kit in the car (Though given the scale of the f*ck ups involved I wont rule it out :) ).

      So they managed to get access to the users account and from there they were able to sign into the app and control the alarm from there.

      Same with the API for cruise control etc, its very unlikely that the end users app communicates directly with the car, rather it will send to a central service which (in theory) does the security checks before issuing the command to the car via some unpublished API (Probably even less secure because they assume no one knows about it!)

      1. caffeine addict Silver badge

        The app likely needs indirect access to the canbus for things like lights and immobiliser, but it surely has no access to the cruise control.

        Rather, this is most likely a two stage thing - convincing the API you are the owner, then using the alarm app as a vector to attack the canbus, which in turn...

        But then, the way car systems are made, who the hell knows...

        1. d3vy Silver badge

          I'm willing to bet you can do an unauthenticated post with {cruiseSpeed:5000} and the car will try to do it!

  7. Steve Graham
    Big Brother

    "Your security is in the cloud."

    This is another of those systems where the architecture is based on a central, internet-connected server, for no good reason. (See also: smart homes, smart assistants, smart burglar alarms, smart locks...).

    If my phone could replicate the wireless key fob and unlock the car, that would be cool. If my phone has to contact a remote server, which sends a message across the network to tell the car to unlock, that's inherently fragile and insecure. Good for collecting information on customer behaviour though.

    1. tony2heads
      Coat

      Re: "Your security is in the cloud."

      As a colleague's t-shirt says:

      There is no cloud, it's just somebody else's computer

      coat: it's the one with the KEY in the pocket

  8. Flak
    Holmes

    (The Internet of) Things can only get better...

    Much to learn:

    1) Don't ever throw the 'unhackable' gauntlet down to a global tech audience.

    2) See point 1...

    Elementary, Watson!

  9. Tikimon Silver badge
    Devil

    Instant spy movie device!

    This suggests a plot trick suitable for a Bond film. Jimmy is driving around in his modern Smart Connect Austin. Yes, really! I'm sure the "Q" who plugged an infected USB drive into the main network in front of everyone would think this was a marvelous idea and that the admin password "MhasAtinyDick" is strong. Anyway, the Evil Overlord's minions hack the car. They eavesdrop to learn what Bond knows about them and which porn he's watching on the in-vehicle entertainment system. Not like they really WANT to know that, but you get it all when you're hacking data. They track his location and send incorrect navigation info to the car, directing him to where they have an attack team waiting. When he unwittingly drives into the ambush, the evil minions disable the engine, unlock the doors, and change the system to show a Benny Hill episode. While Bond is distracted trying to get the Japanese tentacle clip back on, the evil minions jump him. When Bond turns up missing they'll ask Q to locate the car. He will then discover the password has been changed and Bond's subscription to Pornhub has been canceled.

    Hey, I'd rent that on DVD.

    1. TechnicalBen Silver badge
      Coffee/keyboard

      You think to small.

      IIRC the GitS reboot series had the entire cities cars hacked for their processing power. They caused a masive gridlock. Just think of the bitcoin you could mine!

  10. Mark 85 Silver badge

    Nothing "smart" about "smart" locks.

    The more functionality in them, the more they are vulnerable. Is there really a need for any comms between the fob/car and the Internet as this seems to be a disaster waiting to happen for the lock/car owner? I guess being connected and hip overrides common sense and security every single time.

    1. Yet Another Anonymous coward Silver badge

      Re: Nothing "smart" about "smart" locks.

      Potentially it could increase security

      Most fob systems do a challenge response but just cycle through a list of predictable seeds (my Japanese car just increments integers)

      Having both get a list of crypto keys from a central site which also monitors how many failed attempt the car has detected and other suspicious behaviour could be good.

      Of course allowing you to reset the key fob on the web site with just an email or sms isn't quite so good.

  11. doublelayer Silver badge

    Suggested addition to dictionaries

    I humbly suggest the following additions to all dictionaries. I release these definitions into the public domain in the hope that they will be recorded for those who are unaware:

    Unhackable:

    : /ˈst(j)upɪd/

    Adj.

    1. Nonexistent or imaginary: We have a normal computer and an unhackable one.

    2. Extremely insecure: The company has built an unhackable lock.

    3. Destroyed or rendered nonfunctional: The plane carrying the machine crashed from a great height, and therefore both have been rendered unhackable.

    My [noun] is unhackable:

    Phrase

    1. I am an idiot.

    2. My [noun] is probably a lot worse than its competitors.

    3. My [noun] won't pass a standard penetration test.

    4. My [noun] won't pass a non-penetration security test either.

    5. My [noun] might not pass a safety, fitness for purpose, or functionality test either, while we're on the subject.

    6. Unless you can physically obtain one of my [noun]s, it probably doesn't even exist outside my marketing documentation.

    Note: Unlike other definitions which use or logic, I.E. usually only one definition applies to a specific occurrence of the term, the preceding phrase definition uses and logic across all definitions.

  12. DougS Silver badge

    And here is yet another example why

    Any car I buy will have any type of built-in cellular, wifi etc. communication disabled

    1. Anonymous Coward
      Anonymous Coward

      Re: And here is yet another example why

      good luck with that. You may even invalidate your insurance by doing so if your car has a tracker (Thatcham Level 5 or above).

      Going through the torture of getting insurance for my new motor at the moment.

      1. DougS Silver badge

        Re: And here is yet another example why

        So you do it in a way that could be blamed on the dealer service, like yanking out the wire that powers it, as it was snagged when performing maintenance...

    2. Dr_N Silver badge

      Re: And here is yet another example why

      Just order a fleet/business)rental version. Many manufacturers are leaving the connected parts out of those models.

  13. A.P. Veening

    Pandora

    Am I the only one questioning the wisdom of calling it Pandora? Or is the story of Pandora completely forgotten?

    1. Version 1.0 Silver badge

      Re: Pandora

      If you remember, all the evils and miseries were let out of Pandora's box ... but the reason that we didn't all leap off the cliff was that false hope was let loose into the world too ... unhackable right ?

  14. 10forcash Bronze badge

    The problerm isn't the architecture in the vehicles - most 'modern, connected vehicles' use FlexRay rather than CANBus, FlexRay behaves more like a packet switched network, only sending (or more accurately, modules only listen 'in turn' based on the timing packets) data to the modules that need to know, whereas CANBus is more like having a Token Ring network. FlexRay networks usualy have a security module, variously called 'Firewall', 'Gateway', 'Vehicle Connectivity' or 'Keyless Vehicle' {an oxymoron] modules, these quite properly validate signals received against stored values and authorise the specific modules to carry out the required actions.

    Where this all falls down is when Programmers design & implement API's in isolation, preferring to run them past Marketing rather than Engineering....

    Where insecurity HAS to be baked into the vehicle, it's generally the 'consumer focus groups' to blame, wanting features such as Keyless Entry (!), powered tailgates where you can wave a foot around under the rear of the car so you don't have to put your shopping / dog / child down to get your keys out - much better to pirouette around on a frozen car park.... All this means the vehicle is effectively an antenna farm to rival the old LF one near Rugby just so some entitled prick doesn't have to push a button on a key and then have to suffer the ignominity of turning a key blade in an actual lock!

  15. Nick Kew Silver badge
    Facepalm

    ... an unauthenticated corner of the service's API ...

    Um, does that mean what it appears to?

    API, as in a published interface?

    Unauthenticated, as in free of encumbrances like a client cert or a password to access it?

    Hmmm.

  16. anthonyhegedus Silver badge

    Benevolent hackers could enable the indicator controls on Audis and BMWs.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019