A flaw in a connected alarm system exposed vehicles to remote hacking
Car hacking has become a major focus in the security community in recent years, as more vehicles are hooked up to the cellular internet. But while it's convenient to control your car from your phone, that connectivity has also opened up new points of attack, which could have real-world consequences. You might not even realize you’re a Calamp user.
Many apps, including the vehicle tracking app Viper SmartStart, which lets users locate, start, and control their car from their phone, connect to the outside world using a Calamp modem that links to its cloud-based servers. The researchers found that the Viper mobile app, while secure, was connecting to two different servers: one used by Viper, and another run by Calamp. Using the same credentials as the app, they were also able to log in to the Calamp server and gain complete access to it, the researchers said in their write-up.
By querying the database, Stykas said it was possible to find a car by looking up nearby latitude and longitude coordinates, reset the password, unlock the driver’s side door, start the engine, and drive away.