In one demonstration of the attack, the researchers geolocated a target vehicle, tracked it in real time, followed it, remotely killed the engine and forced the car to stop, then unlocked the doors. The researchers said it was “trivially convenient” to hijack a vulnerable vehicle. Worse, it was possible to identify specific car models, making targeted hijacks of high-end vehicles even easier. The researchers also found they could listen in on the in-car microphone, which is built into the Pandora alarm system to make calls to the emergency services or roadside assistance.

Ken Munro, founder of Pen Test Partners, told TechCrunch this is their “biggest” project.

The researchers contacted both Pandora and Viper with a seven-day disclosure period, given the severe nature of the vulnerabilities. Both companies responded quickly to fix the flaws.

When reached, Viper’s Chris Pearson confirmed the vulnerability has been fixed. “If used for malicious needs, [the flaw] could allow customers’ accounts to be accessed without authorization.” Viper blamed a recent system update by a service provider for the bug and said the problem was “quickly rectified.” “Directed [which owns Viper] believes that no customer data was exposed and that no accounts were accessed without authorization during the short time this vulnerability existed,” said Pearson, but offered no evidence for how the company reached that conclusion.

In a lengthy email, Pandora’s Antony Noto challenged many of the researchers’ findings, summarizing: “The system’s encryption was not cracked, the remotes were not hacked, [and] the tags were not cloned,” he said. “A software glitch allowed short-term access to the device for a brief period of time, which has now been addressed.”

The research follows work last year by Vangelis Stykas on CalAmp, a telematics provider that serves as the basis for Viper’s mobile app. Stykas, who later joined Pen Test Partners and also worked on the car alarm project, found the app was using credentials hardcoded in the app to log in to a central database, which gave anyone who logged in remote control of a connected vehicle.