‘Smart’ Doesn’t Mean ‘Unhackable’

Many vendors will tell you that their smart device is unhackable. However, in reality, that’s unlikely to be true.

When we talk about smart devices in this context, we’re not talking smartphones, but rather the myriad devices that make up the Internet of Things. All those gadgets we can’t possibly live without.

All of these smart devices have one characteristic in common: poor security.

Alarming security issues

A recent article on BullGuard’s blog highlights the myth of the unhackable smart device. They wrote that:

Two of the world’s largest car alarm manufacturers recently proved this point, albeit inadvertently.

Viper, known as Clifford in the UK, and Pandora Car Alarm Systems have something like three million customers between them. Some security researchers recently tested these smart car alarms.

The results don’t inspire confidence. They discovered straightforward vulnerabilities in both alarms’ APIs, which knit together a vehicle’s existing smart features with the smart alarms.

The researchers probed these vulnerabilities and were able to tamper with existing smart parameters, reset user credentials, hijack accounts, and more.

  • The vehicle type and owner’s details could be stolen, a car could be unlocked, the alarm disabled, the vehicle tracked, microphones compromised, and the immobilizer hijacked. 
  • In Viper’s case, a security flaw in the API parameter led to improper validation, which provided attackers with the ability to compromise user accounts. The research team found that the same bug could also be used to compromise the vehicle’s engine system. 
  • The Pandora alarm can be used to make SOS calls in cases of emergency. This is why it is fitted with a microphone. But because of the flaw, the microphone could be used for snooping. 
  • In Pandora’s case, cyber attacks could also result in the car engine being killed during use. It’s designed for use if a car is stolen, which makes sense, as long as it isn’t hacked. But in the hands of an attacker, it could be deadly. Imagine hurtling down a motorway, the engine suddenly cuts out, and there’s a 44-ton truck sitting right behind you.

To the misfortune of Pandora, it claimed on its website that its smart alarms were unhackable. That said, once the researchers informed the company, it swiftly deleted this grandiose claim from its website.

Also, both companies responded quickly and fixed the vulnerable APIs as soon as they were informed, which is encouraging.

We may not be seeing real-world cyber attacks on cars yet, but given the pace of smart device adoption, it’s something any sensible person wouldn’t bet against.

MPM Computer Consultancy provides IT Services, Support and Training to sole traders and small businesses in Ipswich, Bury St Edmunds, and surrounding villages. 

Source: BullGuard