Best Phones Just for you to buy. Get them.
In one case in point demonstrating the hack, the experts geolocated a target car or truck, tracked it in real time, followed it, remotely killed the engine and forced the car to stop, then unlocked the doors. The researchers said it had been “trivially convenient” to hijack a vulnerable motor vehicle. Worse, it was possible to recognize some car models, producing targeted hijacks or high-end vehicles even better. According with their findings, the experts also found they may listen in upon the in-car microphone, built-in within the Pandora alarm program to make calls to the emergency services or perhaps roadside assistance. Ken Munro, founder of Pen Evaluation Companions, told TechCrunch this is their “biggest” project.
The researchers contacted both Pandora and Viper with a seven-evening disclosure period, given the severe nature of the vulnerabilities. Both businesses responded quickly to fix the flaws. When reached, Viper’s Chris Pearson confirmed the vulnerability has been fixed. “If used for malicious purposes, [the flaw] could let customer’s accounts to be accessed without authorization.” Viper blamed a recent system update by a good service agency for the bug and said the problem was “quickly rectified.” “Directed [which owns Viper] believes that no client data was exposed and that no accounts had been accessed without authorization through the short time this vulnerability existed,” explained Pearson, but presented no evidence to the way the company found that conclusion. In an extended email, Pandora’s Antony Noto challenged many of the researcher’s findings, summated:
“The system’s encryption had not been cracked, the remotes where not hacked, [and] the tags weren't cloned,” he said. “A software glitch allowed non permanent access to these devices for a short period of time, which has now been addressed.” The study follows work this past year by Vangelis Stykas on the Calamp, a telematics provider that serves as the foundation for Viper’s cellular app. Stykas, who later joined Pen Test Partners and in addition worked on the automobile alarm project, found the app was applying credentials hardcoded in the iphone app to log in to a central database, which gave anyone who logged in remote control of a connected vehicle.