Security flaws in three specialist car alarms have left vehicles vulnerable to being stolen or hijacked, say researchers.
The bugs were found in alarm apps by Clifford, Viper, and Pandora. The alarms are on three million vehicles.
The security researchers exploited the bugs to activate car alarms, unlock a vehicle's doors and start the engine via an insecure app.
The expose has prompted the firms to upgrade security to remove the flaws.
The research was carried out for the BBC's Click technology programme by security consultants Pen Test Partners, which has a long track record of uncovering software flaws.
The firm focussed on two well-known firms that produce alarms that can be accessed and controlled via smartphone apps - Pandora and Clifford (known in the US as Viper).
The research found that Pandora, which had advertised its system as "unhackable", allowed a user to reset account passwords for any account.
Pandora now no longer makes the claim that its system is unhackable.
The password flaw allowed researchers significant access to the app. They could:
- to take control of the smart alarm remote access app
- track any vehicle in real time
- remotely activate the alarm
- open the door locks
- start a vehicle's engine
The apps were taken apart by the ethical hackers
The ethical hackers also looked at smart alarms produced by Clifford, which is the market leader in third-party alarms in the UK.
The team found that it was possible to use a legitimate account to access other users' profiles and to then change the passwords for those accounts and take control.
"I could look on the system and look for a nice Lamborghini or a Porsche, locate one close to where I am, go and start that car if no one's around, open the doors and drive away" said Chris Pritchard, a security consultant at Pen Test Partners.
Directed, the parent company for the Viper and Clifford brands, admitted that "customers' accounts could have been accessed without authorisation... as a result of a recent update".
It added that the company did not believe any data had been accessed without authorisation.
The security flaw has now been fixed.
"Directed is committed to providing safe and secure products but no system can be 100% safe," it told Click.
In a statement, Russia-based Pandora Alarms, which also sells products in the UK, said: "We have made changes to the code and upgraded security. The pain point has been removed."
The researchers demonstrated how the apps could be exploited
It advised that the key fob provided to owners with the alarms "would override any remote access through the app".
Security expert Professor Alan Woodward from the University of Surrey's Centre for Cyber-Security said it was "disappointing" to see relatively simple flaws introduced by companies in the business of security.
"You would have thought any company claiming security as their core business would have done a thorough penetration test on the system as a whole," he said. "It's hard not to conclude that it was not done here."
He added: "The problems were within the direct control of the company. I fear that security researchers are yet again the only ones holding these manufacturers to account."
Prof Woodward said it had become a trend for companies to spend a great deal of time on the "front end" of the apps that users see, but pay less attention to the "back end" which leaves the programmes open to security flaws.
"It should be the companies paying for this, not researchers doing it as a sideline," he said.
Have your say
More Technology Headlines
- How to post to multiple social networks
- Mobile industry records over 2,000 fibre cuts in H1 2019
- Huawei announces three new phones amid continued uncertainty
- Apple recalls older 15-inch MacBook Pros because the batteries could catch fire
- Companies without data protection certificates risk losing license
- Inlaks to launch “thehatch” Innovation Lab with a Hackathon
- Homemade plane built by South African teens makes historic flight
- Facebook unveils plans for its own cryptocurrency
- Huawei smartphone sales hit amid US curbs
- Huawei delays launch of foldable Mate X, blames Samsung not Trump
- 2 KNUST female students convert old playing device into diagnostic equipment
- Instagram will leave deepfake video of Mark Zuckerberg
- Samsung patent shows rollable phone displays
- Facebook will pay you to let it track what you do on your phone
- Ghana organises data upload challenge, hackathon