Security flaws in three specialist car alarms have left vehicles vulnerable to being stolen or hijacked, say researchers.

The bugs were found in alarm apps by Clifford, Viper, and Pandora. The alarms are on three million vehicles.

The security researchers exploited the bugs to activate car alarms, unlock a vehicle's doors and start the engine via an insecure app.

The expose has prompted the firms to upgrade security to remove the flaws.

Alarms 'unhackable'

The research was carried out for the BBC's Click technology programme by security consultants Pen Test Partners, which has a long track record of uncovering software flaws.

The firm focussed on two well-known firms that produce alarms that can be accessed and controlled via smartphone apps - Pandora and Clifford (known in the US as Viper).

The research found that Pandora, which had advertised its system as "unhackable", allowed a user to reset account passwords for any account.

Pandora now no longer makes the claim that its system is unhackable.

The password flaw allowed researchers significant access to the app. They could:

• to take control of the smart alarm remote access app
• track any vehicle in real time
• remotely activate the alarm
• open the door locks
• start a vehicle's engine

The apps were taken apart by the ethical hackers

The ethical hackers also looked at smart alarms produced by Clifford, which is the market leader in third-party alarms in the UK.

The team found that it was possible to use a legitimate account to access other users' profiles and to then change the passwords for those accounts and take control.

"I could look on the system and look for a nice Lamborghini or a Porsche, locate one close to where I am, go and start that car if no one's around, open the doors and drive away" said Chris Pritchard, a security consultant at Pen Test Partners.

Account compromised

Directed, the parent company for the Viper and Clifford brands, admitted that "customers' accounts could have been accessed without authorisation... as a result of a recent update".

It added that the company did not believe any data had been accessed without authorisation.

The security flaw has now been fixed.

"Directed is committed to providing safe and secure products but no system can be 100% safe," it told Click.

In a statement, Russia-based Pandora Alarms, which also sells products in the UK, said: "We have made changes to the code and upgraded security. The pain point has been removed."

The researchers demonstrated how the apps could be exploited

It advised that the key fob provided to owners with the alarms "would override any remote access through the app".

Tech mistakes

Security expert Professor Alan Woodward from the University of Surrey's Centre for Cyber-Security said it was "disappointing" to see relatively simple flaws introduced by companies in the business of security.

"You would have thought any company claiming security as their core business would have done a thorough penetration test on the system as a whole," he said. "It's hard not to conclude that it was not done here."

He added: "The problems were within the direct control of the company. I fear that security researchers are yet again the only ones holding these manufacturers to account."

Prof Woodward said it had become a trend for companies to spend a great deal of time on the "front end" of the apps that users see, but pay less attention to the "back end" which leaves the programmes open to security flaws.

"It should be the companies paying for this, not researchers doing it as a sideline," he said.