Security flaws in three specialist car alarms have left vehicles vulnerable to being stolen or hijacked, say researchers.
The bugs were found in the smartphone apps for alarms sold by Clifford, Viper and Pandora. The alarms are fitted to three million vehicles.
The security researchers exploited the bugs to activate car alarms, unlock a vehicle's doors and start the engine via an insecure app.
The exposé has prompted the firms to upgrade their security to remove the flaws.
The research was carried out for the BBC's Click technology programme by security consultants Pen Test Partners, which has a long track record of uncovering software flaws.
The consultancy focused on two well-known manufacturers whose alarms can be accessed and controlled via smartphone apps: Pandora and Clifford (known in the US as Viper).
The research found that Pandora, which had advertised its system as "unhackable", allowed a user to reset the account password of any other account.
Pandora now no longer makes the claim that its system is unhackable.
The password flaw gave the researchers extensive access through the app. They could:
- take control of the smart alarm's remote access app
- track any vehicle in real time
- remotely activate the alarm
- open the door locks
- start a vehicle's engine
The apps were taken apart by the ethical hackers
The ethical hackers also looked at smart alarms produced by Clifford, which is the market leader in third-party alarms in the UK.
The team found that it was possible to use a legitimate account to access other users' profiles, change the passwords on those accounts and take control of them.
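Both findings above (Pandora's reset of any account's password, and Clifford's use of one legitimate login to reach and take over other users' accounts) are instances of the same bug class: the server authenticates the caller but never checks that the account being read or modified belongs to that caller. The following is an added illustration, not code from Pandora, Clifford/Viper or Pen Test Partners, and it does not reproduce their real API; it is a hypothetical in-memory account service with constructed sample users, showing the vulnerable handler pattern beside a hardened one that binds the target account to the session.

```python
"""Broken object-level authorization in a hypothetical alarm account API.

Added example only: the endpoint names, fields and sample users below are
invented, not the real Pandora or Clifford/Viper API. The vulnerable
handlers mirror the pattern described in the article: a valid login is
enough to read any user's profile and reset any user's password.
"""
import hashlib
import hmac
import os
import secrets

# Constructed sample data: two customers of the imaginary alarm service.
USERS = {
    1001: {"email": "alice@example.invalid", "vehicle": "VIN-ALICE-001",
           "lat": 51.50, "lon": -0.12},
    1002: {"email": "bob@example.invalid", "vehicle": "VIN-BOB-002",
           "lat": 53.48, "lon": -2.24},
}
PASSWORDS = {}  # user_id -> (salt, pbkdf2 hash)
SESSIONS = {}   # bearer token -> user_id


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(user_id: int, password: str) -> None:
    salt = os.urandom(16)
    PASSWORDS[user_id] = (salt, _hash_password(password, salt))


def check_password(user_id: int, password: str) -> bool:
    salt, stored = PASSWORDS[user_id]
    return hmac.compare_digest(stored, _hash_password(password, salt))


def login(user_id: int, password: str):
    """Returns a session token, or None if the credentials are wrong."""
    if not check_password(user_id, password):
        return None
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = user_id
    return token


def vulnerable_get_profile(token: str, user_id: int):
    # Authenticated? yes. Authorized for *this* user_id? never checked.
    if token not in SESSIONS:
        return 401, None
    return 200, USERS.get(user_id)


def vulnerable_reset_password(token: str, body: dict):
    # The client chooses which account gets the new password.
    if token not in SESSIONS:
        return 401, "not logged in"
    target = body["user_id"]
    if target not in USERS:
        return 404, "no such user"
    set_password(target, body["new_password"])
    return 200, "password updated"


def hardened_get_profile(token: str, user_id: int):
    # The session, not the request, decides whose data is returned.
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, None
    if user_id != caller:
        return 403, None
    return 200, USERS[caller]


def hardened_reset_password(token: str, body: dict):
    # Any client-supplied user_id must match the session owner, and the
    # current password is re-checked so a stolen token alone is not enough.
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, "not logged in"
    if body.get("user_id", caller) != caller:
        return 403, "forbidden"
    if not check_password(caller, body["current_password"]):
        return 403, "current password incorrect"
    set_password(caller, body["new_password"])
    return 200, "password updated"


def demo() -> dict:
    """Bob (1002) logs in legitimately and goes after Alice (1001)."""
    set_password(1001, "alice-pw")
    set_password(1002, "bob-pw")
    attacker = login(1002, "bob-pw")
    v_profile, _ = vulnerable_get_profile(attacker, 1001)      # Alice's location
    v_reset, _ = vulnerable_reset_password(
        attacker, {"user_id": 1001, "new_password": "owned"})
    takeover = v_reset == 200 and login(1001, "owned") is not None
    set_password(1001, "alice-pw")                             # restore for the hardened run
    h_profile, _ = hardened_get_profile(attacker, 1001)
    h_reset, _ = hardened_reset_password(
        attacker, {"user_id": 1001, "current_password": "bob-pw",
                   "new_password": "owned"})
    return {"vulnerable_profile": v_profile, "vulnerable_takeover": takeover,
            "hardened_profile": h_profile, "hardened_reset": h_reset}


if __name__ == "__main__":
    print(demo())
```

The fix is not a stronger password policy or a new login screen; it is the one line in each hardened handler that compares the requested account against the session owner. That is the "back end" check Prof Woodward refers to later in the piece, and it is what a penetration test of the whole system, rather than of the app alone, is meant to find.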
"I could look on the system and look for a nice Lamborghini or a Porsche, locate one close to where I am, go and start that car if no one's around, open the doors and drive away," said Chris Pritchard, a security consultant at Pen Test Partners.
Directed, the parent company for the Viper and Clifford brands, admitted that "customers' accounts could have been accessed without authorisation… as a result of a recent update".
It added that the company did not believe any data had been accessed without authorisation.
The security flaw has now been fixed.
"Directed is committed to providing safe and secure products but no system can be 100% safe," it told Click.
In a statement, Russia-based Pandora Alarms, which also sells products in the UK, said: "We have made changes to the code and upgraded security. The pain point has been removed."
The researchers demonstrated how the apps could be exploited
It advised that the key fob provided to owners with the alarms "would override any remote access through the app".
Security expert Professor Alan Woodward from the University of Surrey's Centre for Cyber-Security said it was "disappointing" to see relatively simple flaws introduced by companies in the business of security.
"You would have thought any company claiming security as their core business would have done a thorough penetration test on the system as a whole," he said. "It's hard not to conclude that it was not done here."
He added: "The problems were within the direct control of the company. I fear that security researchers are yet again the only ones holding these manufacturers to account."
Prof Woodward said it had become a trend for companies to spend a great deal of time on the "front end" of the apps that users see, but pay less attention to the "back end" which leaves the programmes open to security flaws.
"It should be the companies paying for this, not researchers doing it as a sideline," he said.