Every day millions of us rely on tech to protect our cars from thieves. Immobilizers, for instance, ensure only the owner of the right key fob can start the vehicle.
But now that technology has become a security threat, after hackers told Forbes they could lock down up to 25,000 cars at once. It’s all thanks to a vulnerability (now fixed) that made it frighteningly simple to quickly take remote control of a car’s immobilizer and prevent drivers from starting their vehicle.
Your car’s immobilizer is supposed to be used for good. If a crook steals your car, it’s possible for you to connect to the immobilizer, which tracks the vehicle and allows you to stop anyone from turning on the engine.
But with one particular immobilizer – the U.K.-made SmarTrack tool from Global Telemetrics – an easy-to-hack vulnerability meant it was simple for researchers at Pen Test Partners to turn on the immobilizer permanently, without the customer knowing a thing.
To prove it was possible, the researchers from British cybersecurity company Pen Test Partners hacked the vehicle of one of their own employees, disabling his car whilst they were in the U.K. and he was in Greece, not long before he was due to head to a wedding.
‘We own your immobilizer’
Ken Munro, cybersecurity researcher and partner at Pen Test Partners, first described the hack to Forbes at the DEF CON convention in Las Vegas.
He found that it was possible to turn the immobilizer on and the car off by sending a simple request via a browser. Once he’d entered the command, it took less than a second for the immobilizer to be triggered.
It was as if Munro was acting as one of the SmarTrack call center employees who were permitted to turn the immobilizer on. SmarTrack systems just weren’t correctly checking that the commands were being sent by an authorized user, Munro said.
Munro warned that it would be impossible for anyone to start the car again with the immobilizer fitted. The only option would be to have the tech removed entirely, he added. “We now control the immobiliser, so only we can de-immobilize the car.”
And, if the hacker turned the immobilizer on when the car is moving, it would simply prevent the car from running as soon as the engine stopped. As Munro noted, that could be “quite nasty” if the car has an auto start and stop function (such a feature is found in many modern models to help cut emissions in traffic).
Munro was also critical of Thatcham Research, the industry body which had given accreditation to the SmarTrack devices, saying it was safe to use. “People buy these devices thinking that the accreditation means something. We’ve shown that in some cases, fitting a theft tracker makes your car less secure,” Munro said.
Thatcham said that it accredits security products against a minimum set of requirements, including alarm and driver identification functionality. “The process also includes an attack test where the system on the vehicle needs to resist physical deactivation for two minutes,” the spokesperson added. “We do not, however, test the security of the vehicle system or the surrounding ecosystem.”
Fortunately for SmarTrack customers, the flaws have now been addressed. “All potential vulnerabilities have now been resolved,” a Global Telemetrics spokesperson said. “Our customers can be assured that no password or personal details were compromised by this process and there are no security or safety concerns with any of our products.
“Security has always been and remains of paramount importance to us and as a result of the contact from Pen Test Partners we now have reassessed our ongoing security improvement project to ensure we remain market leaders in security and safety.”
To deal with the issues, Global Telemetrics brought in cybersecurity consultancy Hedgehog Security. Peter Bassill, founder of Hedgehog, confirmed that what Munro claimed to have found was accurate.
Of the ability to shut down 25,000 cars at once, Bassill said: “It’s one of those assertions security researchers make… but there’s certainly capability where that could’ve happened… it certainly would’ve taken longer than one line of code, but the art of the possible is certainly possible.”
He said the vulnerabilities were likely down to developers writing code without enough attention to security. But Bassill has been working with new developers on the SmarTrack team to patch the vulnerabilities and set up processes to make sure issues are fixed quickly in the future.
But, as Bassill and Munro are warning, there are many immobilizers being used in millions of cars across the world. With many similar devices potentially containing security weaknesses, something we use every day without thought could very quickly become the latest weapon in a hacker’s arsenal.
-Thomas Brewster; Forbes