autoevolution

Hacker Finds Vulnerability Allowing Him to Lock Down Up to 25,000 Cars at Once

Most modern cars are fitted with an immobilizer that prevents the engine from starting unless the correct transponder key is present, a measure proven to have lowered the rate of car thefts by 40%.
[Photo gallery, 4 photos: Audi RS3 PIN code immobilizer; Audi RS5 PIN code immobilizer]
If your car is stolen, you can connect to the immobilizer to track the vehicle and shut off the engine, leaving the thief without the thing he came for. At DefCon 2019 in Las Vegas, a team of researchers showed how a single small vulnerability could give a potential attacker remote control over a vehicle. They boast that it allowed them to control up to 25,000 cars, virtually locking them down even while the rightful owner was driving.

Speaking with Forbes magazine, cybersecurity researcher Ken Munro of Pen Test Partners said the vulnerability was found in the British SmarTrack tool from Global Telemetrics. A fix has since been issued, so car owners with this specific brand of immobilizer no longer have anything to worry about on this account.

The vulnerability allowed the hacker to turn the immobilizer on permanently with a simple request sent from a web browser. Munro and his partners tested it on a colleague's car: the partners and the car were in the U.K., while Munro was in Greece, attending a wedding.

“Once he'd entered the command, it took less than a second for the immobilizer to be triggered. It was as if Munro was acting as one of the SmarTrack call center employees who were permitted to turn the immobilizer on. SmarTrack systems just weren't correctly checking that the commands were being sent by an authorized user, Munro said,” Forbes notes.

With the immobilizer turned on, nobody could start the car again unless the immobilizer was removed altogether. Munro says the consequences of this happening in traffic, with vehicles that have an automatic start-stop function, could be “quite nasty.”
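The root cause quoted from Forbes above is a missing authorization check: the backend accepted immobilizer commands from any logged-in session without verifying that the session was permitted to act on that particular vehicle. The following is an added illustration of that bug class and its fix, written for this page; it is not SmarTrack's, Global Telemetrics' or Pen Test Partners' code, and the users, roles, vehicle IDs and session tokens are constructed. It goes one step beyond the article by adding the audit-log check a defender would run to spot one principal immobilizing many vehicles.

```python
# Added example, not code from SmarTrack, Global Telemetrics or Pen Test Partners.
# Models an immobilizer command endpoint that authenticates the caller but never
# checks that the caller may act on the named vehicle, beside the hardened form.
# All names, roles, vehicle IDs and tokens below are constructed for the demo.
from dataclasses import dataclass, field
from typing import Dict, List


class AuthorizationError(Exception):
    """Raised when a principal is not permitted to command a vehicle."""


@dataclass
class User:
    user_id: str
    role: str  # assumed roles: "owner" or "operator" (call-centre staff)


@dataclass
class Vehicle:
    vehicle_id: str
    owner_id: str
    immobilized: bool = False


@dataclass
class TrackerBackend:
    users: Dict[str, User]
    vehicles: Dict[str, Vehicle]
    sessions: Dict[str, str] = field(default_factory=dict)  # token -> user_id
    audit: List[dict] = field(default_factory=list)

    def login(self, user_id: str, token: str) -> None:
        self.sessions[token] = user_id

    def _authenticate(self, token: str) -> User:
        # Authentication only answers "who is calling?", not "may they do this?"
        try:
            return self.users[self.sessions[token]]
        except KeyError:
            raise AuthorizationError("invalid session")

    def _apply(self, user: User, vehicle: Vehicle) -> None:
        vehicle.immobilized = True
        self.audit.append({"user": user.user_id, "vehicle": vehicle.vehicle_id, "outcome": "ok"})

    def immobilize_vulnerable(self, token: str, vehicle_id: str) -> bool:
        # Vulnerable pattern: any authenticated user can immobilize any vehicle ID.
        user = self._authenticate(token)
        self._apply(user, self.vehicles[vehicle_id])
        return True

    def immobilize(self, token: str, vehicle_id: str) -> bool:
        # Hardened: object-level authorization. The principal must own the vehicle
        # or hold the operator role; denials are logged as well as successes.
        user = self._authenticate(token)
        vehicle = self.vehicles[vehicle_id]
        if user.role != "operator" and vehicle.owner_id != user.user_id:
            self.audit.append({"user": user.user_id, "vehicle": vehicle_id, "outcome": "denied"})
            raise AuthorizationError(f"{user.user_id} may not command {vehicle_id}")
        self._apply(user, vehicle)
        return True


def mass_immobilize_alerts(audit: List[dict], max_vehicles: int) -> List[str]:
    """Detection: principals that successfully immobilized more than max_vehicles
    distinct vehicles. An owner only ever commands their own car, so a spread of
    distinct vehicles behind one account is the trace the scenario would leave."""
    seen: Dict[str, set] = {}
    for entry in audit:
        if entry["outcome"] == "ok":
            seen.setdefault(entry["user"], set()).add(entry["vehicle"])
    return sorted(u for u, v in seen.items() if len(v) > max_vehicles)


def build_demo() -> TrackerBackend:
    """Constructed fixture: five tracked vehicles, two owners and one operator."""
    users = {
        "alice": User("alice", "owner"),
        "bob": User("bob", "owner"),
        "ops1": User("ops1", "operator"),
    }
    # Odd-numbered vehicles belong to alice, even-numbered ones to bob.
    vehicles = {f"V{i}": Vehicle(f"V{i}", "alice" if i % 2 else "bob") for i in range(1, 6)}
    backend = TrackerBackend(users, vehicles)
    backend.login("alice", "tok-alice")
    backend.login("bob", "tok-bob")
    backend.login("ops1", "tok-ops")
    return backend


if __name__ == "__main__":
    b = build_demo()
    for vid in list(b.vehicles):  # bob sweeps every vehicle through the unchecked path
        b.immobilize_vulnerable("tok-bob", vid)
    print("flagged by audit check:", mass_immobilize_alerts(b.audit, max_vehicles=1))
    h = build_demo()
    try:
        h.immobilize("tok-bob", "V1")  # V1 belongs to alice: denied on the hardened path
    except AuthorizationError as err:
        print("denied:", err)
```

The fix is the ownership-or-role test inside `immobilize`; the vulnerable path differs only by omitting it, which is why the bug is easy to miss in review. The audit check is the complementary control: even with the fix in place, a single account immobilizing more than a handful of distinct vehicles is worth an alert.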

After the vulnerability was disclosed and presented at the Las Vegas event, Global Telemetrics issued a fix. The company says customers can rest assured that their passwords and personal details have not been compromised and that “there are no security or safety concerns with any of our products.”

Cybersecurity consultancy Hedgehog Security was brought in to address the issue; its founder Peter Bassill told Forbes that Munro’s claim that the vulnerability could have been used to lock down up to 25,000 cars at once is something of an exaggeration. “It's one of those assertions security researchers make... but there's certainly capability where that could've happened... it certainly would've taken longer than one line of code, but the art of the possible is certainly possible,” Bassill says.
