Welcome back, my budding cyber warriors!
Automobile or car hacking is the cutting edge of the cyber security world right now. With the advent of digital systems in automobiles and other vehicles, and with autonomous cars soon to follow, this field is rife with potential cyber security issues that will significantly impact our society and safety. This is precisely why I began this series and will be teaching the upcoming Car Hacking course (part of the Subscriber PRO package).
In previous tutorials in this section on automobile hacking, we have;
Background
Due to the well-known vulnerabilities in the key fobs used by many cars, people have been purchasing car alarm systems to compensate. Many of these key fobs can be hacked using relay attacks as outlined here. As a result, car alarm vendors have been selling high-end (some as much as $5000) car alarm systems to compensate for this risk and billing themselves as "unhackable" (that's like waving a red cape before a bull to a hacker). As it turns out, many of these alarm systems are actually easier to hack than the key fob or other digital systems on the vehicle.
Recently, Pentest Partners was able to demonstrate that they could take control of these systems with little more than parameter tampering (a trivial web app hacking technique) of the email/user reset option.
Below is a screenshot of the app from one of the companies offering these alarm systems. As you can see, this app enables the user to lock/unlock, geo-locate and start/stop the car remotely. If an attacker can modify the user on this app, then they, and not the legitimate owner, could do all of these things.
Parameter Tampering
When the folks at Pentest Partners chose the "modify user" option on the Viper alarm system, they found that this request was not properly validated as seen below. As a result, they could simply send a POST request to modify the user and password and take control of the vehicle. This can be done with a proxy such as BurpSuite, Paros Proxy or Tamper Data. The legitimate user is then locked out of their own car and the hacker can take control of the vehicle.
As you can see below, the user's email and password were changed to that of the attacker and now the attacker can unlock/lock and start/stop the vehicle at will.
Pandora
On a similar system from the company Pandora, the same lack of validation was found in their "modify user" option. Here, the hacker can simply modify the "email" field with their own email address and use an "id" number to send a request to change the user and password.
As you can see below, the hackers are able to change the email address and password of the user and take control of the vehicle.
Conclusion
Automobile or vehicle hacking is the cutting edge of cyber security as transportation systems become increasingly digital. Manufacturers of these vehicles are making the same mistakes that were common 15 years ago among traditional IT systems. These alarm system manufacturers made a very basic mistake in not validating the modify user function, enabling an attacker to take control of the "protected" vehicle by simple parameter tampering.
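The server-side check that was missing from the "modify user" function can be shown as an unvalidated handler beside a hardened one. This is an added example, not code from either vendor or from Pentest Partners. `AccountStore`, both function names and the `current_password` field are hypothetical, the data is constructed, and it assumes the caller holds a valid session for a different account.

```python
import hashlib, hmac, os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountStore:
    """Constructed in-memory stand-in for an alarm vendor's user database."""
    def __init__(self):
        self.users = {}      # id -> {"email", "salt", "pw"}
        self.sessions = {}   # session token -> authenticated user id

    def add_user(self, uid, email, password):
        salt = os.urandom(16)
        self.users[uid] = {"email": email, "salt": salt, "pw": _hash(password, salt)}

    def login(self, uid, password):
        u = self.users[uid]
        if not hmac.compare_digest(u["pw"], _hash(password, u["salt"])):
            raise PermissionError("bad credentials")
        token = os.urandom(16).hex()
        self.sessions[token] = uid
        return token

def modify_user_unvalidated(store, token, params):
    """The flaw: the account to change is taken from the request's 'id'."""
    if token not in store.sessions:
        raise PermissionError("not logged in")
    store.users[params["id"]]["email"] = params["email"]  # no ownership check

def modify_user_validated(store, token, params):
    """Hardened: the target account comes from the session, never the request."""
    uid = store.sessions.get(token)
    if uid is None:
        raise PermissionError("not logged in")
    if "id" in params and params["id"] != uid:
        raise PermissionError("id does not match authenticated session")
    u = store.users[uid]
    # Re-authenticate before changing the address used for password resets.
    supplied = _hash(params.get("current_password", ""), u["salt"])
    if not hmac.compare_digest(u["pw"], supplied):
        raise PermissionError("current password required")
    u["email"] = params["email"]
```

Logging every rejected request where the supplied `id` differs from the session's account gives the vendor a direct detection signal for tampering attempts.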
Keep coming back for more Automobile Hacking!