A flaw in a connected alarm system exposed vehicles to remote hacking

A bug that allowed two researchers to gain access to the backend systems of a popular internet-connected vehicle management system could have given a malicious hacker everything they needed to track the vehicle's location, steal user information, and even cut out the engine.

In a disclosure this week, the researchers Vangelis Stykas and George Lavdanis detailed a bug in a misconfigured server run by Calamp, a telematics company that provides vehicle security and tracking, which gave them "direct access to most of its production databases."

Car hacking has become a major focus in the security community in recent years, as more vehicles are hooked up to the cellular internet. But while it's convenient to control your car from your phone, that connectivity has also opened up new points of attack -- which could have real-world consequences.

You might not even realize you're a Calamp user. Many apps, including the vehicle tracking app Viper SmartStart, which lets users locate, start, and control their car from their phone, connect to the outside world using a Calamp modem to reach its cloud-based servers.

The researchers found that the Viper mobile app, while secure, was connecting to two different servers -- one used by Viper, and another run by Calamp.

Using the same credentials as the app, they were also able to log in and gain complete access to the Calamp server, the researchers said in their write-up.

"You could easily exploit it and as we had full access to the database," said Stykas in an email. "We could do a lot of stuff -- pretty much any scenario that we could think of was disastrous, like mass stealing cars or turning off vehicle via panic button when going with a high speed," he said.

By querying the database, Stykas said it was possible to find a car by looking up nearby latitude and longitude coordinates, reset the password, unlock the driver's side door, start the engine, and drive away.

 
