Car Trackers Could Let Hackers Track and Immobilize Vehicles

Statistics show that car trackers contribute significantly to lowering the car theft rate. The rate drops as much as 40% in countries where such devices are mandatory. But when developers ignore basic security practices, bad actors can use them to track vehicles, suppress alarms or steal personal information.

Security researchers from Pen Test Partners tested the SmarTrack, LoJack/Tracker and TrackStar devices used across Europe and found they did not verify whether commands come from a trusted source. In one case, this could even let an attacker immobilize a car mid-traffic and make it impossible to start again.

All three car tracking systems come with mobile apps that help owners set up geo-fences, enable alerts when the vehicle is moved, or track it in real time. The app server of all these devices had trouble checking whether a command came from an authorized party. This could be exploited to affect thousands of cars.

In the case of LoJack/Tracker, the experts managed to hijack an account after noticing that the client identification value was incremental and they could change the email address for any account. This could let them trigger a password reset that would deliver the details to the attacker’s address.

Once in control, the hacker can track in real time any vehicle fitted with a LoJack/Tracker device, and delete theft alerts straight from the app when the car moves outside the geo-fence area defined by the owner.

An equally serious flaw was discovered in the TrackStar system, which also used incremental values for users’ accounts. That number gives “access to login, telephone number of all users, and allows you to remove all devices that are associated with the device,” the researchers note.

This also allows attackers to add a new device, which offers the password for the mobile app and “full mobile access to all cars.” Car thieves would be able to remove the geo-fences as well as locate cars and track users in real time.

SmarTrack is the only tracker of the three with a car immobilization function that prevents the car from driving. The command comes from an authorized call center at the request of the owner or police. Cars fitted with this device would no longer start after receiving the immobilize command; the owner must physically remove the immobilizer to start the car.

Because they weren’t verifying that commands were sent by authorized users, SmarTrack devices complied as if instructions came from a call center employee sanctioned to activate the immobilizer. A worrying part is that thousands of cars could be stopped in traffic by a request through a web browser.

Speaking to Forbes, Ken Munro of Pen Test Partners said that an attacker could shut down in an instant as many as 25,000 vehicles with auto start and stop function. All of them could be frozen while waiting for the green light, for example.

The researchers privately disclosed the issues to the vendors of these devices and adequate fixes were rolled out.

Image credit: pixel2013