Connected cars are the hottest area in the automotive world. Securing those vehicles from cyber attacks and remote takeovers should be equally hot. Two researchers found that in some cars, a number of applications connect to a particular server, and that a weakness reachable through this server allows those vehicles to be hijacked. This server is managed by telematics company CalAmp.
According to the researchers, this server runs a number of popular applications such as Viper SmartStart, which allows users to control certain aspects of the vehicle through a mobile device. Locating, locking and unlocking the car, as well as starting it, can all be done through this application.
The researchers found that the Viper vehicle application would connect to 2 servers, one of which is Viper’s and the other CalAmp’s. Using credentials from the Viper application, the researchers had complete access to CalAmp’s server.
“We could do a lot of stuff — pretty much any scenario that we could think of was disastrous, like mass stealing cars or turning off vehicle via panic button when going with a high speed,” one researcher stated.
With this vulnerability, criminals could easily locate a vehicle that used the company’s system, unlock it, start it, and drive away.
CalAmp closed the hole after the researchers’ inquiry. A company spokesman noted:
“CalAmp takes the matter of IT and data security seriously. Once we received the bug report, our team promptly investigated and developed a patch to address it. We believe that this matter has been resolved without issue.”