If you have a car, there’s a good chance it has a car alarm. But did you know that a hacker can simply hack car alarms, and take off with your precious vehicle?

We’ve already seen how ridiculously easy it is to hack medical equipment, and so-called “smart” cities. This time we’ll see how simple it is to hack something a little less critical; car alarms.

Researchers at British penetration testing and security services firm Pen Test Partners had a look at the security of two of the largest aftermarket car alarm vendors, Viper and Pandora. Like with the medical equipment and smart cities hacks we’ve discussed earlier, both Viper and Pandora had a basic security flaw in their products. The insecure direct object reference (IDOR) vulnerability allowed an attacker to hijack and take complete control of user accounts. The IDOR is a kind of vulnerability this is typically covered in any Internet Security 101 class.

Now that the hacker has control of your Viper or Pandora car alarm, what can they do?

Superuser.

Both Viper and Pandora let the user see where the car is located on a map in real time. This makes it easy to find the vehicle. Next, the manufacturer’s phone apps will let the user unlock the car with a single click. Once the car is unlocked, whoever controls the account can enter the car, start the engine with another click in the phone app, and drive off.

Having a car alarm from Viper and Pandora installed could actually make your car considerably easier to steal than if the car alarm wasn’t installed.

But you can use the hijacked user accounts for more than just stealing cars. Pen Test Partners realized they were able to kill the engine Viper equipped cars whilst they were moving. A malicious user could easily use this to cause accidents.

If you want to eavesdrop on the conversations in a Pandora equipped car, this is possible. The Pandora alarm has the ability to make SOS calls, and the microphone can be enabled remotely.

Unhackable!

Pandora painted a huge, red bull’s eye on themselves by advertising their products as “unhackable”. Like we all know by now, nothing is unhackable. The best you can hope for is that you’ve been able to make it hard enough to break into that hackers don’t bother with you, but instead move on to an easier target.

As with medical equipment and smart city hardware, the basic problem with these car alarms is that they are connected to the internet. They don’t have to be. The minute you connect something to the internet, it’s a target for someone. Please stop connecting stuff to the internet.

Both Pandora and Viper have now fixed the IDOR vulnerability that Pen Test Partners used to hijack user accounts. But there might be other vulnerabilities that can be used to hijack user accounts. And other car alarm manufacturers might have the similar issues.