Hundreds of thousands of engine immobilisers hackable over the net

Kiwi hacker finds brutal holes in location, tracking units


Kiwicon Kiwi hacker Lachlan Temple has found holes in a popular cheap car tracking and immobilisation gadget that can allow remote attackers to locate, eavesdrop, and in some cases cut the fuel intake to hundreds of thousands of vehicles, some while in motion.

The gadgets are rebranded white box units from Chinese concern ThinkRace that allow users to attach to their cars to enable remote tracking, engine immobilisation, microphone recording, geo-fencing, and location tracking over a web interface.

In Australia the units badged as "Response" sell for about A$150 at electronics chain JayCar or through some mechanics who offer to install the devices.

One of the unit's relay leads is commonly attached to car fuel pumps as a means to remotely-immobilise stolen vehicles.

But session cookie vulnerabilities turn that function, in the worst case, into a means of shutting off the fuel supply to cars while they are in motion, over the internet.

Temple (@skooooch) told the Kiwicon security confab in Wellington today that the flaws allow attackers who log into any account, including a universal demonstration account, to access any of the 360,000 units ThinkRace claims it sold without needing a password.

"You just brute force every account, you can increment each one," Temple told Vulture South.

"You could disable someone's car if they have wired the relay, so if that happened on a freeway that is pretty dangerous.

"Most people would wire it this way, that's the main point of it and the reason why mechanics sell it."
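The flaw Temple describes is a broken object-level authorisation check: any valid session, the shared demo login included, can fetch any unit by walking its small integer identifier. The model below is an added illustration written for this article, not ThinkRace's portal code; the portal layout, session tokens, unit ids and log lines are all constructed. It puts the flawed lookup beside a fixed one that ties each unit to the session's own account and refuses demo logins, and adds a log check that flags a session sweeping consecutive unit ids, which is the pattern a fleet or portal operator would want to alert on.

```python
# Added illustration, not ThinkRace's code: a tracker portal keyed by small
# integer unit ids. The flawed view checks only for *a* valid session; the
# fixed view also checks ownership. find_enumeration flags id sweeps in logs.
from collections import defaultdict

# Constructed sample data: session token -> account, unit id -> record.
SESSIONS = {"tok-alice": "alice", "tok-demo": "demo"}
UNITS = {1001: {"owner": "alice", "phone": "+64-21-000-0000", "lat": -41.29, "lon": 174.78},
         1002: {"owner": "bob", "phone": "+64-21-111-1111", "lat": -36.85, "lon": 174.76}}
DEMO_ACCOUNTS = {"demo"}  # shared demo logins must never reach real units

def unit_view_flawed(token, unit_id):
    """Any logged-in session, demo included, can read any unit by id."""
    if token not in SESSIONS:
        return None
    return UNITS.get(unit_id)

def unit_view_fixed(token, unit_id):
    """Object-level authorisation: the session's account must own the unit."""
    account = SESSIONS.get(token)
    if account is None or account in DEMO_ACCOUNTS:
        return None
    unit = UNITS.get(unit_id)
    if unit is None or unit["owner"] != account:
        return None  # indistinguishable from 'no such unit', so ids leak nothing
    return unit

def find_enumeration(log_lines, min_run=5):
    """Return sessions whose requests walk >= min_run consecutive unit ids.
    Each constructed log line has the form "<session> GET /unit/<id>"."""
    seen = defaultdict(list)
    for line in log_lines:
        session, _, path = line.split()
        seen[session].append(int(path.rsplit("/", 1)[1]))
    flagged = []
    for session, ids in seen.items():
        ids = sorted(set(ids))
        run = 1
        for a, b in zip(ids, ids[1:]):
            run = run + 1 if b == a + 1 else 1
            if run >= min_run:
                flagged.append(session)
                break
    return flagged
```

The fixed view returns the same "not found" result for a unit that does not exist and one the caller does not own, so a probing client cannot tell valid ids from invalid ones.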

Lachlan Temple. Photo by Darren Pauli / The Register

Temple says consumers can instead wire the relay to the starter motor, meaning it would not stop the car while in motion but would prevent it from starting up again once turned off.

He says consumers should throw out the units.

Attackers could also find users' personal details, including the phone numbers registered so that the device can issue alerts via its installed SIM card.

The GPS units and kid's watch. Photo by Darren Pauli / The Register

A microphone installed in the devices also allows attackers to eavesdrop on cars.

The same units are built into children's watches sold by ThinkRace and likely contain the same flaws, allowing kids to be eavesdropped on and tracked.

Temple will next turn his attention to more expensive tracking gadgets more likely used in commercial fleets. ®
