
Hundreds of thousands of engine immobilisers hackable over the net

Kiwi hacker finds brutal holes in location-tracking, immobiliser units


Kiwicon Kiwi hacker Lachlan Temple has found holes in a popular, cheap car-tracking and immobilisation gadget that allow remote attackers to locate and eavesdrop on, and in some cases cut the fuel supply to, hundreds of thousands of vehicles, some of them while in motion.

The gadgets are rebranded white-box units from Chinese manufacturer ThinkRace that users attach to their cars for remote location tracking, engine immobilisation, microphone recording and geo-fencing, all managed through a web interface.

In Australia the units, badged as "Response", sell for about A$150 at electronics chain Jaycar or through mechanics who offer to install them.

One of the unit's relay leads is commonly wired to the car's fuel pump so that a stolen vehicle can be remotely immobilised.

But session cookie vulnerabilities turn that function, in the worst case, into a way to cut off a car's fuel supply over the internet while it is moving.

Temple (@skooooch) told the Kiwicon security confab in Wellington today that the flaws allow anyone who can log into any account, including a universal demonstration account, to access any of the 360,000 units ThinkRace claims to have sold, without needing the owner's password.

"You just brute force every account, you can increment each one," Temple told Vulture South.

"You could disable someone's car if they have wired the relay, so if that happened on a freeway that is pretty dangerous.

"Most people would wire it this way, that's the main point of it and the reason why mechanics sell it."
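To make the flaw class concrete, here is an added illustration; it is not ThinkRace's code and is not from the original article. It models a web back end whose session cookie carries a small sequential account number that the server trusts as-is, so whoever holds the demo login can reach every other account simply by counting upward, and then shows the usual fix: an opaque random session token resolved server-side, plus an ownership check on every device request. The cookie layout, account numbers, phone numbers and GPS fixes are all constructed assumptions; the article does not describe the real interface's cookie format.

```python
"""Sequential-id session cookie (vulnerable) beside an opaque-token
design with an authorisation check (hardened).  Constructed example."""
import secrets
from typing import Optional

# Constructed back-end data: account id -> details the portal exposes.
# Phone numbers and fixes are made up.
ACCOUNTS = {
    1000: {"phone": "+64 21 000 0001", "fix": (-41.29, 174.78), "relay": "armed"},
    1001: {"phone": "+64 21 000 0002", "fix": (-36.85, 174.76), "relay": "armed"},
    1002: {"phone": "+64 21 000 0003", "fix": (-43.53, 172.64), "relay": "armed"},
}
DEMO_ACCOUNT = 1000  # the shared demonstration login (assumed id)


# ---- Vulnerable design: the cookie value *is* the account number --------
def vuln_login(account_id: int) -> str:
    """Login hands back a cookie that is nothing but the account id."""
    return f"uid={account_id}"


def vuln_lookup(cookie: str) -> Optional[dict]:
    """Trusts whatever id the client sends; nothing ties it to a login."""
    uid = int(cookie.split("=", 1)[1])
    return ACCOUNTS.get(uid)


def enumerate_vuln(start_cookie: str, count: int) -> list[int]:
    """The attack: start from the demo cookie and increment the id."""
    base = int(start_cookie.split("=", 1)[1])
    return [uid for uid in range(base, base + count)
            if vuln_lookup(f"uid={uid}") is not None]


# ---- Hardened design: random opaque token, binding held server-side -----
SESSIONS: dict[str, int] = {}  # token -> account id, never sent to client


def safe_login(account_id: int) -> str:
    """Issue a 256-bit unguessable token and remember who it belongs to."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_id
    return f"sid={token}"


def safe_lookup(cookie: str, requested_id: int) -> Optional[dict]:
    """Resolve the session server-side, then require the caller to own
    the account being requested (the check the vulnerable path lacks)."""
    token = cookie.split("=", 1)[1]
    owner = SESSIONS.get(token)
    if owner is None or owner != requested_id:
        return None  # unknown session, or somebody else's unit
    return ACCOUNTS.get(requested_id)


def enumerate_safe(cookie: str, start: int, count: int) -> list[int]:
    """Same counting attack against the hardened path."""
    return [uid for uid in range(start, start + count)
            if safe_lookup(cookie, uid) is not None]


if __name__ == "__main__":
    print("vulnerable:", enumerate_vuln(vuln_login(DEMO_ACCOUNT), 3))
    print("hardened:  ", enumerate_safe(safe_login(DEMO_ACCOUNT), 1000, 3))
```

The point of the hardened half is that both defects need fixing together: an unguessable token stops the cookie itself from being forged, and the ownership check stops a legitimately logged-in demo user from simply asking for somebody else's account id.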

Lachlan Temple. Photo by Darren Pauli / The Register

Temple says consumers can instead wire the relay to the starter motor, so the immobiliser cannot stop a moving car and only prevents it from starting again once it has been turned off.

He says consumers should throw out the units.

Attackers could also retrieve owners' personal details, including the phone numbers registered so that the device can send alerts via its installed SIM card.

The GPS units and kid's watch. Photo Darren Pauli / The Register.

A microphone built into the devices also lets attackers eavesdrop on conversations inside the car.

The same units are built into children's watches sold by ThinkRace and likely contain the same flaws, allowing children to be eavesdropped on and tracked.

Temple will next turn his attention to more expensive tracking gadgets, of the kind more likely to be used in commercial fleets. ®
