Security

Hundreds of thousands of engine immobilisers hackable over the net

Kiwi hacker finds brutal holes in location, tracking units

By Darren Pauli

18 SHARE

Kiwicon Kiwi hacker Lachlan Temple has found holes in a popular cheap car tracking and immobilisation gadget that can allow remote attackers to locate, eavesdrop, and in some cases cut the fuel intake to hundreds of thousands of vehicles, some while in motion.

The gadgets are rebranded white box units from Chinese concern ThinkRace that allow users to attach to their cars to enable remote tracking, engine immobilisation, microphone recording, geo-fencing, and location tracking over a web interface.

In Australia the units badged as "Response" sell for about A$150 at electronics chain JayCar or through some mechanics who offer to install the devices.

One of the unit's relay leads is commonly attached to car fuel pumps as a means to remotely-immobilise stolen vehicles.

But session cookie vulnerabilities turn that function - in the worst case scenario - into a means to shut off fuel supply to cars while in motion over the internet.

Temple (@skooooch) told the Kiwicon security confab in Wellington today the flaws allow attackers who log into any account -- including a universal demonstration account - to log into any of the 360,000 units ThinkRace claims it sold without need of a password.

"You just brute force everyone account, you can increment each one," Temple told Vulture South.

"You could disable someone's car if they have wired the relay, so if that happened on a freeway that is pretty dangerous.

"Most people would wire it this way, that's the main point of it and the reason why mechanics sell it."

Lachlan Temple. Photo by Darren Pauli / The Register

Temple says consumers can wire the relay to the starter motor meaning it would not stop the car while in motion and instead would prevent it starting up once turned off.

He says consumers should throw out the units.

Attackers could also find user personal details including phone numbers which are registered in order for the device to issue alerts via an installed SIM card.

The GPS units and kid's watch. Photo Darren Pauli / The Register.

A microphone installed in the devices also allows attackers to eavesdrop on cars.

The same units are built into children's watches sold by ThinkRace and likely contain the same flaws allowing kids to be eavesdropped and tracked.

Temple will next turn his attention to more expensive tracking gadgets more likely used in commercial fleets. ®

Sign up to our NewsletterGet IT in your inbox daily

18 Comments

Keep Reading

Open-source bug bonanza: Vulnerabilities up almost 50 per cent thanks to people actually looking for them

Can't fix flaws if you don't look for them

Google halts Chrome, Chrome OS releases to avoid shipping flawed code, prioritizes security fixes amid coronavirus crunch

Updated COVID-19 raises risk of software bugs due to staff schedule shifts

Life's certainties: Death, taxes, and Cisco patching more serious vulnerabilities

Switchzilla closes off 18 CVE-listed holes, get to work

Google's OpenSK lets you BYOSK – burn your own security key

Now there's no excuse

American intelligence follows British lead in warning of serious VPN vulnerabilities

Now if only they'd accept the Queen back again...

GitHub gobbles biz used by NASA, Google, etc to search code for bugs and security holes in Mars rovers, apps...

Semmle's flaw-finding queries can be shared and used on multiple projects

Too bad, so sad, exploit devs: Google patches possibly several million dollars' worth of security flaws in Android

Except one – a 'your phone is now my phone' bug reported months ago and still not fixed

Android users, if you could pause your COVID-19 panic buying for one minute to install these critical security fixes, that would be great

MediaTek chipset flaw already exploited in the wild

What do you not want right now? A bunch of Cisco SD-WAN, Webex vulnerabilities? Here are a bunch of them

Switchzilla says remote networking gear has a grab-bag of holes

Google security crew sheds light on long-running super-stealthy iOS spyware operation

Updated Project Zero dissects years-long surveillance campaign

Tech Resources

10 Critical Issues to Cover in Your Vendor Security Questionnaires

In today’s perilous cyber world, it’s crucial for companies to assess and monitor the security of their vendors, suppliers and business partners. Failing to do so can be risky, because hackers frequently steal sensitive enterprise data by targeting the third parties to which enterprises are connected.

2020 CrowdStrike Global Threat Report

The 2020 Global Threat Report is one of the industry's most highly anticipated reports on today's most significant cyber threats and adversaries.

A Definitive Guide to Understanding and Meeting the CIS Critical Security Controls

The CIS Critical Security Controls are the industry standard for good security. Are you up to par?

The Data-Driven Case for CI

What does a high performing technology delivery team look like? How do you know if your team is doing well?