Sign Up
All SecurityCyber-crimePatchesResearchCSO
All Off-PremEdge + IoTChannelPaaS + IaaSSaaS
All On-PremSystemsStorageNetworksHPCPersonal TechCxOPublic Sector
All SoftwareAI + MLApplicationsDatabasesDevOpsOSesVirtualization
All OffbeatDebatesColumnistsScienceGeek's GuideBOFHLegalBootnotesSite NewsAbout Us

Security

Hundreds of thousands of engine immobilisers hackable over the net

Kiwi hacker finds brutal holes in location, tracking units

Darren Pauli Fri 11 Dec 2015  //  06:31 UTC

Kiwicon Kiwi hacker Lachlan Temple has found holes in a popular cheap car tracking and immobilisation gadget that can allow remote attackers to locate, eavesdrop, and in some cases cut the fuel intake to hundreds of thousands of vehicles, some while in motion.

The gadgets are rebranded white box units from Chinese concern ThinkRace that allow users to attach to their cars to enable remote tracking, engine immobilisation, microphone recording, geo-fencing, and location tracking over a web interface.

In Australia the units badged as "Response" sell for about A$150 at electronics chain JayCar or through some mechanics who offer to install the devices.

One of the unit's relay leads is commonly attached to car fuel pumps as a means to remotely-immobilise stolen vehicles.

But session cookie vulnerabilities turn that function - in the worst case scenario - into a means to shut off fuel supply to cars while in motion over the internet.

Temple (@skooooch) told the Kiwicon security confab in Wellington today the flaws allow attackers who log into any account -- including a universal demonstration account - to log into any of the 360,000 units ThinkRace claims it sold without need of a password.

"You just brute force everyone account, you can increment each one," Temple told Vulture South.

"You could disable someone's car if they have wired the relay, so if that happened on a freeway that is pretty dangerous.

"Most people would wire it this way, that's the main point of it and the reason why mechanics sell it."

Lachlan Temple. Photo by Darren Pauli / The Register

Temple says consumers can wire the relay to the starter motor meaning it would not stop the car while in motion and instead would prevent it starting up once turned off.

He says consumers should throw out the units.

Attackers could also find user personal details including phone numbers which are registered in order for the device to issue alerts via an installed SIM card.

The GPS units and kid's watch. Photo Darren Pauli / The Register.

A microphone installed in the devices also allows attackers to eavesdrop on cars.

The same units are built into children's watches sold by ThinkRace and likely contain the same flaws allowing kids to be eavesdropped and tracked.

Temple will next turn his attention to more expensive tracking gadgets more likely used in commercial fleets. ®
Send us news
18 Comments

It's 2024 and Intel silicon is still haunted by data-spilling Spectre

Go, go InSpectre Gadget

Microsoft squashes SmartScreen security bypass bug exploited in the wild

Plus: Adobe, SAP, Fortinet, VMware, Cisco issue pressing updates

Delinea Secret Server customers should apply latest patches

Attackers could nab an org's most sensitive keys if left unaddressed

OpenAI's GPT-4 can exploit real vulnerabilities by reading security advisories

While some other LLMs appear to flat-out suck

CISA in a flap as Chirp smart door locks can be trivially unlocked remotely

Hard-coded credentials last thing you want in home security app

Cisco creates architecture to improve security and sell you new switches

Hypershield detects bad behavior and automagically reconfigures networks to snuff out threats

Zero-day exploited right now in Palo Alto Networks' GlobalProtect gateways

Out of the PAN-OS and into the firewall, a Python backdoor this way comes

Exploit code for Palo Alto Networks zero-day now public

Race on to patch as researchers warn of mass exploitation of directory traversal bug

Crooks exploit OpenMetadata holes to mine crypto – and leave a sob story for victims

'I want to buy a car. That's all'

Japanese government rejects Yahoo<i>!</i> infosec improvement plan

Just doesn't believe it will sort out the mess that saw data leak from LINE messaging app

Old Windows print spooler bug is latest target of Russia's Fancy Bear gang

Putin's pals use 'GooseEgg' malware to launch attacks you can defeat with patches or deletion

Intel's neuromorphic 'owl brain' swoops into Sandia labs

Hala Point system crams more than a thousand neurochips into a 6U chassis to tackle real-time AI