
Hundreds of thousands of engine immobilisers hackable over the net

Kiwi hacker finds brutal holes in location, tracking units

By Darren Pauli


Kiwicon Kiwi hacker Lachlan Temple has found holes in a popular, cheap car-tracking and immobilisation gadget that allow remote attackers to locate, eavesdrop on, and in some cases cut the fuel intake to hundreds of thousands of vehicles, some while in motion.

The gadgets are rebranded white-box units from Chinese concern ThinkRace that users attach to their cars to enable remote tracking, engine immobilisation, microphone recording, geo-fencing, and location tracking over a web interface.

In Australia the units, badged as "Response", sell for about A$150 at electronics chain JayCar or through some mechanics who offer to install them.

One of the unit's relay leads is commonly attached to the car's fuel pump as a means to remotely immobilise stolen vehicles.

But session cookie vulnerabilities turn that function, in the worst case, into a way to shut off the fuel supply to cars over the internet while they are in motion.

Temple (@skooooch) told the Kiwicon security confab in Wellington today that the flaws allow attackers who log into any account, including a universal demonstration account, to access any of the 360,000 units ThinkRace claims it has sold, without needing a password.

"You just brute force everyone's account, you can increment each one," Temple told Vulture South.

"You could disable someone's car if they have wired the relay, so if that happened on a freeway that is pretty dangerous.

"Most people would wire it this way, that's the main point of it and the reason why mechanics sell it."
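The access-control failure described above, modelled as an added Python example that is not code from the article, ThinkRace, or Temple: a session that proves only that someone is logged in is accepted as proof of ownership of any device id, beside the ownership check that closes the hole and a log check for the "increment each one" pattern. All device ids, session tokens and log lines are constructed.

```python
# Added illustration of the article's flaw class (broken object-level
# authorisation), not the vendor's code. All data below is constructed.
from collections import defaultdict

# Constructed sample data: sequential device ids and the account each
# session token authenticated as.
DEVICES = {1001: {"owner": "alice", "relay": "fuel_pump"},
           1002: {"owner": "bob", "relay": "starter"},
           1003: {"owner": "carol", "relay": "fuel_pump"}}
SESSIONS = {"sess-demo": "demo", "sess-bob": "bob"}

def immobilise_vulnerable(session, device_id):
    """Checks only that the session is logged in, never that it owns the device."""
    if session not in SESSIONS:
        return "denied: not logged in"
    if device_id not in DEVICES:
        return "denied: no such device"
    return f"relay {DEVICES[device_id]['relay']} cut on {device_id}"

def immobilise_fixed(session, device_id):
    """Authorisation: the authenticated account must own the target device."""
    user = SESSIONS.get(session)
    if user is None:
        return "denied: not logged in"
    dev = DEVICES.get(device_id)
    # Same generic answer for 'missing' and 'not yours', so the endpoint
    # does not confirm which ids exist to a probing session.
    if dev is None or dev["owner"] != user:
        return "denied"
    return f"relay {dev['relay']} cut on {device_id}"

def enumeration_sessions(log_lines, min_run=3):
    """Flag sessions that touched at least min_run consecutive device ids.
    log_lines are constructed 'session device_id result' records."""
    seen = defaultdict(set)
    for line in log_lines:
        sess, dev, _ = line.split(maxsplit=2)
        seen[sess].add(int(dev))
    flagged = []
    for sess, ids in seen.items():
        ordered = sorted(ids)
        run = best = 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged.append(sess)
    return sorted(flagged)
```

The detection function only works if every device command is logged with the session that issued it, which is the logging gap a vendor shipping such a product should close first.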

Lachlan Temple. Photo by Darren Pauli / The Register

Temple says consumers can instead wire the relay to the starter motor, which would not stop the car while in motion but would prevent it from starting again once switched off.

He says consumers should throw out the units.

Attackers could also obtain users' personal details, including the phone numbers registered so the device can issue alerts via its installed SIM card.

The GPS units and kids' watch. Photo by Darren Pauli / The Register.

A microphone installed in the devices also allows attackers to eavesdrop on cars.

The same units are built into children's watches sold by ThinkRace and likely contain the same flaws, allowing kids to be eavesdropped on and tracked.

Temple will next turn his attention to more expensive tracking gadgets more likely used in commercial fleets. ®

