Written by Ana Magazinius, RISE Viktoria.
Immobilizers are used to make sure that only the owner of a car, using the correct key fob, can start their vehicle. If the car is stolen, the owner can connect to it via the immobilizer and make sure that it cannot be started again.
However, hackers from Pen Test Partners (https://www.pentestpartners.com/) have now demonstrated that they can immobilize cars that use the SmarTrack tool from Global Telemetrics, and that they can do so permanently without the owner being alerted about it. Further, the hack makes it impossible for anyone but the hackers to activate the car again without removing the immobilizer completely. How? As it turns out, the immobilizer could be turned on (and the car off) by sending a simple request via a browser. The SmarTrack systems did not check that the commands were sent by an authorized user. This issue has now been fixed, and the vulnerability has been attributed to developers who had too little focus on security.
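
The missing check described above, as an added example that is not from the original article or from Global Telemetrics' code: a command handler that trusts the request as sent, next to one that authenticates the caller, authorizes per device and records a notification for the owner. The request fields, session tokens and device ids are constructed for illustration.

```python
# Constructed sample data: session token -> user, device id -> owning user.
SESSIONS = {"tok-alice": "alice", "tok-mallory": "mallory"}
DEVICE_OWNER = {"dev-100": "alice"}
ALLOWED_ACTIONS = ("immobilise", "release")


def new_state():
    """Fresh backend state: immobiliser flags plus an owner notification log."""
    return {"immobilised": {"dev-100": False}, "notifications": []}


def handle_unchecked(state, request):
    """Flawed pattern: acts on whatever device id the request names.

    No session is required, ownership is never looked up and nothing is
    recorded for the owner, so the state change is silent.
    """
    state["immobilised"][request["device"]] = request["action"] == "immobilise"
    return 200


def handle_checked(state, request):
    """Corrected pattern: authenticate, authorize per device, notify owner."""
    # 1. Authentication: the request must carry a valid session token.
    user = SESSIONS.get(request.get("token"))
    if user is None:
        return 401

    # 2. Authorization: the authenticated user must own the named device.
    #    Unknown and foreign devices get the same answer, so responses
    #    cannot be used to enumerate valid device ids.
    device = request.get("device")
    if DEVICE_OWNER.get(device) != user:
        return 403

    # 3. Only known commands are accepted.
    action = request.get("action")
    if action not in ALLOWED_ACTIONS:
        return 400

    # 4. Apply the change and record a notification for the owner, so an
    #    immobilisation never happens without the owner being told.
    state["immobilised"][device] = action == "immobilise"
    state["notifications"].append((user, device, action))
    return 200
```

The ownership lookup in step 2 is the check the article says was absent; a valid login alone would still let one customer act on another customer's car.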