So-called smart car alarms are supposed to make vehicles more difficult to steal, but newly published research has found that alarms made by two companies actually make stealing a car easier.

The research, released Friday, comes via Pen Test partners, which studied a range of third-party smart car alarms for security vulnerabilities.

Smart car alarm models under the Viper brand, made by U.S. firm Directed Electronics Inc., and Pandora Car Alarms, made by a Russian company called Experimental Engineering Factory, were found to be easily hackable.

The vulnerabilities stem from the way systems from both companies use apps to communicate with the alarm system. Taking advantage of an unauthenticated application programming interface and an indirect direct object request, the security researchers easily reset the password on the alarms, giving them full control.

In addition to allowing a potential hacker to steal a given vehicle by unlocking doors and disabling both the alarm and vehicle immobilizer, the access also allows the owner’s details to be stolen, the vehicle to be tracked and even microphones in the vehicle to be compromised.

Worse still, the access could be used to take control of a vehicle while it was being driven, meaning a hacker could cause a vehicle to come to a halt, potentially causing an accident.

Both companies have since moved to patch the security vulnerabilities, but drivers who do not update the software behind the smart car alarms are still vulnerable.

Jason Haddix, vice president of researcher growth at the crowdsourced security platform Bugcrowd Inc., told SiliconANGLE that auto vulnerabilities bring cybersecurity into the daily lives of every consumer.

“Connected devices, such as smart alarms in cars, collect a great deal of information about the people that use them, giving attackers a view into when you leave for work, where you are and when you arrive home,” Haddix said. “And we’re still at the beginning of the adoption curve.”

Noting that Pandora claims that its alarms are impossible to hack, Haddix added that “everything is hackable, and organizations must take proactive security measures to identify and patch their vulnerabilities before they are exploited by the bad guys.”

Photo: comedynose/Flickr