I had a Viper alarm with these features installed in my car back in 2012 and immediately noticed that while their iOS app used SSL to talk to the API, it never actually validated the certificate, and was trivial to set up a man-in-the-middle proxy to grab a user's auth token and make requests as them. According to their reply their devs weren't able to replicate it, which told me all I needed to know about their ability to write secure software. It's good to hear they responded quickly in this instance, but I'm not sure I'd ever trust their devices again.
So, vulnerable web apps exploited to attack internet connected cars? you'd think they'd learn from Nissan like two years ago?<p><a href="https://jalopnik.com/how-the-nissan-leaf-can-be-hacked-via-web-browser-from-1761044716" rel="nofollow">https://jalopnik.com/how-the-nissan-leaf-can-be-hacked-via-w...</a>
This where -- literally -- the rubber hits the road and we need extreme regulatory oversight over cybersecurity in cars. I don't like fearmongering but can you imagine what would happen if a terrorist group got hold of an exploit like this??
So many ‘security’ companies making coding mistakes that there’s simply no excuse for.<p>How are these companies remaining in business? Call yourself unhackable and then don’t bother to even authenticate API requests... mind bogggles.