Hundreds of thousands of engine immobilisers hackable over the net

Kiwi hacker Lachlan Temple has found holes in a popular cheap car tracking and immobilisation gadget that can allow remote attackers to locate, eavesdrop, and in some cases cut the fuel intake to hundreds of thousands of vehicles, some while in motion. The gadgets are rebranded white box units from Chinese concern ThinkRace …

  1. Anonymous Coward

    Probably a TLA/FLA-mandated Backdoor

    so they can rid themselves of turbulent priests.

    1. Voland's right hand Silver badge

      Re: Probably a TLA/FLA-mandated Backdoor

      Hanlon's razor + Occam's razor say: Embedded Hardware Vendor doing software. Nothing more, nothing less. That pretty much defines and exemplifies incompetence to the Nth degree with regard to security and the use of the Internet. They just, plain, do not get it.

      In any case, all you need to know about the gadget is that it is advertised using professional SPAM off bulletproof hosting (at least in the UK) along with renewables, eye surgery and cold calling confidence courses.

  2. Anonymous Coward

    being in motion over the internet

    "But session cookie vulnerabilities turn that function - in the worst case scenario - into a means to shut off fuel supply to cars while in motion over the internet."

    I would have expected that driving all over the internet was illegal in the first place, so it's a good idea someone came up with the way of stopping these miscreants!

    1. Mark 85

      Re: being in motion over the internet

      Doesn't the Google car do that? All over Google Maps and stopping at Google Advertisers?

    2. maffski

      Re: being in motion over the internet

      'I would have expected that driving all over the internet was illegal in the first place, so it's a good idea someone came up with the way of stopping these miscreants!'

      No, it's fine. Otherwise it wouldn't be called the 'Information Superhighway' would it?

      1. ecofeco Silver badge

        Re: being in motion over the internet

        "No, it's fine. Otherwise it wouldn't be called the 'Information Superhighway' would it?"

        Well played sir. Well played.

  3. Jimmy2Cows Silver badge

    Wait... what?

    The same units are built into children's watches sold by ThinkRace...

    They built a fuel pump cut-out into a kid's watch...?

    1. Christoph

      Re: Wait... what?

      Marvellous idea - if the kid is running around and screaming you can send a command to shut them down and put them to sleep.

  4. Anonymous Coward

    A false wig and some comedy glasses won't stop angry mechanics tracking him down

    1. Dan Wilkie

      You sir, have just made my Friday!

  5. tony2heads

    why the mike?

    Why would an engine immobiliser need a microphone?

    Come to that, why did the watch need a microphone?

    1. Fraggle850

      Re: why the mike?

      Why the mike? Duh! It's so that the hacker can get extra lulz listening to you swear as your car inexplicably cuts out when you're doing 70 on the motorway.

      1. Danny 14

        Re: why the mike?

        Bad guys ALWAYS spill their entire plan as soon as they can, so the microphone will pick that up! Columbo will use that recording later as he already knew the criminal's identity and needed to pad for another hour.

        1. ecofeco Silver badge

          Re: why the mike?

          You say that in jest, but you might be surprised at just how many crooks DO talk about their plans. It is THE number one way most are caught.

    2. HinD

      Re: why the mike?

      I am the developer in a GPS tracking company. Most of the GPS tracking systems work using an embedded GSM module, which means you can call the tracker using your cellphone and receive an SMS with the current position and speed of your vehicle. Sometimes clients want to know if the driver has a hitchhiker in the cabin, thus the microphone capability. However, the microphone is not embedded into the device, it is a separate accessory.

      Actually GPS tracking systems are pretty weakly secured, pretty much any GPS tracking devices I have worked with had no security whatsoever enabled. It's not that it doesn't have the capability, it's just that nobody takes the time to configure the tracker correctly. Same goes for the servers. They pretty much accept anything they receive through a specified TCP or UDP port, try to extract position and then save the whole string of data as-is onto a database, which leaves them wide open for SQL injections.
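
Added example, not part of the comment above or of any vendor's code: the server-side ingest pattern that comment describes, next to a hardened version that validates the whole message and binds values as parameters. The report format `imei,lat,lon,speed`, the table layout, the function names and both sample messages are assumptions constructed for illustration.

```python
import re
import sqlite3

# Assumed wire format (hypothetical): "<15-digit imei>,<lat>,<lon>,<speed_kmh>"
REPORT_RE = re.compile(r"(\d{15}),(-?\d{1,2}\.\d{1,6}),(-?\d{1,3}\.\d{1,6}),(\d{1,3})")

# Constructed sample messages, as they might arrive on the tracker port.
GOOD = "356000000000001,-36.848500,174.763300,50"
CRAFTED = "356000000000001,-36.8,174.7,50'), ('000000000000000', 'forged"

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reports "
               "(imei TEXT, lat REAL, lon REAL, speed INTEGER, raw TEXT)")
    return db

def store_unsafe(db, raw: str) -> None:
    """Deliberately vulnerable: the received string is pasted into SQL text."""
    imei = raw.split(",")[0]
    db.execute(f"INSERT INTO reports (imei, raw) VALUES ('{imei}', '{raw}')")

def store_safe(db, datagram: bytes) -> bool:
    """Reject anything that is not exactly one well-formed report, then bind."""
    try:
        text = datagram.decode("ascii")
    except UnicodeDecodeError:
        return False
    m = REPORT_RE.fullmatch(text)      # whole message must match, no trailing data
    if m is None:
        return False
    imei, lat, lon, speed = m[1], float(m[2]), float(m[3]), int(m[4])
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        return False
    # Placeholders keep the received text as data, never as SQL syntax.
    db.execute("INSERT INTO reports VALUES (?, ?, ?, ?, ?)",
               (imei, lat, lon, speed, text))
    return True

def row_count(db) -> int:
    return db.execute("SELECT COUNT(*) FROM reports").fetchone()[0]

if __name__ == "__main__":
    bad_db, good_db = open_db(), open_db()
    store_unsafe(bad_db, CRAFTED)      # one message, two rows: a forged report
    print("unsafe rows:", row_count(bad_db))
    print("safe accepted crafted:", store_safe(good_db, CRAFTED.encode()))
    print("safe accepted good:", store_safe(good_db, GOOD.encode()))
```

The parameterized insert alone stops the injection; the format check in front of it additionally keeps malformed or oversized strings out of the database.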

  6. Anonymous Blowhard

    Did the manufacturers throw a bucket of blue paint over Mr. Temple for exposing their mistakes?

  7. ecofeco Silver badge

    My first thought

    My first thought was "Who is the bag lady or the badly dressed drag queen?"

  8. The First Dave

    My thought was "What's the tacky medallion all about?"
