I had a Viper alarm with these features installed in my car back in 2012 and immediately noticed that while their iOS app used SSL to talk to the API, it never actually validated the certificate, and was trivial to set up a man-in-the-middle proxy to grab a user's auth token and make requests as them. According to their reply their devs weren't able to replicate it, which told me all I needed to know about their ability to write secure software. It's good to hear they responded quickly in this instance, but I'm not sure I'd ever trust their devices again.
While I agree with everything above, it can be humbling to consider the huge amount of people already in control of that car (at the car company, software partner, hosting partner, phone maker) but extending that trust to the local network amounts to an inexcusable security problem.
It is interesting that having legitimate control over a certificate makes this a desired feature rather than a huge security problem. The real world may not be all that black and white.
Yeah, I agree. I probably won't own another system like this from any manufacturer as long as I can avoid it. Luckily my car came out just before all the OEMs started putting these cellular modems in them that are attached directly to the CAN bus.
I don't think it was the bug itself that bothered me so much as their response, I sent them an extremely clear email with the exact steps I took and screenshots showing how other apps responded to my fake cert with error/warning dialogs which was escalated directly to the engineering team and they seemed to have no idea what I was describing or why it was an issue. I assumed at that point the issues went a little deeper than what I had uncovered, and it seems from this post I wasn't too far off the mark.
