Want To Hack Into A Car? Got $60?

Yup, that is all it takes.

Eric Evenchick will present a $60, open source car hacking tool at Black Hat Asia (see article).  You have to provide your own USB and OBD2 cables.  With Eric’s CANCard and his library of Python-based scripts, you can hack around in your car (or maybe someone else’s) and see what kind of havoc you can wreak.

Before you panic, your car is not likely to be hacked because the car companies have one thing going for them.  Diversity.

Unlike your Windows computer or iPhone, there is a huge amount of variability between cars – between cars from different companies, between cars of the same company but different models and between cars of the same model but different years.

That means that any hack you make might only work on a 2014 Ford Taurus – and not on a 2013 Taurus or 2014 Ford Escape and certainly not on a 2010 Chrysler 300.  Or it might.  It’s a crapshoot.

That also probably explains why it takes so long to get a new car from design to production – the designers insist on reinventing the wheel with every car.  Ever notice how many auto light bulbs or wiper blades there are in an auto parts store?

Still, for $60 plus a couple of cables you too can mess with someone’s car.  That has to increase the likelihood of people messing around.  And when they mess around they will find stuff.

Depending on the car companies’ attitude when the hackers tell them about their problems, it could enhance reliability and security.

On the other hand, it may be hard for auto makers to patch your window control without having you bring the car into the dealership, which is expensive.  BMW very proudly patched a security hole in their telematics system (that is sort of a fancy term for a cell phone built into your car and all the stuff that is connected to it – like GM OnStar or Ford Sync) without having owners bring their cars in.  High end cars are more likely to have telematics – but it is still an option in most cases.

And, if car companies can call your car and patch your window control, can hackers do it also?

Or maybe the hackers will decide to publicly disclose the security hole to embarrass the car companies into action.

Or maybe, they will report what they find to the National Transportation Safety Board.

These last two options probably will keep car executives up at night.

A bit scary.



Stingray Tracking Devices – Who’s Got Them

The ACLU put together an interesting web page (see here).  By surfing the web, they have put together a map with information – as best they have at the moment – of what states are using Stingrays to track citizens and what states are not. I say citizens and not crooks because a Stingray will collect data on every cell phone in say a 1 or 2 square mile area, as long as their cell phone is on.  What we don’t know is the specifics of that.  For example, does it just collect data for one carrier at a time or any phone, any carrier?



The map is interactive – if you click on a state, it will give you links to web pages with articles about some agency’s use of Stingrays.

In addition to listing what state agencies are using Stingrays, the web page also links to federal agencies (such as the FBI, DEA and Secret Service, among others) that have solicitations for procuring Stingray devices.

I think the cat is out of the bag.  I am sure that there is some crook somewhere that does not know about the use of cell phone trackers, AKA Stingray, but certainly every big time crook is aware of it.  And I think most citizens also understand that a cell phone is a homing beacon for them and the only way to stop that is to remove the battery (yes, turning it off doesn’t work – the baseband radio may still be on.  Sorry iPhone users).

Amazon has a couple of dozen different Faraday bags to stick your phone and other electronic goodies in to contain the radio waves and shield it from EMPs (electromagnetic pulses).  I guess it is a big business.

It would be nice if departments and agencies would explain how they use them and how they manage the data that they capture for citizens who are not suspected of any wrongdoing.


Android Allows App Hijacking On Install

A couple of months ago I wrote about an iPhone bug that allows users to unintentionally install rogue iPhone Apps (see post).

Well, now Android users are getting hit with a similar attack.  Ars Technica is reporting that they have found an Android Installer hijacker (see article).

Like the iPhone bug, it only works if you install an app from somewhere other than the Google Play store.  Like the iPhone bug, the vulnerability allows the user to think they are installing App A when in fact they are installing App B.  The mechanics of how it works are different from the Apple bug, but both are related to inadequate validation of the installers at install time.

The bug was patched in Android 4.3_r0.9, but apparently some versions of 4.3 are still vulnerable.  Android 4.4 and Lollipop (5.0) are not vulnerable.

Unfortunately, like some other Android bugs, this means about 900 million phones or 49% of all Android users are vulnerable.

If you steer clear of third party app stores you will not have a problem, even if you are running a vulnerable version of the Android OS.


Another SSL Attack – But Don’t Panic

SSL and TLS, the security protocols that protect most of our banking and ecommerce transactions, are a complicated beast – more so due to the many options they offer.

Ars Technica, in an article titled “Noose around Internet’s TLS system tightens with two new decryption attacks”, discussed a paper presented at Black Hat Asia that describes a new attack, dubbed the Bar Mitzvah attack (do researchers have contests to come up with strange names?) due to the fact that it has been around for 13 years.

As Ars reports, RC4, named after crypto pioneer Ron Rivest of RSA, has been known to be weak for years.  But weak is a relative term.  One attack, from 2013, required the attacker to see 17 billion encryptions of the same text to reveal SOME of the data in the encrypted stream.

Now researchers have improved that attack.  With only 67 million encryptions, they can recover passwords 50% of the time.

With the new attack presented at Black Hat Asia, dubbed the Bar Mitzvah attack, attackers need to sample around a billion encryptions to recover a credit card number.

RC4 is used by around 30 percent of internet TLS (HTTPS) traffic.

As I said above, SSL and its newer cousin TLS have many options.  Some say too many options.  These attacks don’t seem to present a huge problem, but if the first attack went from 17 billion encryptions to 67 million in a year, what will next year bring?
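Why attacks like these need so many encryptions of the same text, as an added example that is not from the post or the papers it discusses: RC4's keystream is very slightly non-random, and a bias that small only shows up over a large number of samples. The sketch measures one long-published bias (Mantin and Shamir, 2001: the second keystream byte is 0 about twice as often as chance); the trial count and seed are arbitrary choices made here.

```python
import random


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling (KSA), then n bytes of output (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def second_byte_zero_ratio(trials: int = 30000, seed: int = 1) -> float:
    """How often keystream byte 2 equals 0, relative to a uniform source.

    Each trial uses a fresh random 128-bit key, as each new TLS session
    would. A perfect cipher gives a ratio near 1.0; RC4 gives about 2.0.
    """
    rng = random.Random(seed)  # fixed seed (constructed) for repeatable runs
    zeros = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        if rc4_keystream(key, 2)[1] == 0:
            zeros += 1
    expected_if_uniform = trials / 256
    return zeros / expected_if_uniform


if __name__ == "__main__":
    ratio = second_byte_zero_ratio()
    print(f"second keystream byte is 0 about {ratio:.2f}x as often as chance")
```

Because the keystream is XORed with the plaintext, a keystream byte that is 0 more often than it should be means the matching ciphertext byte equals the plaintext byte more often than it should, which is the kind of leak that accumulates when the same text is encrypted again and again.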

The simple solution – like we did for the FREAK attack earlier this year – is to disable known weak ciphers.  But this must be done on the server side for web sites to know they are secure and there is no way for the customer of a bank, for example, to easily know that the banks have disabled these older weaker protocols.  With the FREAK attack, one method of delivery would be for a user of a public WiFi router to be forced to use the weak protocols as a result of a man in the middle attack at that public WiFi access point.

This is why I recommend to NEVER do your banking over a hotel or coffee shop WiFi.  There is a new attack today against a very popular hotel WiFi system (see news here) for which there is a patch.  However, the researchers who revealed the attack did not say, for security reasons, which hotels of which chains run that system and users have no way of knowing if the hotel has applied the patch.

All this means that IT shops need to spend more time and effort caring for and feeding the security components of their server farms.



EU-US Privacy Safe Harbor May Be In Jeopardy

Max Schrems, whom I have written about before (see post) is continuing his fight against Facebook.  He first took his battle to the Irish Data Protection Commissioner (DPC) since Facebook Europe is based in Ireland, but the DPC declined to take the case, because, it said, it had no legal requirement to do so (meaning this is a hot potato and I don’t want to be associated with it).

Schrems next took the case to the European Court Of Justice in Luxembourg where a decision is expected on June 24th.

The basic argument is that since the NSA, according to Snowden documents, can look at EU residents’ data, the Safe Harbor agreement written 15 years ago is a sham and does not protect EU citizens’ data that is stored in the U.S.  In general, U.S. companies don’t argue that they have not been able to stop the NSA from looking at their stuff and it appears some companies may even have cooperated with the NSA, but the U.S. companies’ business model sort of requires that they consolidate the data somewhere and moving U.S. data to Europe doesn’t work for them either.

IF, and it is a big if, the ECJ rules that the safe harbor agreement between the EU and US violates EU law, that will mean that companies like Facebook, Microsoft and Google (and probably hundreds or thousands of other companies) who routinely take EU data and move it to the US will no longer have a safe harbor to move the data to the U.S. and would be subject to EU privacy lawsuits.  Since EU law is much stricter than U.S. law, U.S. companies do not want this to happen.  I assume they are planning for the worst case.

The EU and US have been negotiating a new agreement for years, but it doesn’t seem like it is making much progress.  IF the court rules the safe harbor provision violates EU law, everyone will get real motivated to come up with a new agreement very quickly, I suspect.

Next chapter comes out on June 24.



Radio Shack Puts Its Customer Database Up For Sale

Remember when you bought that phone or USB cable at Radio Shack and they asked for your name and email address?  CBS is reporting that Radio Shack listed that as an asset in their bankruptcy and has put it up for sale.

That means your name, address, phone number and purchase information is up for sale to the highest bidder.   That is, assuming the bankruptcy judge agrees.  They have agreed in the past with some stipulations.

That would be info on 117 million customers.

One rub – Radio Shack’s privacy policy says that they won’t sell or rent your personally identifiable information to anyone at any time.

AT&T is not happy because the current highest bidder is the company planning to buy half the stores and co-brand them with Sprint.  AT&T doesn’t want Sprint to have their customer list.

The AGs in Texas and New York aren’t happy either.

Unfortunately, federal bankruptcy law likely will trump these objections. If the judge says yes, there may be lawsuits.

One thing you can do is, when you go into a store and they ask for your information, say no.  With few exceptions (buying a cell phone, unfortunately, is one of them since they are extending you credit) you do not have to cough up your info.  It is fun to watch the clerk’s reaction when you say NO in response to the request for information.  It is clear that some stores do not train their staff for that answer.  Other stores just move along.  I have seen many clerks enter some information after I said no – garbage in, garbage out.

What Radio Shack is doing – selling customer data – is not that unusual.  It is just that they usually try to do it away from the street lights in a dark alley.  Radio Shack is doing it under the spotlight of the bankruptcy court.

