Hacking Your Car – It Is Not So Hard

Probably many of you saw the 60 Minutes segment on hacking your car (see video here).  In the 60 Minutes segment, the researcher/hacker was able to turn on the wipers and washers, blow the horn and disable the brakes in that demonstration.  Here is a link to a conversation with the guys who did the 60 Minutes hack (See link.  This is a podcast and the part that you may be interested in starts right at 1:00:00 into the video and lasts about 45 minutes)

The NY Times reported about a team of researchers from the University of Washington and the University of California at San Diego who took over the basic functions of a car, including control of the engine, remotely.  They delivered their report to the National Academy of Sciences last week.

These particular attacks compromised the telematics systems of these cars – basically a glorified old cell phone system – and took over the cars.

BMW just patched a particular bug a few weeks ago (see post).  They were very proud that they patched this vulnerability in only 9 months and sent the patch over this cell phone connection so you didn’t have to take the car to the dealer to fix it.  Is it likely that a hacker could do the same thing – you decide?

Today cars have as many as 50 computers in them, most all of which are connected to a “Car Area Network”.  Effectively, very similar to the LAN in your office, this CAN Bus (technically CAN stands for controller area network) was designed by Bosch in 1983 and published as a standard in 1986 (see reference).  The current version, 2.0, was released in 1991.  That would make the standard almost 25 years old.  Think about the cell phone you had 25 years ago.  Would you want to use that today?

The CAN Bus has no security at all and is very slow (think of accessing the Internet today over a dialup modem from 25 years ago).  That is what your car is doing.

In June 2013, Michael Hastings, a reporter in L.A. who wrote some pretty controversial articles was killed in a single car accident.  The car exploded in flames and crashed into a tree (it is unclear which order that occurred in) and the accident happened with such force that it threw the engine 50 yards from the car (see article).

Could someone who was unhappy with Michael’s reporting have hacked the car?  In the old days you would just attach a bomb to the car.  That leaves evidence.  Assuming that really happened in this case, there would be no evidence.  Those 50 computers in his Mercedes don’t generate log files like your PC can (but probably does not).  Way too much overhead.

Richard Clarke, who worked in the State Department under President Reagan, headed up counterterrorism efforts under Presidents Bush 1, Bush 2 and Clinton and was a special advisor to President George W. Bush on cyberterrorism, said (see quote):

I’m not a conspiracy guy. In fact, I’ve spent most of my life knocking down conspiracy theories,” said Clarke, who ran afoul of the second Bush administration when he criticized the decision to invade Iraq after 9/11. “But my rule has always been you don’t knock down a conspiracy theory until you can prove it [wrong]. And in the case of Michael Hastings, what evidence is available publicly is consistent with a car cyber attack. And the problem with that is you can’t prove it.”  

Just to be clear, Clarke is NOT saying that Hastings’ car was hacked, just that it was possible.  Given what we saw on 60 Minutes, that would be hard to argue with.

Also, if that occurred, it would be very unlikely that there was any evidence left behind to prove or disprove the fact.  The circuit boards likely burned up in the ensuing fire.

Could a nation state execute an attack like this – absolutely.  No question.  Richard Clarke said that it was very unlikely that the L.A. police department had the expertise to figure out if the car was hacked – assuming they had any inclination to do so.

I wrote about Senator Markey’s questioning of auto manufacturers on the subject of security (see post) a few weeks ago and only one manufacturer out of 20 responded with anything that remotely dealt with the issue.

What needs to happen is a redesign of the CAN Bus – Bosch has done some work in that area (like CAN FD 1.0) and it can coexist with the old protocols, but adding security would break everything that is already deployed.

That redesign probably won’t happen until a catastrophe occurs.

If you car does not have telematics (like GM’s On Star, Toyota’s Safety Connect, Ford’s Sync, Mercedes MBrace or other systems), then the hacker would have to have physical access to your car.  That could be as simple as getting you to play an infected DVD – not very complicated – but the hack shown on 60 Minutes would not have worked.

Finally, there is a privacy concern.  For example, these hackers could turn on the in car microphone and eavesdrop on you – the NSA might be very interested in doing that to terrorists.

I don’t know if the 60 Minutes piece is enough to get the car makers in gear (to avoid the threat of Congress “helping” them), but let’s hope so.

 

Mitch

Facebooktwitterredditlinkedinmailby feather

Another Small Office/Home Office Router FATAL Vulnerability

Security researchers at the International Conference On Cyber Security And Cyber Law reported that they have found a fatal security hole in a wide variety of SOHO Internet Routers.

As is often the case, the researchers discovered this problem accidentally while examining the code of a router for a completely different problem (see the researcher’s blog here).

What the researcher found is that, in the firmware of the router, an administrator level userid and password was hard coded and that userid/password combination was  super/super.

Hard coded.  Doesn’t show up on the list of userids in the user interface.  This means that you cannot delete it.

Worse yet, by default, administration from the Internet (or hacker) side of the router is turned ON.  You can, if you are familiar with the router, disable this feature, at least.

The link above has a list of routers manufacturers and models that have found to be affected, but it does not mean that there are not others.

The researchers did a scan of the public Internet and found about 200,000 affected (or infected) routers.  They think that likely 500,000 routers are affected, but in reality, who knows.

This really is the same issue that I spoke about the other day – software supply chain issues (see post).  Just like with Superfish who needed some SSL software, all these router manufacturers likely needed some firmware, so they went out into the marketplace and found this code that would work and put it in their routers.  Likely no testing to speak of and probably no vulnerability assessment.  Since they are not liable for any problems (read the software license agreement), their liability is pretty low.  Legally, they don’t even have to issue a patch.

While it is technically possible that a few of the affected manufacturers may release a firmware update that removes this problem, you really don’t know if or when they will.

Whether hackers, the NSA, the Chinese government or anyone else was already aware of the problem is, of course, unknown.

Having this userid and password allows them to control your router and from there, every device on your network and every bit that transits your Internet connection in either direction.

These are really inexpensive routers, so my suggestion is that, if you have one, to disconnect it from the Internet, take it out to your driveway and run it over with your car.   Then buy a new, brand name router.  Of course, being a brand name router does not mean it won’t have vulnerabilities (after all, Lenovo brought us Superfish), but it does mean they are more likely to patch it if it becomes public and hurts their brand name (again, like Lenovo).

There are also open source solutions that are likely more secure, but those are probably for the more geeky among us.

Another day, another vulnerability.

Sigh!

Thanks to Steve Gibson at Gibson Research for bringing this up (see link).

Mitch

 

Facebooktwitterredditlinkedinmailby feather

Simple Advice For Improving Your CyberSecurity Hygiene

While tips and tricks won’t make your organization bulletproof, it will help make you bullet resistant.  Here is a list from Boston Business News that is simple and right on.

1. IT Risk Assessment.  You MUST start with a risk assessment and if you are up for it, I would recommend a business risk assessment.  IT risk is just part of business risk and if you have not conducted an overall business risk assessment in the last 12 months, I recommend one.

2. Network vulnerability testing – simple and relatively inexpensive these days.  You should do one from the outside of your network and also one on the inside.  Networks are like M&Ms – crunchy on the outside and gooey on the inside.  You don’t want to make the hacker’s life easy if they get in by making your network’s insides any more gooey than you have to.

3. Vendor management – if you have vendor’s that access your network – or even that you just trade documents and emails – that may be your biggest exposure.  It was for Target and Home Depot and those did not turn out well.  You should have cybersecurity standards for your vendors and then make sure that they actually comply.

4. Security awareness training – it is NOT a silver bullet, but most breaches do not start with the bad guys breaking down your front door and holding a gun to your system administrator’s head.  99% of the time, users do something that gives the bad guy a foot hold.  If you can reduce that to 50% of the time, you are way ahead of the game. And this is NOT a one time effort.  Sorry.  EVERY SINGLE MONTH.  OR DAY.

5. Incident response plan – you REALLY need to have a plan for what you are going to do when you have a breach.  Notice I did not say if.  Scrambling around after the breach will make you look like Sony and that was not pretty.

If your eyes are rolling back towards the back of your head right now, you need assistance executing these five tasks.  Contact me.

Mitch

Facebooktwitterredditlinkedinmailby feather

Medical ID Fraud A Challenging Problem

The Medical Identity Fraud Alliance (MIFA) and the Ponemon Institute released their fifth annual study on Medical ID fraud.

Short version of the results:  It is very costly, time consuming and complicated for consumers to resolve medical ID fraud and only 10 percent of the respondents to the study report achieving a completely satisfactory conclusion to the incident.

A copy of the report is available from Ponemon at this address.

Some of the report’s key findings are:

  1. 65% of the medical ID theft victims had to pay an average of $13,500 to resolve the crime.
  2. Only 10% of respondents reported achieving a completely satisfactory conclusion to the incident.
  3. Those who resolved the crime spent an average of 200 hours to resolve the issue
  4. Many respondents felt that medical ID fraud had a negative impact on their reputation due to having to discuss very personal subjects with a variety of people.

The report, about 40 pages long, has some interesting specifics as well –

  • 68% of the respondents are not confident that their health care providers security measures will protect their medical records.
  • About half of the respondents think that electronic health records (mandated by the ACA) increases their risk of being a medical ID victim.
  • In case of the theft of a respondent’s medical records, 80% want to be reimbursed for costs, 40% want the organization to notify them promptly and 28% want the organization to provide medical ID theft protection.

NOTE: organizations are not legally required to reimburse you (you can try to sue them) and there is  no such thing as medical ID theft protection.  This is all very different than credit card fraud and likely part of the reason that stolen medical records are extremely profitable to crooks.

  • While the rate of medical ID theft is relatively low (about 1% of the respondents), it has doubled in the last 5 years.
  • Approximately 60% of the respondents said their medical ID was stolen to get treatments, prescriptions or obtain government benefits.
  • 53% of the respondents said that a provider’s negligence caused or contributed to the theft while 30% were unsure.  Only 17% did not think the provider was part of the problem.
  • 47% of the respondents said that either a family member used their ID without permission or they shared personal information with someone they know (50/50 split), so a large part of the crime – but only half – is committed by someone the victim knows.
  • 69% of the respondents are either not familiar with or never heard of HIPAA and the privacy standards – even though everyone has to sign a HIPAA statement prior to getting healthcare.
  • Lastly, when asked why they don’t check their health records for accuracy, the respondents answered this way: 53% did not know how to, 39% trust their provider to do it, 35% said their records are not easily available, 33% said it never occurred to them and 25% said they didn’t care.

The last bullet is the most telling one, which puts medical ID fraud where credit card fraud was about 40 years ago.

Hopefully, we can make up the gap in less than another 40 years.

Mitch

Facebooktwitterredditlinkedinmailby feather

Own A PC By Giving Them A Blu-Ray Movie

The Register is reporting that there are a couple of ways a hacker can take over a PC just by having you insert a Blu-Ray disc.

The first method exploits a poor software design in PowerDVD, the free DVD player software that is loaded on many PCs.  It allows the hacker to exploit a bug in Java to run an arbitrary executable.

This “feature” will allow a hacker to place an executable on a Blu-Ray disc and have it run on start-up, even if Windows is set to block that.

The other takes advantage of Blu-Ray debug code to do some fancy footwork and it will let a hacker again run an arbitrary executable.

You can stop the first exploit by uninstalling PowerDVD (which I don’t really like much as a DVD player anyway), but I don’t have a way to stop the second exploit.

We have seen that a hacker can own your car with a DVD, so why not your computer?

Maybe you should watch your movies on a DVD player instead.  Sorry! 🙂

Mitch

Facebooktwitterredditlinkedinmailby feather

Fingerprint Instead Of Password – You May Want To Reconsider

I came across an item today that stunned me.  The Wall Street Journal and Findlaw reported on a case from late last year where a Virginia State judge ruled that an arrestee may have to offer up his fingerprint to unlock his phone – the Fifth Amendment does not apply.

Now before everyone goes crazy on me, this is a Virginia state judge and this has not been appealed as far as I know, so it has no implications outside the Commonwealth of Virginia.

As Marcia Hoffman, the well known privacy attorney, formerly with the EFF and now in private practice in San Francisco said in wired, the Fifth Amendment protects testimony.  Fortunately or unfortunately, the founding fathers did not understand about the Internet or DNA or a lot of modern things.  Marcia explained that evidence is only testimonial when it reveals the contents of your mind.  Courts have said for a long time that defendants have to give DNA samples, voice samples, fingerprints, etc. even though any of those might be used to convict someone.

The Supremes, those wonderful old folks in black robes, decided in the 1980s that there is a difference between being forced to give up the key to a safe vs. revealing the combination to a safe.  Strange, but true.  I do believe that the courts have also ruled that if you won’t give up the combination to the safe, they can call a locksmith.  If the safe is locksmith proof, you are golden, otherwise, not so much so.

That doesn’t mean that the cops don’t need a search warrant, but in this case, I am sure that the judge in Virginia would be more than willing to sign one.

Other judges, like one in Colorado, have said that passwords are not protected by the Fifth Amendment either.  In that case, the order was not appealed because the defendant’s ex-husband provided the cops with a list of possible passwords, one of which apparently workd.

So this is a dicey business – encrypt or decrypt at your own peril.

It is only a matter of time before one of these cases gets appealed and we will have a somewhat more consistent interpretation of the Constitution.  For the moment, you just have to toss a coin for your answer.

Of course, with the Apple fingerprint sensor, they should be able to take the fingerprints that they collected when they booked the guy and use them to unlock the phone. 🙂

Mitch

Facebooktwitterredditlinkedinmailby feather
Visit Us On FacebookCheck Our Feed