Tag Archives: Security

The Unpatchable Bug In All Modern Cars

We have seen a number of hacks of cars including the hack of a Jeep driving down the highway at 60 miles an hour – from miles away – on 60 Minutes, but now researchers have come up with a new attack – one that cannot be patched.

The CAN bus or Controller Area Network bus, is the main communications highway in all cars built, at least, in the last 25 years.  The standard, designed in 1983 and in use since 1989 has not really changed very much since then.

In 1983 no one really worried about hackers so the bus has no security, no authentication and no encryption.

Today, almost every single car and light truck is controlled by the CAN buses in it.

Researchers from Trend Micro, Politecnico di Milano and Linklayer Labs discovered that you can overwhelm the bus with error messages.

Right now, today, the attack requires local access to your car.  That was the case with the Jeep attack – until attackers figured out how to do it remotely.

The attack injects error messages onto the bus which can, eventually, cause devices like the anti-lock brake controller or the airbag system to go offline and deactivate.  Since almost all car functions from the brakes to the engine control are computerized and attached to one of the CAN buses, if you can cause those devices to go offline, you will disable those functions.

Worse yet, without redesigning the CAN bus protocol, there is very limited remediation that car manufacturers can make.  On top of that, it is UNLIKELY that any cars currently on the road will ever be fixed because this is not a bug – it is, basically,  a feature.

SO, next time you get into your car… Well, I am not what you can do.

Information for this post came from The Hacker News.

Facebooktwitterredditlinkedinmailby feather

How are public restrooms and public computers alike?

There is an article in Slate that suggests that we should treat public computers like we treat public restrooms – very cautiously.

I had never made that analogy before, but I do like it.

Both public restrooms and public computers may harbor germs and viruses.  Both may have been frequented in the recent past by people of dubious character and you don’t know what you might catch if you visit either one of them.

The article talks about hackers installing key logging software on hotel business center computers, thereby grabbing every keystroke you type – including userids and passwords, of course.  The article is based on a US Secret Service advisory from early July 2014, so I am guessing that the Secret Service found some infected computers.  Obviously, this type of attack is not limited to Hotels – schools, libraries and any other place where shared computers are available are susceptible to this kind of attack.

I know that on those rare occasions that I use public computers, I sort of touch them gingerly and would never use them for anything important – like online banking or paying bills for example.

The article says, and I would agree with it, that it is not hard to install such software on most business center computers, although it is also fairly easy to make it more difficult to do.  (It is impossible to make something bullet PROOF.  On the other hand, bullet RESISTANT is definitely possible).  In the old days, you just stuck a wedge on the parallel port and came back later to retrieve it.  Now all you do is log on to your internet connection and harvest the data.

Unfortunately, there is not the equivalent of the sheet of tissue paper to put down before you use the public computer, so beware.

M

Facebooktwitterredditlinkedinmailby feather

iOS devices safe – well sort of

It was reported yesterday that there are undocumented services in iOS that allow  someone to bypass all of Apple’s security and encryption features.  The researcher did not say that  either Apple or the NSA were using these features, but….

The researcher, Jonathan Zdziarski, reported his findings at the HOPE/X conference in New York.  According to Zdziarski, the data collected is of a personal nature and the hooks to do this are not documented in any Apple documentation.

Apparently, once a device has been booted in iOS 7, the data can be accessed, even if the device is locked.

The researcher claims that several forensic software firms, such as Cellbrite and Elcomsoft either have discovered these features or were informed about them and may be using them to suck data  out of your device.

Now here is the really interesting question —

Is Apple the only vendor that has this form of back door – whether it be accidental or on purpose?

I, for one, are not going to say that Apple is in bed with the Feds, but it will be interesting to hear what their response to this is.  No response, in my opinion, is tantamount to admitting they did this on purpose.  If they say “trust us”, DO NOT.

M

Facebooktwitterredditlinkedinmailby feather