Flaws in Samsung’s ‘Smart’ Home Let Hackers Unlock Doors and Set Off Fire Alarms

Credit: Andy Greenberg, Wired

Physical Backdoor | Remote Root Vulnerability in HID Door Controllers

If you’ve ever been inside an airport, university campus, hospital, government complex, or office building, you’ve probably seen one of HID’s brand of card readers standing guard over a restricted area. HID is one of the world’s largest manufacturers of access control systems and has become a ubiquitous part of many large companies’ physical security posture. Each one of those card readers is attached to a door controller behind the scenes, which is a device that controls all the functions of the door including locking and unlocking, schedules, alarms, etc.

In recent years, these door controllers have been given network interfaces so that they can be managed remotely. It is very handy for pushing out card database updates and schedules, but as with everything else on the network, there is a risk of remotely exploitable vulnerabilities. And in the case of physical security systems, that risk is more tangible than usual.

HID’s two flagship lines of door controllers are the VertX and Edge platforms. So that these controllers can be easily integrated into existing access control setups, they run a discoveryd service that responds to a particular UDP packet. A remote management system can broadcast a “discover” probe to port 4070, and all the door controllers on the network will respond with information such as their MAC address, device type, firmware version, and even a common name (like “North Exterior Door”). That is the only purpose of this service as far as I can tell. However, it is not the only function of this service. For some reason, discoveryd also contains functionality for changing the blinking pattern of the status LED on the controller. This is accomplished by sending a “command_blink_on” packet to the discoveryd service with the number of times the LED should blink. Discoveryd then builds a path to /mnt/apps/bin/blink and calls system() to run the blink program with that number as an argument.

And you can probably guess what comes next.

A command injection vulnerability exists in this function due to a lack of any sanitization on the user-supplied input that is fed to the system() call. Instead of a number of times to blink the LED, if we send a Linux command wrapped in backticks, like `id`, it will get executed by the Linux shell on the device. To make matters worse, the discovery service runs as root, so whatever command we send it will also be run as root, effectively giving us complete control over the device. Since the device in this case is a door controller, having complete control includes all of the alarm and locking functionality. This means that with a few simple UDP packets and no authentication whatsoever, you can permanently unlock any door connected to the controller. And you can do this in a way that makes it impossible for a remote management system to relock it. On top of that, because the discoveryd service responds to broadcast UDP packets, you can do this to every single door on the network at the same time!
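To make the pattern concrete, here is an added illustration (not HID’s code and not from the original post) of the handler described above: the command line built by string concatenation and handed to system(), beside a hardened version that validates the count and runs the blink program without a shell. The function names and the payload layout (“command_blink_on <count>”) are assumptions; only the path and the port are from the write-up.

```c
/* Illustrative reconstruction of the discoveryd "command_blink_on" handler.
 * NOT HID's code: function names and the payload layout are assumptions. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define BLINK_PATH "/mnt/apps/bin/blink"   /* path named in the write-up */
#define MAX_BLINKS 1000UL                  /* assumed sane upper bound */

/* VULNERABLE PATTERN (shown for contrast, never pass this to system()):
 * the attacker-controlled count is spliced into a shell command line, so
 * backticks, ';' or "$(...)" inside it are interpreted by /bin/sh as root. */
const char *build_unsafe_cmdline(const char *count)
{
    static char cmd[256];
    snprintf(cmd, sizeof cmd, "%s %s", BLINK_PATH, count);
    return cmd;
}

/* HARDENED PARSE: accept only a short run of decimal digits in range.
 * Returns the count, or -1 when the argument is anything else.  A network
 * monitor watching UDP/4070 can apply the same check to flag a blink "count"
 * that is not actually a number. */
long parse_blink_count(const char *arg)
{
    if (arg == NULL || *arg == '\0' || strlen(arg) > 4)
        return -1;
    for (const char *p = arg; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p))          /* rejects "`id`", "5;id", spaces */
            return -1;
    errno = 0;
    unsigned long v = strtoul(arg, NULL, 10);
    if (errno != 0 || v == 0 || v > MAX_BLINKS)
        return -1;
    return (long)v;
}

/* Extract the argument from an assumed "command_blink_on <count>" payload.
 * Returns -1 for anything that is not a well-formed request. */
long blink_count_from_payload(const char *payload)
{
    static const char prefix[] = "command_blink_on ";
    if (strncmp(payload, prefix, sizeof prefix - 1) != 0)
        return -1;
    return parse_blink_count(payload + sizeof prefix - 1);
}

/* HARDENED EXECUTION: no shell is involved.  The validated count is passed
 * as its own argv element via execv(), so shell metacharacters cannot matter
 * even if the parse above were somehow bypassed.  Returns the child's exit
 * status, or -1 on a rejected argument or spawn failure. */
int blink_safe(const char *arg)
{
    long n = parse_blink_count(arg);
    if (n < 0)
        return -1;
    char nbuf[16];
    snprintf(nbuf, sizeof nbuf, "%ld", n);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { BLINK_PATH, nbuf, NULL };
        execv(BLINK_PATH, argv);
        _exit(127);                               /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample payloads, not captured traffic. */
    const char *samples[] = { "command_blink_on 5", "command_blink_on `id`",
                              "command_blink_on 5;id", "discover" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long n = blink_count_from_payload(samples[i]);
        printf("%-24s -> %s\n", samples[i],
               n < 0 ? "REJECTED (not a plain blink count)" : "accepted");
    }
    return 0;
}
```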

Needless to say, this is a potentially devastating bug. The Zero Day Initiative team worked with HID to see that it got fixed, and a patch is reportedly available now through HID’s partner portal, but I have not been able to verify that fix personally. It also remains to be seen just how quickly that patch will trickle down into customer deployments. TippingPoint customers have been protected ahead of a patch for this vulnerability since September 22, 2015 with Digital Vaccine filter 20820.

Credit: Ricky Lawshae

Industrial Control Systems (ICS/SCADA) and Cyber Security

It’s a cyber war out there! Is your company ready for battle?

Industry is slowly waking up to the fact that its facilities are in the crosshairs, the targets of cyber attacks by bad actors trying to exploit vulnerabilities in industrial control systems (ICSs) to steal intellectual property or damage critical equipment.

Whether caused by sophisticated hacking teams assembled by nation states, cyber criminal organizations, potential competitors, disgruntled or careless employees, or just bored teenagers in their bedrooms, cyber intrusions into industrial facilities now number in the hundreds of thousands every year. Even unintentional cyber incidents can cause damage.

The result can be more dangerous than stolen credit card numbers or government personnel information, because it can cause real physical damage like a destroyed or damaged power plant, water system, chemical plant, or oil and gas facility. Attacks like these could bring a region or even an entire nation to its knees. But even smaller-scale events, such as hackers taking over control of cars on a busy interstate, or manipulating the recipe controls at a food processing plant, could wreak havoc.

In exploring this issue, one fact stands out: industrial control systems were never designed to be secure. Many have also been in place for 20 or 30 years, long before cybersecurity became an issue. It’s no wonder that retrofitting this massive installed base to overcome 21st century cyber vulnerabilities can seem like an insurmountable task.

Digital threats, physical dangers

“Everyone’s concerned about viruses and worms, but Stuxnet never killed anyone,” says Joe Weiss of Applied Control Solutions, who has amassed a database of more than 750 actual control system cyber incidents. “Compromised industrial control systems, on the other hand, have caused significant electrical outages, environmental and equipment damage, and even killed people.”

Weiss is managing director of the ISA99 committee, which helped develop the ISA/IEC 62443 series of standards on industrial automation and control systems security. “IT people are focused on vulnerabilities from information loss, but it’s the impact of ICS failures on equipment, people and the environment that matters to industrial control professionals,” he says. “Not every ICS cyber vulnerability is critical. We need to focus on what can affect control system operation so that end users can prioritize threats to system reliability and safety.”

Weiss sees his role as waking industry up to the real dangers it faces from compromised control systems. “Industry is a backwater when it comes to cybersecurity,” he says. “We don’t have the systems, the training or the technologies to address it because too many people still don’t believe it’s real.”

He takes a broader view of cybersecurity than many people, citing the emissions fraud at Volkswagen, where software was intentionally manipulated to falsify test results. “Industrial control lies more and more within the digital world,” he says. “Anything that changes the intent of the control system function, whether or not it’s with malicious intent, is a cyber issue.”

The enemy is often us

Companies may think they’re safe if their manufacturing systems are not connected to the Internet, but it turns out the biggest threat comes from their own employees.

“There’s no such thing as an air gap,” says Ben Orchard, applications engineer at Opto 22, referring to control systems that aren’t connected to the Internet. “Malicious software (malware) is chiefly introduced into control systems by employees, vendors or contractors who plug devices like an infected smartphone into a computer’s USB port to charge it or bring in a corrupted thumb drive.”

Since people are the biggest weakness in any security system, Orchard recommends disabling or even filling in non-essential USB ports with epoxy. Other basics include only executing software that’s been cryptographically signed by a trusted source, locking down the operating system so that no email or web browsing is allowed, and constant monitoring of control network traffic.

If you’re looking for proven practices to improve the cybersecurity of your facilities or production systems, Orchard recommends the ones developed by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) at the Department of Homeland Security. The guidelines address best practices like defense-in-depth, security zoning and encryption.

“They’ve done an astoundingly good job of assembling logical, practical, real-world advice,” he emphasizes. In particular, Orchard recommends downloading the first document in the series, “Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies” (see “More Sources for Security Guidance”).

Help is a call away

Automation suppliers are actively engaged in the cyber battle. Vendors are continually adding new levels of security to their products and providing a range of customer education and support services.

Honeywell Process Solutions has fielded a team of more than 85 experts who can provide vendor-agnostic risk analysis, perform forensics, and help customers establish security policies, says Mike Baldi, cybersecurity architect for the company. Honeywell has also created a lab in Georgia to demonstrate and validate security solutions for customers, as well as train its own engineers.

Honeywell’s industrial cybersecurity risk manager software provides real-time, continuous monitoring of threats, vulnerabilities and risks specific to a control system, with immediate notification of weaknesses in security.

“We’ll always be chasing evildoers,” Baldi says, “so advanced analytics are crucial, not just to analyze the latest attack but to identify patterns in these attacks that can guide us to the best solutions. It’s essential that companies analyze threat risk, test solutions at installation and maintain security over the life of a system.”

Turning control security on its head

Bedrock Automation is a company that’s making waves in the world of industrial control with a revolutionary platform that integrates an inside-out, bottom-up approach to cybersecurity.

“The cybersecurity issue was the catalyst for the creation of our new control platform. It’s software-defined automation,” says Albert Rooyakkers, CTO and engineering vice president for Bedrock.

Cybersecurity concerns were the catalyst for Bedrock Automation’s new control platform.

The company says the Bedrock system—created by a team of engineering experts from the automation and semiconductor industries—can function as a PLC, DCS, RTU or safety system. Bedrock is using independent system integrators and high-tech distributors as its channels to the market.

“This platform unification was the big breakthrough, something the major automation suppliers have never been able to achieve,” Rooyakkers says. “The incremental security improvements they’ve been doing for years are not likely to work because there are too many gaps to patch. It’s like taking a stick to a gunfight.”

According to research firm Frost & Sullivan, which cited the company’s work with its 2015 Best Practices Award for Industrial Control System Innovation, “Bedrock Automation has designed a control system with layered and embedded cybersecurity features, starting at the transistor level using secure microcontroller technology that includes secure memory, hardware accelerators and true random number generators.”

Rooyakkers adds, “ICS security in the cyber age will require a complete rethinking of control system design. Standards and best practices are being developed, but it will take a generation at the current pace of progress to achieve the level of security industry needs today.”

Hardening hardware and software

Given that most companies can’t afford a wholesale replacement of their existing control systems, many automation vendors are focused on making incremental improvements to harden their software and hardware.

Among the latest cybersecurity introductions by Emerson Process Management for its DeltaV control platform is a suite of cybersecurity software products from Intel Security’s McAfee Labs, including traditional antivirus, centralized whitelisting of applications allowed to run, security information and event management (SIEM) to perform analytics on events on everything from firewalls to operator stations, and network monitoring to identify unusual network communications.

“We’ve been hardening the control system with every DeltaV release,” says Neil Peterson, DeltaV product marketing director. “With the addition of SIEM, for example, you now have a tool that can manage the cybersecurity health of the control system as a whole, alerting you to unusual circumstances that need to be checked out. These include unauthorized communication attempts on your firewall and failed log-on attempts.”

There’s no silver bullet for cybersecurity, says Rick Gorskie, manager of Emerson’s asset strategy and management program. “Security requires a multilayered approach that combines technology, practices and people,” he says. “That furnace meltdown at a German steel mill purportedly started when someone clicked on a phishing email infected with malware, which allowed hackers to make their way down the network to attack the blast furnace.”

Gorskie says incidents like that are why he’s received more customer questions about security in the past year than in the previous 20 years. “We’re getting more board-level interest than ever before, and they’re starting to fund some serious projects because they want to avoid shutdowns,” Peterson adds. “Security is very hard and it requires shared responsibility. We develop systems with locks, but it requires ongoing vigilance to keep them secure. You can’t set it and forget it.”

More than networks

“Security is more than a network issue,” says Clark Case, security platform leader for Rockwell Automation. “Content (intellectual property) protection, tamper detection, user authentication and access control are just as important.”

While user concerns vary by industry and customer, Case says, “machine builders who ship their equipment offshore are particularly concerned about IP protection, so we’re releasing software licensing technology so they can control access to their source code.”

Rockwell has introduced a number of products and services to help customers design, deploy and maintain more secure control systems, according to Case. The company’s FactoryTalk AssetCentre software, for example, lets users see who is making changes to the control system and what changes have been made, including which machine the changes were made on and who was logged on at the time.

“We’re also making our controllers more secure in the design and manufacturing process so that they’re resilient to standard attacks,” Case adds. In addition to fielding a security incident response team for its products, Rockwell works closely with security groups like ICS-CERT.

“Companies need to step back and take a broader look at system risks—what bad things can be done, and how best to address them,” Case says. “Companies doing the best at mitigating cybersecurity risks have people on staff who are responsible for control system security. Fortunately, there are a growing number of operations technology people with the required skillsets.”

Different worlds

Cybersecurity is that much more important in manufacturing. “When there’s a breach in the IT world, you can take the system down and fix it,” explains Jeff Caldwell, chief architect for cybersecurity at Belden. “But in the industrial world, you have to continue to operate when there’s a problem. You can’t have power plants shutting down or planes falling from the sky. Industry’s primary concerns are resilience, uptime and safety. Cybersecurity is just a segment of that.”

Belden promotes a safe networking architecture that includes every device connected to those networks. “Consequently, we’ve developed cybersecurity solutions for all seven layers of the ISO stack,” Caldwell says.

Key elements of this architecture include security zoning; system change management; intrusion radiation protection to identify, halt and report invalid and anomalous traffic; security sentinels at every network juncture; layer 2 deep packet inspection in front of PLCs and RTUs as well as between security zones; authentication for user and administrator access; encryption of VPN traffic information; and secure wireless.

Belden recently acquired Tripwire, a company that specializes in system change management, as part of a cybersecurity product portfolio that includes Tofino layer 2 firewalls with industrial protocol deep packet inspection.

Being knowledgeable about industrial protocols is essential to any control system security solution, Caldwell says. “IT uses gigantic signature files to identify patterns that indicate security problems, but that doesn’t work in the industrial world where communications often flow over serial cables that can’t carry large files,” he says. “Let’s face it: The IT world has failed at control system security. You just can’t jam IT solutions onto control systems and make them work. Only 20 percent of industrial cyber incidents are intentional, and disgruntled employees cause half of those. Just 10 percent come from hackers. That’s why it’s critical to protect against everything.”

This is not a test

“Most manufacturers have some degree of security preparedness in place, but it’s unknown whether these steps are enough to repel a full-scale targeted assault on a facility,” cautions Richard Clark, technical marketing specialist for SCADA cybersecurity at Schneider Electric Software, which includes InduSoft and Wonderware. “It seems more likely, as has been demonstrated in several modeling and public test sessions by ICS-CERT at Idaho National Lab, that such an attack would be successful because most engineers and IT personnel would not know how to react properly to such an event.”

Manufacturers need to ask themselves what damage could be caused at their facility if a targeted attack succeeded and their production system was shut down for weeks, Clark says. “These are the type of what-if scenarios that are frequently never explored. Few security managers or engineering teams have performed a single-point failure analysis of their facility, and even fewer have ever done a formal risk assessment using the results of the analysis,” he says. “This is especially irresponsible since there are excellent tools to help them find answers to these questions and determine if they are dedicating enough resources to safeguarding their facilities from a breach or control system malfunction.”

Clark says forward-looking security engineers and IT personnel have begun using automation to assist them in preventing attacks, combining security solutions to create what is known as defense-in-depth. These layers of disparate security measures can virtually surround critical assets and infrastructure.

“Once customers make the effort to begin to understand the nature of these threats to their facilities, products and employees, the safer and more operationally efficient they will become,” he says.


More Sources for Security Guidance

ICS-CERT Guidelines >>https://ics-cert.us-cert.gov/Recommended-Practices

Belden Security Blogs >>http://www.belden.com/blog/industrialsecurity/index.cfm

Schneider Electric/InduSoft Security eBooks >>https://www.smashwords.com/books/view/509999

NIST Cybersecurity Framework Gap Analysis Tool >>https://www.us-cert.gov/forms/csetiso

PBS Nova Program on Cybersecurity >>http://video.pbs.org/video/2365582515/

ISA 99/ISA/IEC 62443 Guidelines >>http://isa99.isa.org/ISA99%20Wiki/Home.aspx

Credit: Automation World

iOS 9 Hack: How to Access Private Photos and Contacts Without a Passcode


Setting a passcode on your iPhone is the first line of defense to help prevent other people from accessing your device. However, it’s pretty easy for anyone to access your personal photographs and contacts from your iPhone running iOS 9 in just 30 seconds or less, even with a passcode and/or Touch ID enabled.

Just yesterday, the security firm Zerodium announced a huge bug bounty of 1 million dollars for zero-day exploits and jailbreaks for iPhones and iPads running iOS 9. Now…

A hacker has found a new and quite simple method of bypassing the security of a locked iOS device (iPhone, iPad or iPod touch) running Apple’s latest iOS 9 operating system that could allow anyone to access the device’s photos and contacts in 30 seconds or less. Yes, the passcode on any iOS device running iOS 9.0 can be bypassed by abusing the helpful nature of Apple’s personal assistant, Siri.


Here’s the List of Steps to Bypass Passcode:

You need to follow these simple steps to bypass the passcode on any iOS device running iOS 9.0:
  1. Wake the iOS device and enter an incorrect passcode four times.
  2. For the fifth attempt, enter 3 or 5 digits (depending on how long your passcode is), and for the last one, press and hold the Home button to invoke Siri, immediately followed by the 4th digit.
  3. After Siri appears, ask her for the time.
  4. Tap the Clock icon to open the Clock app, add a new clock, then write anything in the “Choose a City” field.
  5. Now double-tap the word you wrote to invoke the copy & paste menu, choose Select All and then tap “Share”.
  6. Tap the “Message” icon in the Share Sheet, again type something random, hit Return and double-tap the contact name at the top.
  7. Select “Create New Contact”, tap “Add Photo” and then “Choose Photo”.
  8. You’ll now be able to see the entire photo library on the iOS device, which is still locked with a passcode. Now browse and view any photo from the album individually.

Video Demonstration

You can also watch a video demonstration (given below) that shows the whole hack in action.

This isn’t a remote flaw you need to worry about, as it only works if someone has physical access to your iPhone or other iOS device. However, such an easy way to bypass any locked iOS device could put users’ personal data at risk.

How to Prevent iOS 9 Hack

Until Apple fixes this issue, iOS users can protect themselves by disabling Siri on the lock screen from Settings > Touch ID & Passcode. Once disabled, you’ll only be able to use Siri after you have unlocked your iOS device using the passcode or your fingerprint.

3D Imaging System in Driver-less Cars Can Be Hacked


The laser navigation system and sensors of driverless cars can be exploited by hackers, who can trick them into freezing in place because they perceive a probable collision with a person, another car or an obstacle.

The Lidar 3D imaging system, which autonomous vehicles use to build an image of their surroundings and navigate the roads, is vulnerable to attack. Research reveals that a cheap, low-power laser attack lets hackers trick the system into thinking that something is blocking the vehicle’s way, forcing it to slow down, stop and/or take evasive action.


Jonathan Petit, formerly a researcher in the University of Cork’s Computer Security Group, identified this vulnerability in the well-known laser-powered navigation system while investigating the cyber vulnerabilities of autonomous vehicles.

Petit’s research will be presented at the Black Hat Europe security conference in November this year. He explained that a pulse generator combined with a low-power laser let him record the laser pulses emitted by the high-profile Lidar system, which are not encoded or encrypted.

These pulses can later be replicated with a laser to produce fake objects that can easily trick a driverless car into thinking that there is an obstacle present at the front.

While speaking to IEEE Spectrum, Petit stated:

“I can take echoes of a fake car and put them at any location I want. And I can do the same with a pedestrian or a wall. I can spoof thousands of objects and basically carry out a denial-of-service attack on the tracking system so it’s not able to track real objects.”

He further added that the root of the vulnerability lies in the fact that some driverless cars have poor-quality input systems, which means such cars can make wrong decisions if they are fed incorrect data about the surrounding environment and/or the road.

“If a self-driving car has poor inputs, it will make poor driving decisions,” said Petit.

One might wonder, however: if laser ranging technology is the most expensive and technically advanced option currently available in the market, how can it make such mistakes?

In response, Petit says that autonomous cars can be hacked easily and cheaply:

“You can easily do it with a Raspberry Pi or an Arduino. It’s really off the shelf.”

The research reveals that driverless cars are not fully reliable and have inherent security issues, even though the technology has been cleared after being tested on UK roads.

It is clear that the growing amount of connected technology in vehicles is making our cars increasingly prone to risks and threats from hackers.

History of vulnerabilities in vehicles

At the Black Hat USA 2015 session, security researchers Charles Miller and Chris Valasek presented their discoveries about the security vulnerability they found in the on-board infotainment system of all the vehicles manufactured by Fiat Chrysler Automobiles, which left more than 470,000 vehicles vulnerable to similar hacking attempts.

Using this vulnerability, the two researchers managed to remotely take control of the vehicle, which allowed them to manipulate its brakes, acceleration, entertainment system and more.

Another hacker demonstrated how attackers could locate, unlock and start GM cars with a hacked mobile app, and how to hack a Corvette with a text message.

At the same DefCon and Black Hat security conferences, researchers also showed how hackers could easily exploit the vulnerabilities found within Megamos Crypto to start a vehicle without any key, and the vulnerability could be exploited within 60 minutes!


Self-driving Cars Hacked Using a Simple Laser and a Raspberry Pi

Wake-up call for driverless-car makers to solve this glaring security problem. Self-driving cars are easy to hack with a modified laser pointer.

A security researcher has discovered that self-driving cars with laser-powered sensors that detect and avoid obstacles in their paths can easily be fooled by a line-of-sight attacker using a laser pointer to trick those sensors into detecting and avoiding obstacles that don’t actually exist.

Self-driving or driverless cars are widely predicted to be the next big innovation in automotive technology — indeed, it’s possible that today’s infants will come of age in a world where “driving your own car” is as obsolete as horse-and-buggy combos are now.

Google has already developed and tested a semi-driverless car (which still requires a licensed and alert human driver as a failsafe in case anything goes wrong). Various car manufacturers including Lexus, Mercedes and Audi are developing self-driving prototypes of their own. But, of course, driverless cars with wireless computer controls are as vulnerable to hacking as any other Internet-connected device – and have a few other vulnerabilities as well.


Lidar systems

Driverless cars use laser ranging systems, known as “lidar” (a riff off of “radar”), to detect obstacles and navigate their way through them. Radar, which was originally a semi-acronym for RAdio Detection And Ranging, “sees” things by sending out radio waves, then measuring whether and how many of those waves reflect back after bouncing off of various objects. Lidar does the same thing with lasers, which are narrower and far more precise than the radio waves used in radar.

Jonathan Petit, a scientist at the software-security company Security Innovation, told IEEE Spectrum that he was able to fool the lidar systems of self-driving cars with a device he made out of only $60 worth of off-the-shelf technology.

“I can take echoes of a fake car and put them at any location I want. And I can do the same with a pedestrian or a wall.” Petit made his device using a low-powered laser and a pulse generator, although he said “you don’t need the pulse generator when you do the attack. You can easily do it with a Raspberry Pi or an Arduino. It’s really off the shelf.”

Once he made this device, Petit could use it to create from a lidar’s perspective the illusion of a car, wall or pedestrian while he was anywhere from 20 to 350 meters (roughly 65 to 1,500 feet) away from the lidar system. Perhaps even more disturbingly, Petit could carry out these attacks on a lidar-equipped car without the car’s passengers even being aware of it.

The good news is that, according to Petit, there is a way for car or lidar manufacturers to solve this problem. “A strong system that does misbehavior detection could cross-check with other data and filter out those that aren’t plausible,” he said. “But I don’t think carmakers have done it yet. This might be a good wake-up call for them.”

Petit plans to formally present his findings at the Black Hat Europe security conference this November.

Credit: Jennifer Abel

Car Hacking | Report reveals security flaw in immobilizers

Over 100 models at risk from wireless attacks; study was hidden for two years

A security flaw in Volkswagen, Volvo and Fiat cars could allow hackers to remotely start and steal vehicles without having a key, a report has revealed.

The report, titled ‘Dismantling Megamos Crypto: Wirelessly Lock-picking a Vehicle Immobilizer’, was recently released after a Volkswagen court injunction blocking its publication was lifted after two years.

Cars are only supposed to start if the key is present in the car. But the report says anti-theft systems on some models can be hacked – allowing the car to be simply driven away.

Report authors Roel Verdult, Flavio Garcia and Baris Ege wrote: “We were able to recover the key and start the engine with a transponder-emulating device. Executing this attack from beginning to end takes only 30 minutes.”

The hackers were able to eavesdrop on the signals sent between the cars’ immobilizers and their keys.

Cars from Porsche, Ferrari, Audi, Bentley, Lamborghini and Alfa Romeo are among those that use the same transponders that the experts hacked.

Car hacking: could it happen to you?

The researchers are calling for their findings to be taken into account by car companies that use radio-frequency identification (RFID) technology, so necessary security measures can be put in place. But unlike a recent security flaw discovered on the Tesla Model S, the latest security risk cannot be fixed by a simple software upgrade.

The researchers who uncovered the flaw believe their findings should be made public and used as an incentive for car manufacturers to increase their cyber-security efforts.

The manufacturers, on the other hand, prefer to keep the discussion under wraps.

Volkswagen Group of America, along with 12 other car manufacturers, is lobbying for car technology to fall under the protection of the Digital Millennium Copyright Act in the US. If successful in its efforts, research of this nature would become illegal.

In a statement, Volkswagen said: “In this connection, Volkswagen does not make available information that might enable unauthorized individuals to gain access to its vehicles.

“In all aspects of vehicle security, be this mechanical or electronic, Volkswagen goes to great lengths to ensure the security and integrity of its products against external malicious attack.”

 

You can download the full report here

Credit: Simon Davis

Researchers Hack Car via Insurance Dongle

Small devices installed in many automobiles allow remote attackers to hack into a car’s systems and take control of various functions, researchers have demonstrated.

Researchers at the University of California in San Diego analyzed commercial telematic control units (TCU) to determine if they are vulnerable to cyberattacks.

TCUs are embedded systems on board a vehicle that provide a wide range of functions. The products offered by carmakers, such as GM’s OnStar and Ford’s Sync, provide voice and data communications, navigation, and allow users to remotely control the infotainment systems and other features.

Aftermarket TCUs, which connect to the vehicle through the standard On-Board Diagnostics (OBD) port, can serve various purposes, including driving assistance, vehicle diagnostics, security, and fleet management. These devices are also used by insurance companies that offer safe driving and low mileage discounts, and pay-per-mile insurance.

Researchers have conducted tests on C4E dongles produced by France-based Mobile Devices. These TCUs, acquired by the experts from eBay, are used by San Francisco-based car insurance firm Metromile, which offers its per-mile insurance option to Uber.

Aftermarket TCUs are mostly used for data collection, but the OBD-II port they are connected to also provides access to the car’s internal networks, specifically the controller area network (CAN) buses that are used to connect individual systems and sensors.

“CAN is a multi-master bus and thus any device with a CAN transceiver is able to send messages as well as receive. This presents a key security problem since as we, and others, have shown, transmit access to the CAN bus is frequently sufficient to obtain arbitrary control over all key vehicular systems (including throttle and brakes),” researchers explained in their paper.

The experts have identified several vulnerabilities in the Mobile Devices product, including the lack of authentication for remotely accessible debug services, the use of hard-coded cryptographic keys (CVE-2015-2906) and hard-coded credentials (CVE-2015-2907), the use of SMS messages for remotely updating the dongle, and the lack of firmware update validation (CVE-2015-2908).
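Of the findings listed above, the missing firmware update validation (CVE-2015-2908) has the most direct fix: the dongle should accept an image only if it carries a signature it can check against a vendor public key it already holds. The Go program below is an added example, not code from the researchers or from Mobile Devices; its image layout, function names and key handling are all assumptions. The vendor signs a small header plus the payload with an Ed25519 private key; the device keeps only the matching public key (a public key baked into firmware is not the hard-coded secret problem of CVE-2015-2906) and rejects any image whose signature fails, that is malformed, or whose version does not move forward.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption for this example, not the dongle's real format):
//   4 bytes  magic "FWUP"
//   4 bytes  firmware version, big-endian
//   4 bytes  payload length, big-endian
//   N bytes  payload
//   64 bytes Ed25519 signature over everything before it
const (
	magic     = "FWUP"
	headerLen = 12
)

var (
	ErrFormat    = errors.New("firmware image: malformed header or length")
	ErrSignature = errors.New("firmware image: signature verification failed")
	ErrRollback  = errors.New("firmware image: version is not newer than the installed one")
)

// BuildUpdate is the vendor-side step: sign header and payload with the private key,
// which never leaves the vendor's build system.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	buf := make([]byte, headerLen, headerLen+len(payload)+ed25519.SignatureSize)
	copy(buf[0:4], magic)
	binary.BigEndian.PutUint32(buf[4:8], version)
	binary.BigEndian.PutUint32(buf[8:12], uint32(len(payload)))
	buf = append(buf, payload...)
	return append(buf, ed25519.Sign(priv, buf)...)
}

// VerifyUpdate is the device-side step. It returns the payload only if the image is
// well-formed, signed by the provisioned public key, and newer than what is installed.
// Nothing from the image is acted on before the signature has been checked.
func VerifyUpdate(pub ed25519.PublicKey, image []byte, installed uint32) ([]byte, error) {
	if len(image) < headerLen+ed25519.SignatureSize || string(image[0:4]) != magic {
		return nil, ErrFormat
	}
	plen := binary.BigEndian.Uint32(image[8:12])
	want := len(image) - headerLen - ed25519.SignatureSize // non-negative after the length check
	if uint64(plen) != uint64(want) {
		return nil, ErrFormat
	}
	signed := image[:headerLen+want]
	sig := image[headerLen+want:]
	if !ed25519.Verify(pub, signed, sig) {
		return nil, ErrSignature
	}
	// Anti-rollback: an old but genuinely signed image must not reintroduce fixed bugs.
	if version := binary.BigEndian.Uint32(image[4:8]); version <= installed {
		return nil, ErrRollback
	}
	return image[headerLen : headerLen+want], nil
}

func main() {
	// Constructed vendor key pair; a real device would be provisioned with pub only.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := BuildUpdate(priv, 2, []byte("constructed firmware payload"))

	_, err = VerifyUpdate(pub, image, 1)
	fmt.Println("genuine update:", err)

	tampered := append([]byte(nil), image...)
	tampered[headerLen] ^= 0x01 // flip one payload bit
	_, err = VerifyUpdate(pub, tampered, 1)
	fmt.Println("tampered payload:", err)

	_, err = VerifyUpdate(pub, image, 2)
	fmt.Println("replayed old version:", err)

	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, err = VerifyUpdate(otherPub, image, 1)
	fmt.Println("signed with a different key:", err)
}
```

The order of checks matters: the length and magic checks only locate the signature, the signature is verified next, and only then are version and payload trusted. Delivery channel (SMS, cellular, USB) becomes irrelevant to integrity once every image must pass this gate, though the update service should still require authentication to avoid a denial-of-service through endless rejected images.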

In their experiments, researchers managed to gain local access to the system via the device’s USB port, and remote access via the cellular data interface that provides Internet connectivity and via an SMS interface.

In a real-world demonstration, the experts hacked a Corvette fitted with a vulnerable device simply by sending it specially crafted SMS messages. By starting a reverse shell on the system, they managed to control the windshield wipers, and apply and disable brakes while the car was in motion. The experts said they could have also accessed various other features.

Corvette hacked via insurance dongle

The remote attacks only work if the attacker knows the IP address of the device or the phone number associated with the SIM card used for receiving SMS messages. However, researchers determined that Internet-accessible TCUs can be identified by searching the web for strings of words unique to their web interface, or by searching for information related to the Telnet and SSH servers. Thousands of potential TCUs were uncovered by experts using this method.

As for the SIM phone numbers, researchers believe many of them are sequentially assigned, which means an attacker might be able to obtain the information by determining the phone number for one device.

Researchers have reported their findings to Mobile Devices, Metromile, and Uber. Wired reported that Mobile Devices developed a patch that has been distributed by Metromile and Uber to affected products.

Mobile Devices told the researchers and the CERT Coordination Center at Carnegie Mellon University that many of the vulnerabilities have been fixed in newer versions of the software, and claimed that the attack described by experts should only work on developer/debugging devices, not on production deployments.

However, researchers noted that they discovered the vulnerabilities on recent production devices and they had not found the newer versions of software that should patch the security holes.

This is not the first time someone has taken control of a car using insurance dongles. In January, a researcher demonstrated that a device from Progressive Insurance used in more than two million vehicles was plagued by vulnerabilities that could have been exploited to remotely unlock doors, start the car, and collect engine information.

White hat hackers demonstrated on several occasions this summer that connected cars can be hacked. Charlie Miller and Chris Valasek remotely hijacked a Jeep, ultimately forcing Fiat Chrysler to recall 1.4 million vehicles to update their software. Last week, researchers reported finding several vulnerabilities in Tesla Model S, but they applauded the carmaker for its security architecture.

In July, senators Ed Markey and Richard Blumenthal introduced new legislation, the Security and Privacy in Your Car (SPY Car) Act, in an effort to establish federal standards to secure cars and protect drivers’ privacy.

Credit:  Eduard Kovacs

It’s official: North America out of new IPv4 addresses

Remember how, a decade ago, we told you that the Internet was running out of IPv4 addresses? Well, it took a while, but that day is here now: Asia, Europe, and Latin America have been parceling out scraps for a year or more, and now the ARIN wait list is here for the US, Canada, and numerous North Atlantic and Caribbean islands. Only organizations in Africa can still get IPv4 addresses as needed. The good news is that IPv6 seems to be picking up the slack.

ARIN, the American Registry for Internet Numbers, has now activated its “IPv4 Unmet Requests Policy.” Until now, organizations in the ARIN region were able to get IPv4 addresses as needed, but yesterday, ARIN was no longer in the position to fulfill qualifying requests. As a result, ISPs that come to ARIN for IPv4 address space have three choices: they can take a smaller block (ARIN currently still has a limited supply of blocks of 512 and 256 addresses), they can go on the wait list in the hopes that a block of the desired size will become available at some point in the future, or they can buy addresses through a transfer from an organization that has more than it needs.

“If you take a smaller block, you can’t come back for more address space for 90 days,” John Curran, CEO of ARIN, told Ars. “We currently have nearly 500 small blocks remaining, but we handle 300 to 400 requests per month, [so] those remaining small blocks are going to last between two and four weeks.”

Doesn’t this allow for strategic behavior, where each ISP tries to request a block slightly smaller than the requests already on the wait list? “The wait list is a last resort as very little address space is returned to ARIN,” Curran said. “Trying to figure out how to game the wait list is not strategic. Trying to figure out how to use IPv6 for new customers is strategic.”

“ISPs will have to get used to the transfer market. If you need IPv4 addresses, go there,” Curran continued. “But I’m not sure how long a market is going to be around. Seven billion people with smartphones and home connections, a connection at work, then add Google, YouTube, Facebook, Bing… Four billion addresses, even with a perfectly working market, isn’t going to work in the future.”

IPv4 address markets

We spoke to Janine Goodman, vice president of Avenue4, a broker of IPv4 addresses, about what to expect in the short term.

“IPv6 is going to happen, that’s the direction it’s going,” she said. “But it’s going to take a while. Organizations are not ready to turn to IPv6 tomorrow; this will take a few years. A transfer market allows for the transition from IPv4 to IPv6 in a responsible way, not a panicked way.”

“The price for blocks of IPv4 addresses of 65,536 addresses (a /16) or smaller is about $7 to $8 per address in the ARIN region. In other regions, which have fewer addresses out there, the price tends to be a little higher,” Goodman said. “We expect the IPv4 market to be around for at least three to five years. During that time, the price per address will likely go up and then finally come back down as IPv6 is being widely deployed.”

Goodman stressed that buyers of addresses should make sure they are “clean” and have a known history. There have been reports of address sales where the addresses turned out to be in ongoing use after completion of the transaction.

ARIN CEO Curran also suggested that buyers do their due diligence. “With a car, the car and the registration are two different things. Not so with IP addresses: the registration in the whois database is the only thing,” he said. However, ARIN will only modify its whois records if the buyer of the addresses has a documented need for the amount of address space in question. As such, prospective buyers can pre-qualify with ARIN and then go out and buy the address space that covers their documented needs for the next two years, or they can find a seller of address space first and then come to ARIN to make sure they qualify.

Bring on the IPv6!

The Internet Engineering Task Force (IETF) saw the eventual depletion of IP addresses looming in the early 1990s, so they set out to solve the problem and came up with a new version of the Internet Protocol. The old IP has version number 4; the new version is 6. IPv6 increases the length of IP addresses to no fewer than 128 bits—sort of like increasing phone numbers from 10 to 40 digits. As a result, the number of available IPv6 addresses is, for all practical purposes, unlimited.

The trouble is that, of course, old systems can only handle the IPv4 with its 32-bit addresses. That problem has pretty much been solved in the intermediate decade, and today virtually all operating systems can handle 128-bit IPv6 addresses—although some applications can’t or don’t handle them properly.

The main issue remaining is that most networks simply haven’t enabled IPv6 yet. Although turning on IPv6 is not as hard as some people think, it’s not entirely trivial either in larger networks. Internet Service Providers, routers, firewalls, load balancers, and DNS servers must all be IPv6-ready and be reconfigured. And then there are all those little (and not so little) homegrown applications that keep businesses running. In almost all cases, a new IPv6 numbering plan is required, and DHCP works differently with IPv6 than with IPv4.

So for a long time, the number of Internet users who had IPv6 connectivity in addition to IPv4 connectivity, as well as the fraction of total Internet traffic that is IPv6, were rounding errors. Google’s statistics showed that only a few tenths of a percent of its users from 2009 to 2011 had IPv6 connectivity; that number reached one percent only at the end of 2012. A year ago, it hit 3.5 percent. Today, it stands between 6.5 (weekdays) and 7.5 percent (weekends).

Things get more interesting as we look at Google’s stats for individual countries. In early 2013, the US and Belgium weren’t notable players in the IPv6 adoption game, at 2.17 and 0.04 percent, respectively. Today, Belgium is the world leader at nearly 35 percent, and the US is third just behind Switzerland (both have about 21 percent adoption). According to Akamai’s numbers, seven countries now have IPv6 adoption rates above ten percent: Belgium, Switzerland, the US, Peru, Germany, Luxembourg, and Portugal—Greece will be the eighth very soon. Sixteen countries have more than five percent IPv6 deployment, and 32 countries have at least one percent.

Remarkably, neighboring countries may differ by an order of magnitude. The US is at nearly 21 percent, but Canada has only 0.5 percent IPv6 users. Belgium has nearly 35 percent, but the Netherlands has just three percent. Ireland is at 2.4 percent; the UK is at 0.2 percent.

Per-country IPv6 deployment

Don’t be too alarmed by the colors of Google’s IPv6 deployment map. White means no IPv6, while darker shades of green mean more IPv6. Red is bad, as it not only indicates very little IPv6 but also that IPv6 is slower than IPv4. Orange means that there is significant IPv6 deployment, but IPv6 connectivity is slower than IPv4 connectivity. However, IPv6 packets often take just two hundredths of a second longer than IPv4 packets, which isn’t ideal but not as alarming as the orange coloring suggests.

However, there are also places, such as Belgium or Russia, where on average IPv6 is actually faster than IPv4. One explanation for this could be that “good” ISPs also tend to be the ones that have IPv6 deployed. Routing paths over worse-performing ISPs that are available to IPv4 packets aren’t available to IPv6 packets, so those have no other choice than to flow through better performing ISPs. But in places where IPv6 deployment is lacking, there’s always the risk that the ISP providing the shortest path doesn’t run IPv6, so IPv6 packets need to follow a longer path, slowing down communication.

So it looks like a future where the Internet remains largely IPv4-only, with more and more invasive translation devices that let more and more users share a single IPv4 address, is not the most likely outcome. We now know that getting a tenth of a country’s Internet users on IPv6 within a year is doable. And as someone smart recently said about ISPs adopting IPv6, referring to Metcalfe’s Law, “If everyone is doing it, you have to do it, too.”

Credit: 

Google | Project Vault

Google’s Project Vault Is A Secure Computing Environment On A Micro SD Card, For Any Platform

Project Vault is a secure computer contained entirely on a micro SD sized device. Google’s ATAP said the micro SD format made sense because there are already advanced security features on your phone, contained in the SIM card, which protect the things important to carriers. Vault is designed to be an equivalent, but designed to protect a user’s important content.

They went with the micro SD form factor so that they could have more data throughput to project video, and they wanted storage (Vault has 4GB of data storage on board) and they wanted modularity, so you could take it wherever you wanted.

Onboard the Vault itself is an ARM processor running ARTOS, a secure operating system focused on privacy and data security. It also has an NFC chip and an antenna (for proving that you are in control and that it’s correctly authorized). Finally, there’s a suite of cryptographic services, including hashing, signing, batch encryption and a hardware random number generator.

Vault provides two-factor auth in a way that’s easy enough for anyone to use, and developers don’t have to do anything to get stuff ready to work with it – the system sees it as a generic storage device with a standard file system.

Said file system includes just two files, one for read and one for write, that any app has to go through in order to communicate with Vault. This also means that it works with any operating system, including Android, Windows, OS X and Linux, since essentially it’s just a generic storage device to the host computer or phone.

Today, ATAP is releasing the open source development kit so that people can understand and test it prior to it going live. They’ve also built an enterprise-targeted first product version that’s being used internally at Google right now, and there are plans to eventually make consumer-focused hardware, too.

In a demo, ATAP showed how Vault could be used to secure a chat conversation. Once the Vault micro SD is installed, the chat application just opens the virtualized two-file system with the read/write I/O. Vault takes care of encrypting the message and then sending it through as ciphertext. The phones automatically decrypt the conversation, but never actually see any keys or algorithms on either end.

Credit: Darrell Etherington