Tag Archives: i-news

Cyber-news from the dark side: Japanese legal hacking; iKeychain hack; 2FA -> $0; an Iranian cyber-whodunit; and a USB-eating leopard seal.

Privyet boys and girls!

Herewith, the next in my periodic/occasional cyber-news cyber-shocker-bulletins: a few stories of the cyber-interesting, the cyber-this-news-just-in, and the cyber-absurd…

State-sanctioned hacking!

The Japanese government is believed to be planning to hack 200 million IoT devices of its citizens. And that’s not science fiction folks; it looks like it’s for real. Indeed, it’s how the Japanese are preparing for the Olympics to be held in Tokyo in 2020 – and it’s all legal of course, since it’s the government who’s behind it. So their citizens’ gadgets will be hacked using the cybercriminals favorite method: using default passwords and password dictionaries. If a device is found to have a weak password, bureaucrats will enter the device into a list of unsecure gadgets, which list will then be handed over to internet service providers, which will be expected to inform subscribers and have them make their devices secure by changing the password. It’s all being done as a resilience test in the run-up to the Olympics, to work out if IoT devices in the country are sufficiently protected, and to try and prevent their use in attacks on the Olympics’ infrastructure. The methods to be used for this ‘test’ can easily be disputed, but the fact that the authorities are doing something concrete so well in advance is certainly a good thing. For let’s not forget that the Olympics have been targeted before – and not all that far away from Japan.

iOops!

An 18-year-old hacker, Linus Henze, has published a video highlighting a startling weakness in MacOS – specifically its Keychain program, which stores and secures a user’s many passwords. The teenager used a zero-day to develop his own app that can scan the full contents of the keychain.

Curiously, intriguingly, Mr. Henze isn’t planning on sharing his research and his app with the tech giant, since Apple still doesn’t run a bug-bounty program. So that leaves the company with two options: negotiate with the expert (which would be an unprecedented move for Apple), or consider trying to remedy the issue themselves – which they may or may not be able to do, of course.

Meanwhile, you, dear readers, need not fear for the safety of your passwords! Since there do exist (who’d know?!) fully secure, cross-platform password managers out there. And researchers – there do exist software companies that run bug-bounty programs ).

Even two-factor authentication can be hacked now.

Bank accounts being emptied by cyber-thiefs is on the up. One example recently involved accounts held at the UK’s Metro Bank. And the method used for the robberies involved intercepting text messages sent to account-holders’ phones for two-factor authentication. Now, 2FA is a good thing: it’s an extra layer of security and all that, so why not? It’s just that SMSs are by far not the most secure way to transfer data. For example, vulnerabilities can be exploited in the SS7 protocol, which is used by telecoms operators the world over to coordinate how they route texts and calls. If cyber-baddies manage to access the mobile network of an operator, they’re able to re-route messages and calls without the user being any the wiser. First they’d need to know your login and password for online banking, but that isn’t beyond the abilities of modern-day cyber-villains with their crafty keyboard spies, phishing tactics, or banking Trojans.

Once inside the online bank, the criminals send a request for a money transfer and intercept the message with the one-time code from the bank. The code is entered, and the bank transfers the funds, since both the password and the code were correctly entered. And the criminals are laughing all the way to the bank, as it were ).

So what can you do to stop such a scenario happening to you? Here are a couple of tips:

  • Never tell anyone your login or passwords – even to a bank employee, but you’ll probably know that one: banks helpfully remind us whenever they can.
  • Protect your devices from malware with a reliable antivirus app. There is one I happen to know of… but no – you choose the one you want ).

Cyber-spying on foreign diplomats in Iran – but whodunit?

Our researchers just recently discovered multiple attempts at infection of foreign diplomatic missions in Iran with some rather primitive cyber-espionage malware. The backdoor is presumed to be associated with the hacking group know as Chafer, which happens to ‘speak’ Farsi, and which is thought to have been responsible for cyber-surveillance on individuals in the Middle East in the past. This time, they cybercriminals used an improved version of the Remexi backdoor, designed to remotely control (as administrator) a victim’s computer.

Remexi software was first detected in 2015 when it was used for illegal surveillance of individuals and organizations across the whole region. The Windows-targeting surveillance-ware can exfiltrate keystrokes, screenshots, and browser-related data like cookies and history.

Much ‘home made’ malware is used in the region – often in combination with public domain utilities. But who’s behind these particular attacks? Finding out is made all the more difficult by the very fact that the malware is homespun; it literally could be anybody: Iranians, or non-Iranians pulling a false-flag operation. Alas, false flags are on the up and up and look set to remain so.

“Well, actually… a seal ate my USB stick, sir.”

In New Zealand, one day out walking a vet observed a clearly unwell leopard seal on a beach. As any concerned vet would, he proceeded to… scoop up a lump of the poorly seal’s poop and took it off for analysis. He was expecting to find therein some ghastly little parasites or viruses or what have you, but instead found… a USB stick. After much disinfection (I hope), the vet stuck the thumb drive into his computer (don’t try any of this at home kids, but this was a special case). And guess what? Thereon were stored lots of photos of the beautiful New Zealand scenery! Now the vet and Co. are seeking the owners of the USB – using this here video. Recognize it, anybody?

i-news: best of the best in 2018.

Boys and Girls! I hereby give you the last edition of i-news for 2018. Every year around this time I get the urge to do a bit of light-hearted summarizing and recapping, so we can see in the New Year in a good mood :). So, today we will talk about the loudest, silliest, funniest and weirdest news from the world of IT and cybersecurity that appeared on our screens in 2018.

First, let’s talk about professionalism in the media – you know, stuff like objectivity, investigative journalism and fact-checking. Or, to be more precise, the absence of all those things.

In October, Bloomberg Businessweek published an “investigation” with a pretty sensational headline and authored by a well-known ‘sauna journalist’. The first part of the headline says it all – The Big Hack. The story is based on information from anonymous sources (surprise, surprise!) and claims hardware manufactured by Super Micro has bugs implanted in them. And it’s supposedly been going on for several years. The chips were supposedly found by staff at Apple and Amazon, and the US authorities have been carrying out an investigation since 2015. And then, the interesting part starts…

Amazon denied any knowledge of the bugs, while Tim Cook of Apple said it’s all lies and called for the article to be retracted. Super Micro declared it had never received any customer complaints or questions from the authorities. (All this sounds pretty familiar!) Within 24 hours of the publication, Super Micro shares plummeted 60%. The company called in an outside firm to conduct an investigation that found no evidence to back up the journalists’ claims. Bloomberg appears to be in no hurry to apologize, although it did assign another journalist to do some further research.

Read on…

Flickr photostream

Instagram photostream

Digital demons – in art and in everyday life.

As regular readers of this here blog of mine will already know, I’m rather into modern art. But when art somehow merges with the anything IT-related, I’m the world’s biggest fan. Well, such a merging is taking place right now in Moscow in its Museum of Modern Art with the exhibition Daemons in the Machine, so supporting it was a no brainer. Artists, consulted by scientists, aimed their creativity at the modern-day topics of artificial intelligence (which, IMHO, is hardly any intelligence at all – just smart algorithms), blockchain, neural networks and robotics. The result is a curious mix of futurology, ethics and – of course – art.

I haven’t been myself as I’m only just back from my latest trip, but I hope to find time for a visit before my next one.

And now, we move from high-art digital demons to everyday, run-of-the-mill – but very worrying – digital demons…

Read on…

Enter your email address to subscribe to this blog

Cyber-tales from the dark – and light – sides.

Hi folks!

Today I’ve got some fresh, surprising cybersecurity news items for you. The first few are worrying stories about threats stemming from a certain ubiquitous small device, which many folks simply can’t be without just for one minute – including in bed and in the bathroom. The last few are positive, encouraging stories – about women on the up in IT. Ok, let’s dive in with those worrying ones first…

Don’t join the Asacub victim club

These days, folks tend to entrust their (trusty?) smartphones with all sorts of stuff – banking, important work and personal documents, messaging (often with very personal details strictly for a few eyes only), and more. But, hey, you’ll know all this perfectly well already, and may be one of these folks to this or that extent yourself; and if you are – you really do need to read this one carefully…

At the end of August a sharp increase was detected in the proliferation of the Android Trojan Asacub, which exploits that peculiarly human weakness called curiosity. The Trojan sends a text message with words like: ‘Hey John: You should be ashamed of yourself! [link]’, or ‘John – you’ve been sent an MMS from Pete: [link]’. So John scratches his head, becomes as curious as a cat, wonders what’s in the photo, clicks on the link, and (willingly!) downloads an application… which then proceeds to stealthily access his full contact list and start sending out similar messages to all his peers.

But this crafty malware doesn’t stop there. It can also, for example, read incoming texts and send their contents to the hackers running the malware, or send messages with a given text to a given number. And the ability to intercept and send texts gives the authors of the Trojan the ability to, among other things, transfer to themselves funds from the bank card of the victim if the card is digitally connected to the phone number. And as if that weren’t bad enough – there’s a bonus for the victim: a huge bill from his mobile provider for sending all those messages to everybody.

So how can you protect yourself from such fearsome mobile malware? Here’s how:

  • Don’t click on suspicious links;
  • Carefully check which rights are being requested by the downloaded application (e.g., microphone, camera, location…);
  • And last and most: the simplest step – install reliable protection on your Android smartphone.

Android? Hmmm. I can hear all the sighs of relief just now: ‘Aaaaahhhh, thank goodness I’ve got an iPhone!’!

Hold your horses all you Apple lovers; here’s a couple of links for you too (don’t worry: you can click these – honest!):

Read on…

Dutch hacker, big cyber-politics, and the anatomy of ‘real’ fake news.

Almost 21 years ago, I embarked on a mission to make the world a safer, better place. Today, we’re proud to protect with our cybersecurity solutions the digital lives of over 400 million consumers and 270,000 organizations around the world. Like many other companies whose aim is enhancing people’s lives, we also know that the higher you go, the stronger the winds can be. For us these winds include false media reporting. And in today’s environment of ‘media-ocracy’ and fake news, the situation is getting worse.

For nearly four years now, certain U.S. media outlets have been printing outlandishly preposterous false stories about cyber-conspiracies concocted between secret service folks and Yours Truly against the ‘free world’.

Evidence suggests that a Dutch politician is behind a fake story about Kaspersky Lab in the biggest Dutch daily newspaper

These tales from the paranoid side about us all fit the same template. Accordingly, their basic structure and rhetoric are always identical:

  • Unnamed U.S. intelligence officials share certain ‘shocking details’ about [insert as applicable] with a select few representatives of a given media outlet;
  • Anonymous sources are mostly used; any ‘sources’ cited are incompetent/unqualified to be sources;
  • Zero evidence of any wrongdoing on our part is presented (logical: there is no wrongdoing);
  • Distortion of reality based on the Pareto principle (80% truth + 20% fiction = monstrous lie);
  • These media stories are then used as a basis for taking political decisions (proof).

Incidentally, you may be wondering why, if all the stories about us are indeed false, we’ve never taken legal action in the U.S. The short answer to that is that U.S. legislation makes establishing the truth of a media story very difficult. Meanwhile, we get a ‘media-ocracy’ – with ‘news’ that isn’t news at all, just a vehicle for instilling in readers’ minds images of an ‘enemy’, so as to influence the underlying opinions of the people reading those media. But it doesn’t stop there. This non-news is used to justify high-level political moves against the next-in-line-to-be-out-of-favor company. Yes, of late it’s not just KL being pinpointed; this is growing bigger and bigger every month, affecting other companies too.

Worryingly, this media-ocracy is very influential – and highly contagious; so much so that it can now be felt all around the world, not just in America. And that now includes even the Netherlands.

Media-ocracy: vehicle for instilling in readers’ minds images of an ‘enemy’ and using false allegations for taking political decisions. Alas, it’s highly contagious.

On February 3 of this year, the largest Dutch national daily newspaper, De Telegraaf, published a ‘sensational’ article about a hacker who, allegedly, had claimed to have hacked into the network of our Dutch office (from just outside the building) and managed to obtain a number of IP addresses – all as part of a supposed investigation to help uncover a leak in the Dutch parliament – a leak organized to help ‘the Russians’. Inevitable questions like why specifically we were hacked, why those particular IP addresses were obtained, etc. are left unanswered, but for us the key thing to be addressed was the claim that someone had breached our own highly secure corporate network.

So yes, we took the claims very seriously. We’re a cybersecurity company, remember?! So naturally we carried out an internal investigation. And guess what it showed. No hack occurred. But that’s only the start of this sorry tale.

Read on: It gets even more ridiculous…

Uh-Oh Cyber-News: Infect a Friend, Rebooting Boeings, No-Authentication Holes, and More.

Hi folks!

Herewith, the next installment in my ‘Uh-oh Cyber-News’ column – the one in which I keep you up to date with all that’s scarily fragile and frailly scary in the digital world.

Since the last ‘Uh-oh’ a lot has piled up that really needs bringing to your attention. Yep, the flow of ‘Uh-ohs’ has indeed turned from mere mountain-stream trickle to full-on Niagara levels. And that flow just keeps on getting faster and faster…

As a veteran of cyber-defense, I can tell you that in times past cataclysms of a planetary scale were discussed for maybe half a year. While now the stream of messages is like salmon in spawning season: overload! So many they’re hardly worth mentioning as they’re already yesterday’s news before you can say ‘digital over-DDoSe’. “I heard how they hacked Mega-Corporation X the other day and stole everything; even the boss’s hamster was whisked away by a drone!”…

Anyway, since the stream of consciousness cyber-scandals is rapidly on the up and up, accordingly, the number of such scandals I’ll be writing about has also gone up. In the past there were three of four per blogpost. Today: seven!

Popcorn/coffee/beer at the ready? Off we go…

1) Infect a Friend and Get Your Own Files Unlocked for Free.

Read on: Effective Hacker Headhunting…

Uh-oh Cyber-News: The Future’s Arrived, and Malware Back from the Dead.

As always for this ‘column‘, I’ll be giving you a round-up of some of the most eek recent items of cybersecurity news, which might not have made the headlines but which are no less eek for that. And as usual, it’s all mostly bad news. There are still a few reasons to be optimistic though – but only a few. Eek!

Uh-oh Cyber-News Item No. 1: The Future’s Arrived.

news-1A screenshot from Blade Runner

Many authors like to fantasize about how things will be in the future. Often, science fiction writers come up with deep philosophical reflections upon man and his place in the Universe. There’s Russia’s Strugatsky brothers, there’s Philip K. Dick, and there’s Arthur C. Clarke (plus his ‘translator’ to the silver screen Stanley Kubrick), for example. And very often such deep philosophical reflection is rather bleak and scary.

Other times, the reflection is a little less deep and philosophical, but no less likely to one day lead to reality – in fact, oftentimes more so. This is where I make appearances!…

So. Back in the first decade of this century, during my presentations your humble servant liked to tell fun ‘scare’ stories about what could happen in the future. Example: a coffeemaker launches a DDoS attack on the fridge, while the microwave works out the factory PINs of the juicer so it can then show text-adverts on its digital display.

Fast forward less than a decade and such ‘sci-fi’ is coming true…

Read on: Computer worms rising from the dead…

Uh-oh Cyber-News: Infected Nuclear Reactors, Cyber-Bank Robbers, and Cyber-Dam-Busters.

Just a quick read of the news these days and you can find yourself wanting to reach for… a Geiger counter. I mean, some of the news stories are just so alarming of late. Or am I overreacting? Let’s see…

Uh-oh News Item No. 1: Apocalypse Averted – for Now. 

inews-1Photo courtesy of Wikipedia

It was reported that the IT system of Unit B of the Gundremmingen Nuclear Power Plant in Swabia, Bavaria, southwestern Germany – right on the 30-year anniversary to-the-day of the Chernobyl disaster (!) – had been infected by some malware. However, it was also reported that there’s no reason to worry at all as no danger’s being posed whatsoever. All’s ok; we can all sleep soundly; everything’s under control; the danger level couldn’t be lower.

After sighing a ‘pheewwwww’ and mopping one’s brow, you read further…

… And as you do, you get a few more details of the incident. And it does indeed seem all is ok: the background radiation level, after all, didn’t go up – that’s the main thing, surely. Right? But then you read further still…

And you find out that the (Internet-isolated) system that was infected happens to be the one that controls the movement of nuclear fuel rods. It’s here you stop, rub the eyes, and read that again slowly…

WHAAAAT?

Read on: Cyber-Spy-Novel-Worthy …

Cyber-news: Vulnerable nuclear power stations, and cyber-saber… control?

Herewith, a quick review of and comment on some ‘news’ – rather, updates – on what I’ve been banging on about for years! Hate to say ‘told you so’, but… TOLD YOU SO!

First.

(Random pic of) the Cattenom Nuclear Power Plant in France where, I hope, all is tip-top in terms of cybersecurity(Random pic of) the Cattenom Nuclear Power Plant in France where, I hope, all is tip-top in terms of cybersecurity

I’ve been pushing for better awareness of problems of cybersecurity of industry and infrastructure for, er, let’s see, more than 15 years. There has of late been an increase in discussion of this issue around the world by state bodies, research institutes, the media and the general public; however, to my great chagrin, though there’s been a lot of talk, there’s still not been much in the way of real progress in actually getting anything done physically, legally, diplomatically, and all the other …lys. Here’s one stark example demonstrating this:

Earlier this week, Chatham House, the influential British think tank, published a report entitled ‘Cyber Security at Civil Nuclear Facilities: Understanding the Risks’. Yep, the title alone brings on goosebumps; but some of the details inside… YIKES.

I won’t go into those details here; you can read the report yourself – if you’ve plenty of time to spare. I will say here that the main thrust of the report is that the risk of a cyberattack on nuclear power plants is growing all around the world. UH-OH.

The report is based exclusively on interviews with experts. Yes, meaning no primary referenceable evidence was used. Hmmm. A bit like someone trying to explain the contents of an erotic movie – doesn’t really compare to watching the real thing. Still, I guess this is to be expected: this sector is, after all, universally throughout the whole world, secret.

All the same, now let me describe the erotic movie from how it was described to me (through reading the report)! At least, let me go through its main conclusions – all of which, if you really think about them, are apocalyptically alarming:

  1. Physical isolation of computer networks of nuclear power stations doesn’t exist: it’s a myth (note, this is based on those stations that were surveyed, whichever they may be; nothing concrete). The Brits note that VPN connections are often used at nuclear power stations – often by contractors; they’re often undocumented (not officially declared), and are sometimes simply forgotten about while actually staying fully alive and ready for use [read: abuse].
  2. A long list of industrial systems connected to the Internet can be found on the Internet via search engines like Shodan.
  3. Where physical isolation may exist, it can still be easily gotten around with the use of USB sticks (as in Stuxnet).
  4. Throughout the whole world the atomic energy industry is far from keen on sharing information on cyber-incidents, making it tricky to accurately understand the extent of the the security situation. Also, the industry doesn’t collaborate much with other industries, meaning it doesn’t learn from their experience and know-how.
  5. To cut costs, regular commercial (vulnerable) software is increasingly used in the industry.
  6. Many industrial control systems are ‘insecure by design’. Plus patching them without interrupting the processes they control is very difficult.
  7. And much more besides in the full 53-page report.

These scary facts and details are hardly news for IT security specialists. Still, let’s hope that high-profile publications such as this one will start to bring about change. The main thing at present is for all the respective software to be patched asap, and for industrial IT security in general to be bolstered to a safe level before a catastrophe occurs – not after.

Among other things, the report recommends promoting ‘secure by design’ industrial control systems. Hear hear! We’re totally in support of that one! Our secure OS is one such initiative. To make industrial control systems, including SCADA, impenetrable, requires an overhaul of the principles of cybersecurity on the whole. Unfortunately, the road towards that is long – and we’re only at the very beginning of it. Still, at least we’re all clear on which direction to head toward. Baby steps…

Second.

For several years I’ve also been pushing for the creation of a global agreement against cyberwar. Though we signs of a better understanding of the logic of such an agreement on the part of all the respective parties – academics, diplomats, governments, international organizations, etc. – we’re seeing little real progress towards any such concrete agreement, just like with the securing of industrial systems. Still, at least the reining in of cyber-spying and cyberwar is on the agenda at last.

Photo: Michael Reynolds/EPA. SourcePhoto: Michael Reynolds/EPA. Source

For example, Barack Obama and Xi Jinping at the end of September agreed that their countries – the two largest economies in the world – won’t engage in commercial cyberspying on each other anymore. Moreover, the topic of cybersecurity dominated their joint press conference (together with a load measures aimed at slowing climate change). Curiously, the thorny issues of political and military cyber-espionage weren’t brought up at all!

So. Does this represent a breakthrough? Of course not.

Still, again, at least this small step is in the right direction. There have also been rumors that Beijing and Washington are holding negotiations regarding an agreement on prohibiting attacks in cyberspace. At the September meeting of the leaders the topic wasn’t brought up, but let’s hope it will be soon. It would be an important, albeit symbolic, step.

Of course, ideally, such agreements would be signed in the future by all countries in the world, bringing the prospect of a demilitarized Internet and cyberspace that little bit closer. Yes, that would be the best scenario; however, for the moment, not the most realistic. Let’s just keep pushing for it.

Your car controlled remotely by hackers: it’s arrived.

Every now and again (once every several years or so), a high-profile unpleasantness occurs in the cyberworld – some unexpected new maliciousness that fairly bowls the world over. For most ‘civilians’ it’s just the latest in a constant stream of seemingly inevitable troublesome cyber-surprises. As for my colleagues and me, we normally nod, wink, grimace, and raise the eyebrows à la Roger Moore among ourselves while exclaiming something like: ‘We’ve been expecting you Mr. Bond. What took you so long?’

For we’re forever studying and analyzing the main tendencies of the Dark Web so we can get an idea of who’s behind its murkiness and of the motivations involved; that way we can predict how things are going to develop.

Every time one of these new ‘unexpected’ events occurs, I normally find myself in the tricky position of having to give a speech (rather – speeches) along the lines of ‘Welcome to the new era‘. Trickiest of all is admitting I’m just repeating myself from a speech made years ago. The easy bit: I just have to update that old speech a bit by adding something like: ‘I did warn you about this; and you thought I was just scaremongering to sell product!’

Ok, you get it (no one likes being told ‘told you so’, so I’ll move on:).

So. What unpleasant cyber-unexpectedness is it this time? Actually, one affecting something close to my heart: the world of automobiles!

A few days ago WIRED published an article with an opening sentence that reads: ‘I was driving at 70 mph on the edge of downtown St. Louis when the exploit began to take hold.‘ Eek!

The piece goes on to describe a successful experiment in which hackers security researchers remotely ‘kill’ a car that’s too clever by half: they dissected (over months) the computerized Uconnect system of a Jeep Cherokee, eventually found a vulnerability, and then managed to seize control of the critical functions of the vehicle via the Internet – while the WIRED reporter was driving the vehicle on a highway! I kid you not folks. And we’re not talking a one-off ‘lab case’ here affecting one car. Nope, the hole the researchers found and exploited affects almost half a million cars. Oops – and eek! again.

Jeep Cherokee smart car remotely hacked by Charlie Miller and Chris Valasek. The image originally appeared in Wired

However, the problem of security of ‘smart’ cars is nothing new. I first ‘joked’ about this topic back in 2002. Ok, it was on April 1. But now it’s for real! You know what they say… Be careful what you wish for joke about (there’s many a true word spoken in jest:).

Not only is the problem not new, it’s also quite logical that it’s becoming serious: manufacturers compete for customers, and as there’s hardly a customer left who doesn’t carry at all times a smartphone, it’s only natural that the car (the more expensive – the quicker) has steadily been transformed into its appendage (an appendage of the smartphone – not the user, just in case anyone didn’t understand me correctly).

More and more control functions of smart cars are now firmly in the domain of the smartphone. And Uconnect isn’t unique here; practically every large car manufacturer has its own similar technology, some more advanced than others: there’s Volvo On CallBMW Connected DriveAudi MMIMercedes-Benz COMANDGM OnstarHyundai Blue Link and many others.

More and more convenience for the modern car-driving consumer – all well and good. The problem is though that in this manufacturers’ ‘arms race’ to try and outdo each other, critical IT security matters often go ignored.

Why? 

First, the manufacturers see being ahead of the Jones’s as paramount: the coolest tech functionality via a smartphone sells cars. ‘Security aspects? Let’s get to that later, eh? We need to roll this out yesterday.’

Second, remote control cars – it’s a market with good prospects.

Third, throughout the auto industry there’s a tendency – still today! – to view all the computerized tech on cars as something separate, mysterious, faddy (yep!) and not really car-like, so no one high up in the industry has a genuine desire to ‘get their hands dirty’ with it; therefore, the brains applied to it are chronically insufficient to make the tech secure.

It all adds up to a situation where fancy motorcars are becoming increasingly hackable and thus stealable. Great. Just what the world needs right now.

What the…?

Ok. That’s the basic outline. Now for the technical background and detail to maybe get to know what the #*@! is going on here!…

Way back in 1985 Bosch developed CAN. No, not their compatriot avant-garde rockers (who’d been around since 1968), but a ‘controller area network’ – a ‘vehicle bus’ (onboard communications network), which interconnects and regulates the exchange of data among different devices – actually, those devices’ microcontrollers – directly, without a central computer.

For example, when the ‘AC’ button on the dashboard is pressed, the dashboard’s microcontroller sends a signal to the microcontroller of the air conditioner saying ‘turn on, the driver wants cooling down’. Or when the brake pedal is pressed, the microcontroller of the pedal mechanism sends an instruction to the brake pads to press up against the brake discs.

CAN stands for 'controller area network', a 'vehicle bus' which interconnects and regulates the exchange of data among different devices шт a smart car

Put another way, the electronics system of a modern automobile is a peer-to-peer computer network – designed some 30 years ago. It gets better: despite the fact that over three decades CAN has been repeatedly updated and improved, it still doesn’t have any security functions! Maybe that’s to be expected – what extra security can be demanded of, say, a serial port? CAN too is a low level protocol and its specifications explicitly state that its security needs to be provided by the devices/applications that use it.

Maybe they don’t read the manuals. Or maybe they’re too busy trying to stay ahead of competitors and come up with the best smart car features.

Whatever the reasons, the fundamental fact causing all the trouble remains: Some auto manufacturers keep squeezing onto CAN more and more controllers without considering basic rules of security. Onto one and the same bus – which has neither access control nor any other security features – they strap the entire computerized management system that controls absolutely everything. And it’s connected to the Internet. Eek!

Hooking up devices to the Internet isn't a good idea. Engineers should think twice before doing this

Just like on any big computer network (e.g., the Internet), cars too need a strict ‘division of trust’ for controllers. Operations on a car where there’s communication with the outside world – be it installation of an app on the media system from an online store, or sending car performance diagnostics to the manufacturer – need to be firmly and securely split from the engine control, the security and other critical systems.

If you show an IT security specialist a car, lots of functions of which can be controlled by, say, an Android app, he or she would be able to demonstrate in no time at all a dozen or so different ways to get round the ‘protection’ and seize control of the functions the app can control. Such an experiment would also demonstrate how the car isn’t all that different really from a bank account: bank accounts can be hacked with specially designed technologies, in their case with banking Trojans. But there is a further potential method that could be used to hack a car just like a bank account too: with the use of a vulnerability, like in the case of the Jeep Cherokee.

Any reasons to be cheerful?…

…There are some.

Now, the auto industry (and just about everyone else) seems to be well aware of the degree of seriousness of the problem of cybersecurity of its smart car sector (thanks to security researchers like those in the WIRED article, though some manufacturers are loath to show their gratitude openly).

A sign of this is how recently the US Alliance of Automobile Manufacturers announced the creation of an Information Sharing and Analysis Center, “that will serve as a central hub for intelligence and analysis, providing timely sharing of cyber threat information and potential vulnerabilities in motor vehicle electronics or associated in-vehicle networks.” Good-o. I just don’t see how they plan to get along without security industry folks involved.

And it’s not just the motor industry that’s now on its toes: hours (!) after the publication of the WIRED article (the timing was a coincidence, it was reported) new federal legislation in the US was introduced establishing standardization of motor industry technologies in the field of cybersecurity. Meantime, we’re hardly twiddling thumbs or sat on hands: we’re actively working with several auto brands, consulting them on how to get their smart-car cybersecurity tightened up proper.

So, as you can see, there is light at the end of the tunnel. However…

…However, the described cybersecurity issue isn’t limited just to the motor industry.

CAN and other standards like it are used in manufacturing, the energy sector, transportation, utilities, ‘smart houses’, even in the elevator in your office building – in short – EVERYWHERE! And everywhere it’s the same problem: the growth of functionality of all this new tech is hurtling ahead without taking security into account!

What seems more important is always improving the tech faster, making it better than the competition, giving it smartphone connectivity and hooking it up to the Internet. And then they wonder how it’s possible to control an airplane via its entertainment system!

What needs doing?

First things first, we need to move back to pre-Internet technologies, like propeller-driven aircraft with analog-mechanical control systems…

…Not :). No one’s planning on turning the clocks back, and anyway, it just wouldn’t work: the technologies of the past are slow, cumbersome, inefficient, inconvenient and… a lot less secure! Nope, there’s no going backwards. Only forwards!

In our era of polymers, biotechnologies and all-things-digital, movement forward is producing crazy results. Just look around you – and inside your pockets. Everything is moving, flying, being communicated, delivered and received, exchanged… all at vastly faster speeds to those of the past. Cars (and other vehicles) are only a part of that.

All that does make life more comfortable and convenient, and digitization is solving many old problems of reliability and security. But alas, at the same time it’s creating new problems. And if we keep galloping forward at breakneck speed, without looking back, improvising as we hurtle along to get the very best functionality, well, in the end there are going to be unpredictable – even fatal – consequences. A bit like how it was with the Zeppelin.

There is an alternative – a much better one: What we need are industry standards; new, modern architecture, and a responsible attitude to the development of features – by taking into account security – as a priority.

In all, the WIRED article has shown us a very interesting investigation. It will be even more interesting seeing how things progress in the industry from here. Btw, at the Black Hat conference in Vegas in August there’ll be a presentation by the authors of the Jeep hack – that’ll be something worth following…

Smart cars can be remotely hacked. Fact. Period. Shall we go back to the Stone Age? @e_kaspersky explains:Tweet

PS: Call me retrogressive (in fact I’m just paranoid:), but no matter how smart the computerization of a car, I’d straight away just switch it all off – if there was such a possibility. Of course, there isn’t. There should be: a button, say, next to the hazard lights’ button: ‘No Cyber’!…

…PPS: ‘Dream on, Kasper’, you might say. And perhaps you’d be right: soon, the way things are heading, a car without a connection to the ‘cloud’ won’t start!

PPPS: But the cloud (and all cars connected to it) will soon enough be hacked via some ever-so crucial function, like facial recognition of the driver to set the mirror and seat automatically.

PPPPS: Then cars will be given away for free, but tied to a particular filling station network digital network – with pop-ups appearing right on the windscreen. During the ad-break control will be taken over and put into automatic Google mode.

PPPPPS: What else can any of you bright sparks add to this stream-of-consciousness brainstorming-rambling? :)