Tag Archives: i-news

Your car controlled remotely by hackers: it’s arrived.

Every now and again (once every several years or so), a high-profile unpleasantness occurs in the cyberworld – some unexpected new maliciousness that fairly bowls the world over. For most ‘civilians’ it’s just the latest in a constant stream of seemingly inevitable troublesome cyber-surprises. As for my colleagues and me, we normally nod, wink, grimace, and raise the eyebrows à la Roger Moore among ourselves while exclaiming something like: ‘We’ve been expecting you Mr. Bond. What took you so long?’

For we’re forever studying and analyzing the main tendencies of the Dark Web so we can get an idea of who’s behind its murkiness and of the motivations involved; that way we can predict how things are going to develop.

Every time one of these new ‘unexpected’ events occurs, I normally find myself in the tricky position of having to give a speech (rather – speeches) along the lines of ‘Welcome to the new era‘. Trickiest of all is admitting I’m just repeating myself from a speech made years ago. The easy bit: I just have to update that old speech a bit by adding something like: ‘I did warn you about this; and you thought I was just scaremongering to sell product!’

Ok, you get it (no one likes being told ‘told you so’, so I’ll move on:).

So. What unpleasant cyber-unexpectedness is it this time? Actually, one affecting something close to my heart: the world of automobiles!

A few days ago WIRED published an article with an opening sentence that reads: ‘I was driving at 70 mph on the edge of downtown St. Louis when the exploit began to take hold.‘ Eek!

The piece goes on to describe a successful experiment in which hackers security researchers remotely ‘kill’ a car that’s too clever by half: they dissected (over months) the computerized Uconnect system of a Jeep Cherokee, eventually found a vulnerability, and then managed to seize control of the critical functions of the vehicle via the Internet – while the WIRED reporter was driving the vehicle on a highway! I kid you not folks. And we’re not talking a one-off ‘lab case’ here affecting one car. Nope, the hole the researchers found and exploited affects almost half a million cars. Oops – and eek! again.

Jeep Cherokee smart car remotely hacked by Charlie Miller and Chris Valasek. The image originally appeared in Wired

However, the problem of security of ‘smart’ cars is nothing new. I first ‘joked’ about this topic back in 2002. Ok, it was on April 1. But now it’s for real! You know what they say… Be careful what you wish for joke about (there’s many a true word spoken in jest:).

Not only is the problem not new, it’s also quite logical that it’s becoming serious: manufacturers compete for customers, and as there’s hardly a customer left who doesn’t carry at all times a smartphone, it’s only natural that the car (the more expensive – the quicker) has steadily been transformed into its appendage (an appendage of the smartphone – not the user, just in case anyone didn’t understand me correctly).

More and more control functions of smart cars are now firmly in the domain of the smartphone. And Uconnect isn’t unique here; practically every large car manufacturer has its own similar technology, some more advanced than others: there’s Volvo On CallBMW Connected DriveAudi MMIMercedes-Benz COMANDGM OnstarHyundai Blue Link and many others.

More and more convenience for the modern car-driving consumer – all well and good. The problem is though that in this manufacturers’ ‘arms race’ to try and outdo each other, critical IT security matters often go ignored.

Why? 

First, the manufacturers see being ahead of the Jones’s as paramount: the coolest tech functionality via a smartphone sells cars. ‘Security aspects? Let’s get to that later, eh? We need to roll this out yesterday.’

Second, remote control cars – it’s a market with good prospects.

Third, throughout the auto industry there’s a tendency – still today! – to view all the computerized tech on cars as something separate, mysterious, faddy (yep!) and not really car-like, so no one high up in the industry has a genuine desire to ‘get their hands dirty’ with it; therefore, the brains applied to it are chronically insufficient to make the tech secure.

It all adds up to a situation where fancy motorcars are becoming increasingly hackable and thus stealable. Great. Just what the world needs right now.

What the…?

Ok. That’s the basic outline. Now for the technical background and detail to maybe get to know what the #*@! is going on here!…

Way back in 1985 Bosch developed CAN. No, not their compatriot avant-garde rockers (who’d been around since 1968), but a ‘controller area network’ – a ‘vehicle bus’ (onboard communications network), which interconnects and regulates the exchange of data among different devices – actually, those devices’ microcontrollers – directly, without a central computer.

For example, when the ‘AC’ button on the dashboard is pressed, the dashboard’s microcontroller sends a signal to the microcontroller of the air conditioner saying ‘turn on, the driver wants cooling down’. Or when the brake pedal is pressed, the microcontroller of the pedal mechanism sends an instruction to the brake pads to press up against the brake discs.

CAN stands for 'controller area network', a 'vehicle bus' which interconnects and regulates the exchange of data among different devices шт a smart car

Put another way, the electronics system of a modern automobile is a peer-to-peer computer network – designed some 30 years ago. It gets better: despite the fact that over three decades CAN has been repeatedly updated and improved, it still doesn’t have any security functions! Maybe that’s to be expected – what extra security can be demanded of, say, a serial port? CAN too is a low level protocol and its specifications explicitly state that its security needs to be provided by the devices/applications that use it.

Maybe they don’t read the manuals. Or maybe they’re too busy trying to stay ahead of competitors and come up with the best smart car features.

Whatever the reasons, the fundamental fact causing all the trouble remains: Some auto manufacturers keep squeezing onto CAN more and more controllers without considering basic rules of security. Onto one and the same bus – which has neither access control nor any other security features – they strap the entire computerized management system that controls absolutely everything. And it’s connected to the Internet. Eek!

Hooking up devices to the Internet isn't a good idea. Engineers should think twice before doing this

Just like on any big computer network (e.g., the Internet), cars too need a strict ‘division of trust’ for controllers. Operations on a car where there’s communication with the outside world – be it installation of an app on the media system from an online store, or sending car performance diagnostics to the manufacturer – need to be firmly and securely split from the engine control, the security and other critical systems.

If you show an IT security specialist a car, lots of functions of which can be controlled by, say, an Android app, he or she would be able to demonstrate in no time at all a dozen or so different ways to get round the ‘protection’ and seize control of the functions the app can control. Such an experiment would also demonstrate how the car isn’t all that different really from a bank account: bank accounts can be hacked with specially designed technologies, in their case with banking Trojans. But there is a further potential method that could be used to hack a car just like a bank account too: with the use of a vulnerability, like in the case of the Jeep Cherokee.

Any reasons to be cheerful?…

…There are some.

Now, the auto industry (and just about everyone else) seems to be well aware of the degree of seriousness of the problem of cybersecurity of its smart car sector (thanks to security researchers like those in the WIRED article, though some manufacturers are loath to show their gratitude openly).

A sign of this is how recently the US Alliance of Automobile Manufacturers announced the creation of an Information Sharing and Analysis Center, “that will serve as a central hub for intelligence and analysis, providing timely sharing of cyber threat information and potential vulnerabilities in motor vehicle electronics or associated in-vehicle networks.” Good-o. I just don’t see how they plan to get along without security industry folks involved.

And it’s not just the motor industry that’s now on its toes: hours (!) after the publication of the WIRED article (the timing was a coincidence, it was reported) new federal legislation in the US was introduced establishing standardization of motor industry technologies in the field of cybersecurity. Meantime, we’re hardly twiddling thumbs or sat on hands: we’re actively working with several auto brands, consulting them on how to get their smart-car cybersecurity tightened up proper.

So, as you can see, there is light at the end of the tunnel. However…

…However, the described cybersecurity issue isn’t limited just to the motor industry.

CAN and other standards like it are used in manufacturing, the energy sector, transportation, utilities, ‘smart houses’, even in the elevator in your office building – in short – EVERYWHERE! And everywhere it’s the same problem: the growth of functionality of all this new tech is hurtling ahead without taking security into account!

What seems more important is always improving the tech faster, making it better than the competition, giving it smartphone connectivity and hooking it up to the Internet. And then they wonder how it’s possible to control an airplane via its entertainment system!

What needs doing?

First things first, we need to move back to pre-Internet technologies, like propeller-driven aircraft with analog-mechanical control systems…

…Not :). No one’s planning on turning the clocks back, and anyway, it just wouldn’t work: the technologies of the past are slow, cumbersome, inefficient, inconvenient and… a lot less secure! Nope, there’s no going backwards. Only forwards!

In our era of polymers, biotechnologies and all-things-digital, movement forward is producing crazy results. Just look around you – and inside your pockets. Everything is moving, flying, being communicated, delivered and received, exchanged… all at vastly faster speeds to those of the past. Cars (and other vehicles) are only a part of that.

All that does make life more comfortable and convenient, and digitization is solving many old problems of reliability and security. But alas, at the same time it’s creating new problems. And if we keep galloping forward at breakneck speed, without looking back, improvising as we hurtle along to get the very best functionality, well, in the end there are going to be unpredictable – even fatal – consequences. A bit like how it was with the Zeppelin.

There is an alternative – a much better one: What we need are industry standards; new, modern architecture, and a responsible attitude to the development of features – by taking into account security – as a priority.

In all, the WIRED article has shown us a very interesting investigation. It will be even more interesting seeing how things progress in the industry from here. Btw, at the Black Hat conference in Vegas in August there’ll be a presentation by the authors of the Jeep hack – that’ll be something worth following…

Smart cars can be remotely hacked. Fact. Period. Shall we go back to the Stone Age? @e_kaspersky explains:Tweet

PS: Call me retrogressive (in fact I’m just paranoid:), but no matter how smart the computerization of a car, I’d straight away just switch it all off – if there was such a possibility. Of course, there isn’t. There should be: a button, say, next to the hazard lights’ button: ‘No Cyber’!…

…PPS: ‘Dream on, Kasper’, you might say. And perhaps you’d be right: soon, the way things are heading, a car without a connection to the ‘cloud’ won’t start!

PPPS: But the cloud (and all cars connected to it) will soon enough be hacked via some ever-so crucial function, like facial recognition of the driver to set the mirror and seat automatically.

PPPPS: Then cars will be given away for free, but tied to a particular filling station network digital network – with pop-ups appearing right on the windscreen. During the ad-break control will be taken over and put into automatic Google mode.

PPPPPS: What else can any of you bright sparks add to this stream-of-consciousness brainstorming-rambling? :)

Cybernews from the dark side – July 26, 2014.

Remote controlled car – your car, while you’re driving it…

News about new hacks, targeted attacks and malware outbreaks is beginning to bore the general public. It’s becoming an incessant stream after all. What isn’t boring the life out of the general public is something a bit more unusual: stuff you wouldn’t dream could be hacked… getting hacked.

A report from China told how hackers broke into the Tesla motor car’s gadgetry – as part of a contest during a hacker conference. So, why Tesla? What’s so good about Tesla? Well, that’ll be its being an electric car, and its being crammed with so much ‘smart’ electronics that it hardly resembles an automobile than a mobile supercomputer. Still, what was Tesla expecting? Any new functionality – especially that developed without the involvement of IT security experts – will inevitably bring with it new threats via vulnerabilities, which is just what the hackers at the conference in China found.

Cybernews from the darkside

Read on: malware getting closer to industrial systems…

Flickr photostream

Instagram photostream

Cybernews from the dark side: June 30, 2014

Stock market hacks for microsecond delays.

Cyber-swindling gets everywhere. Even the stock market. First, a bit of history…

The profession of stockbroker was once not only respected and honorable, but also extremely tough. Dealers in stocks and shares once toiled away on the packed floors of stock exchanges and worked silly hours a week, stressed to the limit by relentless high pressure decisions all day (and night). They bought and sold securities, stocks, bonds, derivatives, or whatever they’re called, always needing to do so at just the right moment while riding the waves of exchange rates and prices, all the while edging nearer and nearer to serious heart conditions or some other burn-out caused illness. Other times they simply jumped out of windows to bring a swift end to it all. In short – hardly the world’s best job.

Anyway, all that was long ago. All that hard manual labor has been replaced by automation. Now thinking hard, stressing and sweating aren’t needed: a large proportion of the work today is carried out by robots – special programs that automatically determine the very best moments to buy or sell. In other words, the profession of stockbroker has in large part been boiled down to the training of bots. And to these bots reaction times – to the microsecond – are vital to take advantage of this or that market swing. So speed literally depends on the quality of an Internet connection to the electronic stock exchange. That is, the nearer a robot is physically located to the exchange, the higher its chances of being the first with a bid. And vice versa – robots on the periphery will always be outsiders, just as will those not using the very latest progressive algorithms.

These critical reaction times were recently tampered with by unknown cyber-assailants. A hedge fund’s system was infected with malware to delay trading ability by a few hundred microseconds – which can – and probably did – make all the difference between clinching deals and losing them.

bae-600x255

Read on: Your password for a Twix?…

Enter your email address to subscribe to this blog

Cybernews from the dark side – June 24, 2014

Patent trolls – continued.

Here, alas, passions are still running high, with the occasional fit of… passion. Indeed, the issues related to patent parasites haven’t gone away; it’s just that only the most interesting – ‘loudest’ – cases ever get heard about. But if you dig deeper, you eventually hit upon stuff that is interesting, just not paid attention to. Which is what we did – and found quite a bit on patent trolls worthy of the title of this blogpost. So, he we go…

The irony’s all too much.

For this item I didn’t have to dig all that deep actually – I just checked Ars Technica. There I found some rather familiar glorification of the patent aggregator RPX – made out to be a sweet and innocent protector of orphans, the poor, and princesses (from dragons). I just couldn’t believe what I was reading: “RPX works by selling memberships to companies that feel harangued by patent trolls, including Apple and many other tech companies. RPX basically buys up patents it believes will be used by trolls. By uniting the buying power of many companies, it can get the patents for a bargain price.”  Well, maybe I could believe it… I was just so rattled at being reminded of the hypocrisy.

WHAT? RPX is some kinda anti-troll? And trolls may fly…

Patent TrollSource

We first came across this so-called anti-troll in the year of its creation, and were one of the first to bite it back – successfully.

Read on: a simple arrangement…

Cybernews from the dark side – June 4, 2014.

True to my word, herewith, the second installment of my new weekly (or so) series, ‘dark news from the cyber-side’, or something like that…

Today the main topic will be about the security of critical infrastructure; in particular, about the problems and dangers to be on the watch for regarding it. Things like attacks on manufacturing & nuclear installations, transportation, power grid and other industrial control systems (ICS).

Actually, it’s not quite ‘news’ here, just kinda news – from last week: fortunately critical infrastructure security issues don’t crop up on a weekly basis – at least, not the really juicy bits worthy of a mention. But then, the reason for that is that probably that most issues are kept secret (understandable, but worrying all the same) or simply no one is aware of them (attacks can be carried out on the quiet – even more worrying).

So, below, a collection of curious facts to demonstrate the current situation and trends as regards critical infrastructure security issues, and pointers to what needs to be done in face of the corresponding threats.

Turns out there are plenty of reasons to be bowled over by critical infrastructure issues…

If ICS is connected to the Internet, it comes with an almost 100% guarantee of its being hacked on the first day

The motto of engineers who make and install ICS  is ‘ensure stable, constant operation, and leave the heck alone!’ So if a vulnerability in the controller is found through which a hacker can seize control of the system, or the system is connected to the Internet, or the password is actually, really, seriously… 12345678 – they don’t care! They only care about the system still running constantly and smoothly and at the same temperature!

After all, patching or some other interference can and does cause systems to stop working for a time, and this is just anathema to ICS engineers. Yep, that’s still today just the way it is with critical infrastructure – no seeing the gray between the black and the white. Or is it having heads firmly stuck in the sand?

In September last year we set up a honeypot, which we connected to the Internet and pretended was an industrial system on duty. The result? In one month it was successfully breached 422 times, and several times the cyber-baddies got as far as the Programmable Logical Controllers (PLC) inside, with one bright spark even reprogramming them (like Stuxnet). What our honeypot experiment showed was that if ICS is connected to the Internet, that comes with an almost 100% guarantee of its being hacked on the first day. And what can be done with hacked ICS… yes, it’s fairly OMG. Like a Hollywood action movie script. And ICS comes in many different shapes and sizes. For example, the following:

Nuclear malware

Mondju nuclear reactorSource

Read on: absence of light will only be the result of burned out bulbs and nothing else…

Cybernews from the dark side – May 26, 2014

Greetings droogs!

It seems ages since I’ve touched upon a cyber-maliciousness topic on these here pages – what’s hot and what’s not, what’s in and out, and all that… You might even think we’re twiddling our thumbs here seeing as I stay shtum on topics relating to our raison d’être…

Well just let me reassure you that we are on top of EVERYTHING going on in the cyber-jungle; it’s just that we publish all the detailed information we have on dedicated techy news resources.

The only problem with that is very few folks actually read them! Maybe that’s understandable: the detail can get tiresome – especially to non-tech-heads. Not that that’s a reason not to publish it – far from it. However here on this blog, I don’t bog the reader down with too much tech. I just give you the most oddly curious, amusing and entertaining morsels of cybernews from around the world.

Sooo, what was curiously odd, entertaining and bizarre last week?…

 

“He hit me!” “He started it!”

The sparring between the USA and China about cyber-espionage has taken a new turn…

This time the Americans took their swipe with photographs and names of ‘guilty’ individuals: five Chinese military specialists have ended up on the latest classic Wild West-inspired FBI ‘Wanted’ poster for allegedly breaking into networks of US companies and stealing secrets.

Cyber security news of the week

Read on: An example of some seriously perplexing cyber-alchemy…

New viruses from Chelyabinsk so advanced they blow the mind.

Every day our valiant antivirus lab processes hundreds of thousands of files. Each single day! Admittedly, some of them turn out to be clean and honest files, or just broken code, innocent scripts, assorted scraps of data, etc., etc., etc., but mostly it’s maliciousness – a lot of which is analyzed and processed automatically (as I’ve already mentioned on these cyberpages).

But every now and again we come across some reeeaaal unusual items – something totally new and unexpected. Something that activates the little grey cells, makes the heart beat faster, and gets the adrenaline pumping. I mean things like Stuxnet, Flame, Gauss and Red October.

Anyway, it looks like we’ve found something else in this original-oddity category…

Yes, we’ve detected another malware-monster – a worm originating from the cyberstreets of the Russian Internet. What we were able to say straight off was that it surpasses in sophistication by a long way not only all known malicious programs today – including professional cyberspies and cyberweapons – but also any other known software – judging by the logic of the algorithms and the finesse of their coding.

Yes folks, this is big!

We’ve never come across such a level of complexity and perplexity of machine code with program logic like this. Analyzing the most complicated worms and Trojans normally takes several weeks – whereas this baby looked like it’d take years! Maybe several years!!! It’s just so darn elaborate and convoluted.

I don’t know a single software company that would have been able to develop such a beast. Nor any cybercriminals with their mostly primitive malware. Nor any of the secret services assumed to be behind the more artful malware that’s appeared in recent years. No. This new find simply cannot be the work of any of those three.

So… Are you sitting down? No? Change that.

I’d say it’s theoretically impossible to say that this code was written by a human being (glad to be seated now?).

This code is so infernally intricate that I fear this newly-discovered worm must have extraterrestrial origins.

Hohoho

But wait – there’s more…

Securing Mother-SCADA.

Hi all!

We’re always assessing the state of the world of computers by prodding it with various hi-tech instruments in different places, taking measurements from different Internet sensors, and studying “information noise”. From the information we glean from all this, plus data from other sources, we constantly evaluate the overall body temperature and blood pressure of the computer world, and carefully monitor the main risk areas. And what we’re seeing at the mo – that’s what I’ll tell you about in this post.

To many, it seems that the most diseased elements of the digital world are home computers, tablets, cellphones and corporate networks – that is, the computer world that most folks know about – be it of a work or home/consumer coloring. But they’d be wrong. Despite the fact that the majority of cyberattacks occur in “traditional” cyberspace (cyberespionage, cybercrime, etc.), they don’t represent the main threat. In actual fact, what should be feared most of all are computer attacks on telecommunications (Internet, mobile networks) and ICS (automated Industrial Control Systems).

One particular investigation of ours, conducted as part of our ongoing secure OS project, detected a seriously low level of “computer immunity” for control systems of critically important infrastructure. ICS, including SCADA, all of which is made up of software and computerized hardware, is responsible for controlling – and the smooth, uninterrupted running of – tech-processes in practically every sector of industry, be it the power industry, transportation, the mass media, and so on. Computer systems control critical aspects of all modern cars, airplanes and trains; every power station and waterworks, every factory, and even every modern office building (lifts, electricity and water supply, emergency systems like smoke alarms and sprinklers, air conditioning, etc.). SCADA and other ICS – it’s all imperceptible, working in the background in some corner or other nobody takes any notice of… but a whole lot around us depends on it.

Alas, as with any other computer systems, SCADA & Co. can be exposed to malware and hacker attacks, as was clearly demonstrated by the Stuxnet worm in 2010. Therefore, protection of critically important systems has become one of the main strategic priorities of computer security in most developed countries of the world, while in response to cyberattacks on critical infrastructure some countries are ready to go to war – real tanks-and-bombs war (if they can find out which country is responsible). So indeed, the situation’s sure hotting up.

Of course, we’re on the case with SCADA security, and have been for a while. Over the last several years we’ve been conducting detailed analysis of ICS, been establishing the fundamental principles of SCADA security, and also developing a prototype solution for guaranteed SCADA protection from malware threats – based on traditional endpoint security and our secure OS. Products fit for consumption aren’t ready just yet, but active work is currently underway – so they should be soon…

Now, while continuing our usual analysis of SCADA security, earlier today we stumbled upon one heck of a big surprise: we came across “Mother-SCADA”, the chief, predominant, all-powerful ICS of the whole world, on whose smooth and uninterrupted operation relies literally everything on the planet: from how breakfast tastes and the size of annual bonuses, to the hours of night and day time and how fast the sun and the stars move across the skies.

Yep, we’ve gone and found the SCADA that manages all the technological processes in the Matrix!

Mother SCADA admin panel

More: Mother SCADA controls your annual bonus!…