Since 2016, there have been multiple instances of attacks on keyless entry car-locks, and there’s a burgeoning industry of expensive ($5000) aftermarket alarm systems that are billed as protecting your car from these radio attacks on its security.
Pen Test Partners evaluated several of these systems and found that the two leading models, Pandora and Viper (AKA “Clifford”), were very defective, with a mix of vulnerabilities that allow attackers to track cars in real time, extract the car and its owner’s details, disable the alarm, remotely enable/disable the immobilizer, stop the car while it’s in motion, eavesdrop on the in-car mic, and even steal the car.
Pen Test Partners attacked the companies’ APIs, which allow their apps to communicate with and configure the in-car systems; by modifying the parameters in API calls, they were able to hijack users’ accounts, changing the associated email and password. Once that is done, “It’s possible to geo-locate and follow a specific vehicle, then cause it to stop and unlock the doors.”
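The missing server-side check behind this kind of account takeover, as an added example that is not the vendors' or Pen Test Partners' code: a hypothetical "change email" handler that trusts a client-supplied account id, beside a version that binds the request to the authenticated session and demands the current password. All names, ids, emails and passwords are constructed for illustration.

```python
import hmac
from dataclasses import dataclass


@dataclass
class Account:
    user_id: int
    email: str
    password: str  # plaintext only to keep this constructed example short


class Forbidden(Exception):
    """Raised when a request fails an authorization check."""


def make_accounts():
    # Constructed sample data, not taken from any real system.
    return {
        1: Account(1, "owner@example.test", "pw-owner"),
        2: Account(2, "other@example.test", "pw-other"),
    }


def update_email_vulnerable(accounts, session_user_id, params):
    # Flaw: the target account comes from a client-controlled parameter and
    # is never compared with the authenticated session's user.
    accounts[params["user_id"]].email = params["email"]


def update_email_hardened(accounts, session_user_id, params):
    # Object-level authorization: a supplied id may only name the caller.
    if params.get("user_id", session_user_id) != session_user_id:
        raise Forbidden("object does not belong to the authenticated user")
    account = accounts[session_user_id]
    # Changing a recovery address is sensitive, so re-authenticate first.
    supplied = params.get("current_password", "").encode()
    if not hmac.compare_digest(supplied, account.password.encode()):
        raise Forbidden("current password required")
    account.email = params["email"]


if __name__ == "__main__":
    accounts = make_accounts()
    request = {"user_id": 1, "email": "changed@example.test",
               "current_password": "pw-other"}
    try:
        update_email_hardened(accounts, session_user_id=2, params=request)
    except Forbidden as exc:
        print("rejected:", exc)
    print("account 1 email:", accounts[1].email)
```
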
There’s plenty of room for research on even more extravagant attacks: the alarm systems interface with cars’ internal networks over the CAN bus — a common data infrastructure system that all the car’s subsystems use to talk to each other.
Pen Test Partners estimates that $150B worth of cars are exposed via these flaws — about 3M high-end cars.
This is a superb example of how security systems can expose users to risk: once you design a system that treats the person using it as an adversary and a remote party as trusted, then, by design, a remote party who compromises the system can attack the person who’s using it. What’s more, the entire system is designed to prevent the person in the car from overriding the remote party using the app, so once that initial line of defense is breached, it becomes very hard to protect yourself.
We contacted the vendors involved and gave them 7 days to take down or fix the vulnerable APIs. This is much less than the 90 days we would usually offer vendors. Why?
The vulnerabilities were easy to find, easy to fix and owners could operate the alarms without requiring the API. The supplied RF alarm key fob can be used in place of the mobile app. All the user would lose as a result of the API being taken down is the ability to remotely start the car and geo-locate it.
Others have been looking at smart car alarms, so there was a high chance that professional criminals already have this knowledge.
There is a route for vehicle owners with these alarms fitted to mitigate these attacks themselves, but it isn’t particularly satisfactory or advised: One could extract the SIM card from the alarm module in the car, though this may require some electronics skill and may affect warranties.
Pandora’s UK representative responded in about 48 hours and had their Moscow-based HQ take action quickly. The IDOR was fixed overnight and we confirmed that the following morning.
Viper responded faster, but took a little longer to fix the vulnerability. That one is also confirmed as fixed.
Gone in six seconds? Exploiting car alarms [Ken Munro/Pen Test Partners]
(via Naked Capitalism)