Home Tags Jeep

Tag: Jeep

Researchers discover security problems under the hood of automobile apps

Kaspersky researchers find Android apps for connected cars soft targets for hackers.

EPA: Fiat Chrysler diesels have software to thwart emissions controls

Enlarge / STERLING HEIGHTS, MI - AUGUST 26: Fiat Chrysler Automobiles CEO Sergio Marchionne speaks at an event celebrating the start of production of three all-new stamping presses at the FCA Sterling Stamping Plant August 26, 2016 in Sterling Heights, Michigan. (Photo by Bill Pugliano/Getty Images)Bill Pugliano reader comments 89 Share this story On Thursday the US Environmental Protection Agency (EPA) announced that Fiat Chrysler (FCA) diesel vehicles were found to have "at least eight" instances of undisclosed software that modified the emissions control systems of the cars.

The vehicles implicated in the EPA's Notice of Violation (NOV) include 2014, 2015, and 2016 diesel Jeep Grand Cherokees, as well as Dodge Ram 1500 trucks with 3.0-liter diesel engines.

The allegations involve 104,000 vehicles, the EPA said. The EPA says it's still in talks with FCA and hasn't ordered the company to stop selling affected cars yet, nor is it officially calling the software a "defeat device" just yet until FCA provides a more detailed explanation. In a press conference, agency officials said that the undisclosed software was discovered after September 2015, when the EPA and the California Air Resources Board (CARB) began doing additional testing on vehicles in the wake of the Volkswagen Group scandal. VW Group was discovered to have almost 600,000 diesel vehicles on US roads with some kind of illegal software on them.

The software allowed VW Group's cars to pass emissions testing under lab conditions but would reduce the effectiveness of emissions controls under real-world driving conditions, causing the cars to emit nitrogen oxide (NOx) far in excess of federal limits. According to the EPA, FCA's undisclosed software works similarly, too.

EPA Assistant Administrator Cynthia Giles told press Thursday morning that the "software is designed such that, during the emissions test, Fiat Chrysler’s cars meet the standards," for NOx emissions. However, the "software reduces the effectiveness of emissions controls when driving at high speed or for long durations," she added. These kinds of workarounds are not uncommon for car makers to use and are not illegal if they're properly disclosed and approved by the EPA.

But efforts to meet emissions standards have driven automakers to install undisclosed devices illegally for decades.
In fact in the 1970s, Chrysler—along with GM, Ford, American Motors, Nissan, and Toyota—was reprimanded by the EPA for installing defeat devices in its cars to "defeat the effectiveness of emission control systems under conditions not experienced during EPA’s certification testing." In some instances the defeat devices helped the cars start more easily in cold weather, in others, time-delay switches cut the emissions control systems while the cars shifted from low to high gears. In Europe, too, rules allow diesel vehicles to cut the emissions control system under certain conditions like cold weather.

Automakers have toed a line, though, using emissions control software where "cold" weather means as high as 64 degrees Fahrenheit. Giles noted during the EPA's press conference that the agency has tested other diesel vehicles since the Volkswagen scandal was made public and found no violations. "It is by no means impossible to make a clean diesel vehicle that meets our standards," she said. In a statement (PDF), FCA said it would continue to work with the EPA to resolve the issue. "FCA US diesel engines are equipped with state-of-the-art emission control systems hardware, including selective catalytic reduction (SCR).

Every auto manufacturer must employ various strategies to control tailpipe emissions in order to balance EPA’s regulatory requirements for low nitrogen oxide (NOx) emissions and requirements for engine durability and performance, safety and fuel efficiency.

FCA US believes that its emission control systems meet the applicable requirements." FCA added that it had spent "months providing voluminous information" to the EPA and other regulators.

The company said it had also made proposals to fix the issues, including "developing extensive software changes to our emissions control strategies that could be implemented in these vehicles immediately to further improve emissions performance." FCA has not yet been sued, but the EPA says it could be "liable for civil penalties and injunctive relief for the violations alleged in the NOV [Notice of Violation]." Correction: This story originally said the EPA found the software on the FCA diesels was illegal.
In fact, the EPA is still determining whether the software itself was illegal. However, Fiat Chrysler violated EPA rules by not disclosing the software.

This is your captain speaking… or is it?

In-flight entertainment systems create hacker risk, say researchers Vulnerabilities in Panasonic in-flight entertainment systems create a possible mechanism for attackers to control in-flight displays, PA systems and lighting, say researchers. Ruben Santamarta, principal security consultant at IOActive, said it had found vulnerabilities in Panasonic Avionic In-Flight Entertainment (IFE) systems that it claims could allow hackers to "hijack" passengers’ in-flight displays and, in some instances, potentially access their credit card information.

The research revealed it would also theoretically be possible that such a vulnerability could present an entry point to the wider network, including the aircraft controls domain. “I’ve been afraid of flying for as long as I can remember,” said Santamarta. “It might sound like a sick cure to some but, as a hacker, learning everything I could about how planes work, from the aerodynamics to electronics, has reduced the fear significantly. On a 2014 flight from Warsaw to Dubai, I discovered I could access debug codes directly from a Panasonic inflight display.

A subsequent internet search allowed me to discover hundreds of publicly available firmware updates for multiple major airlines, which was quite alarming. Upon analysing backend source code for these airlines and reverse engineering the main binary, I’ve found several interesting functionalities and exploits.” IFE system vulnerabilities identified by Santamarta might most straightforwardly be exploited to gain control of what passengers see and hear from their in-flight screen, he claimed.

For example, an attacker might spoof flight information values such as altitude or speed, or show a bogus route on the interactive map.

An attacker might also compromise the "CrewApp" unit, which controls PA systems, lighting, or even the recliners on first class seating.
If all of these attacks are applied at the same time, a malicious actor may create a baffling and disconcerting situation for passengers.

Furthermore, the capture of personal information, including credit card details, is also technically possible due to backend systems that sometimes provide access to specific airlines’ frequent-flyer/VIP membership data, said the researcher. Aircraft's data networks are divided into four domains, depending on the kind of data they process: passenger entertainment, passenger-owned devices, airline information services, and finally aircraft control.

Avionics is usually located in the Aircraft Control domain, which should be physically isolated from the passenger domains; however, this doesn’t always happen.

This means that as long as there is a physical path that connects both domains, there is potential for attack.

The specific devices, software and configuration deployed on the target aircraft would dictate whether an attack is possible or not.
Santamarta urged airlines to steer towards a cautious course. “I don’t believe these systems can resist solid attacks from skilled malicious actors,” he said. “As such, airlines must be incredibly vigilant when it comes to their IFE systems, ensuring that these and other systems are properly segregated and each aircraft's security posture is carefully analysed case by case.” IOActive reported these findings to Panasonic Avionics in March 2015.
It only went public this week after giving the firm “enough time to produce and deploy patches, at least for the most prominent vulnerabilities”. Panasonic Avionic’s technology is used by a several major airlines including Virgin, American and Emirates airlines. El Reg asked Panasonic Avionic to comment on IOActive's research but we’ve yet to hear back. We’ll update this story as and when we learn more. The avionics research has some parallels with IOActive’s remote hack of the Jeep Cherokee in 2014, in which hackers took control of the vehicle’s dashboard functions, including steering, brakes, and transmission, through vulnerabilities existing in the automobile’s entertainment system. Once again, it appears entertainment systems have created a potential route into sensitive systems that hackers might be able to exploit. Stephen Gates, chief research intelligence analyst at NSFOCUS, commented: “In the light of this research, physical separation between in-flight entertainment systems and aircraft control systems could never be more important.

As airlines continue to add new customer-based entertainment and information technologies, airlines need to ensure that an impenetrable barrier is in place protecting aircraft control systems. “This research demonstrates that hackers could cause all sorts of issues that could impact a customer’s 'experience' while flying, but have yet to prove they could impact flight control systems,” he added. ® Sponsored: Flash enters the mainstream.
Visit The Register's storage hub

The coming IoT security plague

The internet of things (IoT) is an $11 trillion opportunity, breathlessly gasps McKinsey & Co.
It will change marketing, business, health care, and everything ... forever! declares Bosch executive Stefan Ferber and others. Or it will, if it doesn't...

Internet of Things security? Start with who owns the data

Cambridge Wireless event chews the fat over key questions “Defence is only as strong as the weakest link,” said Tim Phipps of Solarflare at today’s Cambridge Wireless event on security within the Internet of Things. Today's Cambridge Wireless event was part of its Special Interest Group focusing on security and defence.
In particular, on securing and defending the Internet of Things. Speaking to an audience of about 50 network industry executives this afternoon, Phipps highlighted three security challenges for the IoT: data loss, particularly with last week’s Yahoo! hack of half a billion user accounts; hijacking, such as the controversial Jeep hack published a little while ago; and consumer products, particularly, with the latter, medical device hacks of items including pacemakers and insulin pumps. Phipps also highlighted how Ken Munro of PenTest Partners had “made children’s toys swear” by hacking them, which drew general laughs. Building on that point of how a trivial hack can lead to bigger things - in the case of Munro and an IoT kettle, the host Wi-Fi network's authentication keys - however, Phipps warned: “The attacker needs to overwhelm you in just one place to be successful.
If it delivers on the promises of the hype, IoT looks like something that will be integrated into our home life, transportation, cities, and … even improving our health." “I think this is a Wild West industry” thundered Paul Tindall of Sepura, following on from Phipps, opening a talk that focused on IoT security beyond the simple headlines. “It is fragmented and that makes security harder to apply." "If you consider the fragmentation of the standards as well," he continued, "you cannot trust security due to the fact that you’re using an unusual standard. We’ve got to apply proper governance around this.” Take the example of a body-worn sensor such as a Fitbit health monitor which generates data about you, he said. "I think I own that data.

At some point that data is aggregated and [the aggregating party] is going to fuse that data with data from other sources.
If you wrap context around those sources you turn that into valuable information.
I don’t know who owns that information.

Actually, I think that gets really complicated from a legal point of view.” The legal side of things was a point that was returned to later on. So what could possibly go wrong? Adrian Winkles of Anglia Ruskin University, an information security lecturer, said: “IoT security is not device security.
IoT is end-to-end.
It has many different facets, many different faces.

There’s a whole raft of things we have to think about.” The DDoSing of Things Referring to the recent DDoS of Brian Krebs, which was powered by an IoT botnet – “cameras, lightbulbs and thermostats” all generating 990Gbps of traffic, “which would take most government websites down” - he contrasted what people think they have, in terms of networked devices, with what they actually have in terms of traffic types.
In brief, your devices generate far more information about you than the ordinary punter ever realises. Winkles summed it up neatly: “Security is like a stack of Swiss cheese.

Each slices covers up holes in the slices below it.” “You could make a financial difference by building security in,” added Winkles, who quoted NIST: “The cost of fixing a bug in the field is $30k vs $5k during coding.” As for baking proper infosec practices into the Internet of Things, Winkles was forthright about taking a top-down approach: There’s an argument that says you start from the boardroom.

The pressure to be first to market doesn’t feature security.

The pressure to reduce costs? If you ignore security, you do so at your peril; it's going to cost you more in the long run.

Educate boardroom and senior management to build security in from the start.

Appoint a Chief Information Security Officer. What I’m touting is bottom up and top down.

The end message is to build security in. Finally, in the first half of the afternoon, Laurence Kalman, a lawyer from international law firm Olswang, spoke about the legal problems the Internet of Things throws up. “Privacy and security are what’s got everyone talking,” he said. Much of the data generated by IoT devices “is also personal data”, including a vast range of data about “an individual." This includes things such as “driving habits” in the case of smart satnavs and other sensitive data. As his slide deck put it, “the success of the IoT both from an individual device and application perspective, and more broadly as something we accept into our lives, will come down to users' confidence.” There is no law of the IoT as such, said Kalman. “Having said that, IOT has attracted significant focus from regulators,” he continued, highlighting how the EU has issued consultations and solicited other expressions of interest from the industry. “Europe could be a very productive place to do business on the IOT,” he concluded. What about the detail-slurpage? What about data ownership? “Who owns data in the IOT? The answer is, it’s complicated.

From a legal perspective, the question of ownership isn’t a simple one to answer.

There’s no property rights in it, as such.

There might be intellectual property in data if you do certain things to do it to take it beyond a certain piece of information.

Complications of data, databases, might attract copyright protection… you could see these IP rights arising at some point in the IOT value chain but its not the case that each part of IOT data will have ownership attached to it in the first place.” The Data Protection Act “has very broad application” to the IOT, he said. “In the IOT world, where there's thousands of devices and infrastructure at various stages of the chain, its very easy for infrastructure owners to fall within that domain.” In particular, it could be “the device manufacturer”, or “the social network that disseminates that data” or even “the health insurer who takes that data and offers a product from it”. “There’s no cyber security regulation as such that applies to IOT stakeholders as such,” concluded Kalman. He said the EU’s new GDPR would apply from 25 May 2016, noting that the E-Privacy Directive is currently under review and that the Network and Information Security Directive will also come into play for IoT manufacturers. One questioner from the floor touched on an area that drew great interest from the assembled audience. “Quite often I can see a conflict between business processes that need audit trails and the desire to delete data.” Kalman, answering, said: “The tendency up until now is that there’s been little focus on” what data do I need.

That sort of good housekeeping “have had less focus and that will have to change with the regulatory direction we’re receiving.

Businesses are going to have to work out where the balance lies.” ®

FAA still maintains shampoo can be more dangerous than exploding Note...

Sean MacEnteereader comments 63 Share this story The Federal Aviation Administration is announcing new air passenger carry-on guidelines. Sadly, though, the authorities are not altering the terrorism-repelling edict prohibiting fliers from carrying on shampoo or other liquids and gels in containers larger than 3.4 ounces. The FAA, however, announced late Thursday that it will still allow you to bring your exploding Note 7 onboard—albeit with a few caveats. Samsung issued a Note 7 global recall last week of the 2.5 million units it had shipped amid reports that the phablet's batteries could explode or catch fire. In response, the FAA said it doesn't want you to use or charge the Note 7 while flying, and the agency doesn't want you to put the device in your checked bags, either. In light of recent incidents and concerns raised by Samsung about its Galaxy Note 7 devices, the Federal Aviation Administration strongly advises passengers not to turn on or charge these devices on board aircraft and not to stow them in any checked baggage. Qantas, Jetstar Airways, and Virgin Australia have issued similar Note 7 advisories. Days ago, a Florida family's vehicle caught fire after a Note 7 left in the Jeep exploded. Enlarge / One of the extra-crispy Galaxy Note 7s after a charging accident. BusinessKorea Rechargeable lithium batteries are in many electronic gadgets. They can overheat and possibly explode—under a process known as "thermal runaway"—if they are exposed to increased temperatures, if they have a manufacturing flaw, or are damaged. Earlier this year, a UN agency called the International Civil Aviation Organization barred bulk deliveries of rechargeable lithium-ion batteries on passenger planes. Samsung said in a statement that "We are aware of the Federal Aviation Administration’s statement about the Galaxy Note 7. Consumer safety and peace of mind are our top priority. We plan to expedite new shipments of Galaxy Note7 starting from this week in order to alleviate any safety concerns and reduce any inconvenience for our customers." If you're still in the market for a Note 7, here's our review. For more information on the recall, click here.

Operation Ghoul: targeted attacks on industrial and engineering organizations

Introduction Kaspersky Lab has observed new waves of attacks that started on the 8th and the 27th of June 2016.

These have been highly active in the Middle East region and unveiled ongoing targeted attacks in multiple regions.

The attackers try to lure targets through spear phishing emails that include compressed executables.

The malware collects all data such as passwords, keystrokes and screenshots, then sends it to the attackers. #OpGhoul targeting industrial, manufacturing and engineering organizations in 30+ countries Tweet We found that the group behind this campaign targeted mainly industrial, engineering and manufacturing organizations in more than 30 countries.
In total, over 130 organizations have been identified as victims of this campaign. Using the Kaspersky Security Network (KSN) and artifacts from malware files and attack sites, we were able to trace the attacks back to March 2015. Noteworthy is that since the beginning of their activities, the attackers’ motivations are apparently financial, whether through the victims’ banking accounts or through selling their intellectual property to interested parties, most infiltrated victim organizations are considered SMBs (Small to Medium size businesses, 30-300 employees), the utilization of commercial off-the-shelf malware makes the attribution of the attacks more difficult. In total, over 130 organizations have been identified as victims of Operation Ghoul #OpGhoul Tweet In ancient Folklore, the Ghoul is an evil spirit associated with consuming human flesh and hunting kids, originally a Mesopotamian demon.

Today, the term is sometimes used to describe a greedy or materialistic individual. Main infection vector: malicious emails The following picture represents emails that are being used to deliver malware to the victims, in what looks like a payment document.

The e-mails sent by attackers appear to be coming from a bank in the UAE, the Emirates NBD, and include a 7z file with malware.
In other cases, victims received phishing links.

A quick analysis of the email headers reveals fake sources being utilised to deliver the emails to victims. Malicious attachments In the case of spear phishing emails with an attachment, the 7z does not contain payment instructions but a malware executable (EmiratesNBD_ADVICE.exe). We have observed executables with the following MD5s: Malware MD5 hashes fc8da575077ae3db4f9b5991ae67dab1b8f6e6a0cb1bcf1f100b8d8ee5cccc4c08c18d38809910667bbed747b274620155358155f96b67879938fe1a14a00dd6 Email file MD5 hashes 5f684750129e83b9b47dc53c96770e09460e18f5ae3e3eb38f8cae911d447590 The spear phishing emails are mostly sent to senior members and executives of targeted organizations, most likely because the attackers hope to get access to core intelligence, controlling accounts and other interesting information from people who have the following positions or similar: Chief Executive Officer Chief Operations Officer General Manager General Manager, Sales and Marketing Deputy General Manager Finance and Admin Manager Business Development Manager Manager Export manager Finance Manager Purchase manager Head of Logistics Sales Executive Supervisor Engineer Technical details Malware functionality The malware is based on the Hawkeye commercial spyware, which provides a variety of tools for the attackers, in addition to malware anonymity from attribution.
It initiates by self-deploying and configuring persistence, while using anti-debugging and timeout techniques, then starts collecting interesting data from the victim’s device, including: Keystrokes Clipboard data FileZilla ftp server credentials Account data from local browsers Account data from local messaging clients (Paltalk, Google talk, AIM…) Account data from local email clients (Outlook, Windows Live mail…) License information of some installed applications #OpGhoul malware collects all data such as #passwords, keystrokes and screenshots Tweet Data exfiltration Data is collected by the attackers using primarily: Http GET posts Sent to hxxp:// Email messages mail.ozlercelikkapi[.]com (, mail to info@ozlercelikkapi[.]com mail.eminenture[.]com (, mail to eminfo@eminenture[.]com Both ozlercelikkapi[.]com and eminenture[.]com seem to belong to compromised organisations operating in manufacturing and technology services. Malware command center The malware connects to to deliver collected information from the victim’s PC.

This information includes passwords, clipboard data, screenshots… hxxp:// The IP address seems to belong to a compromised device running multiple malware campaigns. Victim information Victim organizations are distributed in different countries worldwide with attackers focused on certain countries more than others: Number of Victim Organisations by Country Countries marked as “others” have less than three victim organizations each, they are: Switzerland, Gibraltar, USA, Sweden, China, France, Azerbaijan, Iraq, Turkey, Romania, Iran, Iraq and Italy. Victim industry information Victim industry types were also indicators of targeted attacks as attackers were looking to infiltrate organizations that belong to the product life cycle of multiple goods, especially industrial equipment. #Manufacturing #transportation #travel targets of #OpGhoul Tweet Number of Victim Organizations by Industry Type Victim industry description Industrial Petrochemical, naval, military, aerospace, heavy machinery, solar energy, steel, pumps, plastics Engineering Construction, architecture, automation, chemical, transport, water Shipping International freight shipping Pharmaceutical Production/research of pharmaceutical and beauty products Manufacturing Furniture, decor, textiles Trading Industrial, electronics and food trading Education Training centers, universities, academic publishing Tourism Travel agencies Technology/IT Providers of IT technologies and consulting services Unknown Unidentified victims The last attack waves Kaspersky Lab user statistics indicate the new waves of attacks that started in June 2016 are focused on certain countries more than others. #opghoul highly active in #MiddleEast Tweet Hundreds of detections have been reported by Kaspersky Lab users; 70% of the attacked users were found in the United Arab Emirates alone, the other 30% were distributed in Russia, Malaysia, India, Jordan, Lebanon, Turkey, Algeria, Germany, Iran, Egypt, Japan, Switzerland, Bahrain and Tunisia. Other attack information Phishing pages have also been spotted through, and although they are taken down quickly, more than 150 user accounts were identified as victims of the phishing links sent by the attackers.
Victims were connecting from the following devices and inserting their credentials, a reminder that phishing attacks do work on all platforms: Windows Mac OS X Ubuntu iPhone Android The malware files are detected using the following heuristic signatures: Trojan.MSIL.ShopBot.wwTrojan.Win32.Fsysna.dfahTrojan.Win32.Generic Conclusion Operation Ghoul is one of the many attacks in the wild targeting industrial, manufacturing and engineering organizations, Kaspersky Lab recommends users to be extra cautious while checking and opening emails and attachments.
In addition, privileged users need to be well trained and ready to deal with cyber threats; failure in this is, in most cases, the cause behind private or corporate data leakage, reputation and financial loss. Indicators of Compromise The following are common among the different malware infections; the presence of these is an indication of a possible infection. Filenames and paths related to malware C:\Users\%UserName%\AppData\Local\Microsoft\Windows\bthserv.exeC:\Users\%UserName%\AppData\Local\Microsoft\Windows\BsBhvScan.exeC:\Users\%UserName%\AppData\Local\Client\WinHttpAutoProxySync.exeC:\Users\%UserName%\AppData\Local\Client\WdiServiceHost.exeC:\Users\%UserName%\AppData\Local\Temp\AF7B1841C6A70C858E3201422E2D0BEA.datC:\Users\%UserName%\AppData\Roaming\Helper\Browser.txtC:\Users\%UserName%\AppData\Roaming\Helper\Mail.txtC:\Users\%UserName%\AppData\Roaming\Helper\Mess.txtC:\Users\%UserName%\AppData\Roaming\Helper\OS.txtC:\ProgramData\Mails.txtC:\ProgramData\Browsers.txt List of malware related MD5 hashes 55358155f96b67879938fe1a14a00dd6f9ef50c53a10db09fc78c123a95e8eecb8f6e6a0cb1bcf1f100b8d8ee5cccc4c07b105f15010b8c99d7d727ff3a9e70fae2a78473d4544ed2acd46af2e09633d21ea64157c84ef6b0451513d0d11d02e08c18d38809910667bbed747b2746201fc8da575077ae3db4f9b5991ae67dab18d46ee2d141176e9543dea9bf1c079c836a9ae8c6d32599f21c9d1725485f1a3cc6926cde42c6e29e96474f740d12a786e959ccb692668e70780ff92757d23353664d7150ac98571e7b5652fd7e44085d87d26309ef01b162882ee5069dc0bde5a97d62dc84ede64846ea4f3ad4d2f935a68f149c193715d13a361732f5adaa1dabc47df7ae7d921f18faf685c367889aaee8ba81bee3deb1c95bd3aaa6b13d7460e18f5ae3e3eb38f8cae911d447590c3cf7b29426b9749ece1465a4ab4259e List of malware related domains Indyproject[.]orgStudiousb[.]comcopylines[.]bizGlazeautocaree[.]comBrokelimiteds[.]inmeedlifespeed[.]com468213579[.]com468213579[.]com357912468[.]comaboranian[.]comapple-recovery[.]ussecurity-block[.]comcom-wn[.]inf444c4f547116bfd052461b0b3ab1bc2b445a[.]comdeluxepharmacy[.]netkatynew[.]pwMercadojs[.]com Observed phishing URLs hxxp://free.meedlifespeed[.]com/ComCast/hxxp://emailreferentie.appleid.apple.nl.468213579[.]com/hxxp://468213579[.]com/emailreferentie.appleid.apple.nl/emailverificatie-40985443/home/login.phphxxp://verificatie.appleid.apple.nl.referentie.357912468[.]com/emailverificatie-40985443/home/lo…hxxp://[.]com/loginhxxp://apple-recovery[.]us/hxxp://apple.security-block[.]com/Apple%20-%20My%20Apple%20ID.htmlhxxp://cgi.ebay.com-wn[.]in/itm/2000-Jeep-Wrangler-Sport-4×4-/?ViewItem&item=17475607809hxxp://https.portal.apple.com.idmswebauth.login.html.appidkey.05c7e09b5896b0334b3af1139274f266b2hxxp://2b68.f444c4f547116bfd052461b0b3ab1bc2b445a[.]com/login.htmlhxxp://www.deluxepharmacy[.]net Other malware links Malware links observed on dating back to March and April 2016: hxxp://glazeautocaree[.]com/proforma-invoice.exehxxp://brokelimiteds[.]in/cdn/images/bro.exehxxp://brokelimiteds[.]in/cdn/images/onowu.exehxxp://brokelimiteds[.]in/cdn/images/obe.exehxxp://brokelimiteds[.]in/wp-admin/css/upload/order.exehxxp://brokelimiteds[.]in/wp-admin/css/upload/orders.exehxxp://papercuts[.]info/SocialMedia/java.exehxxp://studiousb[.]com/mercadolivrestudio/f.ziphxxp://copylines[.]biz/lasagna/gate.php?request=true For more information on how you can protect your business from similar attacks, please visit this post from Kaspersky Business.

Internet of Car…rikey what the hell just happened to my car?

Complete/partial loss of control of your vehicle's systems? Yeah, possibly - IOActive Vehicle manufacturers are making many of the same security mistakes as each other, creating scores of vulnerabilities in the process. Not very reassuringly, half of the vulnerabilities discovered by security researchers at IOActive could result in "complete or partial loss of control" of a vehicle. IOActive’s study is based on real-world security assessments with the world’s leading vehicle manufacturers, covering three years’ worth of data and active vulnerabilities.

An alarming 71 per cent of the vulns uncovered during the research could be exploited without much difficulty, or are almost certain to be exploited. Vulnerabilities stemming from design-level are often unfixable because the vehicle is "insecure by design", so short of a product recall and major retrofit exercise, makers are stuck with them. “Security is a relatively new concern for the automotive industry,” said Corey Thuen, a senior security consultant at the outfit. “These systems were designed without security in mind and security is much more difficult, if not impossible, to bolt on after the fact.” “The Automotive industry has been making improvements in the awareness department.

But, as we’ve seen in other industries, it can still be difficult to get appropriate spending in security as its ROI [return on investment] is difficult to gauge,” he added. IOActive is at the forefront of research into vehicle vulnerability research.

For example, former staffer Chris Valasek was one of two researchers behind the famous Jeep Cherokee hacking exercise last summer. Thuen reckons the involvement of the insurance industry, rather than government regulation, will help drive improvements in the vehicle security. “Government regulations for safety actually help and hurt the cybersecurity aspects,” Thuen said. “Things like insecure access to the Controller Area Network Bus are mandated in the OBDII [on-board diagnostic] spec.

Government regulation for safety is a primary defence against cyberattack in the Automotive and Industrial Control System sectors.” He added: “Insurance companies are very good at assessing risk.
If anyone can figure out what the value of 1,000 man hours of cybersecurity vulnerability testing is worth, it’s them.

This will allow us to reframe the ROI of security from “invest in security or something bad might happen to you… but it might not” to “invest in security to reduce your insurance premiums by $X per year.". IOActive’s yet-to-be-published paper explains the differences in testing methodologies, with recommendations on the most appropriate methods for testing connected vehicle systems.

Detailed findings including the impact, likelihood, overall risk, and remediation of vulnerabilities IOActive consultants have discovered over the course of thousands of testing hours. ® Sponsored: Global DDoS threat landscape report

Blackhat USA 2016

This year’s Blackhat USA briefings were held at the spacious Mandalay Bay, bringing speakers from all over the world to deliver mostly technical cyber-security talks. A number of our researchers were there attending talks and participating in the parallel IOActive and BSides events on Smart Cities cyber-security and “Stealing Food From the Cat’s Mouth”. We even bought a round of drinks for a GReAT happy hour at our booth, thanks for coming by! And on Tuesday night, we announced a public HackerOne-coordinated bug bounty program, setting aside $50,000 for critical vulnerabilities. Blackhat whitepapers, slidedecks, and some source code are being posted to the site. Talks and speakers that we enjoyed here: DEMYSTIFYING THE SECURE ENCLAVE PROCESSOR and BEHIND THE SCENES OF IOS SECURITY Low level details of Apple iPhone security were presented, both from offensive researchers hacking apart hardware and software, and one of the vendor’s lead security engineers Ivan Krstic. They revealed cryptographic design and implementation details of the secure enclave processor and its OS, the iCloud keychain, and JIT hardening, and pointed out some weaknesses and areas for likely security vulnerabilities in the code. CAPTAIN HOOK: PIRATING AVS TO BYPASS EXPLOIT MITIGATIONS The speakers demonstrated how many AV vendors are performing inline and Kernel to user hooking for exploit mitigation, and how this is being done insecurely. They were able to utilize the mistakes made in the various hooking engines to run malicious code in memory. Their research identified six different types of vulnerabilities in the hooking engines and how to exploit them. Essentially, most of the vulnerabilities boiled down to improper handling of permissions on created memory blocks by the AV engines. ADVANCED CAN INJECTION TECHNIQUES FOR VEHICLE NETWORKS As always, Charlie and Chris delivered a fantastic talk on the next step in their research; targeting CAN to manipulate vehicle behaviors while driving at high speeds. While their research was done hard wired into the car, they stated that if another remote vulnerability were discovered, these attacks would be plausible remotely, not requiring physical access. They showed how they were able to manipulate various vehicles to apply the emergency brake, turn off the power steering module, control the steering, etc, all while driving at a high speed. They had to essentially bypass security measures which don’t normally allow diagnostic mode to be invoked while the car is on or in motion. In normal Charlie and Chris fashion, the talk was full of funny videos of their exploits, one of which showed them crashing their Jeep into a ditch in a cornfield and subsequently having to be rescued by some locals. 🙂 A few GReAT researchers were caricatured by an artist at our Kaspersky Lab booth, next to our Kaspersky Anti-Targeted Attack demo. The artist was good! Defcon’s challenge badges ran out in record time this year at under 60 minutes! The conference is going on now at Paris and Bally’s. See you next year!

Jeep hackers: How we swerved past Chrysler’s car security patches

Clue: It involves physically breaking into a ride this time Black Hat Last year, the Black Hat presentation by Charlie Miller and Chris Valasek caused Chrysler to recall 1.4 million vehicles to install a software update after they proved they could remotely hack Jeeps. This year, in Las Vegas, the pair showed us how to defeat that update. The dynamic duo praised Chrysler's efforts to secure their vehicles, noting that the new firmware won't accept commands via the builtin diagnostic port if the car is traveling more than five miles per hour.
Vehicles also can't receive data via their wireless Sprint connection unless they are fully patched against the vulnerabilities Miller and Valasek found, which makes remote hacking difficult to virtually impossible. So instead, the two focussed on direct physical attacks against the car's Controller Area Network (CAN) bus, by plugging into the OBD-II (on-board diagnostics) port fitted as standard to modern vehicles to control the onboard computers. Using the official mechanics software program, costing $1,650, they went for a rummage in the car's operating system. Using this method the two found that, with nine hours work, they could brute force their way into the car's sensitive subsystems, including the speedometer.

By manipulating this so that the car thought it was going under the 5MPH limit, they found it was possible, although not easy, to take control of the vehicle's steering and brakes via diagnostic messages. They found that the adaptive cruise control was pretty secure because it automatically shut down if someone tried to push it commands.

By reverse-engineering the system, the two managed to get control of the brakes and throttle, though. They also successfully got into the steering system and were able to make the wheel very difficult to turn, and to turn it 90 degrees – with the latter move piling their test vehicle into a ditch.

This could be done at speed and has the potential to kill an unsuspecting driver. The emergency brake was also vulnerable.

The pair were able to permanently lock the brake on and said it would be non-trivial to fix. Miller suggested that a mechanic would probably have to replace the entire braking system, as that would be easier than trying to fix it. Chrysler appears relaxed about this year's hacking, since it requires physical access to the car to work – you basically have to break in and fit a gizmo to the diagnostics port to disrupt the vehicle's operations, rather than hack it anonymously from the other side of the internet. On the other hand, you could sneak the device into the OBD-II with some wireless comms and take over the car while it's being driven. All these issues could be stopped if only car manufacturers built a basic intrusion detection system into their cars, such as the Can-no hackalator 3000 that the two built in 2014. When asked by The Register why this wasn't being done, Miller said he didn't know, but as cars are typically designed over five-year cycles, the automakers may be working on one and just haven't rolled it out yet.
In the meantime, he isn't worried about mass car hacking. "It's hard, so I'm not worried about it," he said. "It's not like one day someone is going to make all the cars in the world stop.

But we can't ignore it just because I'm not worried about it." This will be the last time Miller and Valasek demonstrate their car hacking skills.
Valasek said they had been doing this for four years now and it was time to pass the baton to other researchers.
In the meantime, the two are concentrating on their day jobs: developing automated car software for Uber. ® Sponsored: 2016 Cyberthreat defense report

Black Hat: Car Hackers Find New Flaws

Researchers Miller and Valasek continue to find risks in connected cars.
Secure technology, such as intrusion-prevention devices, should be built in, they said. LAS VEGAS—For the third year in a row, security researchers Charlie Miller and Chris Valasek gave a talk at the Black Hat USA conference here about car hacking.

Despite the high-profile recall of 1.4 million cars in 2015 after their talk, there are still risks in vehicles that can enable an attacker to take control of steering and brakes.The highly anticipated talk at this year's Black Hat conference played out in front of a standing room-only audience that had gathered to hear the pair of researchers with their unique brand of onstage showmanship and drama. The two researchers, who now work for Uber, started off by recounting their previous two Black Hat talks in 2014 and 2015 that laid the groundwork for what they revealed this year.In the 2014 attack, Miller and Valasek were able to discover how to manipulate some Controller Area Network (CAN) messages that handle some functions in the car.

The limitation was that the commands could only be passed to a car that was either not moving or moving at less than 5 mph.
In the 2015 attack, the researchers found a remote way into the vehicle via a flaw that Chrysler has since patched.

Additionally, remote access was blocked by Sprint, which is the carrier used by Chrysler to enable its vehicles.Miller quipped that Chrysler did a great job of patching and Sprint blocked access effectively, which hampered his and Valasek's efforts at further research, so they needed to find another way in. The Chrysler Jeep vehicle they had also has a USB port, which Miller and Valasek were able to use to get Secure Shell (SSH) access to the CAN on the car.

The simple password that the pair discovered to get access was "dtdonkey," but the pair joked they didn't know what that referred to. From there, the pair spent a lot of time looking at the messages going across the CAN to see if they could, in fact, manipulate steering and brakes when the car was moving faster than 5 mph.

The key challenge they initially found was a message conflicting issue, such that when they injected messaged into the CAN, the legitimate messages were still being sent.
In some cases, the message contention could have just shut down the attacked system, not enabling anything to happen.To solve the issue, Miller and Valasek came up with an approach they called BootROM Boogaloo.

The Jeep and other vehicles have firmware that can be reflashed to enable software updating.

By starting the firmware upgrade process while the car was still stationary, and then starting the car and injecting the fake messages via the USB, it was possible to bypass the 5-mph restriction.

Additionally, the two researchers came up with a system they called "message unconfliction" to further trick the car's systems and block the legitimate messages in favor of the injection messages.Miller and Valasek showed video of how they were able to manipulate the steering wheel and brakes by using the BootROM Boogaloo and "message unconfliction" approaches.
In one of the test cases, the two researchers ended up putting their Jeep into a ditch on the side of a highway in Missouri, which elicited a loud roar of laughter from the audience.Compared with the reaction to Miller and Valasek's 2015 research that led Chrysler to issue a vehicle recall, the response to this year's attack was more muted."Based on the material provided, while we admire their creativity, it appears that the researchers have not identified any new remote way to compromise a 2014 Jeep Cherokee or other FCA US vehicles," Chrysler said in a statement.Miller said that Chrysler essentially told them that since the attack isn't remote and isn't easily executed there is no immediate concern.

Both Miller and Valasek shrugged, commenting that vendors need to build secure technology into cars.At the core, the simple fix for all the issues outlined by Miller and Valasek in the 2016 talk is the same fix they first proposed in 2014, namely an intrusion-prevention device for cars.

The pair also advocate the use of code-signing technology to help make sure only valid code runs on cars.At a press conference following the talk, the researchers were asked why they did the research.Although car hacking in the wild is largely impractical today, there are risks, Valasek said. "The main reason we're doing this is to get ahead of issues so it won't be a big problem," Valasek said.Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.

Follow him on Twitter

Jeep Hackers Return With New Tricks

Jeep parent company Fiat Chrysler Automobiles, meanwhile, says not to worry. A year after Charlie Miller and Chris Valasek disclosed a major security vulnerability that could allow hackers to remotely hijack your Jeep, the infamous auto hackers are a...