Hack my ride

Posted: July 23, 2015 in Uncategorized

I wrote about the issue of car hacking about 6 months ago. Since then, the predictable has happened. The threat has been shown to be even worse through a new proof of concept hack that allowed a 2014 Jeep Cherokee to be remotely, wirelessly controlled from 10 miles away. In this controlled demonstration, the driver knew he was going to be hacked but still experienced a combination of weird and frightening scenarios including:

  • radio turning on spontaneously blaring music and can’t be turned down or off
  • windshield wipers (complete with washer fluid spray) operating on their own
  • engine slowing to a crawl
  • losing control of the steering wheel
  • horn honking on its own

An article in Wired.com covers the demo in more detail. To watch a video of the “thrill ride” take a look here.

Car Hacking Demonstration

Car Hacking Demonstration

Crazy stuff, huh?

Before you dismiss this threat because you don’t drive that model of vehicle, bear in mind that the guys behind this hack believe that there are many more models as well. One estimate has the number at more than 470,000 vehicles vulnerable to this particular exploit alone.

Why these internal systems would ever be accessible remotely is the question that automakers need to answer. At a minimum there should be an “air gap” separating these systems:

  • vehicle control system
  • entertainment system
  • monitoring system

Only the latter should be remotely accessible and even that one is debatable.

The bottom line here is that we are in the early days of Internet of Things (IoT) and vehicle/computer integration. Unfortunately, the focus seems to be on building the functionality and taking care of security as an afterthought. Things are likely to get worse before they get better so buckle up and be prepared for a rough ride…

Who doesn’t love a good sci-fi movie? They offer us a glimpse into a possible future world that may or may not ever come to actually exist but, either way, can be enormously entertaining in the process.

One of the best from my childhood was the 1968 classic (yes, I’m old) Planet of the Apes. 

pota1*** Spoiler Alert *** In the final scene the protagonist, George Taylor (played by Charleston Heston), is walking along the beach of the dystopian world his spacecraft crash landed on. This alien world is run by intelligent, talking apes who have enslaved the native human population. Taylor looks up to see a half-buried Statue of Liberty and realizes that he isn’t on some distant planet but is, instead, back on planet earth many years after he left it. His final lines are:

Oh my God. I’m back. I’m home. All the time, it was… We finally really did it. [screamingYou Maniacs! You blew it up! Ah, d*** you! God d*** you all to hell!

Dramatic stuff! My young mind was completely blown. Still is …

But what if it isn’t apes that we need to keep our eyes on? What if the plot is actually more sinister? What if the threat comes from an even more unlikely source?

COWS!!! CIXs1kCUcAAAeaT

Yes, cows. It seems Hollywood got it wrong (shocking!). Believe it or not, according to US CDC statistics you are more likely to be killed by a cow than a shark — twenty-two times more likely, in fact. All this time they’ve been standing in our fields passively chewing cud and staring at us with those cold, dead eyes …

OK, so I’m overdramatizing for effect. No, I don’t believe that cows are out to get us or that they will eventually become our overlords, but the the point is that we are often quite bad at assessing risk. Are most people more afraid of cows or sharks? According to the actual data, which one should they be more concerned about?

What does this have to do with IT security? If we are bad at assessing real world threats, why would we think that we don’t carry some of the same deficiencies into our assessment of cyber threats? My guess is we shouldn’t think that we don’t because we do.

So, the next time you hear someone trying to downplay a potential risk, it might be worth taking a second look to see if the facts support it. Otherwise, we could one day be living on … the planet of the cows!

key-470345_1280Increasingly, we are living more and more of our lives online. What used to be in person interactions are more likely to be virtual. Rather than going to the bank, you can deposit a check by taking a picture of it with your mobile phone (along with some magic from a specially-designed mobile app from the bank). Make investments from your browser. Speak with a doctor via video conference for a virtual office visit from the comfort of your own home rather than spending the morning in a waiting room full of other sick people sharing their germs. Buy that hot new gadget online and have it show up at your door a few days later.

Great stuff — and it all relies on a system of trust for verifying identities of the various parties based typically on our ability to enter a presumably “secret” password that no one else knows when prompted.

But what if you aren’t the only one who knows your password? You didn’t tell anyone what it was (please, tell me you didn’t!) and you didn’t write it down where others could read it (I know you’re smarter than that, right?). Instead, you stored it in an encrypted software password vault of some sort and gave yourself a pat on the back for this technical accomplishment.

Great! That’s what you should do. However …

… no system is perfect and that includes encrypted password stores. If you use a Mac, Keychain is a convenient choice. It makes things easier still if you have multiple Apple devices by synchronizing passwords via iCloud so that your iPhone and iPad get updated when you change a password on your MacBook.

Or you could use LastPass or 1Password, which provide similar functions across Apple and non-Apple platforms like Windows and Android. There are plenty of other similar choices too but let’s keep this discussion simple and just look at these.

Well, guess what? In the past week, stories have come to the forefront that all of these solutions are vulnerable to attack.

  • Glen Fleishman of MacWorld.com does a nice job of explaining the technical details of the LastPass hack and the protections in place to deal with the risk in this article.
  • Glen also covers the latest vulnerability disclosure in OS X and iOS that expose Keychain to hacking in this article.
  • 1Password makers tried to reassure their users in this blog post.

None of these revelations should come as a surprise. OK, so maybe you didn’t know the specifics but the point is any operational system is vulnerable. The goal should not be to eliminate all risk (although, that would be nice), but rather, to bring risks down to an acceptable level by mitigating the ones we can and avoiding or accepting the ones we can’t.

Quoting from the 1Password blog:

There is a saying […] “Once an attacker has broken into your computer […], it is no longer your computer.” So in principle, there is nothing that 1Password can do to protect you if your computer is compromised.

Very true. The lesson here is not that we shouldn’t use password managers. The alternative is worse. The lesson is that none of these systems are sufficient to keep everything secure. That means you have to protect your system from malware by:

  • not installing software from questionable sources
  • not clicking on attachments that you aren’t expecting
  • not using trivial passwords
  • not neglecting to install patches both to the operating system and apps
  • not storing passwords in the cloud but, instead, syncing across devices via a wired or secured wifi connection

Also, choose to set up 2-factor or 2-step authentication on the systems that support it. These typically involve sending you a text message with a seemingly random number that only you will know if you have pre-registered your phone and keep it in your possession (and free from malware too). These systems aren’t perfect either, but they make the job of cracking your castle harder for the bad guys and that’s a good thing for you and your online kingdom.

jc-blog-iphoneSecurity professionals have been begging people to secure their mobile devices with a strong passcode for years. Yes, it’s a pain to have to type in all those characters on a tiny keyboard but the alternative is that anyone who can put their hands on your phone could read all your emails, texts, pics, view phone history, see everywhere you’ve gone and install malware that will keep track of all of this remotely (plus turn on your mic to listen on your conversations even when you aren’t making a call — ditto with the camera).

Maybe your life is an open book and you don’t care about privacy. Surely you care about your bank account, your reputation and your company’s confidential information, which, if not protected, could, at minimum, cost you your job (if not bankrupt the organization). Yes, a bad guy could use your phone’s mobile banking app to raid your funds or satisfy the second factor login requirement your financial institution’s web site requires for users of a web browser (assuming you bothered to set up those protections).

Many think, “OK, I’ll do a 4-digit PIN and that will be enough, right?” On the surface it sounds like a reasonable compromise. It’s not as inconvenient as an 8-character, alphanumeric passcode, but it still would mean that a hacker would have to try, on average, 5,000 different numeric combinations (half the total of 10,000 possibilities since the odds would be 50-50 of a correct guess at that point) to break in and who has that kind of time? Better still, the reasoning goes, “I’ve turned on that setting that automatically wipes the device after 10 incorrect tries, so the bad guy would have to be incredibly lucky to guess the right sequence that quickly.”

As the saying goes, “there’s nothing more dangerous than presumed security.

What is being assumed, in this case, is that someone won’t come along and build a box that could automate the process of entering all those possible PINs and, here’s the kicker, disconnect the power supply on the device before it has a chance to wipe the phone’s storage after an incorrect guess. In other words, unlimited tries with no penalty. And what if the process of trying all 10,000 combinations could be done in roughly 4.5 days (bearing in mind that this is the worst case for the bad guy and the best case could be just a few seconds)? And what if this box only cost about $300?

IMG_1602What this means is that anyone who steals your phone (or just has access to it for some reasonable period of time, such as while you are asleep) could do all the nasty stuff described above to your bank account, company, Twitter feed, emails, photos and so forth. Well, that scenario exists.

So, while it may be a royal pain to enter that complex, 8 character passcode, it is, unfortunately, necessary. As an alternative, if you have one of the newer iPhones, you could simplify things with a fingerprint scan using the built-in Touch ID sensor. No, it isn’t perfect either. Nothing in security ever is, but it
could be a better trade off than the venerable but broken, 4-digit PIN.

Screen Shot 2015-02-05 at 2.16.49 PMIn 2013 I did a presentation on social media threats at the OOP (Object Oriented Programming) conference in Munich. (You can see my presentation here.)

Well, the folks that ran the conference were nice enough to invite me back for this year’s event where I did a talk entitled “The Data Center in Your Pocket: Securing Mobile Devices.”

There’s logo_biggerno video this time around but I did do an interview for InfoQ.com on the general topic of mobile security, which you can find here, in case you’re interested.

You are driving down the road minding your own business on a brisk winter day when suddenly the stereo starts blaring unrecognizable music, the air conditioner begins blasting cold air, the onboard navigation system changes course, the headlights start flashing, the engine turns off, killing the power steering and braking systems making a controlled stop difficult, if not impossible. Oh, and the same thing just happened to every other car on the road around you at the very same time.

Got your attention?

That scenario, though implausible today, is not impossible in the not too distant future. The Internet of Things (IoT) movement to turn everything we use into computers has already taken hold in the automotive industry. Cool new features that let you remotely lock and unlock and start your car are becoming more common. That’s great news for both the good folks who enjoy this infusion of technology into more and more parts of their lives and it’s great news for the bad guys who would like to exploit the darker sider of these advancements.

The point is that if you can control all these systems on your car wirelessly, the potential exists for a hacker to do the same.

While the doomsday scenario outlined previously is still a bit far fetched, it may not be as unlikely as you might think as we are already starting to see proof of concept attacks and other vulnerabilities emerge. Here are a few examples:

  • Reuters reported that BMW recently patched a bug that left over 2 million Rolls-Royce, Mini and BMW cars open to having their doors unlocked by attackers. According to the article, the vulnerable software allowed drivers to:

    activate door locking mechanisms, as well as a range of other services including real-time traffic information, online entertainment and air conditioning.

    Apparently the communications between the car and the controller weren’t encrypted so an attacker could trick the car into listening to unauthorized commands. The problem is supposed to be fixed now but one has to wonder why it just now occurred to the powers that be that authenticating the source of the commands might be an important feature.

  • The Register reported that:

    Zhejiang University students have hacked the Tesla Model S with an attack that enabled them to open its doors and sun roof, switch on the headlights and sound the horn – all while the car was driving along.”

  • And there’s this from ARS Technica:

    papers published in 2010 and 2011, on-board components such as CD players, Bluetooth for hands-free calls, and “telematics” units for OnStar and similar road-side services make it possible for an attacker to remotely execute malicious code.
    The research is still in its infancy, but its implications are unsettling. Trick a driver into loading the wrong CD or connecting the Bluetooth to the wrong handset, and it’s theoretically possible to install malicious code on one of the ECUs. Since the ECUs communicate with one another using little or no authentication, there’s no telling how far the hack could extend.”

  • And if you’d like to see a proof of concept take a look at this video which shows a car’s horn, steering and brakes being controlled by a backseat driver.

Before you throw away your keys and go horse shopping bear in mind that most cars on the road lack these sort of remote control capabilities in the first place but that is changing. The hope here is that the auto makers will learn from these early mistakes and make safer vehicles in the future. The likelihood is that we will hear about a lot more of these types of vulnerabilities before they do.

Now, who wants a self driving car?

You’ve just checked into your hotel and gotten situated in your room. All that time on the plane has left you feeling a bit out of touch so you head down to the business center to do a quick check of your email. You’re in luck — there’s a free workstation just waiting there for you. You log in to your account, read a few, respond to some, delete some spam, log off and head for the gym feeling that everything is now in order. But is it?

Turns out that the person using that same PC a few hours ago opened an attachment that contained malware that installed itself on the system and has been recording every keystroke entered ever since. Making matters worse, all those email responses, web site addresses, credit card numbers and logins have also been surreptitiously forwarded to someone on the other side the world who now has everything they need to take over your email, raid your bank account and run up charges on your credit card.

Krebs on Security has a good post on this threat along with a discussion of  some preventative measures your hotel could have taken to protect you. The problem is, as the author points out, all of them can potentially be circumvented.

Of course, you could enable all your accounts to use 2-factor (a.k.a. two step) authentication where a seemingly random set of numbers are texted to your phone that you then have to enter after entering your account name and password (and you should!), but most people don’t want to be bothered with this extra step and they are precisely the ones that the bad guys are counting on.

The bottom line is, if you don’t control the system you’re using (and you never do with a public terminal), you really have no idea who else might be listening in so you should consider that anything you type (including your password) is now public information.

The best thing you can do to avoid this scenario is simply to not use public workstations. It may be a pain to lug along your own laptop but it beats the alternative.