Have a Job for Life – Go into Auto Security

It’s an emerging industry that’s growing ridiculously quickly, auto companies have endless money, and there’s many verticals being created to choose from.

New Job Possibilities

– fix CAN bus, that thing is a mess

– get good at D-Bus 

– work for the companies that build the infotainment units eg. Harmon Kardon

cellular companies, there’ll be a vertical dedicated to securing connected cars

– learn the QNX Operating System, 75% of cars use it

– figure out how to mass update older cars

– develop a penetration test for cars


And with this post, I’ve now summarized a talk, then summarized another talk about that talk HAHA.



Update your Android Phone NOW

There is a massive Android bug called Stagefright.

It’s being called the biggest Android flaw ever, it affected about 950 million devices.

It has its own logo.

Hundreds of millions of phones are affected.

Above is a list of vulnerable devices.

That’s Adrian Ludwig, lead engineer for Android security at Google, speaking about Stagefright at Black Hat 2015.

The bug was discovered by Joshua Drake from the Zimperium security firm. He tells FORBES magazine,

“All devices should be assumed to be vulnerable. Only Android phones below version 2.2 are not affected.”

The Attack

Uses MMS (texting.) It installs with no user interaction required, scary.

A MMS message is sent > it contains a media file > that the phone opens automatically > which releases and installs the bug > MMS is deleted > no trace of attack

Watch the attack.

What can Stagefright do?

Turn on both the camera and microphone, and secretly record video and listen to conversations.

A level deeper, and it’s view photos; read the device’s email, Facebook and WhatsApp messages; access contacts and data; or use the mobile as a jumping-off point into the victim’s cloud applications.

The Defence

Google shut down some functions, that’s why the messenger app stopped auto-loading and thumbnails reverted to static-only. Nexus devices are being updated automatically over the air.

What you can do:

1 – update your phone

2 – disable “auto-fetching in MMS” to stop the media from auto-downloading. How to here.

3 – never open a photo, video or click a link, from someone you don’t know

4 – download Zimperium’s Stagefright Detector App for Android Devices 

Further reading – Zimperium’s blog post

From Black Hat 2015

Blog tag = Black Hat



Facebook is Copying your Contacts

Finally upgraded my phone, and with it all apps including Facebook Messenger. Which really wants access to my contact list.

“Your contacts will be continuously synced with our servers.”

No no, and if you have little dossiers attached to a contact, bet those are copied too.

The app is aggressive, and about every 12th use it prompts.

Now begins the game of “it’s one slip of the finger and I accidentally hit okay…”

Then what, turn my phone off? That’s seconds, it’s likely done hoovering the list by now, or just pick up where it left off when the phone is turned back on.

Do you have a hard copy of your contact list?

Saved on a USB that’s tucked away safe?

How would you find your loved ones if you lost access to your account? Everything’s in the cloud and it fails? If your only copy of your contacts is stored in Facebook, please leave my blog.

Maybe it’s me. Maybe just give Facebook everything it wants, forget this all, and look at my new coat.

Blog tag = Facebook



Car Hacking Looks like This

Screenshots from the Black Hat presentation about the first remote hack of a passenger vehicle – a 2015 Jeep Cherokee (more here.)

It was these guys – Charlier Miller and Chris Valasek.

2 Biggest Takeaways for the Average Driver

1 – the attack they released no longer works

As of publishing of this post, the attack stopped working because Sprint closed the port they were using to enter the car (nice Sprint.)

If you own a Chrysler and were part of the 1.4 million recall, breathe a bit easier.

2 – update your car

This Jeep thing is a wakeup call – if your automaker issues an update, make it a priority. The industry is still in its infancy, the update will probably be inconvenient “pick up a USB from the dealership” DO IT.

Be mindful about how you connect your car to the internet (please never pair your car to public WiFi.)

From Black Hat 2015.



Good to Meet You Black Hat, I’m Keri

We’ve maybe met before, this is my 4th Black Hat as media. Media.

Because to be clear: compared to you guys I’m a baby, a script kiddie at best. I’m okay at OSCINT and SE, it ends there.

I’m an auto journalist with Sun Media, a Canadian newspaper chain. I write the news, car reviews and a weekly column – Keri on Driving – 400 words about whatever I want. For a sample, read my 150th Anniversary column.

Been starting to specialize in auto security, which is why I’m here.

Blog tag = Auto Security (34), and I run the security section of the newspaper here.

About my blog’s security section

I doubt this section would much interest you, I write for the end user. It’s more for like, a housewife in Iowa.

Like my Blackberry security video:

Please don’t hack me! Really, it’d be like picking on the kid at recess wearing a helmet.

I’ll leave you something
only this crowd will appreciate

Despite everyone rolling their eyes when I tell them, it’s maybe the thing about my blog I’m most proud of, more than it making through bank filters

…. my blog and I have been flown around North America, gained access to some amazing places and tested almost $10 million in cars…. ready….

… all without an About Page! Nor a LinkedIn! And I kept my last name offline for 5 years.


Find me fastest on Twitter @KeriBlog, if you see me say hi, and have a great conference!


Blog tag = Black Hat