Going Back to Black Hat

Yesterday afternoon I received my confirmation of media credentials to Black Hat in Vegas.

Here’s the conference link if you’re curious. Basically, it’s the world’s most prestigious online security conference.

It’ll be my 4th; here’s the blog tag: Black Hat. See you there!

First Time a Vehicle is Remotely Hacked

WIRED magazine published a story yesterday about the world’s first documented wireless attack of a vehicle. A pair of security researchers put a journalist behind the wheel of a Jeep Cherokee and took control of it while he was driving miles away.

Read my synopsis on Autonet, here’s the original WIRED story by Andy Greenberg, and below are the key things to know.

This security update does NOT affect Canadian vehicles

I contacted Chrysler, and got this quote for Autonet:

“An FCA representative in Canada tells Autonet, ‘Due to market access to cellular connectivity in the Canadian marketplace, FCA Canada vehicles are not affected by this condition and therefore do not require a system upgrade.’”

It does, however, affect American vehicles, specifically mid-2013 to 2015 Fiat-Chrysler vehicles sold in the U.S. that are equipped with the Uconnect infotainment system.

WIRED estimates about 417,000 are affected. Download the security update from FCA here, or take it to a dealership mechanic.

What happened to the car?

Radio, A/C and wipers were all turned on high, and Andy spun the control dials with zero effect. They altered the dashboard screen image.

They cut the transmission, and an 18-wheeler came barrelling up behind him, then they disengaged the brakes and sent Andy into a ditch.

They turned the SUV into a surveillance tool, tracking its GPS coordinates and tracing it on a map.

How was the car attacked?

The pair gained wireless control of the Cherokee via the vehicle’s Uconnect infotainment system, which is connected to the Sprint cellular network.

They enter the car through its cellular connection, then move to an adjacent chip in the head unit and rewrite the chip’s firmware to include their malicious code. Now they’re able to send commands through the car’s computer network – CAN bus – and control physical components like the brakes and transmission.

What’s next?

The pair will present their findings at the upcoming Black Hat online security conference in Vegas, as well as share their code. A key vulnerability will be omitted, but the code to do the dashboard tricks will hit the internet.

Why? They say 2 reasons: for peer review, and it “sends a message: automakers need to be held accountable for their vehicles’ digital security.”

Overall Takeaway

What Charlie said:

“We shut down your engine—a big rig was honking up on you because of something we did on our couch,” Miller says, as if I needed the reminder. “This is what everyone who thinks about car security has worried about for years. This is a reality.”

Related Blog Links

– I’d like to know if they can access the driver’s contacts. I don’t pair my phone to a car.

– you’ve met this pair of security researchers: Charlie Miller briefly at Sector, and Chris Valasek for my column, and in a press piece for Sector 2014

– sign I Am the Cavalry’s petition to the automakers, I did

– about the OBDII port

– there are over 100 computers in your car

– one of which is the black box – an EDR

blog tag = auto security – newspaper tag = auto security

– I was recently in Utah with Jeep, off-roading a Cherokee, Trailhawk trim.

They hacked a fun SUV.

Analyzing a Vishing Attack

There’s a CRA (Canada Revenue Agency) scam going around right now. I received a call from “Roger” at the CRA this week, asking me to verify my current address.

Let’s analyze the attack.

The Attack

Flag #1

Roger’s number displayed on my phone – 905-XXX-XXXX. Nope.

The CRA agent’s number will never display; it will come up as “Private” or “Blocked”. Imagine if it didn’t: people would lose their minds dialling directly to harass the agent.

Flag #2

Roger lists my last 3 home addresses and my company name, then asks for only one piece of information to verify my identity: my birthday. One piece of publicly available information to verify me? No way.

From the CRA website, here’s the list of identification questions they’ll use.

Flag #3

Me: this number on my screen, if I call it back it’ll go to you?
Roger: yes, that will go directly to my desk.

Uh-huh. See Flag #1. Plus, if he’s at his desk, why don’t I hear any office noise in the background?

Let’s keep talking.

Me: what’s the problem?
Roger: the address we have on file for your company is incorrect, because the mail we sent you was returned. We need to update your address.

Flag #4

Not only do I have my mail forwarded from my old downtown address, but my accountant and I are very on top of things, so there is no chance this is correct.

I tell him to switch it to my home address, which he has already listed, and he rushes off the phone.

I immediately email my accountant, who searches the CRA database and comes back with this confirmation – my correct address is on file.

Flag #5

I call the number back and it goes straight to voicemail.

Not only is it full and cannot accept new messages, but the name on the voicemail is not Roger.

Flag #6

I trace the phone number, and land up at a suburban house just outside of Toronto. Not posting a map of that, bet the poor guy has no idea his number has been hijacked.

Flag #7

Over to Google, and there’s news everywhere, including one from CBC a couple weeks ago warning Ontario residents. Read it here.

The Defence

– stay sharp and calm… the above played out over 60 seconds, as in, quickly. If the call comes in while you are distracted or busy, that’s how you slip up and they win

– when in doubt never ever give out personal information, especially your Social Insurance Number (SIN)

– call the CRA directly to confirm the validity. Say something like, “I’m very busy at the moment, but will call you back by end of the day.” That way you’ve initiated contact, and the problem should be listed on your file

– ask lots and lots of questions, they don’t like that

– the scammer will be skilled on the phone; they’ll sound smooth, almost too smooth

– CRA emails will never contain any links, nor will they contain personal information

– listen to your gut; it’s the best defence in these scenarios

See the CRA website for more details on scams.

As always in suspicious scenarios, be wary of clicking on links in an email, and if you must, expand the URL before clicking.

Test yourself here: Spot the phishing email

Blog tag = phishing