Don’t Customize your Car’s Home Screen

For the past couple months, I’ve been trying to upload images into the infotainment home screen of whatever car I have each week.

I’ve now tried 5 different manufactures, formatting the USB 3 different ways, using  jpegs/bmps, and each time I keep failing.

I can’t get them to talk, none of the five. Strangest thing. So my reasoning is – if that doesn’t work, there’s a problem, so don’t.

Because here is the possible attack:

The Attack

Download image from the internet to USB > there’s flaws in the code that reads jpegs/bmps that could be used to execute arbitrary code on the device > leading to you running bad stuff (malware, virus, etc.)

The Defence

Just don’t. Everything doesn’t need to be customized.

To be clear: I highly doubt this niche attack will happen to you, and if it does, it’s probably because you’re a target and likely have bigger things to worry about.

But it’s not always going to be this way. In the near future, we’ll be adding apps to our cars the same way we now do to our phones. Good habits start now.

Photo I’m trying to load is from the post: Got stuck in some PVC pipe yesterday here

***

Blog tag = auto security

 

 

Your Screen can be Seen from Far Away

Like the 2nd floor of a mall.

What about using using a real camera, instead of a phone?

And know how, while typing, the letters get larger?

The Attack

HD video camera > zoom > record > play it back slowly > get password

The Defence

Back to the wall when entering passwords, and look up first, everyone forgets to look up.

 

 

Never Connect your Car’s WiFi to a Public Network

Staring this 2015 model year, cars will come equipped with internet and WiFi capabilities.

Here I am sitting outside a friend’s house in suburbia; I could connect to the houses around me.

You’ll soon be connecting your car to your home network to update it. Only ever connect your car to a known, safe network, like your home, and never a public network, like a coffee shop.

* = password

The Attack

You connect the car via a coffee shop > an attacker inside has MITM’d the connection > now all internet traffic runs through his computer first, before going to the internet

The Defence

Connect only to a network you fully control, like your home.

While this is unlikely to happen…

… that’s only for now. While car hacking is still in its infancy, now is the time to form good habits, because it only takes one connection, one time, to tank it all.

(see: ‘Keri on Driving’ column Dispelling Car Hacking Fears, and the lead press piece I wrote for last year’s SecTor Security Conference)

***

Further reading:

– how to secure your car’s internet connection

– my column: WiFi HotSpots are coming to Cars

– what is a MITM attack

– general WiFi security 

 

 

The Scariest Type of Malware – Ransomware

Of all the types of malware, this one scares me the most.

Ransomware – a type of malicious software that locks, and sometimes encrypts, the victim’s entire computer. The victim is then informed that removal is only possible, when they pay a ransom fee to the creator of the malware. Basically, ALL your files get locked up, and someone else has the key. 

The Attack

On my other computer, I was catching up on celebrity gossip, and streaming TV from a sketchy Eastern European site, when this page overtook my browser.

1 – informs me all my files have been encrypted
2 – shows my IP address, which didn’t pinpoint my exact physical location, but was pretty close
3 – ransomware often uses this popular ‘police-theme’, to give the illusion of authenticity, and heighten fear
4 – a scary countdown timer; I have 24 hours to pay the ransom

The Defence

Ransomware is usually installed from clicking a bad link on social media, in a website or email, opening a malicious email attachment, or sometimes just visiting a malicious site.

closer investigation reveals this is mostly scareware. The English is poor, I’m on a Mac not a PC, the “Internet Police Department” uh-huh, and child p0rn phft as if, I don’t even really like kids.

Plus, 24 hours have passed, and my computer is fine.

Notice though, I said “my other computer“.

Because never would I visit those sites on my work computer. Which is why, had this actually happened, my solution would be to wipe the entire laptop, wouldn’t matter, there’s nothing on it. Opposite of this computer.

Keep your anti-virus software updated, your firewall on, and be careful what you click.

The Fix 

It’s up to you if you decide to pay the ransom.

F-Secure has removal instructions, as does Norton.  Or take you computer to your trusted IT repair place.

Regularly backup your files.