Posts Tagged ‘hack’

Tire Sensors Provide Easy Entry for Wireless Hackers

Thursday, August 19th, 2010

We’ve previously posted (here, and here) about the device security concerns facing today’s heavily computer-controlled automobiles. And now, researchers have found that even the requisite tire pressure monitoring systems — run by wireless sensors — could be a real security vulnerability.

As recently reported on Ars Technica:

The wireless sensors…can be used to track vehicles or feed bad data to the electronic control units (ECU), causing them to malfunction. [...]

The tire pressure monitors are notable because they’re wireless, allowing attacks to be made from adjacent vehicles. The researchers used equipment costing $1,500, including radio sensors and special software, to eavesdrop on, and interfere with, two different tire pressure monitoring systems.

The pressure sensors contain unique IDs, so merely eavesdropping enabled the researchers to identify and track vehicles remotely. Beyond this, they could alter and forge the readings to cause warning lights on the dashboard to turn on, or even crash the ECU completely.

ATMs Forced to Spit Out All Their Cash

Sunday, August 8th, 2010

As we previously reported, the Black Hat Conference in Las Vegas is a gathering of individuals from the security research and hacking communities, eager to flaunt their most recent discoveries and hacks. The purpose of these proceedings is purportedly to show the rest of the world what a determined hacker can do as well as raise awareness of security issues and what can be done about them.

Enter Barnaby Jack, Director of Research at IOActive Labs, who in previous years had been prevented from unveiling a custom-designed rootkit aimed at getting ATMs to release their cash payload, due to complaints from ATM manufacturers. Finally, at this year’s conference, Jack was able to execute this feat on not one but TWO ATMs installed especially for his demonstration, a first for the hacking community. Jack’s method takes cash from the machine without access to any customer’s account. These YouTube videos, taken from the audience perspective, show Jack’s handiwork in progress.

Millions of Home Routers Vulnerable to Hackers

Tuesday, July 27th, 2010

At the Black Hat conference in Las Vegas this month, a group of highly accomplished hackers-turned-security researchers will converge to show off their latest discoveries and to share their findings with the development community. Among them will be Craig Heffner, who plans to unveil a flaw in consumer routers that could expose ‘millions’ of home networks to hackers.

“The sleight of hand discovered by Heffner involves establishing an attack site which runs malicious script that means a visitor’s own IP address is presented as one of the site’s alternative IP addresses, thereby granting a trusted status to a malign site. Modern browsers are designed to block earlier types of such attacks but not with this particular scenario, for reasons Heffner is due to explain at Black Hat.”

Present in a variety of router models from companies such as Linksys, Belkin and Dell, the flaw is a vulnerability to a classic hacking technique called DNS rebinding, in which hackers use malicious code to “trick” a device into letting them control it. While Heffner’s discussion will hopefully include preventative measures for the manufacturers of these routers, there is currently a list of vulnerable kits and sensible workarounds to address this flaw at Notebooks.com.
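The two mitigations this flaw calls for, as an added example that is not code from the original post or from Heffner’s talk: a resolver-side filter in the style of the rebind protection built into home-router resolvers (dnsmasq’s `stop-dns-rebind`), which drops answers that map an outside name to a LAN address, and a device-side Host header check for the router’s web interface. The local zone names, device names and sample DNS answers are constructed for the example.

```python
"""DNS rebinding defenses as two small checks (added example, not the
original post's code). A public hostname has no legitimate reason to
resolve to the visitor's own network, so such answers are dropped; the
router's admin UI, in turn, only answers requests addressed to itself."""
import ipaddress

# Address ranges an external hostname should never resolve to.
_BLOCKED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",     # loopback, this-host, link-local
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 equivalents
)]


def is_rebind_answer(addr: str) -> bool:
    """True if a DNS answer for an external name points inside the LAN."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _BLOCKED)   # version mismatch -> False


def filter_answers(name: str, answers: list, local_zones=("lan", "local")) -> list:
    """Resolver-side filter: return only the addresses safe to hand out.

    Names under the router's own local zones (constructed here) may resolve
    to private addresses; any other name doing so is a rebinding attempt
    (or a misconfiguration) and that address is dropped.
    """
    if name.rstrip(".").rsplit(".", 1)[-1].lower() in local_zones:
        return list(answers)
    return [a for a in answers if not is_rebind_answer(a)]


def host_header_allowed(host_header: str, device_names=("192.168.1.1", "router.lan")) -> bool:
    """Device-side check: serve the admin UI only when addressed by its own name.

    A rebound request still carries the attacker's hostname in the Host
    header, so it is refused. The port, if present, is ignored.
    """
    host = host_header.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal
        host = host[1:host.find("]")]
    else:
        host = host.split(":", 1)[0]
    return host in device_names


# Constructed sample: a first answer pointing at the attacker's public
# server, then a "rebound" answer pointing at the visitor's own router.
SAMPLE = {"attacker.example": ["203.0.113.10", "192.168.1.1"],
          "router.lan": ["192.168.1.1"]}
```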

This Mobile Phone Will Self-Destruct

Monday, July 19th, 2010

Commonly regarded as a more tweak-friendly alternative to Apple’s iPhone OS, Google’s Android OS has carved out a loyal market niche among mobile power users looking to get tricky with their smartphones, as well as among developers of third-party apps that wouldn’t make the cut on Apple’s more stringent App Store. But those who love Android phones for their tweakability may want to think twice before shelling out for Motorola’s Droid X, the new flagship phone released today.

As reported by VentureBeat, the new Droid phone contains “eFuse” technology designed to render itself inoperable should the smartphone be user-modified.

[eFuse] runs when the phone boots up, and it checks to make sure that the phone’s firmware, kernel information, and bootloader are legit before it actually lets you use the device….If the eFuse fails to verify this information then the eFuse receives a command to “blow the fuse” or “trip the fuse”. This results in the booting process becoming corrupted and resulting in a permanent bricking of the phone. This fail-safe is activated anytime the bootloader is tampered with or any of the above three parts of the phone have been tampered with.

Motorola insists that eFuse is a customer-focused security measure that helps to protect user data.

iTunes Store Hacked by Rogue Developer

Monday, July 5th, 2010

A developing story on Engadget reports that, just this weekend, the top 50 in the Books by Revenue category on the iTunes App Store had been dominated by 42 titles from a single developer. Additionally, these titles appeared to have virtually no user reviews and featured possibly stolen content.

But even more concerning, Engadget reports that, while still unconfirmed, these rogue book apps were catapulted up the sales chart by fraudulent charges to unknowing iTunes customers for downloading the books, purchases these customers never authorized.

Since the initial report, Apple has confirmed the situation and has responded by removing the developer in question, and all of his apps, from the iTunes store. Apple has not commented, however, on any fraudulent credit card charges reportedly linked to this scenario.

Ford’s Planned “App Store for Cars” Raises Security Concerns

Thursday, June 10th, 2010

We’ve previously reported on the security vulnerabilities found in modern, computer-controlled and network-connected cars, as well as the move by auto companies toward new technologies such as cloud computing and mobile app technology.

With this increasing use of wireless and CPU-controlled technology in cars, The Sydney Morning Herald recently published a comprehensive look at growing concern that today’s, and tomorrow’s, automobiles are becoming increasingly vulnerable to hackers.

The big problem for car makers…will be those who open up their vehicles to add-on software applications, or “apps”….

In much the same way as we add software to a mobile phone today, some car makers envisage a future where owners can add functionality to their car via an internet connection. [...]

Ford has recently asked its US customers to nominate applications they would like to see in the connected car of the future, a move that suggests makers are getting serious about rolling them into vehicles.

Ford is developing apps for products such as the iPhone, so the car’s infotainment system can, say, recognise when a friend posts a comment on Twitter and then read you what was posted….

However, download from the wrong, untrustworthy source and – just like a computer – you could get more than you’ve bargained for.

The article also describes a number of new network-connected features in automobiles from Audi, Mercedes-Benz, Volvo and Toyota.

Symantec Makes Strategic Investment in Mocana

Wednesday, May 26th, 2010

Following closely on the heels of its purchases of PGP and VeriSign, Symantec has made a major investment in smart-device security specialist Mocana, leading the company’s C-round of venture financing. As part of Symantec’s new “Norton Everywhere” initiative, aimed at securing the growing world of internet-connected, non-PC devices, the resulting technology partnership will expand Symantec’s offerings into the “Internet of Things.”

Man “Infects” Himself with Computer Virus

Wednesday, May 26th, 2010

A British researcher, using simple RFID technology, has become the first human “infected” with a computer virus. Using a contaminated implanted chip, he successfully transmitted the virus to other external systems.

HP: Smart Meter Rollouts Need More Security

Wednesday, May 19th, 2010

Under Obama’s American Recovery and Reinvestment Act, states have a limited window of time during which to invest their stimulus budgets in projects that will improve energy efficiency and make energy infrastructure more sustainable. To maximize their use of stimulus funds, states are quickly investing in smart grid technologies, a demand that tech innovator Hewlett-Packard is eager to satisfy.

However, as an article in eWEEK Europe reports, HP may be shipping to meet that demand at the expense of security. At the company’s Executive Energy Conference in Dubai, HP’s utilities industry director Ian Mitton admitted that security has been an afterthought in smart grid and metering projects, with an emphasis being placed on early deployment to meet stimulus demand and experiment with the new technology. As we’ve previously discussed, security experts have been concerned about under-secured smart grid technology being rushed to market for some time.

Hacker Plans to Unveil ATM Rootkit

Monday, May 17th, 2010

A year ago, security researcher Barnaby Jack was set to show off a new rootkit, and its capabilities for hacking ATMs, at the Black Hat Las Vegas Conference. However, facing pressure from an ATM company concerned about misuse of this information, his employer pulled the plug. Now under new employ, Jack will present his discussion, “Jackpotting Automated Teller Machines,” at this year’s conference. In it, he’ll illustrate how the software in today’s ATMs is vulnerable to network attacks as well as reveal his multi-platform rootkit.

According to Businessweek, Jack’s rootkit is a first because in the past, thieves were only able to hit ATMs by installing skimmers and cameras to steal card numbers. Instead of using the machine as a point of access to user accounts, the hacker’s new method goes after the ATM itself, exploiting software vulnerabilities to get at what’s inside.

In addition to demonstrating these vulnerabilities, Jack will discuss ways that the ATM industry can protect itself from attack methods such as his own. The presentation will occur at the Black Hat Las Vegas conference, held July 28 and 29.