Phreaking Cars and Killer Robots
Jim Tiller
Fractional Executive (CISO/CIO) | Author | Patent Holder | Industry Leader | Co-Host DtSR Podcast | NIST | CMMC | CISSP | CISM | CISA | NYDFS | FAIR | NSA IEM | NSA IAM
This week we have some repeat business from vulnerabilities in cars that are a bit unsettling, and even more news around TikTok. I can’t imagine anyone still has that app, but there ya go! Also, the UK and US are banning surveillance cameras made in China (something India was already doing back in 2010), more vulnerabilities in OT surface reminding us that industrial systems are at risk, and the UK looks to roll out heavy-hitting legislation demanding the reporting of incidents by MSPs.
Car Phreak
After finding multiple types of vulnerabilities in cars throughout 2022, researchers started to ask who is providing the systems for most of the manufacturers and started digging. It didn’t take long to find a vulnerability in Sirius XM's Connected Vehicle Services that allows a hacker to unlock doors and start engines remotely just by knowing the vehicle identification number (VIN). As highlighted in this newsletter a number of times, as we adopt technology in “everyday” things we expose ourselves to entirely new threats and risks. What’s interesting is that we have a hard time securing a basic computer, and while losing control of it is bothersome, having your car exposed, well, that’s a game changer.
Phreak reference - https://en.wikipedia.org/wiki/Phreaking
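The flaw class described above, a remote-command endpoint that treats a vehicle identifier as if it were a credential, is easy to see in a small model. The following is an added illustration, not Sirius XM's code or anything from the research; the service, the VINs and the account names are constructed. It contrasts an endpoint that accepts a VIN alone with one that binds the VIN to the authenticated account, and adds a simple log check that flags a session hitting many vehicles it does not own, which is what a VIN-guessing attempt looks like from the defender's side.

```python
"""Constructed model of a connected-vehicle command API.

Not Sirius XM's implementation: the VINs, accounts and return strings are
made up for the example. Shows why a public identifier (VIN) must never be
the only authorization input, and how the hardened version's denial log can
surface enumeration attempts.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VehicleService:
    # Constructed sample data: VIN -> owning account id (not real vehicles).
    owners: dict = field(default_factory=lambda: {
        "1HGCM82633A004352": "alice",
        "JH4KA7561PC008269": "bob",
    })
    # Audit log of commands and denials; the detector below reads this.
    log: list = field(default_factory=list)

    def command_vulnerable(self, vin: str, action: str) -> str:
        """Weak design: the VIN is the only input, so anyone who knows or
        guesses a VIN can unlock or start that vehicle."""
        if vin not in self.owners:
            return "unknown vehicle"
        self.log.append(("ok", None, vin, action))
        return f"{action} sent to {vin}"

    def command_hardened(self, session_user: Optional[str], vin: str, action: str) -> str:
        """Hardened design: the caller must be authenticated, and the VIN must
        belong to that account (object-level authorization). Unknown VINs and
        vehicles owned by someone else get the same answer, so the response
        does not reveal which VINs exist."""
        if session_user is None:
            return "denied: unauthenticated"
        if self.owners.get(vin) != session_user:
            self.log.append(("denied", session_user, vin, action))
            return "denied"
        self.log.append(("ok", session_user, vin, action))
        return f"{action} sent to {vin}"


def flag_enumeration(log: list, threshold: int = 3) -> list:
    """Return accounts whose denied commands touched at least `threshold`
    distinct VINs. One wrong VIN is a typo; many is someone probing."""
    seen: dict = {}
    for status, user, vin, _action in log:
        if status == "denied":
            seen.setdefault(user, set()).add(vin)
    return sorted(user for user, vins in seen.items() if len(vins) >= threshold)


if __name__ == "__main__":
    svc = VehicleService()
    # Anyone holding the VIN can drive the vulnerable endpoint.
    print(svc.command_vulnerable("1HGCM82633A004352", "unlock"))
    # The hardened endpoint refuses bob for alice's car but allows alice.
    print(svc.command_hardened("bob", "1HGCM82633A004352", "unlock"))
    print(svc.command_hardened("alice", "1HGCM82633A004352", "unlock"))
    # bob probing three VINs he does not own trips the detector.
    for probe in ("VINPROBE0000001", "VINPROBE0000002", "VINPROBE0000003"):
        svc.command_hardened("bob", probe, "start")
    print(flag_enumeration(svc.log))
```

The point of the hardened path is that the VIN is looked up through the session, never the other way round; the VIN is public information printed on the dashboard and the registration, so it carries no proof of who is asking.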
Spying Cameras Being Spied On
Is it me, or do you find it interesting that both the UK and the US banned Chinese-manufactured surveillance cameras on basically the same day? It’s fun to see the results of secret collaboration materialize in the media. This one is just another in a series of Chinese technical products being banned by the US and the UK. Interestingly, many may not know this, but the first to openly ban Chinese telecom products was India, which identified 26 specific products that were no longer permitted back in 2010. In this case, the concern is the existence of back channels embedded in the chipset of the cameras allowing image processing by the Chinese government. Of course, these concerns are well-founded. In fact, many years ago there was a research project performed in the UK in concert with telecommunications companies evaluating equipment, where very sharp British technologists found that the boxes from Chinese providers were, well, phoning home. Putting aside the spy-versus-spy elements, this speaks clearly to the vastly complex supply chain security challenges and the massive risks they can represent.
India ban - https://www.itnews.com.au/news/india-bans-chinese-networking-kit-over-security-fears-173835
India telecom ban - https://timesofindia.indiatimes.com/business/india-business/citing-national-security-govt-set-to-bar-chinese-telecom-gear/articleshow/79769475.cms
I’ve Lost Count
Things continue to pile up on TikTok, and for good reason. This week the Governor of South Dakota banned the app from being downloaded, used, or even accessed via a browser on state devices by all state agencies, employees and contractors, due to well-documented data collection practices by the Chinese Communist Party (CCP). The interesting part is that this will start a trend, and that trend will evolve rapidly into limiting software use when performing work for an organization, not just on company- or state-owned systems. We have seen this come and go with BYOD concepts from the early 2000s to this day. However, as we become more aware of just what is being collected on devices, you quickly learn that it is a comprehensive act, targeting not just the individual but the environment and all interactions. We’ll have to come to grips with that very soon.
State press release - https://news.sd.gov/newsitem.aspx?id=31872
State order - https://governor.sd.gov/doc/GovNoem-EO_2022-10.pdf
Now You See Me
TikTok’s “invisible challenge” that’s going around is being used by criminals to deploy malware via a fake app. As people upload videos of themselves unclothed, a filter is applied to blur out their body. Hackers are posting an “unfilter” app, convincing people to install it so they can see the actual picture of presumably naked people. Turns out millions have fallen victim, and I’m sure many more will now that their phone is laced with malware.
Robots Attack!
Adding to the long list of Operational Technology (OT) insecurity is a report this week noting three vulnerabilities identified in two German companies, factory automation manufacturer Festo and automation software company CODESYS, allowing attackers to perform everything from manipulating code to denial of service. CODESYS has more than 8 million licenses, with reports demonstrating more than 3000 impacted systems accessible and discoverable from the Internet. To put things in perspective, even advanced systems will use PLCs (Programmable Logic Controllers) to perform specific, repeatable tasks. As many learned with Stuxnet, computers controlling physical systems can be manipulated in ways that weren’t intended. For example, around 1991 I was using PLC systems to control fuel systems, and any control error could have been disastrous. But once the code was written it was locked away in the controller. Today controllers are directly connected to central systems and the Internet. In fact, we’re still dealing with old tech connected to the Internet in SCADA systems related to utilities. As we push forward with technology, we must also push forward with security. But I think we’re lagging, and that gap is increasing dramatically.
Stuxnet reference - https://www.csoonline.com/article/3218104/stuxnet-explained-the-first-known-cyberweapon.html
UK MSPs Forced to Report
This week the UK Government introduced legislation requiring all Managed Service Providers (MSPs) to disclose security incidents, with related fines starting at £17 million. This movement of governments – especially in the US, UK and Europe – and government agencies demanding that incidents be reported is moving rapidly. Frankly, it’s completely predictable as the digital world becomes more “systemically exposed”, such as huge swaths of companies and organizations that can be impacted by an incident affecting a single company, such as an MSP or cloud provider. We’re even seeing cyberinsurance companies recalculate their coverage expectations related to multi-client-impacting events in the cloud. As far as reporting to an agency, and not doing so garnering at least £17M in fines, being of value to organizations and the public at large still needs to be proven – at least to me anyway. Yes, I believe information sharing is at the heart of effective security. Yes, I believe that a well-structured approach to incidents can greatly reduce exposures and proliferation of damage. However, I still struggle with how that could be used against an organization. It should be interesting to see how this evolves.
Article (very good, must-read) - https://therecord.media/uk-introducing-mandatory-cyber-incident-reporting-for-managed-service-providers/