Connected cars and cybercrime: A primer

/in /by

September 5, 2023 | By Rainer Vosseler | Help Net Security |

Original equipment suppliers (OEMs) and their suppliers who are weighing how to invest their budgets might be inclined to slow pedal investment in addressing cyberthreats. To date, the attacks that they have encountered have remained relatively unsophisticated and not especially harmful.

Analysis of chatter in criminal underground message exchanges, however, reveals that the pieces exist for multi-layered, widespread attacks in the coming years. And given that the automotive industry’s customary development cycles are long, waiting for the more sophisticated cyberattacks on connected cars to appear is not a practical option.

What should the world’s automotive OEMs and suppliers do now to prepare for the inevitable transition from today’s manual, car-modding hacks to tomorrow’s user impersonation, account thefts and other possible attacks?

How connectivity is changing car crime
As our vehicles become more connected to the outside world, the attack surface available to cybercriminals is rapidly increasing, and new “smart” features on the current generation of vehicles worldwide open the door for new threats.

Our new “smartphones on wheels”—always connected to the internet, utilizing many apps and services, collecting tremendous amounts of data from multiple sensors, receiving over-the-air software updates, etc.—stand to be attacked in similar ways to how our computers and handheld devices already are today.

Automotive companies need to think now about those potential future threats. A car that an OEM is planning today will likely reach the market in three to five years. It will need to be already secured against the cyberthreat landscape that might be in existence by then. If the car hits the market without the required cybersecurity capabilities, the job of securing it will become significantly more difficult.

The likelihood of substantially more frequent, devious, and harmful attacks is portended by the complex attacks on connected cars that we have seen devised by industry researchers. Fortunately, the attacks to this point largely have been limited to these theoretical exercises in the automotive industry. Car modding – e.g., unlocking a vehicle’s features or manipulating mileage – is as far as real-world implementation has gotten.

Connectivity limits some of the typical options that are available to criminals specializing in car crime. The trackability of contemporary vehicles makes reselling stolen cars significantly more challenging, and even if a criminal can manage to take a vehicle offline, the associated loss of features renders the car less valuable to potential buyers.

Still, as connectivity across and beyond vehicles grows more pervasive and complicated, so will the threat. How are attacks on tomorrow’s connected cars likely to evolve?

Emerging fronts for next-generation attacks
Because the online features of connected cars are managed via user accounts, attackers may seek access to those accounts to attain control over the vehicle. Takeover of these car-user accounts looms as the emerging front for attack for would-be car cybercriminals and even criminal organizations, creating ripe possibilities for user impersonation and the buying and selling of the accounts.

Stealing online accounts and selling them to rogue collaborators who can act on that knowledge tee up a range of future possible attacks for tomorrow’s automotive cybercriminals:

– Selling car user accounts

– Impersonating users via phishing, keyloggers or other malware

– Remote unlocking, starting and controlling connected cars

– Opening cars and looting for valuables or committing other one-off crimes

– Stealing cars and selling for parts

– Locating cars to pinpoint owners’ residential addresses and to identify when owners are not home

The crime triangle takes shape
Connected car cybercrime is still in its infancy, but criminal organizations in some nations are beginning to recognize the opportunity to exploit vehicle connectivity. Surveying today’s underground message forums quickly reveals that the pieces could quickly fall into place for more sophisticated automotive cyberattacks in the years ahead. Discussions on underground crime forums around data that could be leaked and needed/available software tools to enable attacks are already intensifying.

A post from a publicly searchable auto-modders forum about a vehicle’s multi-displacement system (MDS) for adjusting engine performance, is symbolic of the current activity and possibilities.

Another, in which a user on a criminal underground forum offers a data dump from car manufacturer, points to the possible threats that likely are coming to the industry.

Though they still seem to be limited to accessing regular stolen data, compromises and network accesses are for sale in the underground. The crime triangle (as defined by crime analysts) for sophisticated automotive cyberattacks is solidifying:

          – Target — The connected cars that serious criminals will seek to exploit in the years ahead are becoming more and more prevalent in the global marketplace.

          – Desire — Criminal organizations will find ample market incentive to monetize stolen car accounts.

          – Opportunity — Hackers are steeped in inventive methods to hijack people’s accounts via phishing, infostealing, keylogging, etc.

Penetrating and exploiting connected cars
The ways for seizing access to the data of users of connected cars are numerous: introducing malicious in-vehicle infotainment (IVI) apps, exploiting unsecure IVI apps and network connections, taking advantage of unsecure browsers to steal private data, and more.

Also, there’s a risk of exploitation of personally identifiable information (PII) and vehicle telemetric data (on a car’s condition, for example) stored in smart cockpits, to inform extremely personalized and convincing phishing emails.

Here’s one method by which it could happen:
– An attacker identifies vulnerabilities that can be exploited in a browser.

– The attacker creates a professional, attractive webpage to offer hard-to-resist promotions to unsuspecting users (fast-food coupons, discounts on vehicle maintenance for the user’s specific model and year, insider stock information, etc.)

– The user is lured into visiting the malicious webpage, which bypasses the browser’s security mechanisms

– The attacker installs backdoors in the vehicle IVI system, without the user’s knowledge or permission, to obtain various forms of sensitive data (driving history, conversations recorded by manufacturer-installed microphones, videos recorded by built-in cameras, contact lists, text messages, etc.)

 

The possible crimes enabled by such a process are wide ranging. By creating a fraudulent scheme to steal the user’s identity, for example, the attacker would be able to open accounts on the user’s behalf or even trick an OEM service team into approving verification requests—at which point the attacker could remotely open the vehicle’s doors and allow a collaborator to steal the car.

Furthermore, the attackers could use the backdoors that they installed to infiltrate the vehicle’s central gateway via the IVI system by sending malicious messages to electronic control units (ECUs). A driver could not only lose control of the car’s IVI system and its geolocation and audio and video data, but also the ability to control speed, steering and other safety-critical functions of the vehicle, as well as the range of vital data stored in its digital clusters.

Positioning today for tomorrow’s threat landscape
Until now there might have been reluctance among OEMs to invest in averting cyberattacks, which haven’t yet materialized in the real world. But a 2023 Gartner Research report, “Automotive Insight: Vehicle Cybersecurity Ecosystem Creates Partnership Opportunities,” is among the industry research documenting a shift in priorities.

Driven by factors such as the significant risk of brand and financial damage from cyberattacks via updatable vehicle functions controlled by software, as well as emerging international regulatory pressures such as the United Nations (UN) regulation 155 (R155) and ISO/SAE 21434, OEMs have begun to emphasize cybersecurity.

And today, they are actively evaluating and, in some cases, even implementing a few powerful capabilities:
– Security for IVI privacy and identity

– Detection of IVI app vulnerabilities

– Monitoring of IVI app performance

– Protection of car companion apps

– Detection of malicious URLs

– 24/7 surveillance of personal data

Investing in cybersecurity in the design stage, versus after breaches, will ultimately prove less expensive and more effective in terms of avoiding or mitigating serious crimes involving money, vehicle and identity theft from compromised personal data by the world’s most savvy and ambitious business criminals.

Read the original article HERE

Using technology to help find missing children

/in /by

September 8, 2023 | Fox 5 Atlanta | By Denise Dillon |

ATLANTA – The National Center for Missing and Exploited Children has a new way to alert people to be on the lookout for missing kids in their area.

The organization has helped law enforcement across the country find more than 450,000 missing children since 1994. One thing they do with all the children is push their photo out to the public as quickly as possible. They’ve done this through posters, billboards, social media, and now QR codes.

“It puts the most recent missing child images literally in the palm of your hand,” said John Bischoff with the National Center of Missing and Exploited Children.

Just by scanning the QR code with your cell phone, you’ll be able to see photos of all the missing children in your area.

“These kids are out there. They need our help. It just takes the right person to help them out,” said Bischoff.

Bischoff says on any given day there are about 7,000 missing children in the U.S.

“It’s a scary number. These are kids where their families don’t know their whereabouts,” said Bischoff.

Bischoff understands the importance of putting out pictures of these children, in hopes that someone sees them or has information about them.

“We’d send out loads of printed posters just to keep engaged with the community to remind them this child is missing in your area,” said Bischoff.

The QR code gets the images out faster and lets you see images of missing children within 50 miles of your location.

I did it from Marietta and the images of 51 missing children popped up with their name, age, how long they’ve been missing and the last place they were seen. By clicking on a photo, you can easily submit a tip or share the image.

“We know someone is going to use this QR code. We know they’re going to recognize something. All it takes is one set of eyes to be a hero,” said Bischoff.

The QR code was just launched a couple of weeks ago… Now the national center for missing and exploited children is working on partnerships to get the QR code on water bottles, chip bags, storefronts, anywhere they can.

You can scan the QR code at: https://www.missingkids.org/blog/2023/new-posters-qr-code

Read the original article HERE

Meta plans to roll out default end-to-end encryption for Messenger by the end of the year

/in /by

August 23, 2023 | By Ivan Mehta | TechCrunch |

Meta said today that the company plans to enable end-to-end encryption by default for Messenger by the end of this year. The tech giant is also expanding its test of end-to-end encryption features to “millions more people’s chats.”

The company has been building end-to-end encryption features in Messenger for years now. However, most of them have been optional or experimental. In 2016, Meta started rolling out end-to-end encryption protection through a “secret conversations” mode. In 2021, it introduced such an option for voice and video calls on the app. The company made a similar move to provide an end-to-end encryption option for group chats and calls in January 2022. In August 2022, Meta started testing end-to-end encryption for individual chats.

There is increasing pressure on Meta to enable end-to-end encryption so the company or others can’t access users’ chat messages. Protecting individual communications has become more important after a girl and her mother in Nebraska pleaded guilty to abortion charges in July after Meta handed over her DMs to cops. Last year, the police prosecuted the 17-year-old based on data about her direct messages from Messenger provided by Meta soon after the Supreme Court overturned Roe v. Wade, a 1973 judgment to make abortion legal.

In a letter to the digital rights advocacy group Fight for the Future (via The Verge) this month, Meta’s deputy privacy officer Rob Sherman said that it will roll out end-to-end encryption to Instagram DMs after the Messenger rollout. He also mentioned that “the testing phase has ended up being longer than we anticipated” because of engineering challenges.

In a blog post, the company explained that there were significant challenges in building out encryption features for Messenger. The company had to shed the old server architecture and build a new way for people to manage their chat history through protections like a PIN.

Meta added that it had to rebuild over 100 features like showing link previews in conversations to accommodate end-to-end encryption. The company’s popular messaging app WhatsApp has had end-to-end encryption for years, and in recent years it has figured out a way to support multi devices for one account without breaking encryption. Meta said that the Messenger team is learning lessons from WhatsApp to implement end-to-end encryption.

After the incident, multiple organizations, including Amnesty International, Access Now, and Fight for the Future wrote a petition to Meta and other platforms to enable end-to-end encryption for private chats.

Authorities around the world have been exploring rules that could put encryption in messaging apps at risk. While Meta has pushed back on these proposals through WhatsApp to support end-to-end encryption, it is yet to fully build out these protections for Messenger and Instagram DMs.

Read the original article HERE.

Cellebrite asks cops to keep its phone hacking tech ‘hush hush’

/in /by

August 19, 2023 | By Lorenzo Franceschi-Bicchierai | TechCrunch|

The phone hacking tech company asks law enforcement users to keep the use of its technology as secret as possible

For years, cops and other government authorities all over the world have been using phone hacking technology provided by Cellebrite to unlock phones and obtain the data within. And the company has been keen on keeping the use of its technology “hush hush.”

As part of the deal with government agencies, Cellebrite asks users to keep its tech — and the fact that they used it — secret, TechCrunch has learned. This request concerns legal experts who argue that powerful technology like the one Cellebrite builds and sells, and how it gets used by law enforcement agencies, ought to be public and scrutinized.

In a leaked training video for law enforcement customers that was obtained by TechCrunch, a senior Cellebrite employee tells customers that “ultimately, you’ve extracted the data, it’s the data that solves the crime, how you got in, let’s try to keep that as hush hush as possible.”

“We don’t really want any techniques to leak in court through disclosure practices, or you know, ultimately in testimony, when you are sitting in the stand, producing all this evidence and discussing how you got into the phone,” the employee, who we are not naming, says in the video.

For legal experts, this kind of request is troubling because authorities need to be transparent in order for a judge to authorize searches, or to authorize the use of certain data and evidence in court. Secrecy, the experts argue, hurts the rights of defendants, and ultimately the rights of the public.

“The results these super-secretive products spit out are used in court to try to prove whether someone is guilty of a crime,” Riana Pfefferkorn, a research scholar at the Stanford University’s Internet Observatory, told TechCrunch. “The accused (whether through their lawyers or through an expert) must have the ability to fully understand how Cellebrite devices work, examine them and determine whether they functioned properly or contained flaws that might have affected the results.”

“And anyone testifying about those products under oath must not hide important information that could help exonerate a criminal defendant solely to protect the business interests of some company,” said Pfefferkorn.

Hanni Fakhoury, a criminal defense attorney who has studied surveillance technology for years, told TechCrunch that “the reason why that stuff needs to be disclosed, is the defense needs to be able to figure out ‘was there a legal problem in how this evidence was obtained? Do I have the ability to challenge that?’”

The Cellebrite employee claims in the video that disclosing the use of its technology could help criminals and make the lives of law enforcement agencies harder.

“It’s super important to keep all these capabilities as protected as possible, because ultimately leakage can be harmful to the entire law enforcement community globally,” the Cellebrite employee says in the video. “We want to ensure that widespread knowledge of these capabilities does not spread. And if the bad guys find out how we’re getting into a device, or that we’re able to decrypt a particular encrypted messaging app, while they might move on to something much, much more difficult or impossible to overcome, we definitely don’t want that.”

Cellebrite spokesperson Victor Cooper said in an email to TechCrunch that the company “is committed to support ethical law enforcement. Our tools are designed for lawful use, with the utmost respect for the chain of custody and judicial process.”

“We do not advise our customers to act in contravention with any law, legal requirements or other forensics standards,” the spokesperson said. “While we continue protecting and expect users of our tools to respect our trade secrets and other proprietary and confidential information, we also permanently continue developing our training and other published materials for the purpose of identifying statements which could be improperly interpreted by listeners, and in this respect, we thank you for bringing this to our attention.”

When asked whether Cellebrite would change the content of its training, the spokesperson did not respond.

The Electronic Frontier Foundation’s senior staff attorney Saira Hussain and senior staff technologist Cooper Quintin told TechCrunch in an email that “Cellebrite is helping create a world where authoritarian countries, criminal groups, and cyber-mercenaries also are able to exploit these vulnerable devices and commit crimes, silence opposition, and invade people’s privacy.”

Cellebrite is not the first company that asks its customers to keep its technology secret.

For years, government contractor Harris Corporation made law enforcement agencies who wanted to use its cellphone surveillance tool, known as stingrays, sign a non-disclosure agreement that in some cases suggested dropping cases rather than disclosing what tools the authorities used. These requests go as far back as the mid 2010s, but are still in force today.

Here’s the full transcript of the training video…

Continue reading the full article HERE.

How to Remove Your Info From Google With the ‘Results About You’ Tool

/in /by

August 9, 2023 | By Reece Rogers | Wired |

You can soon set up alerts for whenever your home address, phone number, or email address appears in Search.

IN 2022, GOOGLE launched the “Results about you” tool to help people remove personal info from the company’s search results. With billions of searches happening daily on Google, finding your private phone number or home address indexed for the world to see can be quite shocking. Luckily, new updates to “Results about you” make it easier to discover when your data pops up in Search.

Previously, you had to proactively find the links of sites hosting your personal data to report and request the removal of identifiable information. Now, you’ll be able to set up alerts for whenever your email, home address, or phone number appear on Google. At first, this update will only be available in the US and scan for results just in English.

“Results about you” is accessible in your browser or through the mobile app. For browsers, log into Google or create an account, then visit this webpage to get started. If you’re using the app (Android, Apple), tap on your profile icon, then select the option from the menu.

After the update fully rolls out, here’s where you’ll find tabs labeled Results to review and Reviewed. Input the personal data you’d like to be notified about if it appears in Search, and results containing that info will appear in the “Results to review” section. The mobile app can send you a push notification when new results are added.

For more detailed directions about what info you’ll need in order to submit the removal request to Google, check out my article that steps you through the complete process. Once your request is submitted, use the “Results about you” tool to track whether the request is in progress, approved, or denied. Here’s three things worth keeping in mind:

This is just a request. The people at Google reviewing your request could decide to do nothing, remove the result when associated with your name, or completely remove the result.
Some of the other personal info that you can request for removal includes social security numbers, credit cards, handwritten signatures, medical records, and login credentials.
Google can remove the search result to lessen traffic, but you have to contact the owner or hosting service behind the webpage where it’s posted to get the data scrubbed completely.
In the past, criticism of Google’s privacy features focused on how these tools placed the onus on users to defend themselves. By streamlining aspects of the removal process for personal information and enabling proactive notifications, the company is making small, but important, moves toward less burdensome privacy controls.

“Results about you” is a free tool worth using, but if you have concerns about online doxxing, it might be worth considering a paid service as well, like DeleteMe, that tries to thwart online data brokers. Want to go even more incognito online? Try some of WIRED’s tips for disappearing from the internet.

Read the original article HERE.