Category Archives: What the Hack!

You can hack what?!


From skateboards and trucks to medical devices and rifles, these recent hacks show that every “thing” is at risk.


Musicians have the GRAMMYs. Actors have the Emmys. Athletes have the ESPYS. Hackers, well they have Black Hat. Every year, more than 10,000 security pros converge in Las Vegas to explore the latest network flaws, device vulnerabilities and cyber attacks of the past, present and future. While these demonstrations have typically focused on taking control of computers, the rise of the Internet of Things means just about any “thing” can be susceptible to malicious intruders. As we gear up for what will surely be an insane amount of coverage across all media channels, here are a few hacks that’ll surely grab your attention.

OnStar vehicles

Serial hacker Samy Kamkar has devised a tablet-sized box that could easily tap into and wirelessly take control of a GM car’s futuristic features. With connected car security a hot topic at this year’s conferences, the Los Angeles-based entrepreneur has created a device — dubbed OwnStar — that can locate, unlock and remotely start any vehicle with OnStar RemoteLink after intercepting communication between the RemoteLink mobile app and OnStar servers.


The system is driven by a Raspberry Pi and uses an ATmega328 to interface with an Adafruit FONA for cellular connection. After opening the OnStar RemoteLink app on a smartphone within Wi-Fi range of the hacking gadget, OwnStar works by intercepting the communication. Essentially, it impersonates the wireless network to fool the smartphone into silently connecting. It then sends specially crafted packets to the mobile device to acquire additional credentials and notifies the attacker over 2G about the new vehicle it indefinitely has access to, namely its location, make and model.

With the user’s login credentials, an attacker could do just about anything he or she wants, including tracking a car, unlocking its doors and stealing stuff inside (when carjacking meets car hacking), or starting the ignition from afar. Making matters worse, Kamkar says a remote control like this can give a malicious criminal the ability to drain the car’s gas, fill a garage with carbon monoxide or use its horn to drum up some mayhem on the street. The hacker can also access the user’s name, email, home address, and the last four digits and expiration date of a credit card, all of which are accessible through an OnStar account.

Tesla Model S

Researchers said they took control of a Tesla Model S car and turned it off at low speed, one of six significant flaws they found that could provide hackers total access to vehicles, the Financial Times reported.


Kevin Mahaffey, CTO of Lookout, and Marc Rogers, principal security researcher at Cloudflare, said they decided to hack a Tesla car because the company has a reputation for understanding software better than most automakers. The hackers had to physically gain entry into the vehicle, which made the attack more difficult than many others. Once they had connected through an Ethernet cable, they were later able to access the systems remotely. These included the screens, speedometer, windows, electronic locks, and the ignition.

“We shut the car down when it was driving initially at a low speed of five miles per hour. All the screens go black, the music turns off and the handbrake comes on, lurching it to a stop,” Rogers describes.

Tesla has since issued a patch to fix the flaws.

Electric skateboards

After his own electric skateboard abruptly stopped working last year, unable to receive commands from its remote control, Richo Healey decided to delve a bit deeper into the incident. What he discovered was that the volume of Bluetooth traffic around the intersection had interfered with his remote control’s connection to the board.


Cognizant of this defect, Healey teamed up with fellow researcher Mike Ryan to examine the hackability of his and other e-skateboards on the market today. The result was an exploit they developed called FacePlant that can give them complete control of someone’s gadget.

The duo describes FacePlant as “basically a synthetic version of the same RF noise” that Healey experienced at the intersection in his hometown of Melbourne. The exploit ultimately allows them to gain total control of someone cruising down the street or sidewalk, which means they could easily cold stop a board or send it flying in reverse, tossing the rider.

They found at least one critical vulnerability in each board they examined, all of which hinge on the fact that the manufacturers of the boards failed to encrypt the communication between the remotes and the boards. The attack for controlling them is essentially identical across the board (no pun intended), but the mechanism for conducting it differs somewhat for each one. As a result, they’ve only completed an exploit for the Boosted board at this time.

Square readers

Three former Boston University students have highlighted a vulnerability in the hardware of Square readers that would enable hackers to convert a reader into a credit card skimmer in less than 10 minutes. The rigged PoS device could then be used to steal personal information with a custom recording app.


Computer engineering grads Alexandrea Mellen, John Moore and Artem Losev unearthed the flaw last year in a project for their cybersecurity class. They also found that Square Register software could be hacked to enable unauthorized transactions at a later date.

“The merchant could swipe the card an extra time at the point of sale. You think nothing of it, and a week later when you’re not around, I charge you $20, $30, $100, $200… You might not notice that charge. I get away with some extra money of yours,” Moore explains.

The group says there is no evidence that either of the vulnerabilities has been employed to scam credit card holders, but warns that their findings raise red flags for the fast-emerging mobile commerce industry.

Medical devices

The U.S. Food and Drug Administration and Department of Homeland Security have both issued advisories warning hospitals not to use the Hospira infusion system Symbiq due to cybersecurity risks. While no known attack has occurred, hackers could theoretically tamper with the intravenous infusion pump by accessing a hospital’s network.

“This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies,” the FDA said in a statement.

Hospira has since discontinued the manufacture and distribution of the Symbiq Infusion System, because of unrelated issues, and is working with customers to transition to alternative systems. However, amid the latest string of security woes, the FDA strongly encourages healthcare facilities to begin transitioning to other infusion systems as soon as possible.

This isn’t the first time vulnerabilities in medical devices have been in the spotlight. Back in 2014, Scott Erven and his team found that drug infusion pumps could be remotely manipulated to change the dosage doled out to patients. On top of that, a WIRED article noted that “Bluetooth-enabled defibrillators could be hacked to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring, X-rays that can be accessed by outsiders lurking on a hospital’s network; temperature settings on refrigerators storing blood and drugs that can be reset, causing spoilage; and digital medical records that can be altered to cause physicians to misdiagnose, prescribe the wrong drugs or administer unwarranted care.”

Semi trucks

Asset-tracking systems made by Globalstar and its subsidiaries were discovered to have flaws that would enable a hijacker to track valuable and sensitive cargo and then disable the location-tracking device used to monitor it. From there, criminals could potentially fake the coordinates to make it appear as if the shipment was still traveling its intended route. Or, as WIRED points out, a hacker who simply wanted to cause chaos could feed false coordinates to companies and militaries monitoring their assets and shipments, making it appear as if those assets had been taken over.


These findings were brought to light by Colby Moore, a researcher with the security firm Synack. The same vulnerable technology isn’t only employed for tracking cargo; it’s also used in people-tracking systems for search-and-rescue missions and in SCADA environments.

As Moore tells the magazine, the Simplex data network that Globalstar uses for its satellites doesn’t encrypt communication between the tracking devices, orbiting satellites and ground stations, nor does it require that the communication be authenticated so that only legitimate data gets sent. Consequently, a hacker could intercept the communication, spoof it or jam it.

“Each device has a unique ID that’s printed on its outer casing. The devices also transmit their unique ID when communicating with satellites, so an attacker targeting a specific shipment could intercept and spoof the communication. Often the unique IDs on devices are sequential, so if a commercial or military customer owns numerous devices for tracking assets, an attacker would be able to determine other device IDs, and assets, that belong to the same company or military based on similar ID numbers.”

Rifles

Security researchers Runa Sandvik and Michael Auger have hacked a pair of $13,000 TrackingPoint self-aiming rifles. The duo has developed a set of techniques that could let an attacker compromise the gun via its Wi-Fi connection and exploit vulnerabilities in its software. According to WIRED, the tactics can change variables in the scope’s calculations that make the rifle inexplicably miss its target, permanently disable the scope’s computer, or even prevent the gun from firing.


“The first of these has to do with the Wi-Fi, which is off by default, but can be enabled so you can do things like stream a video of your shot to a laptop or iPad. When the Wi-Fi is on, the gun’s network has a default password that allows anyone within Wi-Fi range to connect to it. From there, a hacker can treat the gun as a server and access APIs to alter key variables in its targeting application.”

Additionally, the researchers shared that a hacker could alter the rifle in a way that would persist long after that Wi-Fi connection is broken. It’s even possible, they tell WIRED, to implant the gun with malware that would only take effect at a certain time or location, based on querying a user’s connected phone.

Hijacking data as sound waves

Reuters has reported that a team of researchers led by Ang Cui has demonstrated the ability to hijack standard equipment inside computers, printers and millions of other electronic devices to send information through sound waves.


The project, called Funtenna, refers to a software payload that intentionally causes its host hardware to act as an improvised RF transmitter, using existing components that are typically not designed for electromagnetic emanation.

The program works by taking control of the physical pins on general-purpose input/output circuits and vibrating them at a frequency of the researchers’ choosing, which can be audible or not. The vibrations can be picked up with an AM radio antenna a short distance away.

The new transmitting antenna adds another potential channel that would be hard to detect because no traffic logs would catch data leaving the premises. Cui tells Reuters that hackers would need an antenna close to the targeted building to pick up the sound waves, as well as find some way to get inside a targeted machine and convert the desired data to the format for transmission.

Smart homes

Tobias Zillner and Sebastian Strobl of Cognosec uncovered flaws in the ZigBee standard, which is widely used by countless IoT appliances. Specifically, the researchers shed light on the fact that the protocol’s reliance on an insecure default link key with smart gadgets opens the door for hackers to spoof them and potentially gain control of your connected home. According to Cognosec, the items that have been tested and proven to be susceptible include light bulbs, motion sensors, temperature sensors and door locks.

“If a manufacturer wants a device to be compatible to other certified devices from other manufacturers, it has to implement the standard interfaces and practices of this profile. However, the use of a default link key introduces a high risk to the secrecy of the network key,” the team states in its recent paper. “Since the security of ZigBee is highly reliant on the secrecy of the key material and therefore on the secure initialisation and transport of the encryption keys, this default fallback mechanism has to be considered as a critical risk. If an attacker is able to sniff a device and join using the default link key, the active network key is compromised and the confidentiality of the whole network communication can be considered as compromised.”

[Images: Samy Kamkar, Tesla, Colby Moore, Square, WIRED, Ang Cui]

Breach Brief: Hackers threaten to expose 37 million AshleyMadison.com users


Hacker group targets AshleyMadison.com because it has allegedly been lying to customers about its “full delete” feature.


Hackers are threatening to leak the personal details of more than 37 million users of the notorious affair website AshleyMadison.com, after claiming they broke into the site’s systems.


What happened? According to Krebs on Security, the intruders are a group of hackers who go by the name of “Impact Team.” The team claims to have broken into the systems belonging to Avid Life Media, the owner of the site with the tagline of “Life is short. Have an affair.”

Who’s behind the attack? The hackers’ main reason for the breach is that, although AshleyMadison.com claims that its $19 fee completely erases a user’s information, this is not the case. “Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed,” the Impact Team reveals.

What information was breached? The group claims to have complete access to Avid Life Media’s database, including not only user records for every single member, but financial and other proprietary information. For now, the Impact Team has only released 40MB of data, such as credit card details and several important documents.

What they’re saying: “We apologize for this unprovoked and criminal intrusion into our customers’ information. The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies. We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world. As other companies have experienced, these security measures have unfortunately not prevented this attack to our system. At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber–terrorism will be held responsible,” the company explained in a statement.

The intrusion at AshleyMadison.com comes in the wake of several other breaches, some of them in the same space. One in particular, AdultFriendFinder, was hacked earlier in the year, exposing the personal information of almost 4 million members. With the number of cyber incidents on the rise and no apparent end in sight, taking the necessary measures to safeguard networks has never been so paramount.

Breach Brief: UCLA Health data breach may affect 4.5 million people


Hackers have gained access into the network of the Ronald Reagan UCLA Medical Center and three other hospitals.


A cyber attack on the UCLA Health system may have exposed the information of as many as 4.5 million people, officials say.

(Source: Wikipedia)

What information was breached? During the breach, which was announced Friday, the attackers accessed parts of the computer network that contain personal information, including names, addresses, dates of birth, social security numbers, medical record numbers, Medicare and health plan IDs, as well as some medical information like conditions, medications, procedures, and test results.

How many were affected? At this time, it is believed that as many as 4.5 million patients may have been affected across the network, which includes Ronald Reagan UCLA Medical Center and three other hospitals.

When did it occur? Suspicious activity was first detected in the network last October, prompting an investigation assisted by the FBI. Based on the investigation, it appears that the attackers may have even had access to these parts of the system as early as September 2014. It was only on May 5, 2015 that UCLA Health discovered that the part of the network in question had, in fact, been accessed.

What they’re saying: “At this time, there is no evidence that the attacker actually accessed or acquired individuals’ personal or medical information. Because UCLA Health cannot conclusively rule out the possibility that the attackers may have accessed this information, however, individuals whose information was stored on the affected parts of the network are in the process of being notified,” the healthcare provider wrote in a statement.

The latest incident demonstrates that healthcare is among the top industries at risk of being targeted by cyber criminals, raising concerns over the safeguarding of electronic medical records and other sensitive data. This attack comes on the heels of several other breaches, namely Anthem, which impacted 80 million Americans earlier this year. With the number of breaches on the rise and no apparent end in sight, how can you ensure that your network is protected?

Breach Brief: Trump Hotel Collection likely victim of data breach

The Trump Hotel Collection appears to be the latest organization to be hit with a major credit card breach, according to a report from Krebs on Security.

(Source: Trump Hotel Collection)

What happened? Sources reveal that several banks have traced a pattern of fraudulent debit and credit card charges to accounts that had all been used at Trump hotels.

What they’re saying: “Like virtually every other company these days, we have been alerted to potential suspicious credit card activity and are in the midst of a thorough investigation to determine whether it involves any of our properties. We are committed to safeguarding all guests’ personal information and will continue to do so vigilantly,” Eric Trump, EVP of Development and Acquisitions said in a statement.

If confirmed, the incident would be the latest in a long string of breaches involving the hospitality industry, which include Mandarin Oriental and White Lodging this past spring. With the number of hacks on the rise and no apparent end in sight, how can you ensure that your network and its data are protected?

Breach Brief: Cyberattack on LOT Polish Airlines grounds 10 flights


Hackers grounded 10 flights and delayed another 12 at Polish airline LOT after breaching its computer system.


Nearly 1,400 passengers of the Polish airline LOT were affected at Warsaw’s Chopin airport on Sunday after hackers managed to access the computer system responsible for issuing flight plans.

(Source: Wikipedia)

What happened? The cyberattack targeted computers issuing flight plans at Warsaw’s Chopin Airport, officials said. As a result, LOT was forced to ground 10 flights and delay another 12, including those to Hamburg, Dusseldorf and Copenhagen. The breach took place in the afternoon and, once detected, took about five hours to repair. However, the source of the hack remains unknown.

What they’re saying: In a statement, the airline said that the airport itself wasn’t affected, nor were flights already in the air compromised by the breach. “We’re using state-of-the-art computer systems, so this could potentially be a threat to others in the industry,” company spokesman Adrian Kubicki said.

This latest incident comes amid growing concerns that even the most trusted sites and systems can be used by hackers aimed at infiltrating sensitive industries. With the number of breaches on the rise and no apparent end in sight, how can you ensure that your network and its data are protected?

Breach Brief: FBI investigating Cardinals for hacking Astros computer network


According to the New York Times, the FBI is investigating St. Louis Cardinals officials for hacking into the Houston Astros’ internal network.


The St. Louis Cardinals are being investigated by the FBI and the U.S. Justice Department for possibly hacking into the internal network of the Houston Astros to steal information on player personnel, the New York Times has reported.

(Screenshot: SI.com)

What happened? Investigators have come across evidence that the Cardinals front office staff may have broken into the network of the Astros, which housed a number of special databases. According to officials, internal discussions around trades, proprietary stats and scouting reports were among the information compromised.

How did it happen? The intrusion does not appear to be sophisticated, law enforcement officials have noted. According to the New York Times, the FBI believes Cardinals personnel gained access to the Astros’ system by using a list of passwords associated with Astros general manager Jeff Luhnow dating to his tenure with the Cardinals from 2003 until he left for Houston after the 2011 season.

What they’re saying: MLB has shared that it has fully cooperated with the ongoing investigation, which began last year after data was posted anonymously online. According to the statement, “Major League Baseball has been aware of and has fully cooperated with the federal investigation into the illegal breach of the Astros’ baseball operations database. Once the investigative process has been completed by federal law enforcement officials, we will evaluate the next steps and will make decisions promptly.”

The professional sports world has seen everything from Spygate to Deflategate in recent months, but perhaps this cyberattack marks the start of the next wave of cheating. This latest high-profile incident comes amid growing concerns that even the most trusted sites and systems can be used by hackers aimed at infiltrating sensitive industries. With the number of breaches on the rise and no apparent end in sight, how can you ensure that your network and its data are protected?

Breach Brief: Cyberattack compromises the data of at least 4 million government workers


Four million current and former federal employees may have had their personal information hacked.


Hackers based in China breached U.S. Office of Personnel Management (OPM) computers, according to officials. One spokesperson has even described the incident as perhaps one of the largest thefts of government data ever.


What happened? According to the Washington Post, the cyber intruders accessed information that included employees’ Social Security numbers, job assignments, performance ratings and training information. No direct deposit data was exposed. Unfortunately, officials could not say for certain what data was taken, only which information had been accessed.

How many were affected? It appears that at least four million current and former federal employees could have been impacted.

When did it occur? The hackers, who are believed to have ties to the Chinese government, gained entry into the federal computer system last September. However, the breach wasn’t detected until April.

How did it happen? The hackers are said to have used a previously unknown exploit, a so-called “zero-day,” to take advantage of a vulnerability in the system.

What they’re saying: “We take all potential threats to public and private sector systems seriously, and will continue to investigate and hold accountable those who pose a threat in cyberspace.” An FBI spokesman has said that the agency is working with other parts of the government to investigate the matter.

In addition, cybersecurity experts have noted that the OPM was the target of another attack a year ago that was suspected of originating in China. At that time, authorities reported that no personal information had been stolen. This latest high-profile occurrence comes amid growing concerns that even the most trusted sites and systems can be used by hackers aimed at infiltrating sensitive industries. With the number of cyber attacks on the rise and no apparent end in sight, how can you ensure that your network and its data are protected?