A smartphone app flaw has left Tesla vehicles vulnerable to being tracked, located, unlocked, and stolen.

Security experts at Norwegian app security firm Promon were able to take full control of a Tesla vehicle, including finding where the car is parked, opening the door and enabling its keyless driving functionality. A lack of security in the Tesla smartphone app opened the door to all manner of exploits, as explained in a blog post by the firm. The cyber-attack unearthed by Promon provides additional functionality to that exposed by Keen Security Labs in a different hack in late September.

Tom Lysemose Hansen, founder and CTO at Promon, said: "Keen Security Labs' recent research exploited flaws in the CAN bus systems of Tesla vehicles, enabling them to take control of a limited number of functions of the car. Our test is the first one to use the Tesla app as an entry point, and goes a step further by showing that a compromised app can lead directly to the theft of a car."

One way for the hack to work is for cybercriminals to set up a Wi-Fi hotspot, likely close to a public Tesla charging point. When Tesla users log in and visit a page, an advert targeting car owners appears, offering an incentive such as a free meal or coffee. When clicking this link and downloading the accompanying app, hackers can gain access to the user's mobile device, allowing them to attack the Tesla app and obtain usernames and passwords.


In an update, Promon outlines the many and varied security shortcomings of Tesla's app.

This attack is not Tesla specific, and can in generalised form be used against any app. However, the Tesla app did not offer any kind of resistance which would require time-consuming effort to exploit.

One thing that stood out was that the OAuth token is stored in plain text – absolutely no attempts have been made to encrypt it, or otherwise protect it. Getting access to this one piece of data alone will get you the location of the car, ability to track the car and being able to unlock the car.

Driving off with the car requires the username and password in addition, which was very easy to do since the application did not detect that it had been modified to add malware-like behaviour that would send the credentials out of the app to a server.

"If Tesla had followed best practice in security (e.g. as recommended by the Open Web Application Security Project), including applying self-protecting capabilities inside the app, it would have required much higher technical skills – and much more effort – to perform such an attack," according to Promon. The Norwegian app security firm said that it was in "close dialogue with Tesla" in order to address these app security issues.

El Reg asked Tesla to comment on the research on Thursday, a US national holiday. We're yet to hear back but we'll update this story as and when we hear more.

John Smith, principal solutions architect at app security firm Veracode, commented: "With Tesla just recently remediating a vulnerability which allowed the car to be exploited remotely, this new security flaw leaves the car vulnerable to theft and highlights the plethora of challenges that car manufacturers now face as they introduce internet-connected services into the car. Vulnerable software is one of the most significant challenges faced by the automotive industry, with findings from a recent IDC report indicating that there could be a lag of up to three years before car security systems are protected from hackers.

"There are over 200 million lines of code in today's connected car, not to mention smartphone apps linked to the car. So it is essential that car manufacturers put security at the heart of the development strategy, rather than as an afterthought." ®


The Register - Security

Three men are due to appear at the Old Bailey charged with various offences linked to an investigation into the mega TalkTalk hack a year ago.

The investigation was launched in October 2015 by the Met's Falcon Cyber Crime Unit following the hack in which 157,000 of its customers' personal details were accessed.

On Tuesday, 15 November, a 17-year-old boy pleaded guilty at Norwich Youth Court to seven offences under the Computer Misuse Act of 1990.

The boy was arrested in Norwich on 3 November last year and subsequently charged. He is due to be sentenced at Norwich Youth Court on 13 December.

The offences were all linked to the unauthorised access in October 2015 to data and programs on various organisations' websites including TalkTalk and Merit Badges as well as universities in Cambridge, Manchester, Sheffield, and Bournemouth.

As part of the wider investigation, detectives have also arrested three other individuals.

Daniel Kelley, of Llanelli, Wales, was charged on 26 September with various blackmail, cyber-crime and fraud offences, and is due to appear at the Old Bailey on Friday, 18 November.

Matthew Hanley and Conner Douglas Allsopp, both from Tamworth, were charged on 26 September with cyber crime and fraud offences and are due to appear at the Old Bailey on Monday, 21 November.

The investigation into the alleged data theft from the TalkTalk website is a joint investigation led by the Met's Cyber Crime Unit with support from Police Service Northern Ireland, Southern Wales Regional Organised Crime Unit, the National Crime Agency, and CERT UK (now the National Cyber Security Centre). ®


The Register - Security

FBI reports more attempts to hack voter registration system

James Comey, director of the FBI, speaks at a House Judiciary Committee hearing in Washington on March 1, 2016.


The U.S. Federal Bureau of Investigation has found more attempts to hack the voter registration systems of states, ahead of national elections.

The agency had reportedly found evidence in August that foreign hackers had breached state election databases in Illinois and Arizona, but it appears that there have been other attempts as well, besides frequent scanning activities, which the FBI describes as preludes for possible hacking attempts.


"There have been a variety of scanning activities, which is a preamble for potential intrusion activities, as well as some attempted intrusions at voter registration databases beyond those we knew about in July and August," FBI Director James Comey told the House Judiciary Committee on Wednesday.

Comey said that the systems that could be at risk were the voter registration systems that are connected to the Internet. The vote system in the U.S., in contrast, is hard to hack into "because it's so clunky and dispersed," he added. He advised states to get the best information they can get from the Department of Homeland Security and ensure their systems are tight as there is "no doubt that some bad actors have been poking around."

"We are doing an awful lot of work through our counter-intelligence investigators to understand just what mischief is Russia up to in connection with our elections," Comey said. U.S. officials have hinted that they believe Russia is behind recent attacks on servers of the Democratic National Committee, which led to the leak of embarrassing emails through whistleblowing website, WikiLeaks. But the U.S. government has not directly attributed the attacks to Russia.

Security experts and Democratic presidential candidate Hillary Clinton have blamed Russia for the attack, but Republican candidate Donald Trump said nobody knows it was the Russians, adding that the hack could have come from Russia, China, or a 400-pound hacker working from his bed.

The U.S. government is not sure whether Russia, which is said to have interfered in U.S. elections since the 1960s, aims to influence the outcome of the election or try to
InfoWorld Security

An investigation conducted into the two Yahoo security incidents disclosed recently revealed the existence of a connection and led researchers to believe that the claim of 200 million accounts being stolen in 2012 is likely false.

In early August, a hacker claimed to possess 200 million Yahoo user accounts stolen from the tech giant back in 2012. The hacker, known online as Peace and peace_of_mind, had offered to sell the data for 3 Bitcoin on a marketplace called TheRealDeal, where he had previously sold hundreds of millions of Tumblr, Myspace, VK and LinkedIn accounts.

Then, earlier this month, Yahoo confirmed that attackers, which the company believes were sponsored by a nation state, breached its systems in 2014 and stole at least 500 million user accounts. Yahoo never confirmed the alleged 2012 incident, although some suggested that the company discovered the 2014 breach while investigating those claims.

Security firm InfoArmor launched an investigation and determined that the vast majority of the 200 million credentials were not associated with Yahoo accounts. Experts believe the data likely comes from multiple third-party leaks and that some of the credentials match only because people reuse passwords. It’s worth noting that some people questioned the validity of the 2012 dump ever since samples of the data were made available.

InfoArmor believes Peace faked the data after having a falling-out with tessa88, another hacker who recently offered to sell hundreds of millions of accounts stolen from various services. According to researchers, tessa88 and Peace exchanged stolen information, until the former was called out over fake and low-quality dumps.

However, evidence uncovered by InfoArmor suggests that there is a link between these cybercriminals and the threat actor that carried out the 2014 attack confirmed by Yahoo.

Researchers believe tessa88 is linked to the real Yahoo hackers through an unidentified actor that played the role of a proxy. This proxy allegedly obtained the Yahoo data from professional black hats in Eastern Europe and provided it to various other actors, including cybercriminals and a state-sponsored party that had been interested in exclusive database acquisitions.

Tessa88 had previously received accounts from the proxy and InfoArmor believes tessa88 and Peace expected to get the Yahoo data as well. However, since that did not happen, Peace created a fake dump and claimed it came from a 2012 breach.

According to the security firm, the 500 million accounts were stolen from Yahoo after the compromised database was divided into hundreds of equal parts. The files, which contained data organized alphabetically, were exfiltrated in segments.

InfoArmor said the actual Yahoo dump is still not available on any cybercrime forums. However, the data has been monetized by some cybercriminals and the company believes it might have also been leveraged in attacks targeting U.S. government personnel.

Yahoo breach aftermath

News of the breach has caused serious problems for Yahoo, just as the company’s core business is about to be acquired by Verizon for $4.8 billion. Some believe the incident could impact the deal, but Verizon has yet to comment.

Several class actions have been filed against Yahoo by customers, including people who claim to be directly affected by the breach.

Earlier this week, U.S. Senator Patrick Leahy sent a letter to Yahoo CEO Marissa Mayer asking how such a massive breach could go undetected for two years. Senator Mark Warner has asked the Securities and Exchange Commission (SEC) to determine if the company fulfilled obligations to keep the public and investors informed, as required by law.

Mayer reportedly neglected cybersecurity since she took over the company. According to The New York Times, current and former employees said the CEO focused on functionality and design improvements rather than security.

Alex Stamos, who left his CISO position at Yahoo last year to become Facebook’s CSO, was allegedly denied financial resources for proactive security solutions. Mayer is said to have also rejected a proposal to reset all user passwords fearing that the move would result in more users abandoning its services.

SecurityWeek RSS Feed

Party like it's 1999, phreakers: a bug in Epson multifunction printer firmware creates a vector to networks that don't have their own Internet connection.

The exploit requirements are that an attacker can trick the victim into installing malicious firmware, and that the victim is using the device's fax line.

The firmware is custom Linux, giving the printers a familiar networking environment for bad actors looking to exploit the fax line as an attack vector. Once they're in that ancient environment, it's possible to then move onto the network to which the printer's connected.

Yves-Noel Weweler, Ralf Spenneberg and Hendrik Schwartke of Open Source Training in Germany discovered the bug, which occurs because Epson WorkForce multifunction printers don't demand signed firmware images.

The researchers tested their exploit on the Epson WF-2540 MFP, but reckon most WorkForce and Stylus devices are likely to be vulnerable. Since these units date back to 1999, “huge amounts” could be vulnerable.

“We were able to craft and install a malicious firmware image implementing a backdoor using the built-in data/fax modem. This backdoor may serve as a bridge head in to a network otherwise not connected to the internet,” they write.

“With a basic understanding of the firmware format and checksums, an attacker can create malicious firmware images including backdoors and malware for the devices.”

Epson has told the researchers it will publish security guidance for customers. ®


The Register - Security

Seagate NAS hack should scare us all

No fewer than 70 percent of internet-connected Seagate NAS hard drives have been compromised by a single malware program. That’s a pretty startling figure. Security vendor Sophos says the bitcoin-mining malware Miner-C is the culprit.

I’m surprised this story hasn’t garnered more attention. Perhaps it’s because we’re talking only 7,000 hard drives possibly in total, or perhaps it’s because the mainstream media doesn’t understand what NAS means. Either way, it has colossal implications. Apparently, storage admins:

  • Aren’t very diligent about scanning for malware
  • Fail to change default NAS passwords
  • Allow direct connections to their huge network storage arrays without another authentication requirement
  • Put their companies at risk of attack by malicious intruders


More to the point, this attack means that over the last 13 years we’ve learned nothing. We are no more prepared for a bad malware outbreak than before. We’re lucky that Miner-C program is only a bitcoin miner. It’s bad. It’s unethical. It’s illegal. But it’s not intentionally killing data and bringing down businesses.

Unfortunately, the minimal effort expended by Miner-C attackers to break into Seagate NAS software is identical to that needed by those wielding a highly malicious program. In fact, hackers reading about this particular attack could use the exact same tricks to bring those companies down. Ransomware, anyone?

If I were a ransomware maker and read that many of the world’s hard drives were unprotected, including those at large companies, the first thing I’d do is recode my ransomware to take advantage of it.

Of course, anyone who falls victim to ransomware should be able to restore the data from the latest known good backup and call it a day without paying the ransom -- except that, uh-oh, even corporations often lack good backups. If they can’t prevent malware from infecting hard drives, are we supposed to believe they actually have good backups?

It doesn’t stop with Seagate NAS

When you see a major instance of any type of vendor-specific exploitation, one of the first questions to ask is how many other similar products could be impacted. News of this Seagate hack didn't alarm me because 70 percent of 7,000 Seagate hard drives were involved -- it was the realization that many other hard drive arrays have the same issues. They're connected to the internet, allow remote connections, come with default passwords, and so on.

Even “little data” needs to be concerned. A lot of small businesses are eating up “consumer level” NAS devices that have the same feature sets. The customer plugs them in and forgets they connect to the internet and have default passwords that need to be changed. They have no idea that they are running little computers exposed to the internet. They will have no idea when those hard drive arrays become compromised -- until the attacker decides to do something more malicious than generate bitcoins with them.

Besides, we’re really talking about much more than storage arrays. We’re talking every internet-connected device running an embedded computer. It’s the internet of things, wireless routers, security cameras, and more. Most of these items run unpatched versions of insecure software -- software that would be very insecure even if fully patched -- accessible to the internet. I would venture to guess that a lot of us are unintentionally hosting massive bot net nodes because we really don’t know what’s running on those devices.

How to protect yourself

The list of how to protect your company from these sorts of threats simply reflects all the best practices you should have already been following, including:

  • Install latest security patches, including latest firmware
  • Change default passwords
  • Don’t allow regular, unauthenticated connections from the internet
  • Make sure you have regular, confirmed offline backups of all your critical data
  • Plan ahead for how your company would respond if its data was deleted or held for ransom

Seagate NAS devices are canaries in the coalmine. What the Seagate story tells me is that the professionals who are supposed to be minding the store aren’t minding the store. If they aren’t doing what they should be doing, then the rest of the world -- whose primary job isn’t to provide safe and reliable data storage -- is faring far worse. I bet a 70 percent infection rate wouldn’t be the highest infection rate if we were to do a massive internet-connected inventory.

Whenever I look at today’s internet-connected world, I realize that the security problems and risks are far worse and far more pervasive than anything I could have predicted 10 years ago. We’ve not only failed to make our internet lives safer, we haven’t fixed any of the problems and behaviors we’ve known about for decades.


Security researchers from China-based tech company Tencent have identified a series of vulnerabilities that can be exploited to remotely hack an unmodified Tesla Model S while it’s parked or on the move.

An 8-minute video published on Monday by Tencent’s Keen Security Lab shows that researchers managed to perform various actions. While the vehicle was parked, the experts demonstrated that they could control the sunroof, the turn signals, the position of the seats, all the displays, and the door locking system.

While the car was on the move, the white hat hackers showed that they could activate the windshield wipers, fold the side view mirrors, and open the trunk. They also demonstrated that a remote hacker can activate the brakes from a long distance (e.g. 12 miles, as shown in the experiment).

According to Keen Lab researchers, the attacks they demonstrated are possible due to a series of vulnerabilities that have been chained together.

“As far as we know, this is the first case of remote attack which compromises CAN Bus to achieve remote controls on Tesla cars,” the researchers said. “We have verified the attack vector on multiple varieties of Tesla Model S. It is reasonable to assume that other Tesla models are affected.”

Based on the video made available by Keen Lab, it appears that a specific Tesla Model S can be identified and hacked while its owner is searching for nearby charging stations.

The vulnerabilities have been disclosed to Tesla Motors through the company’s Bugcrowd-hosted bug bounty program. According to Keen Lab, Tesla has confirmed the flaws and is working on addressing them. Fortunately, Tesla can release over-the-air firmware updates, which means that, unlike other carmakers, the company does not need to recall vehicles to apply security patches.

SecurityWeek has reached out to Tesla for comment and will update this article if the company’s representatives respond.

Tesla launched its bug bounty program in June 2015, more than a year after researchers started demonstrating that its vehicles could be hacked. After initially offering only up to $1,000 per vulnerability, in August 2015, the company decided to increase bug bounty payouts to a maximum of $10,000 for each flaw found in websites, mobile applications and vehicle hardware.

Research conducted over the past years by several experts – the most well-known are Charlie Miller and Chris Valasek, who have managed to hack cars both locally and remotely – has led to the launch of companies and departments that specialize in automotive security. Earlier this month, Volkswagen announced that it has teamed up with Israeli security experts to launch a new firm called CYMOTIVE Technologies.

SecurityWeek RSS Feed

Google offers $200K for top prize in new Android hack challenge

Google yesterday announced a six-month bug contest that will pay up to $200,000 for an Android "bug chain," one or more successful exploits of previously unknown vulnerabilities.

Dubbed "Project Zero Prize," it differed from hacking contests that take place over one or two days: Researchers can submit entries from now until March 14, 2017. In that regard, Google's contest resembled the limited-time bug bounties that rival Microsoft has offered to focus on, among other areas and applications, in Windows 10's Edge browser.


In the case of multi-exploit entries, Google also departed from the usual contest or bounty rules by encouraging researchers to submit each link in the bug chain as the flaws were uncovered, rather than wait until all were in place and exploitable.

"Instead of saving up bugs until there's an entire bug chain, and then submitting it to the Project Zero Prize, participants are asked to report the bugs in the Android issue tracker," wrote Natalie Silvanovich, a Google security engineer, in a post to a company blog. "They can then be used as a part of submission by the participant anytime during the six-month contest period."

It's in each participant's interest to file bugs as soon as possible since Google will credit only the first who submits a specific bug.

Researchers must be able to hack a Nexus 6P and a Nexus 5X smartphone running any version of Android that is current during the six-month stretch. "Entries where the user must open an email in Gmail, or open an SMS in Messenger are eligible, otherwise no user interaction is allowed," the contest's rules stated.

The first researcher to submit a winning bug chain will be awarded $200,000, with half of that going to the second researcher. Others will receive at least $50,000 each.

Silvanovich touted the contest as not only a way for Google to quash a few bugs, but to learn more about the vulnerability marketplace. "We hope that this contest will give us another data point on the availability of these types of exploits," she said. "There is fairly limited public information about this subject, and we might be able to glean some useful data from the number of submissions."

Google announced the Project Zero Prize a week after security vendor Trend Micro spelled out Mobile Pwn2Own 2016, a more traditional hacking contest that will run Oct. 26 and Oct. 27 in Tokyo. Prizes at Pwn2Own range from $35,000 to $250,000, with those targeting the Nexus 6P -- one of three smartphones on the hit list -- maxing out at $100,000.

Although Google had been a co-sponsor of Pwn2Own in the past, that relationship ended last year.

This story, "Google offers $200K for top prize in new Android hack challenge" was originally published by Computerworld.

If you’ve ever registered with ClixSense – and millions have – you can consider all your personal information shared with the service compromised.


The company behind the popular Paid To Click site has been breached, the site (Clixsense.com) made to redirect to a gay porn site, its Microsoft Exchange server and webservers compromised, and an old database server containing users’ information pilfered some ten days ago.

The stolen information includes users’ name, email and IP address, home address, date of birth, sex, account balance, payment history, as well as their password in plaintext.

The company confirmed the hack to Ars Technica and said that it has forced a password reset on all of its 6.6 million registered users.

Users who have reused the same password on other online accounts should change it there also, as well as be on the lookout for convincing phishing attempts by crooks using their stolen information.

It is a very realistic scenario, as the attackers are offering the account records for sale, along with emails exchanged by the company’s employees and the complete source code for the site.

They have released a sample of the stolen data, containing that of early users, as proof.

Unlike previous mega data breaches, this one is not old – the user database was dumped earlier this month, so all the information contained in it should be up to date.

Of course, it’s possible that some users have entered incorrect information when asked, and given what’s happened, I say good on them.

“It has come to our attention that this hacker did get access to our database server for a short period of time. He was able to gain access to this not directly but instead through an old server we were no longer using that had a connection to our database server. (This server has since been terminated),” Clixsense explained in a post about the incident.

“He was able to copy most if not all of our users table, he ran some SQL code that changed the names on accounts to ‘hacked account’ and deleted many forum posts. He also set user balances to $0.00.”

After all that, the company had the nerve to say that the incident “has taught us that regardless of what you do to stay secure, it still may not be enough,” and that users’ “ClixSense account information is now much more secure.”

Nevermind that it should have been secure in the first place… Why was an old server that’s no longer in use still connected to their database server? And, for that matter, why did they store passwords in plain text? None of this inspires much confidence that they will “do” security better in the future.

But none of this matters much to the affected users: much of their personal info has been compromised, and there is no going back.

Help Net Security

The FBI is taking "very seriously" the possibility a foreign country is trying to meddle with America's electoral process and even influence voting outcomes, the agency's director James Comey said Thursday.

US agencies, companies and individuals are frequently targeted by overseas hackers, and Democratic presidential nominee Hillary Clinton's campaign has accused Moscow of hacking into Democratic National Committee (DNC) emails.

The recent breach of DNC data, along with other electronic intrusions, has raised concerns about cyber incidents that could affect the outcome of the US presidential race, or other contests.

FBI agents "take very seriously the notion that a state actor is messing someway in our electoral process -- whether that is to disrupt, to influence, to sow discord, or to create doubt," Comey said at a Washington security summit, without specifically mentioning Russia.

The FBI is "working very hard" to understand the size and scope of any hacking attempts, he said, but tried to reassure the public that the old-fashioned way of tallying ballots in many states protects them from hackers.

"The actual vote counting in this country tends to be kind of clunky, in a way that's a blessing because it makes it more resilient," he said.

Director of National Intelligence James Clapper on Wednesday said Russia hacks US computer networks "all the time."


© AFP 2016


SecurityWeek RSS Feed