Researchers at Norway-based security firm Promon have demonstrated how thieves with the necessary hacking skills can track and steal Tesla vehicles through the carmaker’s Android application.

In a video released this week, experts showed how they could obtain the targeted user’s credentials and leverage the information to track the vehicle and drive it away. There are several conditions that need to be met for this attack and the victim must be tricked into installing a malicious app on their mobile phone, but the researchers believe their scenario is plausible.

According to Promon, the Tesla mobile app uses HTTP requests and an OAuth token to communicate with the Tesla server. The token is valid for 90 days and it allows users to authenticate without having to enter their username and password every time they launch the app.

The problem is that this token is stored in cleartext in the app’s sandbox folder, so an attacker who gains access to the device can read it and use it to send specially crafted requests to the server. With the token alone, criminals can locate the car and unlock its doors; to enable the keyless driving feature and actually take the vehicle, they also need the victim’s username and password.
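The weakness described above is a storage choice, so the defender-side fix is also a storage choice. The following is an added example, not Promon's analysis or Tesla's app code: it contrasts writing a session token as a plain file in the app sandbox with keeping it in Keystore-backed encrypted preferences from the androidx.security:security-crypto library. The class, file and key names are assumptions for illustration.

```java
// Added example (not Promon's or Tesla's code): plaintext token storage in the
// app sandbox beside Keystore-backed encrypted storage. Assumes the
// androidx.security:security-crypto library and an Android Context.
import android.content.Context;
import android.content.SharedPreferences;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.security.GeneralSecurityException;

public final class TokenStore {
    private static final String PREFS = "session_prefs";   // assumed file name
    private static final String KEY_TOKEN = "oauth_token"; // assumed key name

    // WEAK: the token lands as cleartext under the app's private files directory.
    // Anything that can read the sandbox (a root exploit such as the one the
    // article mentions, a backup extraction, forensic imaging) obtains a
    // credential that stays valid for its whole lifetime.
    static void saveTokenPlaintext(Context ctx, String token) throws IOException {
        File f = new File(ctx.getFilesDir(), "token.txt");
        try (FileWriter w = new FileWriter(f)) {
            w.write(token);
        }
    }

    // HARDENED: values are encrypted with a key that lives in the Android
    // Keystore and cannot be exported; the file on disk holds ciphertext only.
    static void saveTokenEncrypted(Context ctx, String token)
            throws GeneralSecurityException, IOException {
        encryptedPrefs(ctx).edit().putString(KEY_TOKEN, token).apply();
    }

    static String loadTokenEncrypted(Context ctx)
            throws GeneralSecurityException, IOException {
        return encryptedPrefs(ctx).getString(KEY_TOKEN, null);
    }

    private static SharedPreferences encryptedPrefs(Context ctx)
            throws GeneralSecurityException, IOException {
        MasterKey masterKey = new MasterKey.Builder(ctx)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build();
        return EncryptedSharedPreferences.create(
                ctx,
                PREFS,
                masterKey,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
    }
}
```

Encrypting the token at rest stops offline extraction of the credential from a file copy, but it does not help against code that already runs with the app's identity or as root on the device, which is the situation the article's modified-app scenario describes. That is why the storage fix belongs alongside server-side controls: a token lifetime much shorter than 90 days, revocation when a new login occurs, and binding the token to the device that issued the login.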

Experts believe this can be achieved by tricking the user into installing a piece of malware that modifies the Tesla app and steals the username and password when the victim enters them in the app. According to researchers, the legitimate Tesla app can be modified using one of the many vulnerabilities affecting Android, such as the issue known as TowelRoot. The TowelRoot exploit, which allows attackers to elevate privileges to root, has been used by an Android malware dubbed Godless.

In order to get the victim to install the malicious app, the attacker can use various methods, including free Wi-Fi hotspots.

“When the Tesla owner connects to the Wi-Fi hotspot and visits a web page, he is redirected to a captive portal that displays an advertisement targeting Tesla owners. In [our] example, an app was advertised that offers the Tesla owner a free meal at the nearby restaurant. When the Tesla owner then clicks on the advertisement, he is redirected to the Google Play store where the malicious app is displayed,” experts said.

While there are multiple conditions that need to be met for the attack to work, researchers pointed out that many devices run vulnerable versions of Android and users are often tricked into installing malware onto their devices.

Promon has not disclosed any technical details about the attack method. The company says it has been working with Tesla on addressing the issues. It’s worth noting that Tesla has a bug bounty program with a maximum payout of $10,000 for each flaw found in its websites, mobile apps and vehicle hardware.

This is not the first time researchers have demonstrated that Tesla cars can be hacked remotely. A few weeks ago, experts at China-based tech company Tencent showed that they could remotely control an unmodified Tesla Model S while it was parked or on the move. Tesla quickly patched the vulnerabilities found by Tencent, but downplayed their severity, claiming that the attack was not fully remote, as suggested in a video released by experts.

SecurityWeek has reached out to Tesla for comment and will update this article if the company responds.


Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

The White House confirmed that the potential for election hacking led to using the special "red phone" to contact Russia eight days before the U.S. presidential election and issue a warning about influencing the process.

The original report said the White House used a secret "hotline"-style message on October 31st to clearly ask Russia to stop any cyberattacks that could undermine the election results. Anonymous White House officials told The Washington Post about the election hacking warning and said the Russian government response was "noncommittal." Even so, the officials said they hadn't seen an escalation in cyberattacks from Russia leading up to the election.

In a statement to The New York Times, the White House confirmed it had "contacted the Russian government directly regarding malicious cyberactivity" that was "targeting U.S. state election-related systems" using the Washington-Moscow Direct Communications Link connecting the Nuclear Risk Reduction Centers in both countries.

Cyberattacks attributed to Russia have been so plentiful this year that the White House previously admitted to considering "proportional response" to election hacking by the Russian government following attacks on voter registration systems and the Democratic National Committee. These attacks, as well as the breach of Clinton campaign chairman John Podesta's email account, were attributed to Russian hacker groups allegedly under orders by the Russian government.

Konstantinos Karagiannis, CTO of security consulting at BT America, said via Twitter that the leaks from these attacks likely prompted the warning.

Privacy Professor CEO Rebecca Herold said the leaks imply Russia's intent was likely to influence the election rather than perform direct election hacking. But, she said, the White House's warning may have been aimed at stopping more leaks in the lead-up to the election.

"It is likely Russia had just as much information, emails, and databases from the Republicans as they did for the Democrats (reports indicated the GOP systems were just as weak and vulnerable as the DNC's were), but chose to only release select information about the DNC, Clinton, and others, and possibly use it in other ways as well, to influence voters," Herold told SearchSecurity via email.

FBI Director James Comey said in September that state voter registration systems had been targeted by malicious actors and the Department of Homeland Security offered to help states to make sure systems were protected against potential election hacking. However, Comey also assured the public that the presidential election itself would be "very, very hard for someone to hack into because it's so clunky and dispersed."

Herold agreed that hacking of any election system was unlikely but Russia's attacks on voter registration databases would have provided "such things as voting histories, political group memberships, cause group memberships, addresses, polling and survey results, etc."

"It is feasible for such data to be run through big data analytics to determine the topics for which the voting population groups would have the most concerns, and thus the topics and/or specific types of hacked information that could be publicized with regard to each of the candidates to potentially help sway the voters to switch votes to the other candidate, or to even kill their motivation to even vote at all," Herold said. "If Russia had such data, and wanted to use it to try and make one candidate look bad, the other good, etc., that is how they would be viewed as influencing, or 'hacking' the election."


SearchSecurity: Security Wire Daily News

US lawmakers introduce bill to delay enhanced government hacking powers

Photo: The U.S. Capitol in Washington. Credit: Elizabeth Heichler

U.S. lawmakers have introduced legislation to delay the coming into force on Dec. 1 of a rule change that aims to expand the government’s ability to search computers and other digital devices across many jurisdictions with a single warrant.

The new Review the Rule Act aims to delay for discussion proposed amendments to rule 41 of the Federal Rules of Criminal Procedure until July 1 next year. The changes to the rule have already been approved by the Supreme Court in April, and if Congress doesn’t act to the contrary, they will go into effect on Dec. 1.


The modified rule would lift, with some exceptions, the current prohibition on a federal judge issuing a search warrant outside the judge’s district, so that law enforcement could remotely search computers whose locations are concealed using technology such as anonymizing tools. The changes to rule 41 were proposed by the Advisory Committee on the Rules of Criminal Procedure at the request of the Department of Justice.

The rule changes have been opposed by lawmakers, industry and civil rights groups who are concerned about their implications on privacy and surveillance.

“Remote searches of media or information that have been ‘concealed through technological means’ may take place anywhere in the world,” said Google in a filing to the committee in February last year.

Under the modified rule, a judge may issue a warrant to remotely search, copy, and seize information from a device that does not have a known location, and may not even be in the district, because the location has been concealed through technological means, according to the lawmakers who introduced the legislation. They are also concerned about a provision that allows a single judge to issue a warrant to remotely search and copy information from suspected devices across five or more districts.

“A single prosecutor should not have the power to hack into the phone or computer of virtually anyone in the United States,” said Senator Mike Lee, a Republican from Utah and a member of the Senate Judiciary Committee.

Others backing the bill are Senators Chris Coons, a Democrat from Delaware; Steve Daines, a Republican from Montana; Ron Wyden, a Democrat from Oregon, and Al Franken, a Democrat from Minnesota. The bill is also supported by Representatives John Conyers, Jr., a Democrat from Michigan and Ted Poe, a Republican from Texas. Wyden and four others had introduced in May legislation for preventing the changes from coming into effect but that went on the back burner in the election year.

The expanded surveillance authority to allow the U.S. to hack multiple computers in unknown locations, including overseas, with a single warrant has far-reaching consequences for U.S. citizens and people around the world, warned Ed Black, president and CEO of the Computer & Communications Industry Association in a statement Thursday. “This policy impacts the relationship between citizens and our government and between the U.S. and allies,” he added.

The change is scheduled to come into force a little before a new president takes office in the U.S. in January and inherits the vast surveillance apparatus the country already runs.

A delay in the proposed changes to rule 41 is required to ensure that the newly elected Congress and administration can carefully evaluate the amendment before it goes into effect to ensure that it is constitutional and in the best interests of the American people, said Rep. Poe.

The DOJ holds that “the amendments would not authorize the government to undertake any search or seizure or use any remote search technique, whether inside or outside the United States, that is not already permitted under current law.”

“This change would not permit indiscriminate surveillance of thousands of victim computers—that is against the law now and it would continue to be prohibited if the amendment goes into effect,” wrote Assistant Attorney General Leslie R. Caldwell of the Criminal Division in June in a blog post.

The amendments would make a difference in cases where a suspect has hidden the location of his computer using technological means, so that an investigator would know which judge to approach for a warrant to discover the computer’s location, Caldwell wrote. When a crime has affected computers in multiple judicial districts, the amendment removes the requirement to submit separate warrant applications in each district where a computer is affected, he added.

That blog post and other statements by the DOJ have not satisfied lawmakers, who wrote in October to Attorney General Loretta Lynch asking for information, among other things, on how the government intends to “prevent forum shopping” by prosecutors seeking court approval to hack into Americans’ devices, and how the government plans to prevent “collateral damage” to innocent Americans’ devices and electronic data during remote searches of devices such as smartphones or medical devices.

InfoWorld Security

The Russian national arrested earlier this month by Czech police has been charged in the United States for hacking into the systems of LinkedIn, Dropbox and Formspring.

Yevgeniy Aleksandrovich Nikulin, 29, of Moscow, Russia, was arrested by Czech authorities on October 5, but news of the arrest only came to light last week.

While initially some believed that the arrest was related to cyberattacks supposedly launched by the Russian government against political organizations in the United States, LinkedIn revealed that the law enforcement operation, carried out in cooperation with the FBI, was actually linked to the breach suffered by the social media company in 2012.

The U.S. Department of Justice announced on Friday that Nikulin had been charged by a federal grand jury in Oakland, California, with nine counts related to obtaining information from computers, causing damage to computers, trafficking in access devices, aggravated identity theft and conspiracy.

Authorities said Nikulin is believed to be behind not only the LinkedIn breach, but also the 2012 attacks on Dropbox and Formspring.

The Dropbox hack, carried out after an employee’s credentials were stolen, affected more than 68 million accounts, but the full extent of the incident only came to light recently. As for the social Q&A site Formspring, hackers leaked 420,000 hashed passwords back in 2012, which triggered a password reset on all user accounts.

According to the DoJ, LinkedIn and Formspring were also breached after hackers obtained employee credentials. Authorities said Nikulin conspired with others to sell the information stolen from Formspring.

Nikulin is currently in custody in the Czech Republic and the United States hopes to convince Czech authorities to approve his extradition. On the other hand, Moscow insists that the man be handed over to Russia.



SecurityWeek RSS Feed

An American who worked at the same intelligence contractor as NSA whistleblower Edward Snowden has been charged with the theft of classified documents.

Harold Martin, 51, of Glen Burnie, Maryland, was arrested in late August after the FBI raided his house and storage shed, allegedly finding a number of top secret documents he had taken home without permission.

It is believed the files included source code for exploiting software vulnerabilities to hijack systems used by Russia, China, Iran and North Korea.

"These documents were produced through sensitive government sources, methods, and capabilities, which are critical to a wide variety of national security issues," US prosecutors said on Wednesday.

"The disclosure of the documents would reveal those sensitive sources, methods, and capabilities."

US Department of Justice lawyers said in an unsealed court document that Martin had been granted top secret security clearance through his work as a private contractor with the government. Specifically, Martin was employed by military contractor Booz Allen Hamilton when he was cuffed by the Feds – the same outfit Snowden worked for when he took off to Hong Kong with a clutch of super top-secret NSA files in 2013.

In a statement today, Booz Allen said it has fired Martin and offered its "total cooperation" to investigators. Curiously, Martin's home has been scrubbed from Google Street View.

We're told Martin took home with him printed and digital documents at least six of which were designated as top secret by Uncle Sam. The DoJ noted that Martin cooperated with g-men when they turned up at his home to search it for the missing material.

While the DoJ is not providing details on the documents themselves, the filing notes that the dossiers contain intelligence gathered in 2014 and "were produced through sensitive government sources, methods, and capabilities, which are critical to a wide variety of national security issues."

"The documents have been reviewed by an original classification authority of the government and, in each instance, the authority has determined that the documents are currently and properly classified at the TOP SECRET level, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security of the United States," the filing reads.

The filing does not disclose what Martin is said to have planned to do with the stolen documents – it is suggested he allegedly made an operational security blunder rather than seek to leak the contents of the blueprints. If convicted, he could face more than a decade behind bars.

The US government has hit Martin with charges of theft of government property, carrying a maximum of 10 years in prison, and unauthorized removal and retention of classified materials, which carries a maximum of one year in prison.

"Hal Martin loves his family and his country. There is no evidence that he intended to betray his country," lawyers for Martin said on Wednesday. ®


The Register - Security

As the day when US citizens cast a vote for their preferred presidential nominee quickly approaches, the issue of whether the actual voting process can be tampered with is a topic that interests many.


It is widely believed, but never officially confirmed, that the DNC hack – and subsequent leaking of data stolen during the breach – is the work of hackers backed by the Russian government and president Vladimir Putin.

As Harvard law professor and former US assistant attorney general Jack Goldsmith pointed out to Ars Technica, the Russian government has, in the past, used “social media disinformation, denial of service attacks, and hacking campaigns to shape the political landscape in former Soviet states and elsewhere in Europe frequently over the last decade.”

But would they attempt to infiltrate the US e-voting machines and system in order to influence the actual voting outcomes? It’s possible. Is it likely, though? That’s up for debate.

It’s not that they – or anyone else – couldn’t. Since late August, the Institute for Critical Infrastructure Technology has been publishing analyses about the ease of hacking voting machines, interfering with campaigns, stealing data, and so on.

Andrew Appel, a professor with Princeton University’s Computer Science Department, has also recently published a rundown of some of the electronic voting machines used in the US, and their vulnerability to hacking.

While some of them can be hacked through the Internet, all can be hacked by attackers with physical access to them, and only a few allow for the possibility of an audit or recount of (paper) votes in order to check for possible interference.

Generally, security experts have been warning for years about the “hackability” of electronic voting machines, with few positive results. As with any other technology so far, security still takes a back seat, even though there is confirmation that tampering with electoral systems has already happened.

US Congressman Hank Johnson is currently trying to minimize this risk, by introducing two bills for the US Senate to vote on:

  • The “Election Infrastructure and Security Promotion Act of 2016”, which would make voting systems part of the country’s critical infrastructure. The bill would require the Department of Homeland Security to protect it, and would promote the development of security standards and innovative security solutions.
  • The “Election Integrity Act” that (among other things) would limit the purchase of any new voting systems that do not provide durable voter-verified paper ballots, and enable verifiable manual audits of federal elections.

These bills will surely not be voted into law before these presidential elections, but it’s good to see that some legislators are taking the threat seriously.

Help Net Security

A student at Kennesaw State University in Georgia is accused of hacking into his professor's computer to improve his grades.

Chase Arthur Hughes, 19, was arrested and charged this week after allegedly raiding the university's computers in May. The teen made a number of alterations to his grades, and those of his friends, for two classes, it is claimed. He allegedly upgraded one of his grades from a B to an A, and changed two other people's grades from F to A and C to A.

"I mean, I thought it was pointless. Why would you go in and change your grade? I think I saw one of them he changed from a B to an A. It doesn't seem to be worth the trouble,” student Drew Weldon told WSB-TV Atlanta.

According to the police, Hughes carried out a series of hacks using his girlfriend's internet connection, and didn't just confine his cyber-tampering to one professor's computer, it is claimed.

After his arrest, investigators found the usernames and passwords for at least 36 faculty members in a notebook stored at his home, we're told.

The authorities were tipped off thanks to an alert system set up in the university's Owl Express software, which sent an automatic email to a professor after one of the grades was tweaked. The professor queried the update and an investigation was launched.

"While the system worked as it should and alerted the professors of the grade changes, additional measures have been put into place to help further detect unauthorized access,” said KSU interim chief information officer Lectra Lawhorne.

Hughes, a business major with a concentration in finance, is facing charges of computer trespassing, computer invasion of privacy, and computer forgery. If found guilty, he faces up to 15 years in prison – but at least that's better than global thermonuclear war, right Lightman? ®


The Register - Security

A new federal court ruling has found the FBI's investigative use of hacking violates the Fourth Amendment, but not all courts agree, so experts are unsure if a precedent has been set.

A number of cases arose from the FBI's use of its Network Investigative Technique (NIT) to hack thousands of computers that had accessed a deep web site hosting child pornography via the anonymous Tor network. The question is whether law enforcement hacking constitutes a search as defined by the Fourth Amendment, because the FBI had only one warrant, issued in Virginia, to cover thousands of computers in various locations.

David Alan Ezra, senior district judge for the United States District Court for the Western District of Texas, San Antonio Division, ruled using malware to hack someone's computer does indeed fall under the definition of search.

"Here, the NIT placed code on Mr. [Jeffrey Jerry] Torres' computer without his permission, causing it to transmit his IP address and other identifying data to the government," Ezra wrote in his ruling. "That Mr. Torres did not have a reasonable expectation of privacy in his IP address is of no import. This was unquestionably a 'search' for Fourth Amendment purposes."

Other recent court rulings have gone the other way and determined law enforcement hacking does not require a warrant because people do not have a reasonable expectation of privacy in their computers.

Amie Stepanovich, U.S. policy manager at Access Now, based in New York, said there's a long way to go before this issue is resolved in court.

"Several judges right now are considering cases stemming from a single warrant issued in Virginia to allow the Federal Bureau of Investigation to essentially insert malware on any computer that visited a specific website," Stepanovich told SearchSecurity. "The jurisdictional splits being created by these cases are likely to be appealed and may even make it up to the Supreme Court on any one or more of the issues that are being challenged -- from jurisdiction to constitutionality."

Ezra said Congress needed to clarify the issue.

"The instant NIT warrant has brought to light the need for congressional clarification regarding a magistrate's authority to issue a warrant in the internet age, where the location of criminal activity is obscured through the use of sophisticated systems of servers designed to mask a user's identity," Ezra wrote.

Riana Pfefferkorn, cryptography fellow at the Stanford Center for Internet and Society, said the issue could be resolved by Congress first with the decision on "a pending change to Rule 41 of the Federal Rules of Criminal Procedure, which governs the issuance of search and seizure warrants by federal judges."

"The rule change would expressly authorize law enforcement to get 'a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information,'" Pfefferkorn told SearchSecurity.

The change to Rule 41 has been approved by the Supreme Court, but Pfefferkorn said it faces opposition in Congress. "Sen. Ron Wyden has introduced a bill that would stop this change from going into effect, which it will on Dec. 1, unless Congress acts to stop it. If it does go into effect, the Texas court's ruling will be superfluous because the revised rule expressly authorizes government hacking like this and says it is a search."

Stepanovich said Congress needs to go beyond just deciding on the changes to Rule 41.

"These changes to Rule 41 will ostensibly remove procedural hurdles to government hacking, but, unless stopped, [they] will also provide evidence to argue for congressional approval of invasive hacking operations that Congress has never authorized," Stepanovich said. "Congress should block these changes and instead hold hearings on the extent that hacking should be permissible by law enforcement entities, and if they choose to authorize it, should pass a law doing so and providing substantial protections and safeguards."


SearchSecurity: Security Wire Daily News

What does a team of talented and highly motivated interns do when paired with the expertise and capability of professionals in IBM Managed Security Services? Develop an interactive IBM hacking competition, of course.

I am intrigued by the idea of matching young, capable college students with seasoned IBM professionals to create interactive events. Knowing this, Diane Delaney, a worldwide talent manager at IBM, recommended I interview Chelsea Williams, one of the interns chosen to develop the IBM hacking competition.

An Intern Dishes on the IBM Hacking Competition

Question: Can you give us an idea of what this project was all about?

Williams: Sure, it was a Capture the Flag (CTF) event and was designed to test offensive, or red team, skills of the participants. Although these skills often fall into the realm of black-hat hacking, the thought is that without knowing how to break into a system, you can’t truly know how to secure a system. Thus, a CTF allows for these skills to be tested and developed.

The CTF, which we designed, hosted 15 teams consisting of 60 IBM employees from Managed Security Services.

That sounds like a very cool project for IBM interns. How did you and your fellow interns contribute?

Well, we started off with building the hardware that was required. Then, we were involved in physically building the servers to house the required hardware. By the end of the setup, we had four physical servers racked into the lab server racks.

Once the servers were installed, the networking had to be implemented according to documentation that was designed. From that point, the infrastructure was ready to be configured for the games to start. One of the servers was designated to host Kali Linux, the operating system used by participants to interface with the rest of the environment.

We were responsible for the master virtual machine (VM), from which 20 clones were created, and each team was given its own VM. We were also responsible for the creation and testing of the various machines and challenges used throughout the CTF. We tested the challenge machines and ensured the walk-throughs were in place, just in case the teams required assistance throughout the two-week event.

Wow! What a great hands-on learning experience! What will you take away from this?

I have met and worked with some pretty incredible IBMers. We all worked tirelessly to make the CTF competition a success, which is what makes it so memorable. I have thoroughly enjoyed working as an intern for IBM, and I am very grateful to represent a company that values the input from and collaboration with students.

Everyone Wins

The winner of the IBM hacking competition was team “Boom!” — a group of security correlation engineers at IBM. But, clearly, Williams and her fellow interns will be counted among the winners as well.

Security Intelligence

Google announced on Tuesday the launch of a new hacking contest that invites researchers to find serious vulnerabilities and exploit chains in the Android operating system. The search giant is prepared to pay hundreds of thousands of dollars to the winners.

The contest, named “The Project Zero Prize,” will run until March 14, 2017. Participants must find a full exploit chain that allows them to achieve remote code execution on up-to-date Nexus 6P and Nexus 5X devices by knowing only their email address and phone number – the maximum allowed user interaction is opening an email in Gmail or an SMS in Messenger.

The first winning entry will be awarded $200,000, and the second will get $100,000. All the other winning entries will receive at least $50,000. Winners will also be invited to write a short technical report describing the vulnerabilities on the Project Zero blog.

While the Project Zero Prize competition takes place over the course of six months, hackers must not hoard the flaws they find. Each bug in the chain must be submitted to the Android issue tracker as soon as possible to ensure that it’s not reported by someone else first, as only the first person to file a vulnerability can use it as part of their exploit.

“Our main motivation is to gain information about how these bugs and exploits work,” explained Natalie Silvanovich of Google’s Project Zero team. “There are often rumours of remote Android exploits, but it’s fairly rare to see one in action. We’re hoping this contest will improve the public body of knowledge on these types of exploits. Hopefully this will teach us what components these issues can exist in, how security mitigations are bypassed and other information that could help protect against these types of bugs.”

Another reason for running the contest, Silvanovich said, is to fix potentially dangerous Android vulnerabilities so that they don’t impact users. The search giant also hopes to gather some statistical data on the availability of these exploits.

Entries that don’t win any prizes as part of the competition can still qualify for a reward in the regular Android bug bounty program. In June, after paying out more than half a million dollars, Google announced that it increased Android bug bounty payouts to a maximum of $50,000 per submission.



SecurityWeek RSS Feed