    TrendLabs Security Intelligence Blog

    Author Archive - Rainer Link (Senior Threat Researcher)




    Hearing about vulnerabilities in your car’s operating system might seem strange. But it’s now something we all need to get used to.

    On January 30, several security loopholes in BMW’s ConnectedDrive system were revealed. They could allow potential thieves to unlock doors and track car data using a mobile device, because the security gap affects the transmission path over the mobile phone network. The issues were uncovered during a privacy assessment conducted by the German auto club ADAC, and are believed to affect 2.2 million BMW vehicles worldwide.

    According to a statement from ADAC, the vulnerable vehicles were prone to abuse of features like Remote Services (opening doors remotely), tracking the vehicle’s current location and car speed via real-time traffic information (RTTI), enabling and changing phone numbers on the emergency call function, and reading emails via the BMW Online feature in the BMW ConnectedDrive Store.

    BMW acted quickly on this finding and has sent out an update to address it. According to their press release, the update is carried out automatically as soon as the vehicle connects to the BMW Group server, and it can also be triggered manually. The statement says that the patch increases the security of data transmission in their vehicles, including encrypting the data sent from the car via HTTPS. Details about the actual security flaws and the patching process have not been published.

    (Theoretically) Hacking a Connected Vehicle?

    We should not jump to conclusions about the actual exploitability of these vulnerabilities before the full details are known. The reported BMW ConnectedDrive security flaws raise a few questions:

    • How often is a connection to the BMW server made automatically?
    • Wasn’t HTTPS already in use since 2010? If so, why wasn’t it enabled for the data sent and received via ConnectedDrive over GSM? What kind of information could an attacker with their own GSM base station have obtained?
    • Does HTTPS mean SSLv3, or TLS 1.0/1.1/1.2? Does this mean the BMW Group server was not authenticated by the car before (i.e. was its certificate verified)? If not, could a malicious “firmware” update have entered a BMW car in the meantime?
    • And if the update is silent, how would the car owner know that the vulnerability was fixed? Does this mean the owner has no control over what updates BMW performs on this system?

    Getting answers to these questions would definitely shed more light on the severity of the vulnerabilities.
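As an added illustration that is not part of the original post and is not BMW’s code, the following Python snippet shows what the HTTPS questions above come down to on the client side: a TLS client context that refuses anything below TLS 1.2 and verifies the server certificate and hostname, next to a context that does neither, and a small audit that flags the weak settings. The telematics client, its server and the update mechanism are not modelled here; only the TLS configuration is, and the use of the operating system trust store is an assumption (a real telematics client would more likely pin the backend’s own CA).

```python
import ssl

# Added example (not BMW's code): what "uses HTTPS" should mean for a client
# that talks to a backend over an untrusted carrier network, and a check that
# catches the two weak cases raised above: old protocol versions still
# accepted, and the server certificate never verified.


def strict_client_context() -> ssl.SSLContext:
    """Client context that only speaks TLS 1.2 or newer and verifies the
    server certificate and hostname against the system trust store
    (assumption: the system store is the right anchor for this client)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_default_certs()
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The kind of "HTTPS" the questions above worry about: whatever protocol
    version the library still speaks (TLS 1.0 included on older builds), and
    no certificate check at all, so a rogue GSM base station that redirects
    the connection to its own server is never noticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context answers the
    three questions (protocol version, server authentication, hostname)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS < 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    return findings


if __name__ == "__main__":
    for name, ctx in (("strict", strict_client_context()),
                      ("weak", weak_client_context())):
        print(name, audit_context(ctx) or "ok")
```

Note that a context that passes this audit still only authenticates the server; it says nothing about whether the update the server delivers is signed, which is the separate question raised in the third bullet.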

    Now, moving from GSM to Wi-Fi, I will use Skoda as an example for a theoretical hacking scenario, without an actual analysis. Skoda, a Czech carmaker owned by the Volkswagen Group, recently introduced SmartGate, a feature that allows certain apps to download car data over Wi-Fi.

    The Skoda SmartGate system contains what is in effect a Wi-Fi router that devices can connect to in order to access car data. The default password is the vehicle identification number (VIN) of the car, which in some countries can easily be read through the front window. However, the Wi-Fi is only on when the ignition is on, and SmartGate is optional equipment, i.e. you have to pay extra for it when buying the car.

    According to the owner’s manual (specifically on pages 100-1001), the Wi-Fi network name is “SmartGate_<last-six-digits-of-VIN>”. SmartGate seems to run a web server at http://192.168.123.1/ which provides information about the car and allows some configuration of the SmartGate system. For example, it allows changing the default Wi-Fi password, but the password seems to accept only letters (A-Z) and numbers (0-9); the minimum length is 8 characters and the maximum length is 17. This follows the specification of a VIN, which cannot be longer than 17 characters (given that a WPA/WPA2 passphrase can be up to 63 characters, this is a rather short password drawn from a small character set). Note also that the network name itself reveals the last six characters of the VIN, so anyone who sees the beacon already holds part of the default password. SmartGate seems to allow connections without any password if security is set to “open”, but we strongly advise against doing so.

    To locate the car you’re interested in, you can wait until the driver turns on the ignition and see whether the Wi-Fi network comes up. Or you simply ask erWin, the Electronic Repair and Workshop Information service from Skoda Auto, which can show the complete configuration (the full list of equipment) of a car when you enter its VIN.

    You need to be registered for that, and querying the system for an hour costs 5 EUR. And of course, you need to be in range of that particular car. So is stalking a Skoda car for fun and (probably no) profit something to worry about? It is theoretically possible.
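To put numbers on the SmartGate defaults described above, here is an added Python example; it is not Skoda’s code and not from the original post. It derives the network name from a VIN the way the manual describes, applies the password rule the post quotes (8-17 characters, A-Z and 0-9), computes the WPA2 pairwise master key that an attacker with a captured handshake would have to guess (the standard PBKDF2-HMAC-SHA1 derivation salted with the SSID), and estimates how much of a default VIN password is left to guess once the SSID has been seen. The VIN alphabet (ISO 3779 never uses I, O or Q) is a fact; the sample VIN is made up and does not belong to any real vehicle.

```python
import hashlib
import math
import string

# Added example (not Skoda's code): what the SmartGate defaults mean for an
# attacker who can see the Wi-Fi beacon. Sample VIN below is constructed.

VIN_LEN = 17
VIN_ALPHABET = "ABCDEFGHJKLMNPRSTUVWXYZ0123456789"   # ISO 3779: no I, O, Q (33 symbols)
UI_ALPHABET = string.ascii_uppercase + string.digits  # what the password field accepts (36)
SSID_PREFIX = "SmartGate_"
SSID_SUFFIX_LEN = 6
SAMPLE_VIN = "TMBZZZ5JZC0123456"                     # constructed, not a real vehicle


def smartgate_ssid(vin: str) -> str:
    """Network name as the manual describes it: prefix plus the last six VIN characters."""
    return SSID_PREFIX + vin[-SSID_SUFFIX_LEN:]


def password_accepted(pw: str) -> bool:
    """Password rule as quoted in the post: 8-17 characters from A-Z and 0-9 only."""
    return 8 <= len(pw) <= 17 and all(c in UI_ALPHABET for c in pw)


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal pairwise master key (IEEE 802.11i): PBKDF2-HMAC-SHA1
    over the passphrase, salted with the SSID, 4096 rounds, 256 bits. This is
    the value an attacker tests candidate passwords against after capturing
    the 4-way handshake; the handshake check itself is not modelled here."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, 32)


def default_password_search_bits(ssid: str) -> float:
    """Work left to guess a default (VIN) password after reading the SSID:
    only the VIN characters not echoed in the network name are unknown."""
    known = len(ssid) - len(SSID_PREFIX)
    return (VIN_LEN - known) * math.log2(len(VIN_ALPHABET))


def full_policy_search_bits() -> float:
    """Keyspace of the strongest password the web UI allows (8-17 of A-Z0-9)."""
    return math.log2(sum(len(UI_ALPHABET) ** n for n in range(8, VIN_LEN + 1)))


def wpa_max_passphrase_bits() -> float:
    """For comparison: 63 printable-ASCII characters, the WPA2 passphrase maximum."""
    return 63 * math.log2(95)


if __name__ == "__main__":
    ssid = smartgate_ssid(SAMPLE_VIN)
    print("SSID:", ssid)
    print("default password accepted by UI rule:", password_accepted(SAMPLE_VIN))
    print("PMK:", wpa2_pmk(SAMPLE_VIN, ssid).hex())
    print("bits left to guess with VIN default: %.1f" % default_password_search_bits(ssid))
    print("bits for best UI-allowed password:   %.1f" % full_policy_search_bits())
    print("bits for a 63-char WPA2 passphrase:  %.1f" % wpa_max_passphrase_bits())
```

With the VIN as password, roughly 55 bits remain unknown after the SSID is observed, and far less if the attacker also knows the manufacturer and model-year positions of the VIN or simply reads it through the windscreen; changing the password is the obvious fix, and even the UI’s own 17-character limit gives about 88 bits, against some 414 bits for a full-length WPA2 passphrase.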

    Conclusions

    While we’re on this topic, let me mention two other things that came to mind when reading the story about BMW ConnectedDrive:

    First, like most other industries, the automotive world is moving away from dedicated/specialized/closed networks and bus systems (like the CAN bus) to Ethernet/IP-based networks within the car. In the past, the car was completely “isolated”; think of an island with no connection to the outside world. Nowadays, the car is connected to the outside world via GSM and IP. You can see this on slide 8 of the official BMW presentation titled Ubiquitous Networking In- and Outside The Vehicle With Ethernet & IP.

    Secondly, in the past the radio was just a “stupid” radio. Modern infotainment systems, by contrast, are computers as well (and are, of course, more or less integrated into the car network). Did you know that the Mazda Connect infotainment system allows you to connect to it via SSH, even as the “root” user? The password jci seems to be the lower-case initials of Johnson Controls Inc., the OEM for Mazda’s Connect infotainment system.

    The modern car is not just a mechanical machine, it is also a computer that is online as much as a smartphone or PC is. Therefore, it is something that users will have to protect moving forward, and car manufacturers should move to secure their products before any real-world attacks become apparent.

    Update as of February 6, 2015, 07:12 AM PST

    This blog entry was written when the full details were not yet released to the public. Full details on the BMW ConnectedDrive vulnerabilities are available now at the following link: http://www.heise.de/ct/artikel/Beemer-Open-Thyself-Security-vulnerabilities-in-BMW-s-ConnectedDrive-2540957.html

    Update as of February 7, 2015, 9:42 PM PST

    Note that modifications have been made to this entry. We added a paragraph detailing the owner’s manual for clarification.

     
    Posted in Internet of Things



    This is the third (and last) in a series of posts looking at the threats surrounding smart grids and smart meters. In the first post, we introduced smart meters, smart grids, and showed why these can pose risks. In the second post, we looked at the risks of attacks on smart meters.

    In this post, we’ll look at the risks when smart grids are attacked. Smart grids pertain to an electric grid with digital information/communication capabilities for recording information on both consumers and suppliers. What differentiates an attack on a smart grid from an attack on a smart meter? Simply put, scale: an attack on a smart grid affects many more users than an attack on an individual meter. The potential for damage is proportionately much more significant.

    However, this also means that the attack surface is different. Not only can the smart meters be attacked, but the servers at the utility that controls the smart meters can also serve as an attack vector. However, these servers can also be defended with tools used to defend against targeted attacks.

    Perhaps the most obvious smart grid attack scenario would be: extortion. An attacker would take control of the smart grid in order to disrupt the provided services. The attacker might even choose to “update” the firmware on the devices if they choose to, making the attack more difficult to completely mitigate. Either way, the goal of the attacker would be to cause disruption in the service in order to get money out of the local utility company or government. Alternately, the chaos itself may be the goal, either for political reasons or to distract local law enforcement from other crimes going on at the same time.

    A slightly more subtle attack against the smart grid would be a denial of service attack. How would the smart grid cope with corrupt data? The data can be completely corrupt (incorrect format and content), or it can have the correct format but incorrect or corrupt content. Either way, just as buffer overflows do in other software, vulnerabilities in the utility’s servers may pose a risk to the grid as a whole.

    Figure 1. Denial of service attack targeting an entire grid
    (A screenshot from our video highlighting attack scenarios)

    An attack with less dire consequences would be meter tampering. It is very possible for smart meters to be tampered with – in fact, it’s already happened in Malta. As all the reading is “electronic”, it’s trivially easy to modify the readings of the meters. Modify the reading too much and the discrepancy becomes too obvious, but a small modification might not raise eyebrows much.
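The two scenarios above, corrupt data reaching the utility’s servers and readings that have been quietly adjusted, call for checks on the ingestion side. The following Python example is added here and is not from the original post or any utility’s software: it parses a constructed stream of meter readings (JSON, one per line), rejects lines that are not JSON or that are well-formed but carry the wrong fields or types, then checks each accepted reading against the last one from the same meter for physical plausibility (a cumulative register cannot run backwards, and consumption cannot exceed what the supply can deliver in the interval). The message format, the 23 kW supply limit and the sample lines are assumptions made for the example. The last function shows the grid-level counterpart to the “small modification” problem: a single understated meter passes every per-meter check, but the energy delivered on a feeder still has to match the sum of the meters on it.

```python
import json
from datetime import datetime, timezone

# Added example (not from the post): head-end ingestion checks for corrupt
# or implausible readings, plus an energy-balance check for small tampering.
# Message format, supply limit and sample data are assumptions for this example.

SERVICE_LIMIT_KW = 23.0   # assumed 100 A single-phase supply at 230 V

# Constructed sample, one JSON object per line: two good readings, a register
# that runs backwards, an impossible jump, a wrong type, a non-JSON line and
# a missing field.
SAMPLE_LINES = """
{"meter_id": "M-1001", "ts": "2015-04-01T00:00:00Z", "kwh_total": 12000.0}
{"meter_id": "M-1001", "ts": "2015-04-01T00:15:00Z", "kwh_total": 12000.4}
{"meter_id": "M-1001", "ts": "2015-04-01T00:30:00Z", "kwh_total": 11999.0}
{"meter_id": "M-1001", "ts": "2015-04-01T00:45:00Z", "kwh_total": 12950.0}
{"meter_id": "M-1001", "ts": "2015-04-01T01:00:00Z", "kwh_total": "12001"}
this is not JSON at all
{"meter_id": "M-1001", "ts": "2015-04-01T01:15:00Z"}
""".strip().splitlines()


def parse_reading(line):
    """Return (meter_id, ts, kwh_total) or raise ValueError with a short reason.
    Well-formed JSON with the wrong shape is rejected just like non-JSON."""
    try:
        obj = json.loads(line)
    except ValueError:
        raise ValueError("malformed")
    if not isinstance(obj, dict) or not {"meter_id", "ts", "kwh_total"} <= obj.keys():
        raise ValueError("schema")
    kwh = obj["kwh_total"]
    if isinstance(kwh, bool) or not isinstance(kwh, (int, float)) \
            or not isinstance(obj["meter_id"], str):
        raise ValueError("schema")
    try:
        ts = datetime.strptime(obj["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        raise ValueError("schema")
    return obj["meter_id"], ts, float(kwh)


def validate_stream(lines, limit_kw=SERVICE_LIMIT_KW):
    """Accept readings that parse and are physically plausible against the last
    accepted reading of the same meter. Returns (accepted, rejected), where
    rejected is a list of (line_number, reason). Rejected readings do not
    advance the per-meter state, so one bad line cannot poison the next check."""
    accepted, rejected, last = [], [], {}
    for n, line in enumerate(lines, 1):
        try:
            meter, ts, kwh = parse_reading(line)
        except ValueError as err:
            rejected.append((n, str(err)))
            continue
        if meter in last:
            prev_ts, prev_kwh = last[meter]
            hours = (ts - prev_ts).total_seconds() / 3600.0
            if hours <= 0:
                rejected.append((n, "out_of_order"))
                continue
            if kwh < prev_kwh:                      # cumulative register cannot run backwards
                rejected.append((n, "register_decrease"))
                continue
            if kwh - prev_kwh > limit_kw * hours:   # more energy than the supply can deliver
                rejected.append((n, "exceeds_service_limit"))
                continue
        last[meter] = (ts, kwh)
        accepted.append((meter, ts, kwh))
    return accepted, rejected


def feeder_balance_ok(feeder_kwh, customer_kwh, loss_tolerance=0.05):
    """Energy balance for one feeder: what the upstream feeder meter delivered
    must equal the sum of the customer meters on it, within technical losses
    (5% assumed). A sustained gap points at tampering or theft that no
    single-meter check can see."""
    return abs(feeder_kwh - sum(customer_kwh)) <= loss_tolerance * feeder_kwh


if __name__ == "__main__":
    ok, bad = validate_stream(SAMPLE_LINES)
    print("accepted:", len(ok))
    for line_no, reason in bad:
        print("rejected line %d: %s" % (line_no, reason))
    print("feeder balance:", feeder_balance_ok(1000.0, [300.0, 350.0, 330.0]))
```

The per-meter limits only catch gross corruption; a reading shaved by a few percent passes them by design, which is exactly the point the paragraph above makes. That is why the feeder-level reconciliation matters: the tolerance has to cover real line losses, so it is a detection over time rather than a hard reject, but it is the check that turns many small, individually plausible understatements into a visible discrepancy.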

    We raise these scenarios not because we want to frighten people, but to raise awareness against them. It is possible to defend against these attacks – by designing the systems with security in mind, by ensuring that the appropriate custom defense solutions are in place, etcetera. However, these can only be put in place if people recognize that the threat does exist.

    You can read the previous blog posts on smart meters here:

    For more information on the security risks and how to secure smart devices, visit our Internet of Everything hub which contains our materials that discuss this emerging field.

     
    Posted in Internet of Things, Vulnerabilities



    In our previous post, we looked at how smart meters were being introduced across multiple countries and regions, and why these devices pose security risks to their users.

    At their heart, a smart meter is simply… a computer, built from the same kinds of parts as our existing computers, whether PCs, smartphones, tablets, or embedded devices. Similarly, smart meters communicate via well-understood technologies: cellular connectivity, power-line networking, or the user’s own Internet connection. The threats that apply to those computers and networks apply here too.

    With that in mind, we have to consider the possible threats – what could happen if a smart meter is compromised? Similarly, what are the problems that could result if the connectivity of a smart meter is disrupted? Let us see.

    Perhaps the most obvious risk is simple: meter tampering. If a smart meter can be hacked, inaccurate information can be sent back to the utility, allowing an attacker to adjust the reading and resulting in an inflated bill. Let’s say, for example, that you have an argument with your neighbor. In revenge, if he can access your smart meter, you might see a rather large electric bill.

    Figure 1. Hacking a neighbor’s smart meter
    (A screenshot from our video highlighting attack scenarios)

    Of course, the bill can also change in the opposite direction. Let’s say you’re engaged in certain activities that require high levels of electricity… altcoin mining, for example. The biggest running cost for such an operation would be the electric bill. The smart meter could be hacked to have a lower reading – or, perhaps, in a location with time-varying electric rates, to make it look like the electricity was used at off-peak times?

    What are some other threats at the local, “retail” level when it comes to smart meters? Crime gangs (with smarts) may well find uses for smart meters too. Power savings are frequently promoted as a benefit of smart meters. However, power consumption is also a good way of checking whether someone is at home or not.

    Let’s say that a vulnerability made it easy for somebody other than the homeowner or the utility to see what the power usage was. (It could be as easy as a poorly-designed API, mobile app, or website.) The smart meter would then essentially become a giant “please rob me” sign for properly equipped thieves.

    Alternately, if that smart meter can be controlled remotely, you now have an excellent way to carry out extortion. Such a nice house you have there, it’d be shame if anything bad happened to its power…

    The connectivity of the smart meters can also be a security risk. Some meters use the cellular network to provide the connection to the main servers of their utility. The utility would, of course, be paying for the bills of these meters. A truly determined person could abuse this “free” phone to make calls, send text messages, even connect to the Internet.

    Alternately, the smart meter may use the same Internet connection as the home. This represents a potential risk: if somebody was able to hack the smart meter from the outside, then that attacker would have access to the house’s internal network. This would put your own internal network at risk of attack; it would be as dangerous as letting anyone connect to your home network.

    None of the above attacks are inevitable. You can build defenses against all of them. However, it is inevitable that somewhere, somehow, the defenses will fail. These attacks are possible, and we will have to figure out how to defend against them, especially once smart meters become more prevalent.

    All of the attacks I discussed above are essentially small-scale, however. What happens when you look at the security of not just individual meters, but the smart grid as a whole? That’s what we will discuss in the third post in this three-part series on smart meters and smart grids.

    You can read parts 1 and 3 of this blog series here:

    For more information on the security risks and how to secure smart devices, visit our Internet of Everything hub which contains our materials that discuss this emerging field.

     



    While wearable personal technology may be the most “public” face of the Internet of Everything, the most widespread use of it may be in smart meters.

    What is a smart meter, exactly? It’s a meter for utilities (electricity, gas, or water) that records the consumption of the utility in question, and transmits it to the utility provider via some sort of two-way communication method. (Examples of these methods include a wireless mesh network, power line networking, or a connection to the user’s own Internet service.) Unlike simple home monitors, smart meters can collect data for remote reporting to the utility.

    One smart meter in isolation has limited uses. However, if the majority of meters in an area are now “smart”, the utility is able to reap large benefits. With the added information provided by large numbers of smart meters, a utility can adjust their services as needed to improve the efficiency, reliability, costs, and sustainability of their services.

    Deployment and Usage

    Some may think that smart meters are more theoretical than anything else. However, they are already in widespread use in some countries, and it is easy to see how in the next few years they will become even more widespread.

    Let me talk about the part of the world I know – Europe. For example, the former Italian electric monopoly, Enel, has rolled out smart meters to almost all of its 36 million customers. In addition, Enel has deployed a remote management system known as Telegestore, which allows the utility to carry out actions via the smart meter that would otherwise require a physical visit. 330 million meter readings and over a million other operations were carried out remotely, making this easier for both customers and Enel. Enel also owns 92% of the Spanish utility firm Endesa, and is rolling out similar products in that market.

    Italy and Spain are not the only countries in Europe leading the way in smart meter adoption. Other countries identified by the European Union as being “dynamic movers” in smart meters include Estonia, Finland, France, Ireland, Malta, the Netherlands, Norway, Portugal, Sweden, and the United Kingdom. In these countries, regulators and utilities are both making the necessary steps to move forward with smart meter adoption.

    Technical Standards and Risks

    There are a diverse number of industry groups and protocols promoting smart meter technology. In part, this reflects the varying ways that smart meters are deployed and used: for different applications, different technology may be needed. However, this also means that there is a wide variety of technical standards used in smart meters.

    Other such niche devices, such as home automation equipment and Internet routers, have proven to have serious security risks. It’s one thing for, say, a light switch to have some sort of vulnerability. It’s another thing for utility meters and controls to have vulnerabilities. Smart meters and smart grids have not yet been fully tested and vetted for potential security risks; we have to consider the potential scenarios if these devices are proven to have flaws, as some of them inevitably will.

    The video below highlights some of these potential scenarios. In future blog posts, we will look into some of these scenarios in some detail and discuss the circumstances that can lead into these issues.

    You can read parts 2 and 3 of this blog series here:

    For more information on the security risks and how to secure smart devices, visit our Internet of Everything hub which contains our materials that discuss this emerging field.

     



    Black Hat Europe is a series of highly technical security conferences that gathers professionals, researchers, and leaders of the infosec industry. Below are some of my thoughts about the interesting discussions I attended, which include a compelling talk by Trend Micro threat researcher Kyle Wilhoit about ICS/SCADA.

    Day 1

    My colleague Kyle and I joined the first session of the full-day vehicle networks workshop, in which Robert Leale of www.canbushack.com gave a nice introduction to the controller area network (CAN) bus and other bus systems, covering the basic types of networks found in modern vehicles. I then went to the talk “Let’s Play – Applanting” by Ajit Hatti, co-founder of the “null - Open security community,” where he described an attack that silently installs an app on a user’s device (this has already been fixed by Google). As it turns out, a lot of people in India use their smartphones for online banking.

    “XML out-of-band data retrieval” from Alexey Osipov and Timur Yunusov, which I attended later, showed how to retrieve data from an internal machine and network through several web applications.

    Because I own a Huawei USB UMTS/4G stick, I went to the talk “Huawei – From China with Love” from Nikita Tarakanov and Oleg Kupreev. From the discussion, I gathered that the software (available for Windows and Mac) seems to be a mess, security-wise.

    In one of the better talks of the day, Tobias Jeske presented the results of his research on floating car data from smartphones, based on Google Navigation and Waze. For his research, he reverse engineered the protocols with a MITM proxy and the source code, and then explained the several possible attacks that can be launched.

    Day 2

    The first talk of the day was “The Sandbox Roulette”, which we can summarize as: “for an application sandbox (Sandboxie, Chrome, Adobe X) the weakest link is the Windows kernel; a hypervisor sandbox is more secure than an application sandbox.”


     
    Posted in Bad Sites


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice