This week I’d like to revisit three topics from previous posts. All three are cases of “plus ça change, plus c’est la même chose” or “the more things change, the more they remain the same”.
I talked about car hacking in February of last year, and again later I wrote about the security issues with keyless entry. Now the issue with automobile security is the ability of hackers to start VW vehicles. There seems to be a vulnerability in the keyless entry of those cars, too. Wired has a more in-depth story on these attacks. What I find interesting is the report that for 100 million vehicles, the manufacturer used only 4 (yes, four) secret keys! The system uses an additional key from the user’s key fob, and the paper linked in the article describes how the researchers discovered each. Eavesdropping on the key fob required a $40 radio built by the researchers. That device can also be used to configure an exact copy of the user’s remote fob.
Part of the problem is the use of old technology. Security and encryption technologies have changed a lot in 20 years, as participants in Learning Tree’s System and Network Security Introduction can attest.
In another reprise from last year, researchers have found another way to retrieve data from computers not connected to a network. Instead of heat, in this case, it is noise – the noise the head actuators make when seeking from track to track on a disk drive. Gizmodo reports that researchers have been able to send about 180 bits per minute using this method. This method also requires close proximity between devices: the devices must be less than six feet apart. That does not seem too uncommon a separation between a connected and a disconnected computer.
Again, attackers must install the malicious software required to move the actuators at the speeds necessary to send the data on the sending (disconnected) victim computer. And of course, if the device uses SSDs instead of hard drives, this attack won’t work at all.
An article in Ars Technica explains that flaws in a chip from giant Qualcomm could impact almost a billion Android phone users (including me). The issues are reportedly in the firmware of the chip. It seems that firmware can be modified to patch or fix those issues, and three have already been patched.
The flaws let an attacker take control of the device via “privilege escalation”. The idea is simple. Different pieces of software – including apps – have different capabilities they are allowed to perform. For example, one app may be allowed to use the camera while another may not. If the latter could access a flaw that allowed it to access the camera, that would be an escalation of privilege. In the case of the Qualcomm flaws, the attackers can access sensitive personal information.
These issues are not really new in the sense that encryption, secondary channels, and firmware flaws are not new. The research is new, and the researchers in all three cases should be commended. Both the VW and Android attacks impact many people and businesses. In addition to “what goes around comes around”, there are two important lessons here: cyber security practices need to be updated as technology and understandings change, and fixes and patches need to be deployed as soon as is practical.
To your safe computing,