The problem affects BMW, Mini and Rolls Royce models that come equipped with ConnectedDrive, a technology that lets car owners access the internet, navigation and other services via a SIM card installed directly in the vehicle.
Security experts were able to set up a fake mobile phone base station, intercept the network traffic from the car, and use what they learned to send the car commands telling it to lower the windows or open the doors.
Other boffins working for German automobile association ADAC discovered the security vulnerabilities and the potential for vehicles to be broken into last summer, but kept quiet about them until now to give BMW a chance to produce a fix.
Hackers would only need a few minutes to open a car from outside, without leaving any physical trace of unauthorised entry – which is a lot better than a brick through the window or a bent coat hanger.
BMW issued a statement to the press congratulating itself on its rapid response and on how it is “increasing the security of data transmission in its vehicles” in response to what it describes as the “potential security gap” in ConnectedDrive.
The vulnerability revolved around the insecure transmission of data, as the patch rolled out by BMW appears to have enabled HTTPS. Since HTTPS is the minimal sort of security you would expect from any online transaction, you would have thought BMW would have used it from the start.
The fact that BMW still took half a year to work out a fix and roll it out indicates that it has not really thought this whole security thing through yet.
Still, it is likely that we will see a lot more of these sorts of patches being rolled out for cars. In the old days you could open a Mini with a fork.
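The point of the HTTPS fix above is that a command sent over a network the attacker controls (a rogue base station sits in the path of everything the SIM sends) must be bound to a trusted sender, or any hop can rewrite or replay it. The following is an added illustration, not BMW's code or protocol: it models that property with a shared-key HMAC and a monotonic counter instead of TLS, and the shared key, message format and the "hostile hop" function are all constructed assumptions. TLS with certificate verification additionally gives confidentiality and key agreement, which this toy does not attempt.

```python
import hashlib
import hmac
import json

# Constructed shared secret. In a real deployment it would be provisioned per
# vehicle out of band (or replaced entirely by a TLS session). It is an
# assumption of this example, not anything from BMW's system.
SHARED_KEY = b"example-vehicle-key-not-real"


def pack_plain(command: str) -> bytes:
    """Weak design: the command travels as plain JSON with nothing tying it
    to a trusted sender, so any network hop can rewrite or replay it."""
    return json.dumps({"cmd": command}).encode()


def plain_receiver(message: bytes) -> str:
    """A receiver with no integrity check acts on whatever arrives."""
    return json.loads(message)["cmd"]


def pack_authenticated(command: str, counter: int, key: bytes = SHARED_KEY) -> bytes:
    """Hardened design: the body carries a monotonic counter and is bound to
    the key with an HMAC-SHA256 tag appended after a '|' separator."""
    body = json.dumps({"cmd": command, "ctr": counter}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class AuthenticatedReceiver:
    """Accepts a command only if the tag verifies and the counter advances."""

    def __init__(self, key: bytes = SHARED_KEY) -> None:
        self.key = key
        self.last_counter = 0

    def handle(self, message: bytes):
        body, sep, tag = message.rpartition(b"|")
        if not sep:
            return None  # malformed: no tag at all
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return None  # modified or forged in transit
        data = json.loads(body)
        if data["ctr"] <= self.last_counter:
            return None  # a captured copy of an old command (replay)
        self.last_counter = data["ctr"]
        return data["cmd"]


def hostile_hop(message: bytes, new_command: str) -> bytes:
    """Simulates an untrusted network segment that rewrites the command
    field of whatever passes through it (constructed for the demo)."""
    body, sep, tag = message.rpartition(b"|")
    data = json.loads(body if sep else message)
    data["cmd"] = new_command
    rewritten = json.dumps(data, sort_keys=True).encode()
    return rewritten + b"|" + tag if sep else rewritten


def demo() -> dict:
    """Runs the same rewrite and replay against both designs."""
    results = {}
    # Plain channel: the rewritten command is accepted as if it were genuine.
    results["plain"] = plain_receiver(hostile_hop(pack_plain("lock"), "unlock"))
    # Authenticated channel: the same rewrite fails the tag check.
    rx = AuthenticatedReceiver()
    results["auth_tampered"] = rx.handle(hostile_hop(pack_authenticated("lock", 1), "unlock"))
    # The genuine message is accepted once...
    genuine = pack_authenticated("lock", 1)
    results["auth_genuine"] = rx.handle(genuine)
    # ...and sending the captured copy again is rejected as a replay.
    results["auth_replay"] = rx.handle(genuine)
    return results


if __name__ == "__main__":
    print(demo())
```

The counter is what stops a recorded "open the doors" message from being useful later; the tag is what stops a rewritten one from being accepted at all. Neither helps if the key is extractable from the vehicle, which is the part a real design has to solve with provisioning and hardware protection.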
Todor Donev, a member of the Ethical Hacker research team, says that the vulnerability lies in the ZynOS firmware of D-Link’s DSL-2740R ADSL modem/wireless router.
The firmware is used in gear made by D-Link, TP-Link Technologies and ZTE.
The flaw allows attackers to access the device’s web administration interface without authentication and, through it, to modify the DNS settings, which could let them redirect users to malware-laden and phishing sites and prevent them from reaching legitimate sites for OS and software updates (including security software).
Donev released exploit code for the flaw in a security advisory and said that it could be exploited remotely if the device’s interface is exposed to the Internet.
It is not the first time that the firmware has been found a little holey. In March 2014, Internet security research organization Team Cymru uncovered a global attack campaign that compromised over 300,000 home routers and changed their DNS settings. A different vulnerability in ZynOS was exploited in that attack and one of the techniques used was likely CSRF.
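Both the Donev flaw and the 2014 campaign end the same way: the router's upstream resolvers are silently swapped. The one check that catches that, regardless of which bug was used, is comparing the configured resolvers against the ones the ISP or organisation actually hands out. The following is an added example and not code from Donev's advisory or from any vendor; the config line format, the allowlist and the three sample routers are all constructed, and the check also flags the condition the advisory singles out, an admin interface exposed to the WAN.

```python
import ipaddress

# Constructed allowlist using RFC 5737 documentation addresses: in practice,
# the resolvers your ISP or internal DHCP server is known to hand out.
TRUSTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed sample: configuration dumps from three routers, one key=value
# per line. This is a made-up format, not ZynOS's real configuration syntax.
SAMPLE_CONFIGS = {
    "router-a": "wan_dns1=192.0.2.53\nwan_dns2=192.0.2.54\nremote_mgmt=0\n",
    "router-b": "wan_dns1=198.51.100.7\nwan_dns2=192.0.2.54\nremote_mgmt=1\n",
    "router-c": "# comment line\nwan_dns1=192.0.2.53\nwan_dns2=not-an-ip\nremote_mgmt=0\n",
}


def parse_config(text: str) -> dict:
    """Turns key=value lines into a dict, skipping blanks and comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg: dict, trusted=TRUSTED_RESOLVERS) -> list:
    """Returns a list of findings; an empty list means the router looks clean."""
    findings = []
    for key in ("wan_dns1", "wan_dns2"):
        value = cfg.get(key)
        if value is None:
            continue
        try:
            ipaddress.ip_address(value)
        except ValueError:
            # A resolver that is not even an IP address is worth a look too:
            # it usually means a corrupted or hand-edited config.
            findings.append(f"{key}: unparsable resolver {value!r}")
            continue
        if value not in trusted:
            findings.append(f"{key}: untrusted resolver {value}")
    if cfg.get("remote_mgmt") == "1":
        findings.append("remote_mgmt: admin interface reachable from the WAN")
    return findings


def audit_all(configs=SAMPLE_CONFIGS) -> dict:
    """Audits every router dump and maps its name to its findings."""
    return {name: audit(parse_config(text)) for name, text in configs.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "OK" if not findings else findings)
```

The same comparison can be run from the client side against the resolver a machine actually received over DHCP; a hijacked router shows up as a resolver nobody configured, long before anyone notices that update sites have stopped loading.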
Security experts at Kaspersky Lab have discovered shared code and functionality between the Regin malware and a similar platform described in a set of Edward Snowden documents published 10 days ago by Germany’s Der Spiegel.
The link, found in a keylogger called QWERTY allegedly used by the so-called Five Eyes, leads them to conclude that the developers of each platform are either the same, or work closely together.
Writing in their blog, Kaspersky Lab researchers Costin Raiu and Igor Soumenkov said that, considering the extreme complexity of the Regin platform, there is little chance it could be duplicated by somebody without access to its source code.
They think that the QWERTY malware developers and the Regin developers are the same people, or were working together.
The Der Spiegel article describes how the U.S. National Security Agency, the U.K.’s GCHQ and the rest of the Five Eyes are allegedly developing offensive internet-based capabilities to attack the computer networks managing their adversaries’ critical infrastructure.
QWERTY is a module that logs keystrokes from compromised Windows machines; Der Spiegel said the malware is likely several years old and has likely already been replaced.
Kaspersky researchers Raiu and Soumenkov said QWERTY malware is identical in functionality to a particular Regin plugin.
Raiu and Soumenkov said within QWERTY there were three binaries and configuration files. One binary called 20123.sys is a kernel mode component of the QWERTY keylogger that was built from source code also found in a Regin module, a plug-in called 50251.
Side-by-side comparisons of the respective source code show they are close to identical and share large chunks of code.
Regin was discovered in late November by Kaspersky Lab and it was quickly labelled one of the most advanced espionage malware platforms ever studied, surpassing even Stuxnet and Flame in complexity. The platform is used to steal secrets from government agencies, research institutions, banks and can even be tweaked to attack GSM telecom network operators.
Included in the patch are critical fixes for Java SE and the Oracle Sun Systems Products Suite.
All up, this means that the update contains nearly 170 new security vulnerability fixes, including 36 for Oracle Fusion Middleware. Twenty-eight of these may be remotely exploitable without authentication, that is, over a network without a username and password.
The worst of the bugs are in Java SE, Fujitsu M10-1, M10-4 and M10-4S. In the case of Java SE, a CVSS Base Score of 10.0 was reported for four distinct client-only vulnerabilities.
Writing in the company blog, Oracle said that of the 19 Java vulnerabilities, 15 affect client-only installations, two affect client and server installations, and two affect JSSE installations.
The blog says that the lower number of Oracle Java SE fixes reflects the results of Oracle’s strategy for addressing security bugs affecting Java clients and improving security development practices in the Java development organisation.
While that might be true, the ton of patches in the rest of the software suggests that while Java is being closely watched, other bits are not.
In the case of the Oracle Sun Systems Products Suite, CVE-2013-4784 has a CVSS rating of 10.0 and affects XCP Firmware versions prior to XCP 2232. Overall, there are 29 security fixes for the suite.
The update also includes eight new security fixes for Oracle Database Server, none of which are remotely exploitable without authentication. Oracle MySQL has nine security fixes.
There are also: 10 fixes for Oracle Enterprise Manager Grid Control; 10 for Oracle E-Business Suite; six for the Oracle Supply Chain Products Suite; seven security fixes for Oracle PeopleSoft products; 17 for Oracle Siebel CRM; one for Oracle JD Edwards Products; two for Oracle iLearning; two for Oracle Communications Applications; one for Oracle Retail Applications; one for Oracle Health Sciences Applications and 11 new security fixes for Oracle Virtualisation.
The attack consists of installing rogue software within Active Directory; the malware then allows attackers to log in as any user on the domain without the need for further authentication.
It has weaknesses as an attack vector — installation requires administrator access or a flaw on the server that grants such access.
But Skeleton Key has some interesting coding which could point to something even nastier in the future. It does not actually install itself on the filesystem. Instead, it’s an in-memory patch of Active Directory which makes detection even more difficult.
Access is not logged and the malware is completely silent and, as a result, extremely hard to detect. Identifying the malware using traditional network monitoring also does not work, because Skeleton Key does not generate any network traffic.
In its current form, the malware does not survive a system reboot, which means it has to be reinstalled after every restart, but such things are possible, particularly if you have a disgruntled sysadmin.
Companies can also make the malware useless by requiring two-factor authentication to connect to servers, VPN, email and the like. So, in other words, leaning on passwords alone is pretty much suicide.
Last month, Google angered Microsoft by releasing the details of a security vulnerability ahead of Microsoft’s Patch Tuesday. Microsoft said that the patch was set to be released two days after Google went live with the details, and that Google refused to wait the extra 48 hours so that the patch would have shipped alongside the details of the exploit.
That would all be fine, but Google does not hold itself to the same standard. An exploit has been uncovered in Android 4.3 (Jelly Bean), which covers roughly 60 per cent of Android’s install base according to the Android Developer dashboard, and Google is saying that it will not patch the flaw.
The flaw, which exists in WebView, affects nearly 1 billion users, going by Google’s own numbers together with Gartner figures.
To make matters worse, Jelly Bean was first announced in June of 2012, which means that Google is dropping support for its mobile OS less than three years after it was released.
Google is clearly stating that legacy support for the OS is not on its agenda, even while phones are still being flogged with Jelly Bean under the bonnet.
The question is why, if Google is being such a bastard about its own operating system, it is so keen to throw Microsoft under the bus.
The Indian company, C-Cubed Solutions, is alleged to cold-call people, tell them their computers have had problems, and con them out of money.
The case claims that the company’s representatives say they work for Microsoft and then attempt to inveigle people into visiting websites which are infected with malware, according to the Times of India. The caller may also attempt to get remote access to a computer and ask for payment by credit card under the pretext of providing technical support.
Microsoft says it never cold-calls people and advises anyone who gets such a call never to give any information to people who claim to represent it.
The scam doesn’t only affect people in the USA – cold calls have been made to other countries including the UK, Ireland, Australia, Canada and New Zealand.