Tesla Cars Hacked through Mobile App

‘Tis the season for giving, but Tesla may be offering more than what was originally planned.

If you’re a hacker, and you want a new Tesla car for the holidays, all you have to do is access the company’s smartphone app.

New research shows that Tesla cars can be stolen by hacking the company’s smartphone app.

Tesla Cars Vulnerable
According to SCMagazineUK, Norwegian app security firm Promon has demonstrated through research that cyber-criminals could take control of Tesla vehicles, to the point where they can locate, unlock and drive the car away unhindered. Such a hack, possible by exploiting a lack of security in their smartphone app, gives criminals total control of the vehicle, providing additional functionality to that exposed by Keen Security Labs in a different hack in late September.

This is all done by attacking and taking control of the Tesla app. This underlines the vital importance of app security, and the wider implications this could have for IoT-connected devices in general. (IoT refers to the ever-growing network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other internet-enabled devices and systems.) Most people understand the importance of online website security – and only visiting sites that constantly check for vulnerabilities, but few consider the potential issues with mobile security.

Tom Lysemose Hansen, founder and CTO at Promon, said: “Keen Security Labs’ recent research exploited flaws in the CAN bus systems of Tesla vehicles, enabling them to take control of a limited number of functions of the car. Our test is the first one to use the Tesla app as an entry point, and goes a step further by showing that a compromised app can lead directly to the theft of a car.”

One way for the hack to work is for cyber-criminals to set up a Wi-Fi hotspot close to a public Tesla charging point. When Tesla users log in and visit a page, an advert targeting car owners appears, offering an incentive such as a free meal. When clicking this link and downloading the accompanying app, hackers can gain access to the user’s mobile device, which enables them to attack the Tesla app.

According to Hansen, the ease with which any tech-savvy criminal can steal a Tesla car in this way is indicative of a need for a much greater focus on in-app security across all IoT-connected devices and applications. “Mobile-focused criminals are more skilled than ever before and are using a lack of security in mobile apps as an increasingly lucrative source of revenue. Remotely controlling and stealing Tesla cars is a particularly dangerous example of just what can be done, but in theory, any app without the necessary protection in place could be affected.

“One way to achieve this is by introducing self-defending app software that protects the app from the inside out, greatly reducing the possibility of a cyber-attack. By moving away from having a physical car key to unlock the door, Tesla is basically taking the same step as banks and the payment card industry. Physical tokens are replaced by ‘mobile tokens’. We strongly believe that Tesla and the car industry needs to provide a comparable level of security, which is certainly not the case today.”

Hansen concluded: “Tesla is a shining example of how technological advances are providing unprecedented levels of innovation and user convenience. However, our increasingly app-focused world needs to be urgently secured, to prevent criminals from seizing their opportunity on a large scale.”

 

Special thanks to SCMagazineUK.com for providing much of the content for this article.

Top Three Cyber Security Tips

Ryan Collins, 36, of Lancaster, Pennsylvania, was sentenced on Thursday to 18 months in prison for his role in leaking private nude photos of celebrities he found by illegally accessing their Google and Apple accounts.

He is one of three men who have been convicted of leaking private celebrity photos, and is personally responsible for illegally accessing more than 100 accounts, prosecutors said. In total, the nude photo leak investigation included over 600 victims.

Cyber Security

Between November 2012 and September 2014, Collins pulled off a carefully targeted cyber security attack known as spear phishing. He sent targeted emails to his victims purporting to be from Apple and Google that seemed legitimate and tricked his high-profile targets into handing over their usernames and passwords, according to the U.S. Attorney for the Central District of California.

Once Collins had his target’s username and password, he was able to access their private accounts, steal their photos and in some instances, according to prosecutors, download full backups from the iCloud.

Sometimes, even for celebrities, it is hard to tell if an email is legitimate or not.

Here are some key cyber security tips:

  1. If you receive a suspicious email from a place where you have an account, never click on any links inside of it. Instead, go to the specific service provider’s website and log in from there. You can also make a quick phone call. In any case, most companies will not ask for your username or password through an email.
  2. Once you get to the website, use different passwords for different accounts, and switch passwords often – for banks every three months at least. If you have different passwords and one account gets hacked, the other accounts should be OK.
  3. If you feel confident about opening a link in a non-business-related email – even if it appears to be from a friend – always hover over the link first to see where the link is going before clicking on it. Your friend’s email account may have been hacked.

You could fork out $14,000 or so for a military-grade-secure smartphone to help thwart hackers — but a little cyber security know-how will certainly cost a lot less. There are many, many more hackers just like Mr. Collins who haven’t been caught. Let’s do everything we can to keep them away from our personal, private information.

 

Special thanks to NBC News for their article on the subject.

Fingerprints to Improve Email & Online Security

Fingerprints are set to point the way to better email and online security.

Deloitte says that touch technology will rescue consumers from password overload. The need to remember huge numbers of online passwords may be replaced by using fingerprints to unlock not just smartphones but also websites and services, according to a new report.

Paul Lee, head of technology, media, and telecoms research at Deloitte, said that using fingerprints to access email, online banking, streaming services such as Spotify and Netflix and newspaper subscriptions would help consumers who may feel overwhelmed by the number of passwords they have to remember.

Companies that sell subscriptions could start to use fingerprints rather than a password login to stop illegitimate sharing of accounts. “You can share a password but not a fingerprint,” said Mr. Lee. Deloitte said that while fingerprints have taken a long time to gain traction, the technology has taken off during the past three years.

The company interviewed 4,000 people and said that 31 percent of 18-24 year-olds were using the fingerprint scanners on their phones, compared with 8 percent of those aged over 65. Deloitte predicts there will be one billion smartphones with fingerprint readers in use by the end of next year and that the technology will spread to cheaper models.

The first fingerprint reader was launched on a mobile phone almost a decade ago.

Toshiba adapted the identification function from its laptops to a little-remembered handset, the Portege G500. Motorola tried again with the Atrix 4G in 2011 before Apple’s iPhone 5s pushed the technology into the mainstream when it incorporated “Touch ID” in 2013.


But the impact of the authentication technology was not immediate, despite the hype. Mr. Lee, the author of the Deloitte Mobile Consumer Survey said that the issue for many users had been that fingerprint scanning was associated with criminality and “having your fingerprints taken”. Now non-criminals are sharing their most personal identification with total strangers.

People have dozens of online accounts. They cannot remember that many different passwords so chances are, unless they use a site like LastPass, they will use the same one. The fingerprint provides an alternative. Deloitte calculates that in the UK alone, the tips of our fingers are now read more than 100 billion times a year.

But passwords with all their varieties are here to stay for a while. The company’s research showed that 63 percent of the people it surveyed still rely on passwords and PINs to unlock their mobile phones, with a further 30 percent not bothering to lock their phones at all. With a lot of online activity happening from mobile devices, it makes sense that a fingerprint tool would increase the security of emails and need-to-be-secure websites.

Special thanks to Financial Times.

Hackers Can Access Millions of Smart Phones!

Using a malicious app, hackers could access Android-specific security vulnerabilities from Qualcomm chipsets.

Since 1993, DEF CON has been holding its annual hacker conventions in Las Vegas. At one of the largest such conventions in the world, security companies like Trust Guard share information about the security (and lack thereof) of online and mobile devices and apps. As one of the oldest such organizations, it is privy to much of the available information concerning security breaches – be they online or, more recently, mobile.

2016 was no different. This year computer security firm Check Point and its mobile threat research team revealed details of what it says are a set of “four vulnerabilities affecting 900 million Android smartphones and tablets that use Qualcomm® chipsets.” They call the set of vulnerabilities QuadRooter.

This type of extensive security problem shows how vulnerable our mobile devices are to security threats from hackers. All it takes is to download the wrong app and, often without even realizing it, our personally identifiable information will have been hacked. If you are using one of the devices listed below, we suggest you go to your phone distributor or carrier to get the patch to fix the security hole as soon as possible.

QuadRooter vulnerabilities are found in software drivers that ship with Qualcomm chipsets. The drivers, which control communication between chipset components, become incorporated into the Android “builds” that manufacturers develop for their devices. Check Point says that since the vulnerable drivers are pre-installed on devices at the point of manufacture, they can only be fixed by installing a patch from the distributor or carrier. Distributors and carriers issuing patches can only do so after receiving fixed driver packs from Qualcomm.

Some of the latest and most popular Android devices found on the market today use these Qualcomm chipsets, including:

BlackBerry Priv
Blackphone 1 and Blackphone 2
Google Nexus 5X, Nexus 6 and Nexus 6P
HTC One, HTC M9 and HTC 10
LG G4, LG G5, and LG V10
New Moto X by Motorola
OnePlus One, OnePlus 2 and OnePlus 3
Samsung Galaxy S7 and Samsung S7 Edge
Sony Xperia Z Ultra

If you are using one of the above devices, we suggest you go to your phone distributor or carrier to get the patch to fix the security hole as soon as possible. If you have a website, we recommend using Trust Guard’s security scanning software to protect your site from online cyber security threats.

This type of extensive security problem shows how vulnerable our mobile devices are to security threats from hackers. These four vulnerabilities, of course, aren’t all the vulnerabilities. And Qualcomm isn’t the only instigator of chipsets with bugs in them. For all app users, whether on Android, Apple’s iOS, or others, all it takes is to download the wrong app and, often without even realizing it, our personally identifiable information will have been hacked.

Special thanks to Sky Valley Chronicle for much of the information about the vulnerabilities found.

 

 

Five Tips to Protect Yourself from Malware

You need to know how to protect yourself from malware.

Recently, Cisco Systems tested the software of 115,000 devices for security gaps. Of these devices, 92 percent were identified as having security vulnerabilities such as malware. No wonder every time you turn around there is another tweet about somebody getting hacked. It is projected that issues will continue to increase as cyber criminals look to double their efforts to attack individuals and businesses.

Unfortunately, with these increased risks of malware attacks, if you don’t scan your website for malware and other vulnerabilities consistently, it is important for you to know if you are potentially infected. Here are some ways that could help you determine if your computer is infected with malware:

1. Unusually slow speed – Slow speed can be the first red flag noticed when a PC becomes infected with malware.

2. Unwanted browser revamps – Does your web browser look newly updated and you did not update it? This could be a potential malware hack.

3. Suspicious social media messages – These are messages that appear to have been sent from your social media accounts to friends, which could include malicious links.

4. Computer crashes and/or program problems – Typically, we think it could be a small technical issue causing this, but it could be something much bigger.

5. Pop-ups, pop-ups, pop-ups – The most common form of adware; however, these could also include ill-intended links.

So what can you do to prevent malware? If you already have an anti-virus program, make sure it is enabled. There are times when the anti-virus program could become unintentionally disabled, leaving your PC completely unprotected. Also, you will want to be sure to check your firewalls, as well as ensure your PC is up-to-date with all software updates. For your website, you’ll want to run periodic vulnerability scanning to inform you of security risks that need to be resolved in order to keep hackers away.

FBI Asks Apple to Create Hacker-Friendly Software

By now you have heard about the potentially dangerous security issues that could arise should Apple do as requested by the FBI and build new software, a backdoor into the iPhone – specifically built to break the encryption system which protects the personal information of every iPhone user.

Bruce Sewell, Apple’s chief lawyer, said in his statement to a congressional committee today that “the FBI is asking Apple to weaken the security of our products. Hackers and cyber criminals could use this to wreak havoc on our privacy and personal safety. It would set a dangerous precedent for government intrusion on the privacy and safety of its citizens.” In essence, if Apple creates this software, our private information would be vulnerable to the government if we deserve it and to hackers if we don’t. To the iPhone user, having Apple create the software is a lose-lose situation. Aren’t hackers doing enough damage online? It’s hard enough for business owners to scan their sites for vulnerabilities that might be accessible to hackers. Such scans, now required to achieve Payment Card Industry (PCI) compliance, ensure our security as consumers as well as the safety of the business owner’s proprietary content. If Apple creates the requested software, no one will be safe from the possibility of getting their phone hacked into.

When this all started, the FBI argued that all it wanted was access to one little iPhone – but an important iPhone – as it belonged to a terrorist. But if that was the case, it isn’t the case now. Sewell reminded people of this in his opening statement, saying that “building that software tool would not affect just one iPhone. It would weaken the security for all of them.” He continues, “the US government has spent tens of millions of dollars through the Open Technology Fund and other US government programs to fund strong encryption. The Review Group on Intelligence and Communications Technology, convened by President Obama, urged the US government to fully support and not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software.” Encryption is necessary. App developers and app users alike welcome it as our last-ditch effort to keep our privacy and security safe. Sewell says that Apple has “been using it in our products for over a decade. As attacks on our customers’ data become increasingly sophisticated, the tools we use to defend against them must get stronger too. Weakening encryption will only hurt consumers and other well-meaning users who rely on companies like Apple to protect their personal information.”

Forcing Apple to create this software could damage the security of our freedoms and liberties we hold so dear and make us even more vulnerable to thieves and terrorists. Mandating a backdoor encryption software is a very bad idea. It would just give hackers one more income stream and give government even more access into our personal lives.
