UCSD computer scientist Stefan Savage and colleagues will present their work at Usenix Security: they were able to disable the brakes on a 2013 Corvette by breaking into a Mobile Devices/Metromile Pulse dongle, used by insurance companies to monitor driving in exchange for discounts on coverage.
Uber offers insurance to its drivers through Metromile; those drivers use Metromile devices. Metromile claims it has patched all the devices, but by scanning the Internet, the researchers were able to locate thousands of vulnerable vehicles on the road today that used the Mobile Devices dongle distributed in the US by Metro Mile.
Other insurance company/automotive telematics devices, including the Snapshot (mandated by Progressive Insurance), are also vulnerable. Federal regulations require federal agencies with more than 20 vehciles in their fleets to use the devices as well.
In the Mobile Devices dongles specifically, the UCSD team found a slew of serious security bugs. The gadgets had their “developer” mode enabled, allowing anyone who scanned for the devices to access them via SSH, a common protocol for remotely communicating with a computer. They stored the same private key on every device, which a hacker could immediately extract to gain complete “root” access on any of the dongles. And the Mobile Devices dongles were also configured to accept commands via SMS, a protocol with virtually no authentication. By sending texts to the devices from a certain phone number, anyone could rewrite their firmware or simply begin issuing commands to a connected car.
Hackers Cut a Corvette’s Brakes Via a Common Car Gadget [Andy Greenberg/Wired]
In 2012, Google rolled out Certificate Transparency, a clever system to spot corrupt “Certificate Authorities,” the entities who hand out the cryptographic certificates that secure the web. If Certificate Authorities fail to do their jobs, they put the entire electronic realm in danger — bad certificates could allow anything from eavesdropping on financial transactions to […]
Troy Hunt, proprietor of the essential Have I Been Pwned (previously) sets out the hard lessons learned through years of cataloging the human costs of breaches from companies that overcollected their customers’ data; undersecured it; and then failed to warn their customers that they were at risk.
A security researcher has published a vulnerability and proof-of-concept exploits in Google’s Internet of Things security cameras, marketed as Nest Dropcam, Nest Dropcam Pro, Nest Cam Outdoor and Nest Cam Indoor; these vulnerabilities were disclosed to Google last fall, but Google/Nest have not patched them despite the gravity of the vulnerability and the long months […]
You know the drill. You go to the dentist and they ask you how often you floss. You lie through your teeth and say, “every day!” (Bonus points if you have some cilantro or chives stuck in your gums from lunch). You don’t want to keep up the charade any longer, but rubbing that tiny strand […]
The Raspberry Pi Foundation has done outstanding work packing a fully capable desktop computer into a package the size of a deck cards—especially one that only costs $35. But if you already have a working laptop, why should you care? Oh, how much you have to learn. Besides operating well as a compact digital media hub, […]
Custom coffee vessels are the perfect piece of office flair, but it’s just a matter of time before your VOTE FOR PEDRO mug will start to lose its relevant wit. Why not have a new one every day, with whatever silly nonsense you want sticking off the sides? You can save big on your novelty […]