Hackers could gain control of systems in Volkswagen connected cars through vulnerabilities in the in-vehicle infotainment systems, researchers at Computest have discovered.
The vulnerabilities in the connected cars—2015 Volkswagen Golf GTE and Audi A3 e-tron—cannot be fixed remotely. Owners must bring their vehicles into the dealer to get the firmware upgrade. This means owners will continue to be vulnerable to the attack until they bring their cars in.
The researchers, Daan Keuper and Thijs Alkemade, exploited vulnerabilities in the infotainment system manufactured by Harman. They were then able to gain control of the central screen, speakers, and microphone. “This is a level of access that no attacker should be able to achieve,” the researchers opined.
At the same time, the researchers said that they were not able to directly affect driving behavior or any safety systems because of the controller area network (CAN) gateway.
“A remote adversary is new territory for most industrial component manufacturers, which, to be mitigated effectively, requires embedding security in the software development lifecycle,” they observed.
“This is easier in an environment with automatic testing, continuous deployment and possibility to quickly apply updates after release. This is not always possible in the hardware industry, due to local regulations and the ecosystem. It often requires coordination between many vendors. But, if we want to protect future cars, these are problems we have to solve,” they concluded.
The Department of Homeland Security (DHS) has fallen short in fulfilling its mission to lessen cybersecurity risks on federal and private-sector computer systems and networks, judged the Government Accountability Office (GAO) in a recent report.
In particular, DHS has failed to develop metrics to measure and report on the effectiveness of its cyber risk mitigation activities or the IT security posture of the eight critical infrastructure sectors for which it is the lead federal agency, the report found.
The department’s National Cybersecurity and Communications Integration Center has failed to develop metrics and methods to evaluate its performance against statute-defined implementing principles.
Also, DHS’s National Cybersecurity Protection System had only partially met its objectives of detecting and preventing intrusions, analyzing malicious content, and sharing threat information.
The department has not identified all of its cybersecurity positions, has not assigned codes to filled and vacant positions, and has not determined critical skill requirements for those positions.
“Until DHS fully and effectively implements its cybersecurity authorities and responsibilities, the department’s ability to improve and promote the cybersecurity of federal and private-sector networks will be limited,” the GAO concluded.
Attackers behind SamSam ransomware use two tactics to penetrate an organization. They either target vulnerabilities in the organization’s systems to gain access to its network, or they launch brute-force attacks against weak passwords on the remote desktop protocol (RDP).
This is according to an analysis by security firm SophosLabs.
“Unlike most of the well-known ransomware families, which attack randomly, SamSam is used against specific organizations, those most likely to pay to get their data back, like hospitals or schools,” SophosLabs researchers said in a white paper.
Once the attackers get in, they look for additional victims through network mapping and credential theft. Then, the attackers manually deploy SamSam on targeted systems using PSEXEC and batch scripts.
The attackers cover their tracks, so security pros have trouble determining the initial infection point and some of their steps inside the network. They also delete attack files, including the SamSam payload, and change the deployment methodology.
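The RDP brute-force entry path described above leaves a recognisable trace in Windows Security logs: a burst of failed logons (event 4625) with logon type 10, which is RemoteInteractive, from one source address. The script below is an added example, not from the SophosLabs paper, that flags such bursts over a few constructed log records; the field names and sample addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security event 4625 (failed logon).
# logon_type 10 = RemoteInteractive (RDP); logon_type 3 = network logon (not RDP).
# Six failures from 203.0.113.5 within 50 seconds, each trying a different account.
SAMPLE_EVENTS = [
    {"time": f"2018-04-30T02:00:{s:02d}", "event_id": 4625, "logon_type": 10,
     "src_ip": "203.0.113.5", "user": u}
    for s, u in zip(range(0, 60, 10),
                    ["administrator", "admin", "backup", "sql", "scanner", "root"])
]
SAMPLE_EVENTS += [
    # Two isolated failures half an hour apart: a user mistyping, not an attack.
    {"time": "2018-04-30T02:10:00", "event_id": 4625, "logon_type": 10,
     "src_ip": "198.51.100.7", "user": "jdoe"},
    {"time": "2018-04-30T02:40:00", "event_id": 4625, "logon_type": 10,
     "src_ip": "198.51.100.7", "user": "jdoe"},
    # A non-RDP failure that the detector must ignore.
    {"time": "2018-04-30T02:01:00", "event_id": 4625, "logon_type": 3,
     "src_ip": "203.0.113.9", "user": "svc"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: peak_count} for sources that produced at least
    `threshold` failed RDP logons inside any sliding `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] != 4625 or e["logon_type"] != 10:
            continue
        failures[e["src_ip"]].append(datetime.fromisoformat(e["time"]))

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    for ip, n in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"possible RDP brute force from {ip}: {n} failures in 5 min")
```

In practice the same logic runs over exported 4625 events from a SIEM; a 4624 (successful logon) from a flagged source shortly after the burst is the follow-up condition worth alerting on with higher priority.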