"As I mused, the fire burned"

Reflection on life as a person of faith.

Hacking Your Car’s Control System?

leave a comment »

I’ve been reading some technical manuals on computer forensics to support an investigation into a laptop that failed. My formation was primarily as a hardware engineer, where we were always working directly with the computer components or very closely to them (as in assembler code).

Higher levels in the computer system are more and more abstracted from the hardware. So, using a web browser involves multiple layers of software between you and the actual, physical computer components.

What has shocked me in reading the forensics manuals is how much abstraction is present in modern computing devices. We are now so far removed from the hardware it is almost as if our computers have become nothing more than user interfaces, mediating between the user and a black box that performs almost mystical feats.

All that to say, with the greater abstraction comes more paths by which computer systems can be subverted for criminal purposes.

At the latest hacker’s convention in the US, an article was presented about the failings of pseudo-random number generators (PRNG). Random numbers are the basis of all the cryptography used on the internet, what are called public key systems. Now, one of the things you learn from the hardware is that it is very challenging to make a truly random number generator (which is why these are called ‘pseudo’ random).

It is an over-simplification, but the quality of your random number generator is directly tied to the quality of your encryption scheme.  If an attacker can determine what generator was used, it can be a clue that speeds up the breaking of the key.

Now comes this other story, also from the black hat conference, about the ability to hack automobile control systems through the cellular network:

$25 gadget lets hackers seize control of a car

After journalist Michael Hastings’s death, there were rumours that his car had been hacked. Now two researchers say they can do it for real

IN THE early hours of 18 June, a Mercedes coupé travelling at extremely high speed along a Los Angeles street smashed into a palm tree. It exploded into flames, killing the driver; the impact ejected the engine 50 metres clear of the car. Was it an accident? Or was the car hacked, allowing it to be driven off the road by remote control?

The very idea might sound crazy – but it’s one that Richard Clarke, a former counterterrorism adviser to the US National Security Council, has raised after the driver was identified as Rolling Stone journalist Michael Hastings. Known for his revealing articles on the US military and its intelligence agencies, Hastings had emailed colleagues the day before he died to say that he was going “off the radar for a bit” to chase down a “big story”.

“What evidence is available publicly is consistent with a car cyberattack,” says Clarke in a Huffington Post interview. Intelligence agencies, he says, can remotely seize control of a car to make it accelerate wildly or brake suddenly, for instance.

This may be new, undeveloped technology that only works on a few vehicles (particularly those that use the cell network to communicate), but it is a troubling repeat of the history we’ve seen for the past two decades.  Modern hackers, even ethical hackers (those who are employed to find weaknesses in systems), can not resist the challenge of a system that has not yet been compromised, or a system that calls itself ‘fully secure’.

One of the security lessons I took from the military was never to trust to only one layer of security – so to always make sure there is ‘defence in depth’ or layered security.  Part of my personal approach to using the internet for transmission of sensitive data is assuming that anything I put out there will eventually be compromised – once the information crosses from a physically secure zone into a zone secured by software (like the act of taking a credit card from your pocket, physically secure, and typing the number into an internet commerce site) the chance of discovery increases dramatically.

Modern browsers are now using a 256-bit cypher for secure processing.  It wasn’t that long ago it was a 128-bit cypher (IE 4.5), and not long before that it was a 40-bit cypher.  The security is upgraded in order to deal with the increasing threat that a public-key system can be compromised.

While internet browsers are new technology, they have been around for a number of years and have a mature security framework in place.  I’m never worried about online banking or shopping as long as I stick to some basic rules:

  • only use the websites of well-established, known corporations
  • monitor my credit card account regularly for unusual activity
  • ensure I have a secure, multi-layer defence in place on my home network (including monitoring logs for attacks and unusual traffic)
  • before any online banking, ensure a secure link is in place, and that you’re on the correct website (use only your links)
  • don’t store any sensitive personal information on mobile computing devices, ever (assume you will lose it, and an identity thief will find it)

What surprises me is the number of people now using banking apps on smart phones – because the smart phone technology is nowhere near as secure as browser technology.  It’s coming along, but it will be at least a few years before a similar level of security is present.  Smart phones are also carried with you everywhere, are easy to lose or to steal.  While the iPhone is probably the most secure of the phones (due in large part to Apple’s very closed development and distribution model) it is still young technology.  A recent ethical hack revealed a problem in signing of Android apps that could have compromised all Android phones.

It leads me to add one more rule to my list:

  • Only install software (apps) from known suppliers…regardless of how good the deal looks.

Which brings me to the final point.  My forensics research has left me just stunned with the amount of information that is left on a personal computer by the user.  It is literally possible to reconstruct almost everything that has been done on a given machine…even if the person was careful to empty cookies, history, and temporary internet files, there are still digital footprints remaining.

The only way to be absolutely certain that those footprints are not left, is to never go there in the first place.  This is one of the reasons that a whole field of counter-forensics computer applications now exist, to enable crooks to cover their tracks.  It’s a complicated world.

A small bit of healthy paranoia is a good thing when it comes to computers.  I recently had a 1 TByte hard drive fail catastrophically.  That drive had a ton of personal information stored – mostly photos and letters, but lots of stuff that you wouldn’t want someone to find in a landfill.  The hardware failure meant I could not use one of the secure erase products (that over-write all sectors on the drive several times with random characters).  My only remaining option was to disassemble the drive, and to physically destroy the drive platters with a welding torch (the heat causes the magnetic dipoles to release, and also distorts the physical media to make it impossible to read).

Now we have to start worrying about our cars, as well.

 

 

Advertisements

Written by sameo416

August 11, 2013 at 11:50 am

Posted in Uncategorized

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Urbane Adventurer: Amiskwacî

thoughts of an urban Métis scholar (and sometimes a Mouthy Michif, PhD)

Joshua 1:9

Reflection on life as a person of faith.

Engineering Ethics Blog

Reflection on life as a person of faith.

asimplefellow

Today, the Future and the Past all kinda rolled up in one.

istormnews

For Those Courageous in Standing for Truth

âpihtawikosisân

Law, language, life: A Plains Cree speaking Métis woman in Montreal

Malcolm Guite

Blog for poet and singer-songwriter Malcolm Guite

"As I mused, the fire burned"

Reflection on life as a person of faith.

%d bloggers like this: