Bad rolling code in key fob for many Subaru cars

Most cars you see on the road have keyless entry. This means that you do not have to use your key in the door, and you can lock or unlock your car from a few meters away, making life much easier. First, a short explanation of how rolling codes work, and then how Subaru’s rolling codes failed.

Inside your key fob is a small radio transmitter, and inside the car is a corresponding radio receiver. When you press the unlock or lock button, a new 40-digit rolling code is generated from a pseudo-random number generator. The car and fob both use the same generator, so they both get the same new code without anyone on the outside being able to predict the pattern. If the code from the fob matches the code in the car, the car unlocks or locks. When the car receives a valid code, it generates the next number in the sequence. To account for things like pressing the lock/unlock buttons when the car is out of range, the car stores around 250 of the next numbers from the generator, so the fob can match any of those.

Where Subaru failed is that their rolling code was generated using an incremental algorithm, meaning that by intercepting enough signals you could figure out how it increments and calculate the next code. Even worse, it is surprisingly easy and cheap to execute this attack. The few supplies you need are: a Raspberry Pi with WiFi, a radio receiver, a wire, a 433 MHz antenna, and a smartphone. All you need to do is connect the receiver and antenna, wire it to the Pi, connect to the Pi, and run a script. Once a signal is received, the next code in the sequence is calculated and you can use it to unlock the car. If you don’t feel like committing grand theft auto, you can flood the car with hundreds of new rolling codes, meaning any code from the fob won’t work. This means you will not be able to use remote lock, and you have to take the car into a dealership to put it into programmer mode and reset the codes.
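To make the lookahead window described above concrete, here is an added simulation (not code from the post or from any car maker) of a fob and car sharing a keyed generator. It assumes an HMAC-SHA256 over a counter as a stand-in for the real generator and a 250-code window; it shows why a replayed code is rejected, how out-of-range presses resync, and where the window ends.

```python
import hashlib
import hmac

WINDOW = 250    # lookahead the post describes: the car accepts any of the next 250 codes
CODE_BYTES = 5  # 40-bit code (constructed assumption for the code width)

def next_code(key: bytes, counter: int) -> int:
    """Keyed generator shared by car and fob. The code for a counter value
    cannot be derived from earlier codes without `key`, which is exactly the
    property a plainly incrementing sequence fails to provide."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:CODE_BYTES], "big")

class Fob:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> int:
        """Each button press emits the code for the current counter, then advances."""
        code = next_code(self.key, self.counter)
        self.counter += 1
        return code

class Car:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def receive(self, code: int) -> bool:
        """Accept a code if it is one of the next WINDOW codes, then move the
        counter past it, so an old (replayed) code is never accepted again."""
        for offset in range(WINDOW):
            if next_code(self.key, self.counter + offset) == code:
                self.counter += offset + 1
                return True
        return False

def demo(key: bytes = b"constructed-demo-key") -> dict:
    """Walk through the normal, replay, out-of-range and beyond-window cases."""
    fob, car = Fob(key), Car(key)
    first = fob.press()
    results = {"normal": car.receive(first),
               "replay": car.receive(first)}        # same code again: rejected
    for _ in range(5):                              # five presses out of range
        fob.press()
    results["resync"] = car.receive(fob.press())    # sixth press still inside window
    results["counter_after_resync"] = car.counter   # car skipped ahead to 7
    too_far = next_code(key, car.counter + WINDOW)  # first code past the window
    results["beyond_window"] = car.receive(too_far)
    return results

if __name__ == "__main__":
    print(demo())
```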

On newer models from all car makers, some form of encryption is used to transmit the rolling code, and only the car knows the decryption key. The list of affected cars is:

– 2006 Subaru Baja
– 2005 – 2010 Subaru Forester
– 2004 – 2011 Subaru Impreza
– 2005 – 2010 Subaru Legacy
– 2005 – 2010 Subaru Outback

However, more Subaru vehicles could be affected.


Noah Kalinowski


U.S. Proposes New Cyber Security Controls to Protect Power Grid


The US Federal Energy Regulatory Commission (FERC) aims to mitigate the risks of attacks on the power grid.

The controls that they proposed are intended to increase the reliability and resilience of the grid, according to a federal regulator.

The proposal would put in place mandatory controls to mitigate the risks posed by malware introduced through devices such as laptops, flash drives and other portable devices.

On top of that, the regulator has told the North American Electric Reliability Corporation (NAERC), a corporation that monitors the grid, to seek ways to reduce the threat of malicious code. They were also told to define clear criteria and provide modifications for electronic access controls for low-impact cyber systems.

US FERC said: “These modifications will address potential gaps and improve the cyber security posture of entities that must comply with the Critical Infrastructure Protection (CIP) standards.”

This is, in part, a response to their report in January. In this report, the Energy Department said that the grid was at great risk and needed better security measures put into place in order to prevent a large-scale attack.

Sources:

https://www.bloomberg.com/news/articles/2017-10-19/u-s-proposes-new-cyber-security-controls-to-protect-power-grid

http://utilitiesnetwork.energy-business-review.com/news/us-proposes-new-cyber-security-management-controls-for-power-grid-201017-5952963

-Kyle Smith

ATM malware is being sold on Dark Web market that can make ATMs drain available cash

In May 2017, Kaspersky security researchers noticed a forum post advertising ATM (automated teller machine) malware that was targeting specific vendor ATMs.

The malware had been sold on the AlphaBay Dark Web marketplace since May 2017, but today its administrators have started a new standalone website, after US authorities took down AlphaBay in mid-July.

The cost of the toolkit was 5000 USD at the time of the research. The AlphaBay description covers details such as the needed tools and targeted ATM vendors, as well as tips and tricks for the malware’s operation.

The crimeware contained in the toolkit includes:
– Cutlet Maker—ATM malware which is the main component of the toolkit.
– Stimulator—an app to gather cash cassette statuses of a targeted ATM.
– c0decalc—a simple terminal-based app to generate a password for the malware.

According to Kaspersky:

“This type of malware does not affect bank customers directly, it is intended for the theft of cash from specific vendor ATMs. CUTLET MAKER and Stimulator show how criminals are using legitimate proprietary libraries and a small piece of code to dispense money from an ATM.”

The Cutlet Maker malware has been written in Delphi, and its name originates from the Russian language.

The malware literally allows an attacker to tell an ATM to dispense money – no credit or debit card required. An analysis published in May 2014 by Symantec says the malware is a Trojan which, if installed, “enables an attacker to use the ATM PIN pad to submit commands to the Trojan,” and can be set to automatically delete itself if the infection isn’t successful. As that suggests, the malware can’t be used to infect every type of ATM. To date, versions of the malware found in the wild have only been compatible with the Extension for Financial Services (XFS) DLL that runs in a 32-bit version of the Windows Embedded operating system.


-Ezana Kalekristos

Kaspersky Lab Antivirus Used to Retrieve Sensitive Data

A few days ago, sensitive information from an NSA contractor who worked with top-secret and confidential information on his home computer was stolen because the computer had Kaspersky antivirus software installed on it. Russian hackers used the software to steal the information, but a new report says that this flaw in the software might not be a flaw at all but in fact intentional. The software would scan for viruses, but it would also look for key phrases such as “top secret” which would be present on secret government documents.

This additional hidden feature of Kaspersky’s antivirus software is something that would have had to be added with company knowledge. While suspicions continue to pile up over the program, Kaspersky Lab denies any knowledge of this feature and dismisses claims that they are working with the Russian government. However, there is an interesting connection between the founder of Kaspersky and the Russian government, since the founder went to a KGB technical school.

This issue was most likely first brought to light when Israel alerted the US about the spying being done by Kaspersky. Following this report, the US has been able to verify that spying is being done and the Department of Homeland Security banned all federal agencies from using the antivirus software.

~ Alex Haubert

Source: http://bgr.com/2017/10/12/kaspersky-antivirus-spying-users-russia-spies/

Uber is Yet Again Spying on Users’ Phones

Throughout the past year, Uber has been called out on many controversial practices. In May of 2016, they were revealed to be monitoring the battery life of users’ phones (Forbes.com). In November, they started requiring that the app always be able to gather data about the user’s location and phone; however, in August, they released a statement saying they would stop tracking a user’s location at all times (Reuters.com). They were even caught using software to find out if people were driving for both Uber and their competitor Lyft (wsj.com).

Recently, Uber has been revealed to yet again be monitoring perhaps a bit too much information. Applying only to Apple phones, Uber was able to record an Uber user’s phone screen, even while the app was just running in the background. Apple explicitly granted them this “entitlement,” something they have given to no other third-party developer. Its original use was for an old version of the Apple Watch app, specifically to do the heavy lifting of rendering maps on your phone and then send the rendering to the Watch app (Gizmodo.com); however, that is no longer necessary after frequent improvements to Apple’s OS.

This permission could be used for many malicious things; the ability to view and record every user’s screen as long as the app was running in the background is something that shouldn’t be given to many apps, if any at all, and especially not one with such a history as Uber. It could be used to steal passwords and important information, view people’s private messages, and see anything else that someone might be using their phone for. They could also use it to see if people were using their competition, Lyft, which isn’t too far-fetched after they were caught using a program nicknamed “Hell”, which allowed Uber to view how many Lyft drivers were available and what their prices were, as well as determine if people were driving for both Uber and Lyft.

Thankfully, this function will be removed from the app, so people no longer have to worry. Whether or not Uber will do something again to make users wary of their privacy is up for debate, but with their history it’s not unlikely.


-Chris Heine

Sources:

Screen Monitoring: https://gizmodo.com/researchers-uber-s-ios-app-had-secret-permissions-that-1819177235

Battery Monitoring: https://www.forbes.com/sites/amitchowdhry/2016/05/25/uber-low-battery/#68a6950574b3

Constant Location Tracking: https://www.reuters.com/article/us-uber-privacy/uber-to-end-post-trip-tracking-of-riders-as-part-of-privacy-push-idUSKCN1B90EN

Software “Hell”: https://www.wsj.com/articles/uber-faces-fbi-probe-overprogram-targeting-rival-lyft-1504872001