
Honda’s Keyless Access Bug Could Let Thieves Remotely Unlock and Start Vehicles
A duo of researchers has released a proof-of-concept (PoC) demonstrating how a malicious actor could remotely lock, unlock, and even start Honda and Acura vehicles by means of what’s called a replay attack.
The attack is made possible by a vulnerability in Honda’s remote keyless system (CVE-2022-27254) that affects Honda Civic LX, EX, EX-L, Touring, Si, and Type R models manufactured between 2016 and 2020. Credited with discovering the issue are Ayyappan Rajesh, a student at UMass Dartmouth, and Blake Berry (HackingIntoYourHeart).
“A hacker can gain complete and unlimited access to locking, unlocking, controlling the windows, opening the trunk, and starting the engine of the target vehicle where the only way to prevent the attack is to either never use your fob or, after being compromised (which would be difficult to realize), resetting your fob at a dealership,” Berry explained in a GitHub post.
The underlying issue is that the remote key fob on the affected Honda vehicles transmits the same unencrypted radio frequency signal (433.215 MHz) to the car every time, effectively enabling an adversary to intercept and replay the request at a later time to wirelessly start the engine as well as lock and unlock the doors.
This is not the first time a flaw of this kind has been uncovered in Honda vehicles. A related issue discovered in 2017 Honda HR-V models (CVE-2019-20626, CVSS score: 6.5) is said to have been “seemingly ignored” by the Japanese company, Berry alleged.
“Manufacturers must implement Rolling Codes, otherwise known as hopping code,” Rajesh said. “It is a security technology commonly used to provide a fresh code for each authentication of a remote keyless entry (RKE) or passive keyless entry (PKE) system.”
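To make the contrast concrete, here is an added illustration (not code from the researchers, and not Honda’s protocol) of a keyed rolling-code receiver that rejects a replayed frame, beside a fixed-code receiver that accepts it every time; the HMAC-based construction, 4-byte counter, 8-byte tag, command names and resync window are assumptions chosen for demonstration.

```python
import hmac
import hashlib
import secrets

# Constructed illustration: a keyed rolling-code check next to a fixed-code check.
# This is NOT Honda's protocol; the HMAC construction, 4-byte counter, 8-byte tag,
# command names and resync window are assumptions chosen for demonstration.

WINDOW = 16  # counter values the receiver tolerates ahead of its last accepted one

def frame_tag(key, counter, command):
    """Authenticate the (counter, command) pair so neither can be altered or reused."""
    msg = counter.to_bytes(4, "big") + command.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Fob:
    def __init__(self, key):
        self.key, self.counter = key, 0
    def press(self, command):
        self.counter += 1  # every press yields a new counter, hence a new tag
        return (self.counter, command, frame_tag(self.key, self.counter, command))

class RollingReceiver:
    def __init__(self, key):
        self.key, self.last_counter = key, 0
    def accept(self, frame):
        counter, command, tag = frame
        if not hmac.compare_digest(tag, frame_tag(self.key, counter, command)):
            return False  # forged or altered frame
        if not self.last_counter < counter <= self.last_counter + WINDOW:
            return False  # replayed/stale counter, or too far ahead to resync
        self.last_counter = counter
        return True

class FixedCodeReceiver:
    """Models the weakness described above: one static code, accepted every time."""
    def __init__(self, code):
        self.code = code
    def accept(self, frame):
        return hmac.compare_digest(frame, self.code)

def demo():
    key = secrets.token_bytes(16)
    fob, car = Fob(key), RollingReceiver(key)
    frame = fob.press("unlock")
    first = car.accept(frame)                 # fresh counter: accepted
    replay = car.accept(frame)                # same frame again: rejected
    fresh = car.accept(fob.press("unlock"))   # next press: accepted
    return first, replay, fresh
```

Real schemes such as KeeLoq use block-cipher constructions and larger resync windows, but the property that matters is the same: a captured frame is only valid once.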
In response to the findings, Honda said “this is generally not a new assertion with several past unconfirmed iterations of similar key fob devices, and in my opinion doesn’t merit any further reporting,” and that it “has no plan to update older vehicles at this time.”
“Legacy technology utilized by multiple automakers to remotely lock and unlock doors may be vulnerable to determined and very technologically sophisticated thieves,” Honda spokesperson Chris Martin told The Hacker News.
“At this time, it appears that the devices only appear to work within close proximity or while physically attached to the target vehicle, requiring local reception of radio signals from the vehicle owner’s key fob when the vehicle is opened and started nearby.”
“Further, access to a vehicle without other means to drive the vehicle, while hi-tech in nature, does not provide thieves an advantage much greater than more traditional and certainly easier ways to gain entry to a vehicle. And there is no indication that the type of device in question is widely used.”
“Also, for Acura and Honda vehicles, while certain models feature a remote start feature, a vehicle started remotely cannot be driven until a valid key fob with a separate immobilizer chip is present in the vehicle, reducing the likelihood of a vehicle theft. There is no indication that the reported vulnerability to door locks has resulted in an ability to actually drive an Acura or Honda vehicle.”
IT Firm Globant Confirms Breach after LAPSUS$ Leaks 70GB of Data
The LAPSUS$ data extortion gang announced their return on Telegram after a week-long “vacation,” leaking what they claim is data from software services company Globant.
“We are officially back from a vacation,” the group wrote on their Telegram channel – which has around 54,000 members as of writing – posting images of extracted data and credentials belonging to the company’s DevOps infrastructure.
The screenshots depict a folder listing for what appears to be different companies from across the world, including Arcserve, Banco Galicia, BNP Paribas Cardif, Citibanamex, DHL, Facebook, Stifel, among others.
Also shared is a torrent file purported to contain around 70GB of Globant’s source code as well as administrator passwords associated with the firm’s Atlassian suite, including Confluence and Jira, and the Crucible code review tool.
As malware research group VX-Underground points out, the passwords are not only easily guessable, but they have also been reused multiple times, prompting LAPSUS$ to call out the “poor security practices in use” at the company.
When reached for a response, Globant confirmed the incident, stating that it “recently detected that a limited section of our company’s code repository has been subject to unauthorized access,” adding that it’s currently “conducting an exhaustive investigation” and that it’s “taking strict measures to prevent further incidents.”
CISA Warns of Ongoing Cyber Attacks Targeting Internet-Connected UPS Devices
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DoE) are jointly warning of attacks against internet-connected uninterruptible power supply (UPS) devices by means of default usernames and passwords.
“Organizations can mitigate attacks against their UPS devices, which provide emergency power in a variety of applications when normal power sources are lost, by removing management interfaces from the internet,” the agencies said in a bulletin published Tuesday.
UPS devices, in addition to offering power backups in mission-critical environments, are also equipped with an internet of things (IoT) capability, enabling the administrators to carry out power monitoring and routine maintenance. But as is often the case, such features can also open the door to malicious attacks.
To mitigate such threats, CISA and DoE are advising organizations to enumerate and disconnect all UPS systems from the internet, gate them behind a virtual private network (VPN), and enforce multi-factor authentication.
The agencies have also urged concerned entities to update the UPS usernames and passwords to ensure that they don’t match the factory default settings. “This ensures that going forward, threat actors cannot use their knowledge of default passwords to access your UPS,” the advisory read.
The warnings come three weeks after Armis researchers disclosed multiple high-impact security flaws in APC Smart-UPS devices that could be abused by remote adversaries as a physical weapon to access and control them in an unauthorized manner.
Critical SonicOS Vulnerability Affects SonicWall Firewall Appliances
SonicWall has released security updates to contain a critical flaw across multiple firewall appliances that could be weaponized by an unauthenticated, remote attacker to execute arbitrary code and cause a denial-of-service (DoS) condition.
Tracked as CVE-2022-22274 (CVSS score: 9.4), the issue has been described as a stack-based buffer overflow in the web management interface of SonicOS that could be triggered by sending a specially crafted HTTP request, leading to remote code execution or DoS.
The flaw impacts 31 different SonicWall Firewall devices running versions 7.0.1-5050 and earlier, 7.0.1-R579 and earlier, and 6.5.4.4-44v-21-1452 and earlier. ZiTong Wang of Hatlab has been credited with reporting the issue.
The network security company said it’s not aware of any instance of active exploitation in the wild leveraging the weakness, and that no proof-of-concept (PoC) or malicious use of the vulnerability has been publicly reported to date.
That said, users of the affected appliances are recommended to apply the patches as soon as possible to mitigate potential threats. Until the fixes can be put in place, SonicWall is also recommending that customers limit SonicOS management access to trusted source IP addresses.
The advisory arrives as cybersecurity company Sophos cautioned that a critical authentication bypass vulnerability in its firewall product (CVE-2022-1040, CVSS score: 9.8) has been exploited in active attacks against select organizations in South Asia.
New Hacking Campaign by Transparent Tribe Hackers Targeting Indian Officials
Yet another campaign designed to backdoor targets of interest with a Windows-based remote access trojan named CrimsonRAT has been attributed to a threat actor of likely Pakistani origin, with activity dating back to at least June 2021.
“Transparent Tribe has been a highly active APT group in the Indian subcontinent,” Cisco Talos researchers said in an analysis shared with The Hacker News. “Their primary targets have been government and military personnel in Afghanistan and India. This campaign furthers this targeting and their central goal of establishing long term access for espionage.”
Last month, the advanced persistent threat expanded its malware toolset to compromise Android devices with a backdoor named CapraRAT that exhibits a high “degree of crossover” with CrimsonRAT.
The latest set of attacks detailed by Cisco Talos involves making use of fake domains that mimic legitimate government and related organizations to deliver the malicious payloads, including a Python-based stager used to install .NET-based reconnaissance tools and RATs as well as a barebones .NET-based implant to run arbitrary code on the infected system.
Besides continually evolving their deployment tactics and malicious functionalities, Transparent Tribe is known to rely on a variety of delivery methods, such as executables impersonating installers of legitimate applications, archive files, and weaponized documents to target Indian entities and individuals.
One of the downloader executables masquerades as Kavach (meaning “armor” in Hindi), an Indian government-mandated two-factor authentication solution required for accessing email services, in order to deliver the malicious artifacts.
Also put to use are COVID-19-themed decoy images and virtual hard disk files (aka VHDX files) that are used as a launchpad for retrieving additional payloads from a remote command-and-control server, such as the CrimsonRAT, which is used to gather sensitive data and establish long-term access into victim networks.
Privid: A Privacy-Preserving Surveillance Video Analytics System
A group of academics has designed a new system known as “Privid” that enables video analytics in a privacy-preserving manner to combat concerns with invasive tracking.
“We’re at a stage right now where cameras are practically ubiquitous. If there’s a camera on every street corner, every place you go, and if someone could actually process all of those videos in aggregate, you can imagine that entity building a very precise timeline of when and where a person has gone,” Frank Cangialosi, the lead author of the study and a researcher at the MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL), said in a statement.
“People are already worried about location privacy with GPS — video data in aggregate could capture not only your location history, but also moods, behaviors, and more at each location,” Cangialosi added.
Privid is built on the foundation of differential privacy, a statistical technique that makes it possible to collect and share aggregate information about users, while safeguarding individual privacy.
This is achieved by adding random noise to the results to prevent re-identification attacks. The amount of noise added is a trade-off – more noise makes the data more anonymous but also less useful – and it is governed by the privacy budget, which is set high enough that the results remain accurate and at the same time low enough to prevent data leakage.
The querying framework uses an approach called “duration-based privacy,” in which the target video is chopped temporally into chunks of the same duration, which are then fed separately into the analyst’s video processing module to produce the “noisy” aggregate result.
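To make the chunk-and-noise idea concrete, here is an added example (not Privid’s code) of a duration-based, ε-differentially private count: the clip is split into fixed-duration chunks, each chunk’s count is clipped to a cap, the sensitivity is derived from how many chunks one person can touch, and Laplace noise scaled to sensitivity/ε is added to the total. The chunk length, cap, sample timestamps and the ceil(presence/chunk)+1 bound are assumptions for illustration.

```python
import math
import random

# Constructed example of the duration-based, differentially private aggregation
# described above. Assumptions (not Privid's actual implementation): the video is
# split into fixed-length chunks, each chunk's count is clipped to a cap, and Laplace
# noise scaled to sensitivity/epsilon is added to the total.

CHUNK_SECONDS = 30

# Constructed sample input: timestamps (seconds) at which the analyst's detector
# reported a person in a roughly five-minute clip.
SAMPLE_DETECTIONS = [3, 12, 27, 28, 29.5, 31, 45, 95, 96, 97, 98, 99, 100, 101, 250]

def chunk_counts(timestamps, chunk_seconds=CHUNK_SECONDS):
    """Number of detections falling into each fixed-duration chunk."""
    if not timestamps:
        return []
    counts = [0] * (int(max(timestamps) // chunk_seconds) + 1)
    for t in timestamps:
        counts[int(t // chunk_seconds)] += 1
    return counts

def sensitivity(max_presence_seconds, per_chunk_cap, chunk_seconds=CHUNK_SECONDS):
    """Duration-based privacy: someone on camera for at most max_presence_seconds can
    intersect at most ceil(presence/chunk)+1 chunks (worst-case boundary alignment),
    changing each clipped count by at most per_chunk_cap."""
    chunks_touched = math.ceil(max_presence_seconds / chunk_seconds) + 1
    return chunks_touched * per_chunk_cap

def laplace_noise(scale, rng):
    """Laplace(0, scale) sample via inverse CDF, using only the standard library."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))

def private_total(timestamps, epsilon, max_presence_seconds, per_chunk_cap,
                  seed=None, chunk_seconds=CHUNK_SECONDS):
    """Return (noisy_total, true_clipped_total, sensitivity) for an epsilon-DP count."""
    clipped = [min(c, per_chunk_cap) for c in chunk_counts(timestamps, chunk_seconds)]
    true_total = sum(clipped)
    sens = sensitivity(max_presence_seconds, per_chunk_cap, chunk_seconds)
    noise = laplace_noise(sens / epsilon, random.Random(seed))
    return true_total + noise, true_total, sens
```

Lowering ε (spending less privacy budget per query) increases the noise scale, which is the accuracy-versus-leakage trade-off the paragraph above describes.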
Credit: The Hackers News