
Kia cars can be hijacked using a phone number and license plate • The Register

Infosec in brief Put away that screwdriver and USB charging cable – the latest way to steal a Kia only requires a cell phone and the victim’s license plate number.

Sam Curry, who has previously demonstrated remote takeover vulnerabilities across brands ranging from Toyota to Rolls Royce, discovered the vulnerability in vehicles as old as the 2014 model year. The flaw means cars can be geolocated, turned on and off, locked and unlocked, honked, have their lights switched on, and even have their cameras accessed – all remotely.

The vulnerability also exposed victims’ personal information – name, phone number, email address and physical address – and allowed attackers to add themselves as invisible secondary users to the vehicle.

The problem lay in one of Kia’s online portals used by dealers. Long story short, after considerable abuse of the API, Curry and his team of much more capable Kia Boyz managed to register a fake dealer account and obtain a valid access token, which they could then use to call any back-end dealer API command they wanted.

“The victim received no notification that their vehicle had been accessed or that their access privileges had changed,” Curry noted in his write-up. “An attacker could read someone’s license plate, look up the VIN via the API, then passively track that person and send active commands such as unlock, start, or honk.”

Curry’s team developed a smartphone tool that automated the process, but did not release it. It wouldn’t matter much anyway: Curry noted that Kia had fixed the problem and verified that the exploit no longer worked.

“Cars will still have weaknesses,” Curry noted. “In the same way that Meta could implement a code change that would allow someone to take over your Facebook account, automakers could do the same for your vehicle.”
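The dealer-portal gap described above comes down to two missing checks: the token holder was never vetted as a real dealer, and the token was never bound to the vehicles that dealer actually services, so a secondary user could be added silently. The toy API below, added here as an illustration and not Kia’s code, models both handlers side by side with constructed dealer and vehicle records; every identifier in it is hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Dealer:
    dealer_id: str
    verified: bool                       # passed identity vetting at registration
    vehicles: set = field(default_factory=set)   # VINs this dealer services

@dataclass
class Vehicle:
    vin: str
    owner: str
    secondary_users: list = field(default_factory=list)
    notifications: list = field(default_factory=list)   # messages sent to the owner

def new_fleet() -> dict:
    """Constructed sample data: one vehicle with a placeholder VIN."""
    return {"VIN-PLACEHOLDER-001": Vehicle("VIN-PLACEHOLDER-001", "owner@example.test")}

def add_user_vulnerable(fleet: dict, dealer: Dealer, vin: str, new_user: str) -> bool:
    """Any bearer of a dealer token may add a user to any VIN, with no owner notice."""
    fleet[vin].secondary_users.append(new_user)
    return True

def add_user_hardened(fleet: dict, dealer: Dealer, vin: str, new_user: str) -> bool:
    """Refuse unvetted dealers and VINs outside the dealer's own book; tell the owner."""
    if not dealer.verified or vin not in dealer.vehicles:
        return False                      # self-registered or out-of-scope: deny
    vehicle = fleet[vin]
    vehicle.secondary_users.append(new_user)
    vehicle.notifications.append(f"{new_user} added as a user by dealer {dealer.dealer_id}")
    return True

def demo() -> dict:
    """Run the fake-dealer scenario against both handlers and report what happened."""
    fleet = new_fleet()
    fake = Dealer("self-registered", verified=False)           # the attacker's account
    legit = Dealer("dealer-42", verified=True, vehicles={"VIN-PLACEHOLDER-001"})
    vin = "VIN-PLACEHOLDER-001"
    return {
        "vuln_fake_ok": add_user_vulnerable(fleet, fake, vin, "attacker@example.test"),
        "vuln_notified": len(fleet[vin].notifications),         # 0: owner never told
        "hard_fake_ok": add_user_hardened(fleet, fake, vin, "attacker@example.test"),
        "hard_legit_ok": add_user_hardened(fleet, legit, vin, "spouse@example.test"),
        "hard_notified": len(fleet[vin].notifications),         # 1: legit add announced
        "users": list(fleet[vin].secondary_users),
    }
```

The same shape applies to any delegated-access API: vet the principal at enrolment, scope its token to the objects it is entitled to, and make privilege changes visible to the resource owner.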

Critical Vulnerabilities of the Week: Another Ivanti Exploit on the Loose

It’s been a busy few weeks at Ivanti’s patch factory. After adding a CVSS 9.4 path traversal vulnerability to its Known Exploited Vulnerabilities catalog on September 20, CISA added another Ivanti bug just seven days later.

CVE-2024-7593 is rated 9.8 and affects Ivanti Traffic Manager versions other than 22.2R1 or 22.7R2; the flaw allows a remote attacker to bypass authentication on the product’s admin panel.

Not a great look for such critical software – we recommend making sure you’re on one of the patched versions as soon as possible.

British citizen accused of hacking companies to steal financial secrets

The US Securities and Exchange Commission has charged a British national with hacking into public companies before they announced their financial results in order to steal information used to make money on the stock market.

Robert Westbrook is accused of hacking into five unnamed US companies at least 14 times before they announced their earnings, between January 2019 and August 2020, earning approximately $3.75 million from the information he accessed.

The SEC said Westbrook gained access by resetting the passwords of accounts belonging to senior executives. No further details were provided beyond the SEC’s indictment noting that “four of the five companies attacked used the same password reset portal software.”

Westbrook allegedly took significant steps to conceal his identity, including using anonymous emails, VPN services and cryptocurrency – but none of it seems to have mattered.

“The Commission’s advanced data analytics, crypto asset tracking and technology can detect fraud even in cases involving sophisticated international intrusions,” explained Jorge Tenreiro, acting director of the SEC’s Crypto Assets and Cyber Unit.

Westbrook was detained by British authorities and is awaiting extradition to the United States, where he also faces charges brought by the Department of Justice. If convicted on the Justice Department charges, he could face up to 65 years in prison.

Namebay hit by ransomware

Monaco-based Namebay, one of the oldest domain registrars in the world, has admitted to being the victim of a ransomware attack.

According to Namebay, the attack occurred on September 21, disabling email, hosting and API services. Other services remained online, although the site’s DNS system went down for several hours while recovering from the incident.

As of Friday, September 27, Namebay email hosting was still not functioning properly, although the registrar said it had activated alternative messaging infrastructure on Wednesday. Customers will not get access to that service automatically; they need to contact Namebay directly to have specific mailboxes activated. The company said the process was ongoing and that staff would be available over the weekend to keep activations moving.

Namebay did not specify whether any data was extracted during the attack or when normal operations would be restored.

How not to ransom critical infrastructure

Critical infrastructure systems such as water treatment plants have become popular targets for nation-state-backed cybercriminals – and sometimes for plain idiots.

Last week, city officials in the small town of Arkansas City, Kansas, took to the local news to assure citizens that a cyber attack on the city’s water treatment plant may have knocked systems offline, but there was nothing to worry about.

“Residents can rest assured that their drinking water is safe and the city is operating under full control during this period,” city manager Randy Frazer told local news site Courier Traveler.

Residents need not worry because, while the attack took the plant’s control systems offline, that also prevented the attackers from tampering further with the infrastructure. Frazer told Courier Traveler that no city or customer information was compromised.

Local news reports that the identity of the attackers has not been disclosed and that Arkansas City authorities had no plans to pay the requested ransom.

TikTok boots Russian state media

TikTok has banned multiple media outlets linked to the Russian government amid growing concerns about disinformation from Moscow in the run-up to the U.S. election.

Accounts associated with Rossiya Segodnia and TV-Novosti were removed last week “for engaging in covert influence operations on TikTok, in violation of our Community Guidelines.” This came weeks after the Department of Justice seized multiple websites and charged two RT (Russia Today) employees with spreading Russian propaganda on social media.

TikTok shut down three accounts “representing a media company, its founder and a fake news outlet” days after the Justice Department’s moves, although it did not specify who the accounts were associated with.

Meta took similar action to block RT accounts following the Justice Department’s announcement, saying the accounts violated its rules on foreign interference.

This week, the US director of national intelligence also said that Russia remains the most prolific user of artificial intelligence to meddle in US politics. ®