Tag Archive for: Teen

Let’s make the teen Tesla hack a teachable moment


The buzz about 19-year-old Tesla hacker David Colombo is well deserved. A flaw in third-party software allowed him to remotely access 25 vehicles made by the world’s leading EV manufacturer across 13 countries. The hacker shared that he was able to remotely unlock the doors, open the windows, blast music and start each vehicle.

The vulnerabilities he exploited aren’t in Tesla’s software, but in a third-party app, so there are some limits to what Colombo could accomplish; he couldn’t do anything in the way of steering or speeding up or slowing down. But he was able to open the doors, honk the horn, control the flashlights and gather private data from the hacked vehicles.

“EVs are fun. They are superbly connected, constantly updated and offer a great user experience, but they are cars, not mobile phones.” (Assaf Harlel)

For cybersecurity pros, remote code execution or the theft of app keys is a daily occurrence, but my hope is that we don’t become so desensitized to breach disclosures that we miss the opportunity to use this one as a teachable moment to educate stakeholders across the connected car ecosystem.

This compromise is a cybersecurity hygiene 101 issue, and frankly, a mistake that shouldn’t happen. The third-party software in question may have been a self-hosted data logger, as Tesla suddenly deprecated thousands of authentication tokens the day after Colombo posted his Twitter thread and notified them. Some other Twitter users supported this idea, noting that the default configuration of the app left open the possibility of anyone gaining remote access to the vehicle. This also tracks with Colombo’s initial tweet claiming the vulnerability was “the fault of the owners, not Tesla.”

Recent automotive cybersecurity standards SAE/ISO-21434 and UN Regulation 155 require automakers (aka OEMs) to perform threat analysis and risk assessment (TARA) on their entire vehicle architecture. Those regulations have made OEMs accountable for cyber risks and exposures. The buck stops there.

It is somewhat awkward that a sophisticated OEM such as Tesla overlooked the risk of opening up its APIs to third-party applications. Low-quality apps may not be well-protected, enabling…


A Teen Took Control of Teslas by Hacking a Third-Party App


On Friday, Russia did the previously unimaginable: It actually arrested a bunch of ransomware operators. Not only that, but members of the notorious group REvil, which has been behind some of the biggest attacks of the last several years, including IT management firm Kaseya and meat giant JBS. Russian president Vladimir Putin had previously given ransomware hackers a free pass. It’s not clear yet whether this was a calculated political move, a sign of a broader crackdown, or both, but it’s certainly a watershed moment.

As everyone scrambles to find Log4j in their systems—no easy task for even well-resourced companies—the FTC has set strict deadlines for patching the very bad, no good vulnerability in the ubiquitous logging library. It is unlikely, if not impossible, that everyone will find it in time, which speaks more to the fragile and opaque nature of the open source software world than to the FTC’s aggressive timeline.

Telecoms around the world have pushed back against Apple’s Private Relay, a not-quite-VPN that bounces your traffic through a couple of servers to give you extra anonymity. T-Mobile in the US recently blocked it for customers who had parental control filters. It’s unclear why they’ve taken those measures against Apple and not the many, many VPNs that work unfettered, but it may have to do with the potential scale of Apple customers who could sign up for the service.

In other Apple privacy news, iOS 15 brought with it a new report that shows you what sensors your apps are accessing and what domains they’re contacting. It’s a lot of information all at once; we helped break down how to read it.

North Korean hackers had a “banner year” in 2021, stealing nearly $400 million of cryptocurrency. And while Israeli spyware vendor NSO Group insists that it has controls in place to prevent abuses of its product, dozens of journalists and activists in El Salvador had their devices infected with Pegasus, NSO’s signature product, as recently as November.  

And that’s not all! Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories.

A 19-year-old security researcher named David Colombo detailed this week how he…


Teen hacker discovered Tesla remote control security flaws by accident


David Colombo, a 19-year-old cybersecurity researcher in Germany, came upon the biggest discovery of his young career by accident.

He was performing a security audit for a French company when he noticed something unusual: a software program on the company’s network that exposed all the data about the chief technology officer’s Tesla Inc. vehicle.

The data included a full history of where the car had been driven and its precise location at that moment.

But that wasn’t all. As Colombo dug deeper he realized that he could push commands to Tesla vehicles whose owners were using the program.

That capability enabled him to hijack some functions on those cars, including opening and closing the doors, turning up the music and disabling security features. (He couldn’t take over the cars’ steering, braking or other operations, however.)

The discovery, which Colombo published on Twitter this week, triggered a vigorous discussion online as the latest example of hacking risks associated with the so-called Internet of Things, where seemingly every product — from refrigerators to doorbells — now has an internet connection.

“I’m not sure I would send that tweet again,” said Colombo, who began programming when he was 10.

“The response was crazy. Somewhere in the comments I have pro- and anti-Tesla arguing very heatedly. It just got blown up so much.”

Colombo said he found more than 25 Teslas in 13 countries throughout Europe and North America that were vulnerable to attack, and that subsequent analysis indicated there could have been hundreds more.

The flaws aren’t in Tesla’s vehicles or the company’s network but rather in a piece of open-source software that allows owners to collect and analyze data about their own vehicles.

Tesla didn’t respond to requests for comment.

Colombo said a member of the company’s security team contacted him and that he shared his findings.

A spokesperson for the U.S. National Highway Traffic Safety Administration said it has been in contact with Tesla about the matter and that the agency’s cybersecurity technical team would assist with the evaluation and review of the information.

Colombo provided screenshots and other documents…


Teen Girl, Security Guard Shot Outside of Bronzeville High School, Chicago Fire Officials Say – NBC Chicago


A student and a security guard were seriously wounded in a shooting Tuesday afternoon outside a high school in the Bronzeville neighborhood.

The 14-year-old girl and the 46-year-old guard were shot around 3:20 p.m. outside Wendell Phillips Academy High School, 244 E. Pershing Road, according to Chicago Fire Department spokesman Larry Langford.

The child was shot three times in the abdomen and taken to Comer Children’s Hospital, according to Chicago police spokesman Michelle Tannehill. She was listed in good condition.

The guard, shot in the arm, was taken to the University of Chicago Medical Center, she said. Langford said he was listed in serious condition.

In September, two 15-year-old students from Simeon Career Academy were shot and killed on the same day in separate attacks.

“It’s ridiculous, you know the kids have to go to school, it’s just very unsafe now because we don’t know if the kids are gonna be safe going to school or picking up after school,” said an employee of Chicago’s Home of Chicken and Waffles restaurant, around the corner from Phillips.

The employee, who did not want to be named, said they heard about four or five shots, then saw police cars flood the area.

“I just wish our city would be safer, I just wish it was more safety,” she said. “Our kids have to grow up here, our kids have to go to school here, we have a restaurant to run here. I just pray for our safety.”
