The many ways electric cars are vulnerable to hacks, and whether that matters in a real-world
Researchers recently discovered 49 zero-day vulnerabilities, including a two-vulnerability exploit chain in Tesla cars that could allow an attacker to take over the onboard infotainment system.
Thursday, February 1, 2024 14:00
I’d hate to be labeled a “car guy” now mentioning my new electric car in the lede of two newsletters in a row, but I couldn’t resist.
I’d been reading headlines for years about how electric cars (most notably Tesla) were vulnerable to a range of security vulnerabilities, even some that could allow bad actors to steal the car if they were close enough to the car’s keys. While I don’t own a Tesla, I am now more invested in following the various ways attackers can take advantage of the connectivity of electric cars.
I’ve bemoaned before about everything being “smart” now, but there’s no escaping it if you want to convert to an electric vehicle. They’re all Wi-Fi connected so drivers can control the charging speed and timing of their cars, monitor public charging stations and communicate with the dealer about any electrical failures.
A whole new slew of electric car-related vulnerabilities came out last week thanks to the Pwn2Own hacking event in Tokyo as part of the Automotive World conference. Car and charging companies were offering a combined $1 million in bug bounty payments for researchers who could find security vulnerabilities in a range of cars and electric car-related products like home chargers.
In all, researchers discovered 49 zero-day vulnerabilities, including a two-vulnerability exploit chain in Tesla cars that could allow an attacker to take over the onboard infotainment system. Other vulnerabilities were discovered in ChargePoint and Juicebox products, two prominent manufacturers of home, travel and commercial electric charging equipment. Although few details are available on the specific vulnerabilities, the Zero Day Initiative said on its blog that one researcher “was able to execute his attack against the ChargePoint Home Flex.”
Some of these exploits are funny to read about. Imagine an attacker taking the time to hack into a Tesla’s modem so they can turn on a car’s windshield wipers without the driver knowing. Tesla stated after Pwn2Own that none of the vulnerabilities discovered would be more than an annoyance for the driver.
Certainly, previous vulnerabilities that could allow someone to drive away with your car would be more than an annoyance, but this latest batch of bugs has lower stakes than that.
I could see a lot of traditionalists who are hesitant to switch to electric cars being hesitant because their 2011 Toyota Corolla doesn’t require the internet to run. That doesn’t mean that owning an electric car or installing a home charger is inherently risky. I would argue that the average IoT device or home router runs a higher risk of exposing your home network to a larger risk surface because they are often overlooked in security.
As weird as it is to say, just like you patch an IoT device, it’s important to patch the firmware on your vehicle (gas-powered or not) regularly. Still, I’m not sure it’s time to just assume your electric car is going to be hacked like in “Cyberpunk 2077” because these vulnerabilities are out there.
**The one big thing**
The FBI says it’s shut down the recently emerged Volt Typhoon, a Chinese state-sponsored actor. FBI Director Christopher Wray announced the disruption Wednesday during a hearing with a U.S. House committee. Volt Typhoon was first disclosed in mid-2023 for targeting outdated wireless routers, including some belonging to U.S. critical infrastructure. The hackers had been targeting U.S. water treatment plants, the power grid, oil and natural gas pipelines, and transportation systems, Wray said.
**Why do I care?**
Aging network infrastructure is a problem for all users across the globe. As highlighted by Talos’ report on JaguarTooth last year, unpatched routers or older routers with security vulnerabilities are easy targets for state-sponsored actors, and they can often sit unnoticed on these devices for months or years. Volt Typhoon is particularly notable for its targeting of high-risk sectors and U.S. military bases.
**So now what?**
The FBI and U.S. Cybersecurity and Infrastructure Security Agency warned router vendors to patch their devices as soon as possible to prevent the exploitation of vulnerabilities Volt Typhoon is known for using. All users should check to make sure their routers, regardless of make, model or age, have the latest firmware installed. We also have several recommendations for everyone to defend their network infrastructure and upgrade to newer hardware.
**Top security headlines of the week**
Ads displayed in several different popular mobile apps are part of a mass global surveillance effort, with the information eventually being sold to national security agencies that can track the physical location, hobbies, and names of users’ family members. The ad-based tool, known as Patternz, strikes deals with smaller ad networks to gather information from users’ devices when they access some apps like Kik messenger and the 9gag online forum. While reporting from 404 Media shows a specific example targeting an Android user, the same methods work on iOS devices. Separately, security researchers also found that many push notifications on iPhones are unknowingly sending user information back to apps, even if the user doesn’t have those apps installed. When triggered, some push notifications will send app analytics and device information to remote servers belonging to other apps like TikTok, Facebook, Instagram and X, formerly known as Twitter. (404 Media, 9to5 Mac)
A cyber attack disrupted nearly all the government services of Fulton County, Georgia, this week, with systems still recovering as of Wednesday afternoon. The attack is notable because Fulton County is where former U.S. President Donald Trump is charged and being tried for his involvement in trying to overturn the results of the 2020 presidential election. The cyber attack also targeted the office of the District Attorney who investigated and is charging Trump. The county’s government phone systems were all down, as was access to court filings, tax processing and more. Law enforcement was still investigating the attack as of Wednesday afternoon, though county officials said they had not seen any evidence that personal information of employees or citizens had been stolen. (NBC News, CNN)
Cozy Bear, a well-known Russian APT, is reportedly behind two recent breaches at Microsoft and Hewlett Packard Enterprise (HPE). Microsoft, calling the group “Midnight Blizzard,” said in a blog post that they detected a state-sponsored attack on their internal systems on Jan. 12, 2024. Microsoft stated that the actor got in by abusing user accounts “to create, modify, and grant high permissions to OAuth applications that they can misuse to hide malicious activity.” This was the second time in six months that Microsoft disclosed a state-sponsored actor targeting its internal systems. In the case of Cozy Bear, the hacking group allegedly monitored the email accounts of senior Microsoft executives and members of the company’s cybersecurity teams. Executives from HPE filed a notice with the U.S. Securities and Exchange Commission last week stating that the same actor “gained unauthorized access to HPE’s cloud-based email environment.” HPE said the actor initially gained access through a compromised Microsoft Office 365 email account. (Microsoft, Ars Technica)
**Can’t get enough Talos?**
**Most prevalent malware files from Talos telemetry over the past week**