Critics viewed the bill as seeking protections against nonrealistic "doomsday" fears, but most stakeholders agree that oversight is needed in the GenAI space.

Source: CoreDESIGN via Shutterstock

California Gov. Gavin Newsom (D) has vetoed SB-1047, a bill that would have imposed what some perceived as overly broad — and unrealistic — restrictions on developers of advanced artificial intelligence (AI) models.

In doing so, Newsom likely disappointed many others — including leading AI researchers, the Center for AI Security (CAIS), and the Screen Actors Guild — who perceived the bill as establishing much-needed safety and privacy guardrails around AI model development and use.

**Well-Intentioned but Flawed?**

"While well-intentioned, SB-1047 does not take into account whether an AI system is deployed in high-risk environments, or involves critical decision-making or the use of sensitive data," Newsom wrote. "Instead, the bill applies stringent standards to even the most basic functions — so long as a large system deploys it. I do not believe this is the best approach to protecting the public from real threats posed by the technology."

Newsom's veto announcement contained references to 17 other AI-related bills that he signed over the past month governing the use and deployment of generative AI (GenAI) tools in the state, which is a category that includes chatbots such as ChatGPT, Microsoft Copilot, Google Gemini, and others.

"We have a responsibility to protect Californians from the potentially catastrophic risks of GenAI deployment," he acknowledged. But he made clear that SB-1047 was not the vehicle for those protections. "We will thoughtfully — and swiftly — work toward a solution that is adaptable to this fast-moving technology and harnesses its potential to advance the public good."

Related:News Desk 2024: Hacking Microsoft Copilot Is Scary Easy

There are numerous other proposals at the state level, seeking similar control over AI development amid concerns about other countries overtaking the US on the AI front.

**The Need for Safe & Secure AI Development**

California State senators Scott Wiener, Richard Roth, Susan Rubio, and Henry Stern proposed SB-1047 as a measure that would impose some oversight over companies like OpenAI, Meta, and Google, which are all pouring hundreds of millions of dollars into developing AI technologies.

At the core of the Safe and Secure Innovation for Frontier Artificial Intelligence Models Act are stipulations that would have required companies that develop large language models (LLMs) — which can cost more than $100 million to develop — to ensure their technologies enable no critical harm. The bill defined "critical harm" as incidents involving the use of AI technologies to create or use chemical, biological, nuclear, and other weapons of mass destruction, or those causing mass casualties, mass damage, death, bodily injury and other harm.

Related:Reachability Analysis Pares Down Static Security-Testing Overload

To enable that, SB-1047 would have required covered entities to comply with specific administrative, technical, and physical controls to prevent unauthorized access to their models, misuse of their models, or unsafe modifications to their models by others. The bill included a particularly controversial clause that would have required the OpenAIs, Googles, and Metas of the world to implement nuclear-like failsafe capabilities to "enact a full shutdown" of their LLMs in certain circumstances.

The bill won broad bipartisan support and easily passed California's state Assembly and Senate earlier this year. It headed to Newsom's desk for signing in August. At the time, Weiner cited the support of leading AI researchers such as Geoffrey Hinton (a former AI researcher at Google), professor Yoshua Bengio, and entities such as CAIS.

Even Elon Musk, whose own xAI company would have been subjected to SB-1047, came out in support of the bill in a post on X saying Newsom should probably pass the bill given the potential existential risks of runaway AI, which he and others have been flagging for many months.

Related:Sloppy Entra ID Credentials Attract Hybrid Cloud Ransomware

**Fear Based on Theoretical, Doomsday Scenarios?**

Others, however, perceived the bill as based on unproven doomsday scenarios about the potential for AI to wreak havoc on society. In an open letter, a coalition that included several entities including the Bay Area Council, Chamber of Progress, TechFreedom, and Silicon Valley Leadership Group called the bill fundamentally flawed.

The group claimed that the harms that SB-1047 sought to protect against were completely theoretical, with no basis in fact. "Moreover, the latest independent academic research concludes, large language models like ChatGPT cannot learn independently or acquire new skills, meaning they pose no existential threat to humanity." The coalition also took issue with the fact that the bill would hold developers of large AI models responsible for what others do with their products.

Arlo Gilbert, CEO of data-privacy firm Osano, is among those who views Newsom's decision to veto the bill as a sound one. "I support the governor's decision," Gilbert says. "While I'm a great proponent for AI regulation, the proposed SB-1047 is not the right vehicle to get us there."

As Newsom has identified, there are gaps between policy and technology, and the balance between doing the right thing and supporting innovation is one that merits a cautious approach, he says. From a privacy and security perspective, small startups or smaller companies that would have been exempt from this rule can actually present a greater risk of harm due to their relative access to resources to protect, monitor, and disgorge data from their systems, Gilbert notes.

In an emailed statement, Melissa Ruzzi, director of artificial intelligence at AppOmni, identified SB-1047 as raising issues that need attention now: "We all know AI is very new and there are challenges in writing laws around it. We cannot expect the first laws to be flawless and perfect — this will most likely be an iterative process, but we have to start somewhere."

She acknowledged that some of the biggest players in the AI space, such as Anthropic and Google, have put a big focus on ensuring their technologies do no harm. "But to make sure all players will follow the rules, laws are needed," she said. "This removes the uncertainty and fear from end users about AI being used in an application."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Calif. Gov. Vetoes AI Safety Bill Aimed at Big Tech Players

Red Hat Security Advisory 2024-7261-03 - An update for osbuild-composer is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7261.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: osbuild-composer security updateAdvisory ID:        RHSA-2024:7261-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7261Issue date:         2024-09-26Revision:           03CVE Names:          CVE-2024-34156====================================================================Summary: An update for osbuild-composer is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud.  It is compatible with composer-cli and cockpit-composer clients.Security Fix(es):* encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-34156References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2310528

Red Hat Security Advisory 2024-7261-03

Red Hat Security Advisory 2024-7208-03 - An update for osbuild-composer is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7208.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: osbuild-composer security updateAdvisory ID:        RHSA-2024:7208-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7208Issue date:         2024-09-26Revision:           03CVE Names:          CVE-2024-34156====================================================================Summary: An update for osbuild-composer is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud.  It is compatible with composer-cli and cockpit-composer clients.Security Fix(es):* encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-34156References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2310528

Red Hat Security Advisory 2024-7208-03

Red Hat Security Advisory 2024-7205-03 - An update for osbuild-composer is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7205.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: osbuild-composer security updateAdvisory ID:        RHSA-2024:7205-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7205Issue date:         2024-09-26Revision:           03CVE Names:          CVE-2024-34156====================================================================Summary: An update for osbuild-composer is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:An image building service based on osbuild It is inspired by lorax-composer and exposes the same API. As such, it is a drop-in replacement.Security Fix(es):* encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-34156References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2310528

Red Hat Security Advisory 2024-7205-03

A researcher claims to have found a decade-old vulnerability rated 9.9 that affects all GNU/Linux systems, allowing attackers…

A researcher claims to have found a decade-old vulnerability rated 9.9 that affects all GNU/Linux systems, allowing attackers to gain control of vulnerable devices. The flaw is under investigation, with full disclosure expected next week.

Simone Margaritelli, a cybersecurity researcher and Linux developer has discovered a critical Linux vulnerability that could allow attackers to gain complete control of vulnerable systems. This Linux vulnerability affects GNU/Linux systems, specifically for Linux Remote code execution. If confirmed, it could be one of the worst vulnerabilities in history.

****A Decade-Old Flaw:****

The vulnerability, which has reportedly existed for over a decade, impacts all GNU/Linux systems. While specific details remain confidential, the severity score of 9.9 out of 10, confirmed by major Linux distributors like Canonical and Red Hat, indicates the immense potential for damage if exploited.

****The Controversy:** **

Despite the severity of the issue, no Common Vulnerabilities and Exposures (CVE) identifiers have been assigned yet, and developers are still debating whether certain aspects of the vulnerability pose a security risk. This disagreement has led to delays in addressing the issue and has caused frustration among security researchers.

Margaritelli has publicly expressed his disappointment with the handling of the disclosure. He claims to have provided proof-of-concept exploits, but developers have been more focused on debating the vulnerability’s impact rather than working towards a solution.

He has, therefore, decided not to go for responsible disclosure instead of full disclosure of the flaw. While his decision could accelerate the fix race but will also expose millions of Linux systems to malicious attacks if no swift countermeasures are taken.

For your information, Simone Margaritelli, aka evilsocket, is a renowned cybersecurity expert who has created numerous tools for professionals and researchers worldwide. One of his most notable contributions is Bettercap, an open-source tool designed for Man-in-the-Middle (MITM) hacking attacks and network penetration testing.

The vulnerability may affect known exposed services like OpenSSH and possibly filtering services like Net Filter, although there is no indication of which service may be affected, and these are just hypotheses.

As per the latest updates, the flaw will be initially disclosed to the Openwall security mailing list on September 30th, followed by full public disclosure on October 6th. Linux users are advised to stay informed about official updates and patch systems as soon as patches are available.

> \* Unauthenticated RCE vs all GNU/Linux systems (plus others) disclosed 3 weeks ago.  
> \* Full disclosure happening in less than 2 weeks (as agreed with devs).  
> \* Still no CVE assigned (there should be at least 3, possibly 4, ideally 6).  
> \* Still no working fix.  
> \* Canonical, RedHat and… pic.twitter.com/N2d1rm2VeR
> 
> — Simone Margaritelli (@evilsocket) September 23, 2024

Brian Fox, CTO of software security platform, Sonatype, and governing board member of the Open Source Security Foundation, has found similarities between this vulnerability and the **Log4j/Log4Shell** vulnerability (CVE-2021-44228). Fox is working closely with Sonatype’s research team and the open-source security community to understand the gravity of the issue and possible mitigation methods.

“While we don’t have the technical details yet, a vulnerability with a 9.9 CVSS indicates a low complexity to exploit and signs are pointing to the flaw existing at the core of the system. Considering this is Linux, the scope of this vulnerability is massive and successful exploitation could be devastating — everything from your wifi router to the grid keeping the lights on runs on Linux,” Brain explained.

He further added “This combination of low complexity and high usage is reminiscent of Log4Shell, though the scale of usage here is much more significant. I understand the logic in phasing out disclosure, as this vulnerability will take time to find and fix, however, we should also expect threat actors to be scrutinizing the commit history and looking for clues to exploit.”

“As we wait for more details to come out, enterprise security teams must scour their environments and SBOMs to understand where they might be vulnerable and be prepared to patch. Cancel your vacations because, on October 6, it could be a race against attackers,” Brian emphasised.

1.  **Telegram-Controlled TgRat Trojan Targets Linux Servers**
2.  **Critical Flaws Found in GNU C Library, Major Linux Distros at Risk**
3.  **Goldoon Botnet Hits D-Link Devices by Exploiting 9-Year-Old Flaw**
4.  **9-year-old Windows flaw dropped ZLoader malware in 111 countries**
5.  **7-Year-Old 0-Day in Microsoft Office Exploited to Drop Cobalt Strike**

Old Vulnerability Rated 9.9 Impacts All GNU/Linux Systems, Researcher Claims

Red Hat Security Advisory 2024-7137-03 - An update for the python39:3.9 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7137.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: python39:3.9 security updateAdvisory ID:        RHSA-2024:7137-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7137Issue date:         2024-09-25Revision:           03CVE Names:          CVE-2024-6923====================================================================Summary: An update for the python39:3.9 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.Security Fix(es):* cpython: python: email module doesn't properly quotes newlines in email headers, allowing header injection (CVE-2024-6923)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-6923References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2302255

Red Hat Security Advisory 2024-7137-03

Mozilla has introduced a feature called Privacy Preserving Attribution and turned it on by default, much to the chagrin of a privacy watchdog.

A European privacy watchdog has filed a complaint against Mozilla for quietly enabling Privacy Preserving Attribution (PPA) in its Firefox browser.

Noyb (none of your business) argues that despite its reassuring name, the feature allows the browser to track your online behavior. By design, Privacy Preserving attribution shifts the tracking from the websites to the browser.

With this shift it seems that Mozilla is following Google’s example. Google is focusing on Privacy Sandbox to replace the despised third party tracking cookies. This also puts the browser (Chrome and Chromium based) in charge of the tracking.

The problem noyb has with PPA is not so much the tracking which is less invasive than what we are used to, but the fact that it was introduced without giving users a chance to think about it. Mozilla simply turned it on by default after a recent update, which noyb says is disappointing coming from a company that is supposed to be privacy friendly.

And, even though the Firefox PPA offers more privacy than third-party cookies, noyb says this move means that Mozilla is caving in to advertisers.

Felix Mikolasch, data protection lawyer at noyb, said:

> “Mozilla has just bought into the narrative that the advertising industry has a right to track users by turning Firefox into an ad measurement tool.”

Mozilla says that PPA allows advertisers to measure the effectiveness of their advertising without compromising the user’s privacy. Admittedly the user’s benefit indirectly, as the sites they visit are often supported by advertising. Making advertising better also makes it possible for more sites to function using the support that advertising provides.

The costs of getting rid of third-party cookies by using PPA are small, Mozilla says:

*   CPU, network, and battery costs for generating and submitting reports. Here, this cost is negligible, particularly relative to what sites are already able to use. This design could replace some of those costs, which might lead to improvements in some cases.
*   Privacy loss from use of their information. Attribution information will be aggregated and will include noise that protects the contribution that each person makes. This design is structured so that advertisers learn about what many people do as a group, not what any single person does.

If this is the price we must pay to get rid of third-party cookies and some degree of targeted advertising, is that worth it to you? Let us know in the comments.

Noyb has asked the Austrian data protection authority (DSB) to investigate Mozilla’s behavior. They say Mozilla should properly inform everyone about Firefox’s data processing activities and effectively switch to an opt-in system, as well as delete all unlawfully processed data.

**How can I disable PPA?**

If you want to disable PPA, this is what you need to do:

1.  Click the menu button and select **Settings**.
2.  In the **Privacy & Security** panel, find the **Website Advertising Preferences** section.
3.  Uncheck the box labeled **Allow websites to perform privacy-preserving ad measurement**.

**Protection, in the browser**

Malwarebytes’ free Browser Guard extension can help you block ads and other unwanted content in Firefox.

 Privacy watchdog files complaint over Firefox quietly enabling its Privacy Preserving Attribution 

Researchers found a flaw in a Kia web portal that let them track millions of cars, unlock doors, and start engines at will—the latest in a plague of web bugs that’s affected a dozen carmakers.

When security researchers in the past found ways to hijack vehicles' internet-connected systems, their proof-of-concept demonstrations tended to show, thankfully, that hacking cars is hard. Exploits like the ones that hackers used to remotely take over a Chevrolet Impala in 2010 or a Jeep in 2015 took years of work to develop and required ingenious tricks: reverse engineering the obscure code in the cars’ telematics units, delivering malicious software to those systems via audio tones played over radio connections, or even putting a disc with a malware-laced music file into the car’s CD drive.

This summer, one small group of hackers demonstrated a technique to hack and track millions of vehicles that’s considerably easier—as easy as finding a simple bug in a website.

Today, a group of independent security researchers revealed that they'd found a flaw in a web portal operated by the carmaker Kia that let the researchers reassign control of the internet-connected features of most modern Kia vehicles—dozens of models representing millions of cars on the road—from the smartphone of a car’s owner to the hackers’ own phone or computer. By exploiting that vulnerability and building their own custom app to send commands to target cars, they were able to scan virtually any internet-connected Kia vehicle’s license plate and within seconds gain the ability to track that car’s location, unlock the car, honk its horn, or start its ignition at will.

After the researchers alerted Kia to the problem in June, Kia appears to have fixed the vulnerability in its web portal, though it told WIRED at the time that it was still investigating the group’s findings and hasn’t responded to WIRED’s emails since then. But Kia’s patch is far from the end of the car industry’s web-based security problems, the researchers say. The web bug they used to hack Kias is, in fact, the second of its kind that they’ve reported to the Hyundai-owned company; they found a similar technique for hijacking Kias' digital systems last year. And those bugs are just two among a slew of similar web-based vulnerabilities they’ve discovered within the last two years that have affected cars sold by Acura, Genesis, Honda, Hyundai, Infiniti, Toyota, and more.

“The more we’ve looked into this, the more it became very obvious that web security for vehicles is very poor,” says Neiko “specters” Rivera, one of the researchers who both found the latest Kia vulnerability and worked with a larger group responsible for the previous collection of web-based car security issues revealed in January of last year.

“Over and over again, these one-off issues keep popping up,” says Sam Curry, another member of the car hacking group, who works as a security engineer for Web3 firm Yuga Labs but says he did this research independently. “It's been two years, there's been a lot of good work to fix this problem, but it still feels really broken.”

**Read a License Plate, Hack a Car**

Before they alerted Kia to its latest security vulnerability, the research group tested their web-based technique on a handful of Kias—rentals, friends’ cars, even cars on dealer lots—and found that it worked in every case. They also showed the technique to WIRED, demonstrating it on the 2020 Kia Soul of a security researcher introduced to them just minutes earlier in a parking lot in Denver, Colorado, as seen in the video above.

The group’s web-based Kia hacking technique doesn’t give a hacker access to driving systems like steering or brakes, nor does it overcome the so-called immobilizer that prevents a car from being driven away, even if its ignition is started. It could, however, have been combined with immobilizer-defeating techniques popular among car thieves or used to steal lower-end cars that don't have immobilizers—including some Kias.

Even in cases when it didn't allow outright theft of a car, the web flaw could have created significant opportunities for theft of a car's contents, harassment of drivers and passengers, and other privacy and safety concerns.

“If someone cut you off in traffic, you could scan their license plate and then know where they were whenever you wanted and break into their car,” says Curry. “If we hadn’t brought this to Kia’s attention, anybody who could query someone’s license plate could essentially stalk them.” For Kias that come installed with a 360-degree camera, that camera, too, was accessible to hackers. Beyond allowing the hijacking of connected features in cars themselves, Curry says, the web portal flaw also allowed hackers to query a broad range of personal information about Kia customers—names, email addresses, phone numbers, home addresses, and even past driving routes in some cases—a potentially massive data leak.

The Kia hacking technique the group found works by exploiting a relatively simple flaw in the backend of Kia's web portal for customers and dealers, which is used to set up and manage access to its connected car features. When the researchers sent commands directly to the API of that website—the interface that allows users to interact with its underlying data—they say they found that there was nothing preventing them from accessing the privileges of a Kia dealer, such as assigning or reassigning control of the vehicles' features to any customer account they created. “It’s really simple. They weren't checking if a user is a dealer,” says Rivera. “And that's kind of a big issue.”

Kia's web portal allowed lookups of cars based on their vehicle identification number (VIN). But the hackers found they could quickly find a car's VIN after obtaining its license plate number using the website PlateToVin.com.

More broadly, Rivera adds, any dealer using the system seemed to have been trusted with a shocking amount of control over which vehicles' features were linked with any particular account. “Dealers have way too much power, even over vehicles that don’t touch their lot,” Rivera says.

**A Dozen Carmakers Websites, Millions of Hackable Cars**

Curry and Rivera, who worked with two other researchers to develop their hacking technique, reported their findings to Kia shortly after demonstrating them to WIRED in June, and the company responded to an inquiry from WIRED to note that it was investigating their findings. “We take this matter very seriously, and value our collaboration with security researchers,” a spokeperson wrote.

Shortly after the researchers reported the issue, Kia did make a change to its web portal API that appeared to block their technique, the researchers say. Then, in August, Kia told the researchers it had validated their findings but was still working on implementing a permanent fix for the problem. Kia hasn't updated the researchers since or responded to WIRED's questions. But after the standard 90-day window given to companies to fix security issues that researchers report, the hackers decided to go public with their findings—though they haven't released their Kia-hacking proof-of-concept application and don't plan to.

The Kia-hacking research group first began to assemble around the idea of probing carmakers' websites and APIs for vulnerabilities in late 2022. A few of them were staying with a friend on a college campus and messing around with the app for a mobile scooter company when they accidentally triggered all the company's scooters across the campus to honk and flash their lights for 15 minutes. At that point, the group “became super interested in trying more ways to make more things honk,” as Curry would write—including vehicles more significant than scooters. Soon after, Curry discovered that Rivera, who'd long been focused on car hacking and had previously worked at the carmaker Rivian, was already looking at web vulnerabilities in vehicle telematics.

In January 2023, they published the initial results of their work, an enormous collection of web vulnerabilities affecting Kia, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Rolls Royce, and Ferrari—all of which they had reported to the automakers. For at least half a dozen of those companies, the web bugs the group found offered at least some level of control of cars' connected features, they wrote, just as in their latest Kia hack. Others, they say, allowed unauthorized access to data or the companies' internal applications. Still others targeted fleet management software for emergency vehicles and could have even prevented those vehicles from starting, they believe—though they didn't have the means to safely test out that potentially dangerous trick.

In June of this year, Curry says, he discovered that Toyota appeared to still have a similar flaw in its web portal that, in combination with a leaked dealer credential he found online, would have allowed remote control of Toyota and Lexus vehicles' features like tracking, unlocking, honking, and ignition. He reported that vulnerability to Toyota and showed WIRED a confirmation email seeming to demonstrate that he'd been able to reassign himself control of a target Toyota's connected features over the web. Curry didn't film a video of that Toyota hacking technique before reporting it to Toyota, however, and the company quickly patched the bug he'd disclosed, even temporarily taking its web portal offline to prevent its exploitation.

“As a result of this investigation, Toyota promptly disabled the compromised credentials and is accelerating security enhancements of the portal, as well as temporarily disabling the portal until enhancements are complete,” a Toyota spokesperson wrote to WIRED in June.

**More Smart Features, More Dumb Bugs**

The extraordinary number of vulnerabilities in carmakers' websites that allow remote control of vehicles is a direct result of companies' push to appeal to consumers—particularly young ones—with smartphone-enabled features, says Stefan Savage, a professor of computer science at UC San Diego whose research team was the first to hack a car's steering and brakes over the internet in 2010. “Once you have these user features tied into the phone, this cloud-connected thing, you create all this attack surface you didn’t have to worry about before,” Savage says.

Still, he says, even he is surprised at the insecurity of all the web-based code that manages those features. “It’s a little disappointing that it’s as easy to exploit as it has been,” he says.

Rivera says he's observed firsthand in his time working in automotive cybersecurity that car companies often put more focus on “embedded” devices—digital components in non-traditional computing environments like cars—rather than web security, in part because updating those embedded devices can be far more difficult and lead to recalls. “It was clear ever since I started that there was a glaring gap between embedded security and web security in the auto industry,” Rivera says. “These two things mix together very often, but people only have experience in one or the other.”

UCSD's Savage hopes that the Kia-hacking researchers' work might help shift that focus. Many of the early, high-profile hacking experiments that affected cars' embedded systems, like the 2015 Jeep takeover and the 2010 Impala hack pulled off by Savage's team at UCSD, persuaded automakers that they needed to better prioritize embedded cybersecurity, he says. Now car companies need to focus on web security too—even, he says, if it means making sacrifices or changes to their process.

“How do you decide, ‘We’re not going to ship the car for six months because we didn’t go through the web code?’ That’s a a tough sell,” he says. “I would like to think this kind of event causes people to look at that decision more fully.”

Millions of Vehicles Could Be Hacked and Tracked Thanks to a Simple Website Bug

Red Hat Security Advisory 2024-7103-03 - An update for grafana-pcp is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7103.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: grafana-pcp security updateAdvisory ID:        RHSA-2024:7103-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7103Issue date:         2024-09-25Revision:           03CVE Names:          CVE-2024-34156====================================================================Summary: An update for grafana-pcp is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards.Security Fix(es):* encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-34156References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2310528

Red Hat Security Advisory 2024-7103-03

Red Hat Security Advisory 2024-7102-03 - An update for grafana is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7102.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: grafana security updateAdvisory ID:        RHSA-2024:7102-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7102Issue date:         2024-09-25Revision:           03CVE Names:          CVE-2024-34156====================================================================Summary: An update for grafana is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Security Fix(es):* encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-34156References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2310528

Tag

#sap