Monday, September 19, 2016

Petya Resolved!

Ransomware has become well-known over the last few years. The effects have been devastating for consumer and commercial victims alike. Hospitals have had to pay in order to regain access to their files; at times there has been no alternative.
Ransomware encrypts data, files, or entire drives with an algorithm strong enough that guessing the decryption key is not feasible in any useful timeframe. Without the key, the data is simply unreadable. A payment is demanded for the decryption key. The amount varies and must be paid within a set number of days; if it is not paid within the attacker-imposed timeframe, the criminal may refuse the funds and withhold the key, or raise the fee.
Unfortunately for consumers and commercial enterprises, this has become more prevalent (Ginos, 2016). The criminals have weighed the effort needed for the attack (a spam email) against the fees to be collected, and that simple equation has made it lucrative for them. The activity has been particularly rampant in healthcare, where providers must have access to patient medical records.
Some have no choice but to pay. If there are no recent back-ups, or the back-ups are corrupt or were never taken, there truly is no choice when the encrypted data is of any consequence or the entity needs it to operate, as in the case of hospitals.
This is not a new avenue for criminals. Although much more common recently, it has been an active pursuit for years. Prior families included CryptoWall, TeslaCrypt, and Locky (Zorabedian, 2016).
Petya
With this specific sample of ransomware, users were statistically lucky. Although it was a real problem for infected users and, more importantly, their systems before a decryption method existed, Petya has not been seen in abundance (Zorabedian, 2016).
In general, the prior mode of operation had been to encrypt files, since that is where the data people need for home or work lives, and so there was a greater likelihood of the victim paying. This is a clear detriment to the infected clients.
If this was not bad enough, Petya provided a new twist. It was coded to encrypt the master file table (MFT) of the NTFS volume (Bisson, 2016b; Ducklin, 2016); the file contents stay on disk, but without the MFT the file system can no longer locate them. Petya also replaces the master boot record (MBR) with a malicious loader (Zorz, 2016a; Mimoso, 2016; Zorz, 2016b; Torres, 2016; Constantin, 2016).
As with other ransomware samples, this one had a target market in mind. The attackers sent Petya mostly to companies in Germany (Mimoso, 2016), and specifically to their HR departments (Zorz, 2016a).
Petya also followed suit with a time limit on payment: the user of the infected system had a week to pay the fee, after which the fee doubled (Torres, 2016).
Method of Delivery
To infect as many victims as possible, a social engineering tactic was used. A user in the HR department receives an email that appears to come from a job-seeker but is really from the attacker, carrying the malicious payload. The file enclosed in the spam email appears to be a CV or resume, which is exactly what HR would expect (Zorz, 2016a; Ginos, 2016). There may instead be a link to a Dropbox file (Mimoso, 2016). Rather than an innocent document being downloaded, Petya is installed: the attachment is not a .doc or .docx file but an executable (Zorz, 2016a; Bisson, 2016a), and an HR employee may not be tech-savvy enough to notice. Once run, the executable replaces the MBR with a malicious loader (Mimoso, 2016) and forces a crash; the user sees a blue screen of death, and on reboot the loader, posing as a CHKDSK repair, encrypts the MFT. After the infection has completed, the ransomware demands approximately $400 in bitcoin for the decryption key (Torres, 2016; Thomson, 2016; Constantin, 2016; Bisson, 2016b; Mimoso, 2016b).
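Because Petya leaves the partition table alone and overwrites only the bootstrap code in the MBR, a baseline hash of those first 440 bytes is a cheap integrity check a defender can run against a disk image. The following is an added example written for this post, not code from the original or from any Petya sample: the two 512-byte MBR images are constructed for the demo (a clean one with a dummy NTFS partition entry, and a tampered one whose bootstrap code has been replaced while the partition table is kept intact), and no byte in it comes from real malware.

```python
"""Parse a 512-byte MBR and compare its bootstrap code against a trusted baseline.

Added example for this post, not code from the original or from any Petya
sample. The MBR images below are constructed for the demo: a "clean" one with
a dummy partition table and a "tampered" one whose bootstrap code has been
overwritten while the partition table is left intact (a bootkit that replaces
the MBR has to keep the table, or the disk stops booting at all).
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: bootstrap code in the classic MBR layout
PART_TABLE_OFF = 446     # four 16-byte partition entries start here
BOOT_SIG_OFF = 510       # last two bytes must be 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Return the bootstrap code and the non-empty partition entries of an MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[BOOT_SIG_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sector_count = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:  # type 0x00 means the slot is unused
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sector_count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions}


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only: the disk signature and partition
    table change legitimately when volumes are resized, the loader does not."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    try:
        info = parse_mbr(sector)
    except ValueError as exc:
        return [f"unparseable MBR: {exc}"]
    findings = []
    if boot_code_hash(sector) != baseline_hash:
        findings.append("bootstrap code differs from baseline "
                        "(possible MBR overwrite by a bootkit)")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition is flagged bootable")
    return findings


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a 512-byte MBR from bootstrap code and (status, type, lba, count) tuples."""
    mbr = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    mbr[:len(code)] = code
    mbr[440:444] = b"\x12\x34\x56\x78"              # dummy disk signature
    for i, (status, ptype, lba, count) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        mbr[off] = status
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, lba, count)
    mbr[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(mbr)


# Constructed sample data: a Windows-style layout with one bootable NTFS (0x07) partition.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40   # stand-in stub, not a real loader
PARTITIONS = [(0x80, 0x07, 2048, 204800)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
BASELINE_HASH = boot_code_hash(CLEAN_MBR)          # recorded while the host was known-good

# A bootkit-style overwrite: new loader bytes, same partition table.
TAMPERED_MBR = build_mbr(b"\xeb\x00" + b"\x41" * 400, PARTITIONS)

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, parse_mbr(image)["partitions"], check_mbr(image, BASELINE_HASH) or "OK")
```

On a live system the 512 bytes would be read from the raw device (for example the first sector of \\.\PhysicalDrive0 on Windows or /dev/sda on Linux, with administrative rights) and the baseline hash stored off-host; the check is deliberately signature-free, so it flags any unexpected loader, not only Petya's.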
Encryption Cracked
Encryption is only as strong as its implementation; once that is broken, the encryption itself is only a speed bump. In this case the encryption was a flawed, cut-down implementation of the Salsa20 stream cipher, reported as "Salsa10" (Thomson, 2016), which is noticeably weaker than a correct Salsa20. Fortunately, tools have been created to decrypt Petya (Zorz, 2016b). With such a tool in hand, the computer is once again usable for more than a boat anchor.
In late March 2016, a malware analyst known as hasherezade wrote a decoder that extracts the key needed to decrypt the drive (Zorz, 2016b). Another tool, created by "Leo Stone", accomplishes the same thing (Zorabedian, 2016; Zorz, 2016b). The difference is that Leo Stone's tool can also be used after the computer has been rebooted and the MFT encrypted: it works from data the malware itself leaves on the disk, namely the nonce and a block of known plaintext that Petya encrypts in order to verify the victim's key, so the key can be recovered rather than guessed. It is also provided free of charge (Mendoza, 2016). The key recovery may take up to seven seconds (Reeve, 2016).
It should be noted that this is a relative anomaly; ransomware is generally written so that it cannot be cracked within a reasonable amount of time.
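The reason the key could be recovered at all is that the malware left a known-plaintext oracle on the disk: a block of a constant byte encrypted under the victim's key, next to the nonce in the clear. The following is an added example written for this post, not code from the original or from hasherezade's or Leo Stone's tools. A toy stream cipher (SHA-256 in counter mode) stands in for Petya's flawed Salsa20, the key is only 2 bytes so that exhaustive search finishes instantly, and the two "sectors" are constructed; all of these are assumptions for the demo, not Petya's actual layout or cipher.

```python
"""Recover a stream-cipher key from a verification block of known plaintext.

Added example for this post, not code from the original, from hasherezade's
or Leo Stone's tools, or from any Petya sample. Real Petya stored its nonce
in the clear on disk next to a 512-byte block of a constant byte (0x37)
encrypted under the victim's key, so a candidate key could be checked for
free. Here a toy stream cipher (SHA-256 in counter mode) stands in for
Petya's flawed Salsa20, and the key is only 2 bytes so that exhaustive
search finishes instantly; both are constructed choices for the demo.
"""
import hashlib
import itertools
from typing import Optional, Tuple

SECTOR_SIZE = 512
VERIFY_BYTE = 0x37
NONCE_LEN = 8
KEY_LEN = 2          # deliberately tiny; the point is the known-plaintext oracle
PROBE_LEN = 32       # bytes decrypted to screen a candidate before the full check


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream made of SHA-256(key || nonce || counter) blocks. Not Salsa20."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:length])


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream-cipher encrypt/decrypt: XOR the data with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def write_infected_sectors(key: bytes, nonce: bytes) -> Tuple[bytes, bytes]:
    """What the toy 'malware' leaves on disk: a config sector holding the nonce in
    the clear, and a verification sector of VERIFY_BYTE encrypted under the key."""
    config = nonce + bytes(SECTOR_SIZE - NONCE_LEN)
    verification = xor_stream(key, nonce, bytes([VERIFY_BYTE]) * SECTOR_SIZE)
    return config, verification


def matching_bytes(key: bytes, nonce: bytes, verification: bytes, probe: int = PROBE_LEN) -> int:
    """Known-plaintext score: how many of the first `probe` decrypted bytes equal VERIFY_BYTE."""
    plain = xor_stream(key, nonce, verification[:probe])
    return sum(1 for b in plain if b == VERIFY_BYTE)


def recover_key(config: bytes, verification: bytes) -> Optional[bytes]:
    """Exhaustive search over the (toy) key space, accepting only a key that
    turns the whole verification sector back into VERIFY_BYTE."""
    nonce = config[:NONCE_LEN]
    expected = bytes([VERIFY_BYTE]) * SECTOR_SIZE
    for candidate in itertools.product(range(256), repeat=KEY_LEN):
        key = bytes(candidate)
        if matching_bytes(key, nonce, verification) == PROBE_LEN:
            if xor_stream(key, nonce, verification) == expected:
                return key
    return None


if __name__ == "__main__":
    victim_key = b"\x4a\x7f"                                  # constructed victim key
    nonce = bytes.fromhex("0011223344556677")                # constructed nonce
    config, verification = write_infected_sectors(victim_key, nonce)
    print("recovered key:", recover_key(config, verification).hex())   # 4a7f
```

The verification block is the attacker's own mistake turned against them: a block of known plaintext under the same key and nonce gives anyone with the disk a free yes/no test for a candidate key, and a weak cipher or a small effective key space then falls to search. A correctly implemented Salsa20 with a full 256-bit key would still be out of reach with this approach, which is the point of the "relative anomaly" remark above.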


References


Abrams, L. (2016, March 25). Petya ransomware skips the files and encrypts your hard drive instead. Retrieved from http://www.bleepingcomputer.com/news/security/petya-ransomware-skips-the-files-and-encrypts-your-hard-drive-instead/
Bisson, D. (2016a, March 29). Petya ransomware goes for broke and encrypts hard drive master file tables. Retrieved from https://www.grahamcluley.com/2016/03/petya-ransomware
Bisson, D. (2016b, April 11). Infected by petya ransomware? Use this tool to unlock your files...for now. Retrieved from https://www.grahamcluley.com/2016/04/petya-ransomware-unlock-tool/
Constantin, L. (2016, March 28). Petya ransomware overwrites MBRs, locking users out of their computers. Retrieved from http://www.infoworld.com/article/3048713/security/petya-ransomware-overwrites-mbrs-locking-users-out-of-their-computers.html
Constantin, L. (2016b, April 11). Experts crack petya ransomware, enable hard drive decryption for free. Retrieved from http://www.pcworld.com/article/3054220/security/experts-crack-petya-ransomware-enable-hard-drive-decryption-for-free.html
Ducklin, P. (2016, April 4). New ransomware with an old trick: “Petya” parties like it’s 1989. Retrieved from https://nakedsecurity.sophos.com/2016/04/04/new-ransomware-with-an-old-trick-petya-parties-like-its-1989/
Ginos, I. (2016, March 26). Petya ransomware reportedly encrypts hard drives, manipulates operating system boot process. Retrieved from http://www.neowin.net/news/petya-ransomware-reportedly-encrypts-hard-drives-manipulates-operating-system-boot-process
Mimoso, M. (2016a, March 28). Petya ransomware encrypts master file table. Retrieved from https://threatpost.com/petya-ransomware-encrypts-master-file-table/117024/
Mimoso, M. (2016b, March 29). Researchers learning more about petya ransomware. Retrieved from https://threatpost.com/researchers-learning-more-about-petya-ransomware/117068/
Reeve, T. (2016). Cure for petya engineered by anonymous security researcher. Retrieved from http://www.scmagazineuk.com/cure-for-petya-engneered-by-anonymous-security-researcher/article/488802/
Thomson, I. (2016, April 12). Infected with petya ransomware? Retrieved from http://www.theregister.co.uk/2016/04/12/petya_ransomware_free_fixit_tool/
Torres, J.C. (2016, March 28). Petya ransomware targets entire drives, not just files. Retrieved from http://www.slashgear.com/petya-ransomware-targets-entice-drives-not-just-files-28433671/
Zorabedian, J. (2016, April 12). Petya ransomware decryption tools sets your files free. Retrieved from https://nakedsecurity.sophos.com/2016/04/12/petya-ransomware-decryption-tool-sets-your-files-free/
Zorz, Z. (2016a, March 29). Petya ransomware encrypts files, disks, locks users out. Retrieved from https://www.helpnetsecurity.com/2016/03/29/petya-ransomware-locks-computers/
Zorz, Z. (2016b, April 11). Petya ransomware encryption has been cracked. Retrieved from https://www.helpnetsecurity.com/2016/04/11/petya-ransomware-encryption-cracked/



Thursday, September 15, 2016

Stop Looking at Me: The FDIC’s View of Cybersecurity

Information security is pertinent to all businesses, across all industries. At times it is fully applied and at other times lacking. An example of the latter is the breach at the Office of Personnel Management, disclosed in 2015, in which over 21M personnel records were stolen (Gordon, 2016). Although devastating for the consumer victims, such a breach is likewise a concern for the targeted organization. As of mid-2016, one industry in particular was being targeted more often than not: banking, globally, through attacks involving the SWIFT network.
Another example familiar to the US involves weak cybersecurity in the banking system and the Federal Deposit Insurance Corporation (FDIC).
Attack Period
The target of the attacks was rather unique. For the most part, an attacker seeks data that can be sold on the dark web or elsewhere, focusing on a business holding credit card numbers, personnel records, or health records. In this instance the FDIC itself was the target. At times such attacks are a single occurrence, the attacker breaching the system in one prolonged intrusion; in other circumstances there may be a limited number of contacts in which the attacker pulls as much data as possible for later sale. Here, however, the attacks occurred in 2010, 2011, and 2014 (Lange & Volz, 2016; Sputnik, 2016; Gordon, 2016). This was a rather extended campaign, and it allowed the attackers ample time to peruse the files and servers at the FDIC.
Perpetrators
Clearly this was a well-researched and planned attack, given the target, a federal entity. The higher the risk and the more valuable the data, the more research goes into enumerating the target. The attack was investigated internally by the FDIC IT department. The attackers left data behind, and that data and the subsequent research indicated the source of the attack was Beijing (Lange & Volz, 2016; Sputnik, 2016; Gordon, 2016). The attack took the form of an advanced persistent threat (APT) (Gordon, 2016).
How the Continued Attacks Were Successful
The attacks covered a three-year period, which is not a normal attack. In most other organizations the attack would, on some level, at least have been noticed. In this case there was a distinct lack of cyber-security effort (Lange & Volz, 2016) and of reporting.
This continued to be an issue because of one glaring problem: employees at the FDIC elected to actively hide the breach activity (Lange & Volz, 2016). This was an overt, deceitful act (Pagliery, 2016) that misled the remainder of the department and the public. Hiding so glaring and important an issue was inept (Pagliery, 2016), and it was done not by one person but by many people in the department.
What makes this borderline unconscionable is that the FDIC's top lawyers told employees not to discuss the hacks via email. This directive was handed down by licensed attorneys, who had taken an oath, so that there would be no document trail. The situation was further exacerbated when the CIO at the time actively misled the FDIC auditors as to the extent of the breach (Elfling, 2016; Blake, 2016). This was at best ill-advised. It only served to further expose confidential information and give the attackers free rein over the system, and it has effectively eroded whatever trust was left in the US government.
Had a US business suffered a breach, or a series of breaches, in which sensitive, confidential information was actively exfiltrated, and then actively covered them up, the result would have been decidedly different. The FTC would probably be diving very deeply into the business, applying intense pressure and threatening legal action.
This inaction, especially when the attacks were clearly known, was not prudent. The main rationale came to light much later: the breaches were covered up expressly to protect the job of the FDIC Chairman (Lange & Volz, 2016), who at the time was Martin Gruenberg.
The attack itself, over the years, was rather widespread. An attacker generally looks for one or two areas of an organization to attack, those holding high-profile or confidential information such as finance or payroll. In this instance that was not the case. The targets were 12 FDIC workstations and 10 servers over the years (Pagliery, 2016). The workstations were also not the usual targets; they included mainstream users' systems as well as those of executives (Sputnik, 2016). Overall, an estimated 100 computers were breached since the first attack (Borak, 2016). Unfortunately, this was not the extent of the issue: backdoors were also installed on the workstations and servers (Elfling, 2016; Gallagher, 2016).
Benefits to the Attacker
This was not an attack simply for its own sake, or out of curiosity about what was behind the wall. There was a distinct purpose in mind for the time and effort: the perpetrators were apparently looking for "economic intelligence" (Lange & Volz, 2016). This is much like the earlier cases in which the Chinese were "allegedly" hacking defense contractors for plans and schematics.
Remediation
After the report was published, a significant amount of attention was naturally paid to it, especially to the persons who covered up the breaches. In response, the agency scheduled its policies to be updated. As part of this, the IT group is blocking the use of USB drives, CDs and similar removable media on its systems (Borak, 2016). The FDIC is also planning to upgrade its software, and the IT group is working on a policy for employees leaving FDIC employment. The plan is to have this done by October 28, 2016.
This may correct inadequacies and vulnerabilities; however, it completely misses the systemic issues with management, the lack of ability to do the right thing, and licensed attorneys directing that the issue be covered up.
Troubling
This intentionally deceitful set of acts is troubling and problematic on many levels. The FDIC intentionally hid the attacks and breaches over several years, and this was directed from many levels. Clearly this was fraught with problems, as the public was misled indirectly. Although no direct lie was told to the public, by hiding this the agency misled the government, the people, and other institutions.
The attacks went on for years. The extent of the attacks, and of the data viewed or exfiltrated, may never be known. The FDIC does provide external-facing data and statistics for the public to view, but there is much more data that is confidential, and the attackers may have accessed it at their leisure.
This was hidden by all layers of the FDIC, from the C-suite and corporate attorneys downward. When leadership hides this level of error from the public and all other agencies to protect one person, there is something inherently and systemically wrong. When the CIO and FDIC attorneys directly and overtly instruct staff to hide the breach of the system and of confidential information, the problem is not isolated; it is with the organization.
What is most troubling is that this has not been widely noted in the news. A foreign country may hold confidential data regarding the US banking industry. This is serious, yet there has not been a mass of media coverage, and in a short period it may be forgotten by the public. What has not been brought forward is what the other nation could do with this information and data. What would happen to the banking industry if that nation used the data from the breach in a detrimental, persistent manner? This should concern people, yet it has faded from focus.
References
Asadorian, P. (Publisher). (2016, July 14). Security Weekly [Podcast]. Retrieved from https://securityweekly.com
Blake, A. (2016, July 13). FDIC let down its cyber defenses despite being hacked by Chinese: House panel. Retrieved from http://www.washingtontimes.com/news/2016/jul/13/fdic-let-down-its-cyber-defenses-despite-being-hac/
Borak, D. (2016, July 14). Top FDIC officials weren’t fully informed on computer hacks chairman says. Retrieved from http://www.wsj.com/articles/top-fdic-officials-werent-fully-informed-on-computer-hacks-chairman-says-1468514182 
Daily Star. (2016, July 14). US banking regulator updates cyber security after data breach: Chairman. Retrieved from https://www.dailystar.com.lb/News/World/2016/Jul-14/362070-us-banking-regulator-updates-cyber-security-after-data-breach-chairman.ashx
Elfling. (2016, July 13). FDIC hacked by China, and CIO covered it up. Retrieved from http://www.dailykosbeta.com/story/2016/07/13/1394681/--FDIC-was-hacked-by-China-and-CIO-covered-it-up
Gallagher, S. (2016, July 13). FDIC was hacked by China, and CIO covered it up. Retrieved from http://arstechnica.com/security/2016/07/fdic-was-hacked-by-china-and-cio-covered-it-up/
Gordon, M. (2016, July 13). Chinese government suspected of hacking into FDIC computers. Retrieved from http://phys.org/news/2016-07-chinese-hacking-fdic.html
Lange, J., & Volz, D. (2016, July 13). Likely hack of U.S. banking regulator by China covered up: Probe. Retrieved from http://www.reuters.com/article/us-cyber-fdic-china-idUSKCN0ZT20M
Mimoso, M. (2016, July 13). Congressional report: China hacked FDIC and agency covered it up. Retrieved from https://threatpost.com/congressional-report-china-hacked-fdic-and-agency-covered-it-up/119276/
Pagliery, J. (2016, July 13). China hacked the FDIC-and US officials covered it up, report says. Retrieved from http://money.cnn.com/2016/07/13/technology/china-fdic-hack/index.html
Reuters. (2016, July 14). Why the FDIC is updating its cyber security policy after this data breach. Retrieved from http://fortune.com/2016/07/14/fdic-data-breach-cyber-security/ 
Sputnik International. (2016, July 13). China likely behind multiple computer breaches at US bank insurer. Retrieved from http://sputniknews.com/us/20160713/1042917703/us-cyber-security.html

Jackpotting ATMs: Here It Comes Again

ATMs have for years been a familiar sight at banks and credit unions. They are now also found in many retail establishments (convenience stores, grocery stores, malls, etc.) and in workplaces, for the convenience of consumers. The first ATM was installed in 1967 at a Barclays Bank branch in London (Kochetova, 2016). With the vast number of these machines located across the planet, all loaded with money, attackers have decided to work at breaching them for profit.
History
Attacks on ATMs are not a new phenomenon; attempts have been recorded for at least a decade. At Black Hat in 2010 there was a demonstration of a methodology to jackpot an ATM: the presenter showed how to gain administrative privilege on the machine and issue the command for it to dispense all of its cash (ATMequipment, 2010).
Barnaby Jack's presentation at the same Black Hat first demonstrated how to open an ATM, plug in a USB drive, and restart the machine from it; the attack was neither complex nor difficult. A second attack bypassed the authentication process remotely: a rootkit was installed and the ATM was owned (Dirro, 2010; Zetter, 2010).
A later attack jackpotted ATMs using only the keypad. It was carried out over 18 months in the Nashville, TN area, and the attackers fraudulently collected over $400K of other people's money. They were caught and will spend a great deal of time in jail. Given the lure of easy money, none of this is unusual.
Recent Attack
Over the last six years, after security had improved, the incidence of ATM attacks decreased to an insignificant level; what remained was mostly people being curious rather than actually breaching a machine.
That was, until recently. Over $2M was stolen from ATMs in Taiwan through fraudulent withdrawals. As nothing similar had happened for years, the authorities initially had no idea how it was perpetrated. Camera recordings showed that the withdrawals were made without a card being inserted into the machine (Ducklin, 2016); the machines had been jackpotted. The people collecting the cash wore masks, making identification exceptionally difficult at best. As the investigation continued, it emerged that at least two Russian nationals were involved. At first glance, it appeared the attackers had used malware loaded onto the ATMs.
Further research indicated the parties involved were linked to Infocube, a security firm located in Russia, and to the Carbanak cybercrime gang (Cluley, 2016). Carbanak is a familiar name in certain circles; the gang has been accused of fraudulently acquiring over $200M. In other attacks they have abused e-payment systems and installed malware on the infrastructure the ATMs run on.
These suspects were located and arrested (Abel, 2016): one in northeast Taiwan and two in Taiwan's capital, Taipei. Thirteen others, who had fled the country, were also implicated. Fortunately, over half of the money was recovered. The process used to place the malware on the ATMs is unknown; the attack on the bank's network (Gray, 2016) will be investigated further.
References
ATMequipment. (2010, August 3). Hantle (formerly Tranos) ATM machines. Retrieved from http://atmequipment.com/News/Technical-Bulletin-Jackpotting-ATM-Machines  
Cluley, G. (2016, July 20). Russian security firm linked to cybercrime gang. Retrieved from https://www.grahamcluley.com/2016/07/russian-security-firm-linked-cybercrime-gang/ 
Dirro, T. (2010, July 28). Remote jackpot: Hacking ATMs. Retrieved from https://blogs.mcafee.com/mcafee-labs/remote-jackpot-hacking-data/  
Ducklin, P. (2016, July 18). Mystery surrounds $2M ATM “jackpotting” attack in Taiwan. Retrieved from https://nakedsecurity.sophos.com/2016/07/18/mystery-surrounds-2m-atm-jackpotting-attack-in-taiwan
Durden, T. (2014, November 16). “ATM jackpotting” exposed-It’s not just the fed that spits out free money. Retrieved from http://www.zerohedge.com/news/2014/11-16/atm-jackpotting-exposed-its-not-just-fed-spits-out-free-money  
Gray, P. (2016, July 21). Risky.biz #419—Brian Krebs on future of bank cybercrime. Retrieved from http://risky.biz/RB419
Kochetova, O. (2016, April 26). Malware and non-malware ways for ATM jackpotting. Retrieved from https://securelist.com/analysis/publications/74533/malware-and-non-malware-ways-for-atm-jackpotting-extended-cut/
Krebs, B. (2014, October 20). Spike in malware attacks on aging ATMs. Retrieved from http://krebsonsecurity.com/2014/10/spike-in-malware-attacks-on-aging-atms/ 
Krebs, B. (2015, January 6). Thieves jackpot ATMs with ‘Black Box’ attack. Retrieved from http://krebsonsecurity.com/2015/01/thieves-jackpot-atms-with-black-box-attack
Roger, J. (n.d.). Jackpotting ATM machines courtesy of the Jolly Roger. Retrieved from http://skepticfiles.org/new/068doc.html
Wikipedia. (2016, July 15). Security of automated teller machines. Retrieved from https://en.wikipedia.org/wiki/Security_of_Automated_Teller_Machines
Zetter, K. (2010, July 28). Researcher demonstrates ATM ‘jackpotting’ at black hat conference. Retrieved from https://www.wired.com/2010/07/atms-jackpotted/


Monday, September 12, 2016

VW: Old Vulnerability Brought to Light...Finally

Cybersecurity continues to be an issue in our environment. This concerns both old and new technology, applied commercially and by consumers, and it applies across industries. Recent examples abound in the news. Hospitals have recently been the recipients of ransomware and other malware. This was traumatic for the hospitals, whose patient records were encrypted, but the reach went far beyond that: stolen patient records were sold on the dark web, trust and rapport within the community were lost, hospital administrators had to decide whether to pay the ransom, and possible fines for HIPAA violations had to be analyzed. Banks have also been targeted by malware, through phishing and attacks on SWIFT involving millions of dollars. Other businesses have been victims of the executive wire scam.
Cybersecurity is becoming more of an issue, and the government is planning more of a focus on it. The Federal Trade Commission (FTC) has become more involved in ensuring businesses apply an appropriate level of security to their enterprises, as in recent cases against a hotel chain and other entities. One area not addressed at length is vehicle cybersecurity. Two senators, Edward Markey of Massachusetts and Richard Blumenthal of Connecticut, have requested that federal regulators focus more on this aspect of our society (Markey, 2016). As of mid-September 2016, vehicle manufacturers have not been assessed fines for the lack of vehicle cybersecurity, as other industries have been for their cybersecurity breaches.
Vehicle Vulnerability-Remote Door Control
There are a number of vulnerabilities in vehicles, from sources internal to the vehicle and external to it. Specifically for this topic, the subject vehicles have a vulnerability in unlocking the doors with a remote or fob. One method of remote access to a vehicle involves RFID functionality; the issue there is that the cryptographic keys tend to be too short (Bono, Green, Stubblefield, Rubin, Juels, & Szydlo, n.d.), and a key that is too short is cracked too easily. The other method involves the key fob.
VW
This year has certainly brought a certain level of notoriety to the VW nameplate. The first significant issue was the misrepresentation of diesel-emission test results, which proved very costly, financially and reputationally. As if that were not a sufficiently negative event, there is now another significant vulnerability. It affects millions of VW vehicles manufactured since 1995 (McHugh, 2016; Utermohlen, 2016; Auchard, 2016; McGoogan, 2016; Ross, 2016; Bing, 2016; Abel, 2016; Reuters, 2016; Greenberg, 2016; Brown, 2016). A related weakness in VW's immobilizer, found by some of the same researchers, dates to 2012 (Pagliery, 2016); the researchers were ready, willing, and able to publish in 2013, but VW sued to stop publication for two years (Greenberg, 2016; Pagliery, 2016).
Manufacturing Process
In this case the key fob is involved. The user pushes the button, the fob transmits to the vehicle and authenticates itself, the door(s) unlock, the lights blink, and the user is able to enter the vehicle. This appears to be a relatively simple process.
The manufacturing process itself also appears relatively straightforward. As the vehicle moves along the line, equipment is added to the frame and body as it takes its familiar shape. Near the end of the line, the key fob for the vehicle is programmed, and the application and code are programmed into the vehicle (Intagliata, 2016). This is done for every car. As the fob is paired with the vehicle, the crypto-algorithm is applied to the code for each car, but the cryptographic key it relies on was shared across the fleet rather than unique to each vehicle. Years ago, this methodology was fine for a short period. However, after millions of vehicles, each of them a sample an attacker can study, the cryptographic measures are no longer robust. For the purpose of this discussion, this was the process for the Volkswagen Group for 20 years (Intagliata, 2016).
Hardware
The researchers were able to clone the remote keyless communication between the key fob and vehicle using common equipment (McHugh, 2016) that anyone may obtain. Specifically, they used an RF transceiver built around an Arduino board, a handful of other basic parts, and a 9-volt battery, costing approximately $40 USD in total (Abel, 2016; Ross, 2016; Bing, 2016; Greenberg, 2016; McGoogan, 2016). Analyzing the chips in VW Group vehicles and fobs let them break the crypto-algorithm used to protect the communication and recover the key (Intagliata, 2016); the researchers are not divulging exactly where or how they acquired the crypto key (Davies, 2016; Khandelwal, 2016). With the key in hand, the researchers, or attackers, can load it into a generic fob and unlock the vehicles (Intagliata, 2016), and no damage to the vehicle is required to steal it (Bing, 2016). Thus the hardware needed to exploit the vulnerability is relatively simple.
The attack hardware uses a radio receiver to eavesdrop on the communication between the fob and the car, often described as a man-in-the-middle (MitM) attack (Hopping, 2016; McHugh, 2016), although a single captured button press is enough. The captured transmission carries only a limited amount of data, essentially the fob's rolling-code value; combined with the master key recovered from the vehicle electronics (Ross, 2016) and the algorithm, it lets the attacker produce the next valid code and unlock the vehicle. The attack can be carried out from up to 300 feet (Bing, 2016; Greenberg, 2016), or 100 meters (Kan, 2016), away.
Decoding the signal and cloning it (McHugh, 2016; Bing, 2016; Courtney, 2016) describes the more basic attack on these vehicles. The more advanced attack targets Hitag2, the rolling-code cipher used in selected Chevrolet, Renault, and Ford models (Ross, 2016; Tung, 2016). That version focuses on cracking the rolling code, which takes merely one to a few minutes (Davies, 2016; Solon, 2016). Once it is cracked, the final checksum is predictable (Ross, 2016; Bing, 2016; Garcia, Oswald, Kasper, & Pavlides, 2016).
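The structure of the basic attack is easiest to see in a small model. The following is an added example written for this post; it is not VW's scheme, not the researchers' code, and the code format (fob id, counter, truncated HMAC-SHA256 tag) and the acceptance window are constructed stand-ins for the real cipher, which the post does not detail. The names Fob, Car, make_code and forge_next are hypothetical. What the model shows is the point above: an attacker holding the fleet-wide master key needs only one eavesdropped button press to forge the next valid code, while a key unique to each car (the fix VW describes for newer models) makes the same eavesdrop useless, and a plain replay fails in both cases because the counter has already been consumed.

```python
"""Model of a rolling-code remote and why one fleet-wide key breaks it.

Added example for this post, not VW's scheme or the researchers' code. The
code format (fob id || counter || truncated HMAC-SHA256) and the acceptance
window are constructed stand-ins for the real cipher. Fob, Car, make_code and
forge_next are hypothetical names chosen for the demo.
"""
import hashlib
import hmac
import os

ID_LEN, CTR_LEN, TAG_LEN = 4, 4, 8
WINDOW = 16   # receiver tolerates this many missed presses (fob pressed out of range)


def make_code(key: bytes, fob_id: bytes, counter: int) -> bytes:
    """One transmission: fob id, counter, and a MAC over both under `key`."""
    msg = fob_id + counter.to_bytes(CTR_LEN, "big")
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]
    return msg + tag


class Fob:
    def __init__(self, key: bytes, fob_id: bytes):
        self.key, self.fob_id, self.counter = key, fob_id, 0

    def press(self) -> bytes:
        self.counter += 1
        return make_code(self.key, self.fob_id, self.counter)


class Car:
    def __init__(self, key: bytes, fob_id: bytes):
        self.key, self.fob_id, self.last_counter = key, fob_id, 0

    def receive(self, code: bytes) -> bool:
        """Accept only a correctly MAC'd code whose counter is ahead of the last
        accepted one but within WINDOW; this is what defeats plain replay."""
        if len(code) != ID_LEN + CTR_LEN + TAG_LEN or code[:ID_LEN] != self.fob_id:
            return False
        msg, tag = code[:ID_LEN + CTR_LEN], code[ID_LEN + CTR_LEN:]
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False
        counter = int.from_bytes(code[ID_LEN:ID_LEN + CTR_LEN], "big")
        if not self.last_counter < counter <= self.last_counter + WINDOW:
            return False
        self.last_counter = counter
        return True


def forge_next(master_key: bytes, captured: bytes) -> bytes:
    """Attacker: read fob id and counter from one sniffed code, MAC counter+1 with the master key."""
    fob_id = captured[:ID_LEN]
    counter = int.from_bytes(captured[ID_LEN:ID_LEN + CTR_LEN], "big")
    return make_code(master_key, fob_id, counter + 1)


def clone_succeeds(shared_master_key: bool) -> bool:
    """True if an attacker holding the fleet master key opens the car after one eavesdrop."""
    master_key = b"fleet-wide-master-key-16"        # constructed; stands in for the extracted key
    fob_id = b"\xde\xad\xbe\xef"
    # The fix on newer models: a key unique to this car, not derivable from the master key.
    car_key = master_key if shared_master_key else os.urandom(16)
    fob, car = Fob(car_key, fob_id), Car(car_key, fob_id)
    captured = fob.press()               # attacker sniffs the owner's press from ~100 m
    assert car.receive(captured)         # the owner's press unlocks as normal
    return car.receive(forge_next(master_key, captured))


def replay_rejected() -> bool:
    """A straight replay of a sniffed code fails: that counter has already been consumed."""
    key, fob_id = os.urandom(16), b"\x01\x02\x03\x04"
    fob, car = Fob(key, fob_id), Car(key, fob_id)
    captured = fob.press()
    return car.receive(captured) and not car.receive(captured)


if __name__ == "__main__":
    print("replay rejected:", replay_rejected())                 # True
    print("clone with shared key:", clone_succeeds(True))        # True: the attack in the post
    print("clone with per-car key:", clone_succeeds(False))      # False
```

The rolling counter does its job against replay in both configurations; what it cannot do is protect a MAC key that every car on the road shares, because one unit opened on a bench then yields the key for all of them. A random per-vehicle key provisioned at the factory removes that single point of failure without changing the radio protocol at all.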
Remediation
First, it is notable and disturbing how VW handled this issue. VW stated that state-of-the-art security is implemented in its manufacturing process, which is beneficial to the users, but added that there is no 100% guarantee of vehicle security (Murdoch, 2016). That is a well-accepted generalization in the information security industry. The issue is that, coming from VW, it reads as though the company has internalized it as an excuse rather than as a challenge. Granted, securing every aspect is not possible because of unknown vulnerabilities; a fully secure vehicle should nonetheless be the goal striven towards.
Both versions of this attack would explain the stolen-vehicle insurance claims in which the owner maintained that the vehicle was locked (Zorz, 2016).
VW had been aware of the issue for years (Intagliata, 2016; Bing, 2016; Reuters, 2016), since 2012 (Greenberg, 2016). In 2013 the researchers were ready to publish their earlier work on VW's keyless systems when VW sued to block the publication, which delayed it by two years. Beyond the VW group brands, the affected models include Ford, Chevrolet, Nissan, and Mitsubishi, as these use the same Hitag2-based fob scheme, along with GM's Opel and Renault (McHugh, 2016) and Peugeot (Brown, 2016). Of these, the VW models are the most at risk (Hopping, 2016; Bing, 2016), because a single master key is shared across them. All of these rely on weak, outdated cryptography (Intagliata, 2016).
With recent models, VW has stated the issue has been corrected (Davies, 2016; Utermohlen, 2016; Tragianis, 2016): newer vehicles use unique per-vehicle security keys (Brown, 2016), and those built on the MQB platform (Modular Transverse Matrix) are not affected (McGoogan, 2016).
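To make the key-management point concrete, the following is a toy model of a rolling-code remote keyless entry (RKE) system, added here as an illustration; it is not code from the original post or from Garcia et al. (2016). A truncated HMAC-SHA256 stands in for the proprietary cipher, and the fob identifiers, key bytes, 32-bit authenticator length and 32-code resynchronisation window are all assumptions. It shows the eavesdrop-and-clone attack described above (one captured button press plus a fleet-wide master key recovered from the car's firmware) and why the per-vehicle unique keys cited as the fix defeat it. The Hitag2 cryptanalysis is not modelled.

```python
"""Toy rolling-code RKE model: shared master key vs. per-vehicle key.

Added illustration, not the original post's or Garcia et al.'s code. The
MAC, key bytes, IDs, window size and authenticator length are assumptions
chosen to show the key-management flaw, not the real VW frame format.
"""
import hashlib
import hmac
from dataclasses import dataclass

MAC_LEN = 4    # assumption: 32-bit authenticator, as in a short RKE frame
WINDOW = 32    # assumption: car accepts counters up to 32 ahead (resync)


@dataclass(frozen=True)
class Frame:
    """What the fob puts on the air: its ID, a counter and an authenticator."""
    fob_id: int
    counter: int
    mac: bytes


def make_mac(key: bytes, fob_id: int, counter: int) -> bytes:
    """Stand-in for the proprietary cipher: keyed MAC over (fob_id, counter)."""
    msg = fob_id.to_bytes(4, "big") + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class Fob:
    def __init__(self, fob_id: int, key: bytes, counter: int = 0):
        self.fob_id, self.key, self.counter = fob_id, key, counter

    def press(self) -> Frame:
        """Each button press advances the rolling counter and signs it."""
        self.counter += 1
        return Frame(self.fob_id, self.counter,
                     make_mac(self.key, self.fob_id, self.counter))


class Car:
    def __init__(self, fob_id: int, key: bytes):
        self.fob_id, self.key, self.last_counter = fob_id, key, 0

    def unlock(self, f: Frame) -> bool:
        """Accept a frame only if it is fresh, in-window and authentic."""
        if f.fob_id != self.fob_id:
            return False
        if not (self.last_counter < f.counter <= self.last_counter + WINDOW):
            return False   # replay (counter already used) or too far ahead
        if not hmac.compare_digest(f.mac, make_mac(self.key, f.fob_id, f.counter)):
            return False   # authenticator does not verify under the car's key
        self.last_counter = f.counter
        return True


def forge_next(key: bytes, sniffed: Frame) -> Frame:
    """Attacker: from one eavesdropped frame and a key, build the next code."""
    c = sniffed.counter + 1
    return Frame(sniffed.fob_id, c, make_mac(key, sniffed.fob_id, c))


def scenario_global_key() -> dict:
    """Fleet-wide master key: one sniffed press + key from any car's firmware
    lets the attacker clone the fob. Plain replay still fails (counter used)."""
    master = b"fleet-wide-master-key"          # constructed; same in every car
    car, fob = Car(0x1234, master), Fob(0x1234, master)
    sniffed = fob.press()                      # attacker's receiver logs this
    car.unlock(sniffed)                        # owner's press is accepted
    replay = car.unlock(sniffed)               # False: counter already consumed
    forged = car.unlock(forge_next(master, sniffed))   # True: cloned fob works
    return {"replay": replay, "forged": forged}


def scenario_unique_key() -> dict:
    """Per-vehicle key: a key pulled from *another* car's firmware does not
    verify here, so the sniffed frame gives the attacker nothing."""
    victim_key = hashlib.sha256(b"per-vehicle-secret-0x5678").digest()   # constructed
    other_car_key = hashlib.sha256(b"per-vehicle-secret-0x9999").digest()  # constructed
    car, fob = Car(0x5678, victim_key), Fob(0x5678, victim_key)
    sniffed = fob.press()
    car.unlock(sniffed)
    forged = car.unlock(forge_next(other_car_key, sniffed))   # False: wrong key
    replay = car.unlock(sniffed)                              # False: stale counter
    return {"replay": replay, "forged": forged}


if __name__ == "__main__":
    print("shared master key:", scenario_global_key())
    print("per-vehicle key:  ", scenario_unique_key())
```

The counter window is what makes the real attack worse than a replay: the car tolerates the fob being a few presses ahead, so an attacker who can compute the authenticator for counter+1 does not need to jam or race the owner. With a fleet-wide key, recovering it once from one car's firmware converts every eavesdropped press on any car of that generation into a working clone; with per-vehicle keys the attacker would have to extract the key from the specific target.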


References
Abel, R. (2016, August 12). Volkswagen bug: 100M vehicles vulnerable to door unlocking hack. Retrieved from http://www.scmagazineuk.com/researchers-vulnerability-affecting-every-volkswagon-since-1995/article/515616/
Auchard, E. (2016, August 11). Keyless entry systems on most Volkswagens, Audis, can be hacked: Researchers. Retrieved from http://theglobeandmail.com/globe-drive/culturetechnology/keless-entry-systems-on-most-volkswagens-audies-can-be-hacked-researchers/article31379613
Bing, C. (2016, August 12). 100 million vehicles are vulnerable to hack that unlocks door. Retrieved from http://fedscoop.com/volkswagon-hack-ford-nissan-fiat-august-2016
Bono, S., Green, M., Stubblefield, A., Rubin, A., Juels, A., & Szydlo, M. (2005). Exploiting RFIDs: Car immobilizers and the ExxonMobil SpeedPass. Retrieved from https://securityevaluators.com/knowledge/case_studies/rfid/
Brown, B. (2016, August 11). 100 million Volkswagen vehicles can be unlocked wirelessly by hacker thieves. Retrieved from http://www.digitaltrends.com/cars/remote-key-fobs-vulnerable-vw/
Cockfield, B. (2016, May 3). Volkswagen Beetle: The most hackable car. Retrieved from http://hackaday.com/2016/05/03/volkswagen-beetle-the-most-hackable-car/
Courtney, W. S. (2016, August 11). 100 million Volkswagen cars threatened by wireless key hack. Retrieved from http://www.thedrive.com/news/4801/100-million-ovlkswagen-cars-threatened-by-wireless-key-hack
Davies, C. (2016, August 11). Volkswagen hack renders millions of car locks useless. Retrieved from http://www.slashgear.com/volswagen-hack-renders-millions-of-car-locks-useless-11451502
Fadilpasic, S. (2016, August 12). Got a Volkswagen? You might want to read this one. Retrieved from http://www.itproportal.com/2016/08/12/got-a-volkswagen-you-might-want-to-read-this-one/
Garcia, F. D., Oswald, D., Kasper, T., & Pavlides, P. (2016). Lock it and still lose it: On the (in)security of automotive remote keyless entry systems. Proceedings of the 25th USENIX Security Symposium. Retrieved from https://assets.documentcloud.org/documents/2010178/Volkswagen-amp-HiTag2-Keyless-Entry-System.pdf
Greenberg, A. (2016, August 10). A new wireless hack can unlock 100 million Volkswagens. Retrieved from https://www.wired.com/2016/08/oh-good-new-hack-can-unlock-100-million-volkswagens/
Hopping, C. (2016, August 14). Keyless car entry systems could be a huge security risk. Retrieved from http://www.itpro.co.uk/hacking/27088/keyless-car-entry-systems-could-be-a-huge-security-risk
Intagliata, C. (2016, August 12). Remote door controls are car security flaw. Retrieved from http://scientificamerican.com/podcast/episode/remote-door-controls-are-car-security-flaw/
Khandelwal, S. (2016, August 11). Car thieves can unlock 100 million Volkswagens with a single hack. Retrieved from http://thehackernews.com/2016/08/hack-unlock-car-door.html?utm_source=feedburner&utm_medium=feed&utm+campaign=Feed%3A+TheHackerNews+%28The+Hacker+news+-+Security+Blog%29&_3...
Knight, H. (2016, July 18). Understanding electronic control units (ECUs) in connected automobiles and how they can be hacked. Retrieved from https://www.alienvault.com/blogs/security-essentials/understanding-electronic-control-units-ecus-in-connected-automobiles-and-how-they-can-be-hacked
Liberatore, S. (2016, August 12). Security experts reveal $40 device that would allow thieves to wirelessly unlock nearly every Volkswagen made since 1995. Retrieved from http://www.dailymail.co.uk/sciencetech/article-3737375/Security-experts-reveal-40-device-allow-thieves-wirelessly-unlock-nearly-Volkswagen-1995.html
Markey, E. J. (2016, August 4). Markey and Blumenthal call on the FCC to help improve vehicle cybersecurity and privacy protections. Retrieved from http://www.markey.senate.gov/news/press-releases/markey-and-blumenthal-call-on-the-fcc-to-hep-improve-vehicle-cybersecurity-and-privacy-protections
McGoogan, C. (2016, August 11). Bought a Volkswagen in the last 20 years? It can probably be unlocked by hackers. Retrieved from http://www.telegraph.co.uk/techology/2016/08/11/bought-a-volkswagen-in-the-last-20-years-it-can-be-probably-be-unlo/
McHugh, D. (2016, August 12). Security experts: Remotes are hackable on many vehicles. Retrieved from http://napavalleyregister.com/news/world/security-experts-remotes-are-hackable-on-many-vehciles/article_3e2c5da6-16ad-532a-b56f-7bdc7de2ae94.html
Murdoch, J. (2016, August 12). Volkswagen security vulnerability leaves 100 million cars wide open to wireless key hacking. Retrieved from http://www.ibtimes.co.uk/volkswagen-security-vulnerability-leaves-100-million-cars-wide-open-wirless-key-hacking-1575624
Pagliery, J. (2015, August 14). Volkswagen hid a car hacking flaw for two years. Retrieved from http://money.cnn.com/2015/08/14/techlogy/volkswagen-car-hacking/index.html
Reuters. (2016, August 11). Millions of VW's cars can be hacked with a cheap device, experts show. Retrieved from http://www.nbcnews.com/business/autos/millions-vw-s-cars-can-be-hacked-cheap-device-experts-u628271
Solon, O. (2015, August 14). VW has spent two years trying to hide a big security flaw. Retrieved from http://www.bloomberg.com/news/articles/2015-08-14/vw-has-spent-two-years-trying-to-hide-a-big-security-flaw
Tragianis, N. (2016, August 11). Researchers find security flaw with VWs built since 1995. Retrieved from http://driving.ca/volkswagen/auto-news/news/researchers-find-security-flaw-with-vws-built-since-1995
Tung, L. (2016, August 11). Millions of VW cars at risk: Wireless hack lets crooks clone Volkswagen keys. Retrieved from http://www.zdnet.com/article/millions-of-vw-cars-at-risk-wireless-hack-lets-crooks-clone-volkswagen-keys-at-100m/
Utermohlen, K. (2016, August 11). Millions of VW cars at risk of unlocking hack. Retrieved from http://investorplace.com/2016/08/vw-hacked/#.V6zZhPkrK00
Zorz, Z. (2016, August 11). Hundreds of millions of cars can be easily unlocked by attackers. Retrieved from https://www.helpnetsecurity.com/2016/08/11/cars-easily-unlocked-attackers/