How cyber-hackers become car-jackers
Tuesday 5th May 2015 2:49 pm
The business plan for a mugger is simple and effective. Hide in a dark alley until a random citizen walks by, and then jump out and steal their wallet. The problem, from a business perspective, is that the robber could steal only a few wallets each dark night, and not all of the wallets would be loaded with cash.
In 2013, a 17-year-old teenager in Russia came up with a better business plan. He wanted to commit some kind of cybercrime, but he didn’t know coding, or computer programming. So he went to the web and bought an app that would do all the evil he wanted. He used it to bust into the internal computer network of the giant retailer, Target – who had over 100 million customers. He stole the financial details of some tens of millions of customers.
You can see that this kind of cyber-robbery, from a strict business model point-of-view, has much better returns than mugging the odd victim every night.
Criminals have long been early adopters of new technologies. They had mobile phones long before the cops.
Welcome to the strange new world of cybercrime.
Lots of new software has not been intrinsically designed, from the ground up, with security in mind. The original Facebook motto was: “Move fast and break things”. In other words, get the app up and running, and sell it — and worry about bugs and security later.
For example, consider tyre pressure monitors. They can be used to kill you.
Tyre pressure monitors are currently only on some modern luxury cars, but soon, all cars will have them. They could warn you that your right front tyre has a slow leak — sounds perfectly fine. So how does the spinning tyre speak to the central computer in your car? It uses the short-range radio system called Bluetooth. But the Bluetooth link between the car computer and the tyres was designed without security in mind — and has already been hacked. You can pull alongside a speeding car with a Bluetooth tyre pressure monitoring system, and take over the car’s computer. So you can accelerate, brake or steer — from outside the target’s car. That’s because many cars no longer have a pure mechanical link for the accelerator, brakes and steering, but have a computer inserted into the chain.
So if you had malicious intent, you could smash somebody’s car into an oncoming truck, killing the driver and passengers, and just drive on by.
A less dramatic cybercrime involves cars with keyless ignition. At your end, instead of a key, you have a small electronic gadget in your pocket. At the car end, its computer is constantly broadcasting a unique radio signal. Your car is continually asking for a reply from the key-gadget in your pocket. When you get close enough (say, a metre or so) to your car, your key-gadget picks up your car’s unique radio signal and responds. Your car then acknowledges by switching on the internal lights, and unlocking the doors.
The car thieves have worked out a way to take advantage of this. They get close to your car, and pick up the car’s weak radio signal. They then amplify this signal, and broadcast a really powerful version of this unique radio signal. Inside your house, some 20 or 30 metres away, you’ve already dumped the key-gadget on the kitchen bench. It picks up the powerful signal from the thieves’ amplifier, and responds. The thieves detect, and record, this response signal from your key-gadget. They then play it to your car, which obediently unlocks the doors.
The article I read that discussed this had an odd solution — keep your key-gadget in the freezer. You don’t have to go that far. After all, to totally block all external radio signals from talking to your key-gadget, all you have to do is keep it in a metal box — the technical term is a Faraday cage.
I suppose the authors guessed that everybody has a fridge – in other words, it was the only metal box that seemed ubiquitous.
But then again, it’s one way of putting a problem on ice …
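The keyless unlock exchange described above can be modelled from the car's side to show what a fresh challenge and a round-trip timing check each contribute. This is an added example, not code from the original post: the post does not say how the key-gadget computes its reply, so the HMAC challenge-response, the timing figures and every name below are assumptions.

```python
import hashlib
import hmac
import os

C_M_PER_NS = 0.299792458   # radio signal travel, metres per nanosecond
FOB_DELAY_NS = 1000.0      # assumed fixed time the key-gadget takes to reply
MAX_RANGE_M = 2.0          # assumed unlock radius


def fob_reply(key: bytes, challenge: bytes) -> bytes:
    """Key-gadget side: prove knowledge of the shared key for this challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Car:
    def __init__(self, key: bytes, check_timing: bool = True):
        self._key, self._check_timing, self._challenge = key, check_timing, b""

    def new_challenge(self) -> bytes:
        self._challenge = os.urandom(16)  # fresh nonce per unlock attempt
        return self._challenge

    def verify(self, reply: bytes, rtt_ns: float) -> str:
        expected = fob_reply(self._key, self._challenge)
        if not hmac.compare_digest(expected, reply):
            return "reject: bad reply"
        # Distance implied by time of flight once the fob's own delay is removed.
        distance_m = (rtt_ns - FOB_DELAY_NS) * C_M_PER_NS / 2
        if self._check_timing and distance_m > MAX_RANGE_M:
            return "reject: too far"
        return "unlock"


def round_trip_ns(path_m: float, relay_delay_ns: float = 0.0) -> float:
    """Constructed timing model: out and back over path_m plus relay latency."""
    return 2 * path_m / C_M_PER_NS + FOB_DELAY_NS + relay_delay_ns


def demo() -> dict:
    key = os.urandom(32)
    naive, timed = Car(key, check_timing=False), Car(key)
    out = {}
    first = fob_reply(key, timed.new_challenge())
    out["owner_at_1m"] = timed.verify(first, round_trip_ns(1.0))
    timed.new_challenge()  # the old reply no longer matches the new nonce
    out["recorded_reply"] = timed.verify(first, round_trip_ns(1.0))
    far = round_trip_ns(25.0, relay_delay_ns=50.0)  # gadget 25 m away, relayed
    out["relayed_naive"] = naive.verify(fob_reply(key, naive.new_challenge()), far)
    out["relayed_timed"] = timed.verify(fob_reply(key, timed.new_challenge()), far)
    return out
```

Calling `demo()` shows that a valid reply alone cannot tell the car how far away the key-gadget is: the car without the timing check unlocks for the relayed reply, while the car that bounds the round-trip time rejects it.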
This new high-tech world we’re entering throws up dilemmas for the individual citizens – and for governments. And I’ll talk more about this, next time…
This blog first appeared on Dr Karl's Great Moments in Science
© 2016 Karl S. Kruszelnicki Pty Ltd