Senator Markey: Our connected cars are insecure and leaking data

As our cars gain more means to reach and connect to our smartphones, the cloud and the internet, they’re also creating more pathways to infiltrate our cars’ data and possibly providing a way for hackers to take control of our vehicles, according to a new report compiled by U.S. Senator Ed Markey (D-Mass.).

Markey, a member of the Senate Commerce, Science and Transportation Committee, sent letters to 19 automakers asking about the vulnerabilities of their vehicles to hackers, the security measures in place to protect customers from attacks and the data the automakers themselves collected through these connectivity channels. All of the major automakers responded (the three that didn’t were Lamborghini, Aston Martin and – oddly enough – Tesla), but Markey wasn’t exactly consoled by the responses.

U.S. Senator Ed Markey

All automakers told Markey’s office that they produced cars with some form of wireless connectivity, whether Bluetooth, Wi-Fi or a direct cellular link. But when questioned about if and how these “wireless points of entry” were being exploited by hackers and what protections were in place against such exploits, their responses were all over the map.

Several automakers simply ignored some of the questions. Most of those who did respond said they were unaware of, or had no data on, any hacking attempts on their vehicles (though one automaker described non-malicious attempts by car owners trying to reprogram their own engines). As for preventive measures, only half of the companies provided specific examples of security technologies and testing, and only two said they had the means to identify and react to an intrusion in any meaningful way in real time.

One manufacturer said it could remotely put the car in a “fail-safe” mode that limited how it could be operated, while another said it could remotely slow down and immobilize a compromised vehicle. Take a look at the report yourself if you get a chance. While Markey didn’t call out specific automakers’ responses, he clearly identifies the companies that didn’t respond to specific questions.


Markey’s staff also found that there was another way for hackers to get data from a car without getting anywhere near your vehicle’s radios: the cloud. While many car manufacturers collect vast amounts of information through their telematics services, that data is often collected by partners and stored in third-party data centers, but hardly any of them detailed how that data was secured.

We’re still in the early days of the connected car, so the public isn’t exactly clamoring over hacked vehicles today. That could explain many of the automakers’ responses: they may not have data on attacks against car computers because such attacks are either exceedingly rare or non-existent. But as Markey’s report makes abundantly clear, that doesn’t mean a hack won’t occur, and if it does the consequences could be catastrophic. This isn’t just your computer going haywire or your identity getting stolen. If a hacker gets into your car’s computer, he can gain control over your vehicle, even if you’re in it.

Automakers make a point of saying that they keep the various networks in their cars separate for this very reason: the network that remotely unlocks your doors or blares Beyoncé from your iPhone through your car’s speakers isn’t the same network that controls the engine. But white-hat hackers have demonstrated that cars’ control systems are far more vulnerable than automakers claim. They’ve been able to control braking and acceleration by plugging a laptop into the on-board diagnostic port under your steering wheel, which sits on the same network bus that telematics services and infotainment systems tap with their wireless connections.

Sony: Pictures hack cost $15M; 2,100 smartphone job cuts coming

Last year’s massive hack on Sony Pictures Entertainment, which the U.S. administration has blamed on North Korea, cost the Sony division around $15 million.

In Sony’s results (PDF) for the third quarter of its fiscal year (the fourth quarter of 2014 proper), the company had to provide forecasted rather than actual results for the movie unit, because the cyberattack so severely disrupted its network and infrastructure.

The Japanese company placed the cost for investigating and remediating the attack at approximately $15 million, a hit that it will place on its books for the current quarter. It said the impact on its full-year results “will not be material.”

The quarterly results also showed a year-on-year 28.7 percent boost in sales and operating revenue for Sony’s smartphone unit, and the division’s operating profit for the quarter was up 46 percent, reaching a modest $76 million.

However, the smartphone unit is still heading for a bigger-than-anticipated full-year operating loss of 215 billion yen ($1.83 billion), and Sony also reiterated its plan to cut a couple thousand jobs in its smartphone division — now more specifically laid out as 2,100 jobs — by the end of March 2016. Previous reports have indicated these job losses will mostly take place in China and Europe.

The software that helped hack the iCloud nudes got a scary update

The software tool that was used to exfiltrate many of the photos that comprised the infamous iCloud celebrity nude dump of 2014 has received a big update. Elcomsoft Phone Breaker now supports the two-factor authentication process that Apple added as a result of the iCloud hacks.

Yik Yak shown no slack in intern hack attack

Getting hacked seems to be a rite of passage for social media companies. It’s a sign that they’ve grown big enough to attract the attention of the hacking community.

Right on schedule, anonymous local chatting app Yik Yak has been hit with a big security breach, a mere two weeks after closing its $62 million round led by Sequoia. An intern from a security firm figured out how to unearth people’s real life identities and take control of their accounts.

I reached out to Yik Yak for comment and a spokesperson said, “Upon being informed of the issue, Yik Yak acted immediately to address and remedy the situation.” The company released an updated app last week that fixes the hole, before SilverSky Labs, a security firm, disclosed the flaw on Monday.

Yik Yak is huge in U.S. colleges, where people within a two mile radius of each other can post anonymous, public messages to a feed.

A young intern at SilverSky Labs decided to test Yik Yak’s system given recent privacy controversies in the anonymous app space (see: Whisper). It didn’t take long to crack the app’s code — just a few days. “This attack is not particularly sophisticated,” Brandon Edwards, VP of SilverSky Labs, told me. “A lot of the tools [we used] are commonplace in network analysis.”

Intern Sanford Moskowitz figured out that although Yik Yak encrypted the messages sent over its own network, the app also communicated with third-party service providers that didn’t encrypt their traffic. Therein lay the weakness, which allowed Moskowitz to recover unique Yik Yak user ID numbers (distinct from the publicly facing username).

Since Yik Yak doesn’t require passwords, anyone with this person’s user ID number could tamper with the Yik Yak app to log into said user’s account, see their content, and post under their identity. They could also use the ID to figure out someone’s real-life identity, by running it through Wireshark and linking it to the person’s smartphone cues. For example, if you’re logged into other social networks that have your name, a hacker could trace that through your Yik Yak ID.
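The weakness described above is a general one: when a service asks for no password, whatever identifier the client sends becomes the only credential, and anything that leaks it (here, cleartext traffic to a third party) leaks the account. The following is an added example, not Yik Yak’s code or SilverSky’s tooling, that contrasts an ID-only service with a hardened one in which each device holds a secret issued at registration and signs every request with an HMAC over the user ID, a monotonically increasing counter and the message. The user IDs are constructed for the example, and the HMAC-with-counter scheme is an assumed hardening, not what Yik Yak actually shipped in its fix.

```python
import hashlib
import hmac
import secrets


# Constructed sample registry: these numeric user IDs are invented for the example.
KNOWN_USER_IDS = {"1001", "1002"}


class IdOnlyService:
    """Vulnerable pattern: the client-supplied user ID is the only proof of identity.

    Anyone who learns an ID (for instance from traffic a third-party service
    sends in the clear) can post as that user.
    """

    def __init__(self, user_ids):
        self.user_ids = set(user_ids)

    def post(self, user_id, message):
        if user_id not in self.user_ids:
            return None
        return (user_id, message)


class TokenService:
    """Hardened pattern: a per-device secret issued once at registration.

    Every request carries a counter and an HMAC over (user_id, counter, message)
    keyed with the device secret. Learning the ID alone is useless, and a captured
    signed request cannot be replayed because its counter is no longer fresh.
    """

    def __init__(self):
        self._secrets = {}   # user_id -> device secret, held server side only
        self._counters = {}  # user_id -> highest counter accepted so far

    def register(self, user_id):
        token = secrets.token_bytes(32)
        self._secrets[user_id] = token
        self._counters[user_id] = 0
        return token  # delivered to the device once; never sent on the wire again

    @staticmethod
    def sign(token, user_id, counter, message):
        payload = f"{user_id}:{counter}:{message}".encode()
        return hmac.new(token, payload, hashlib.sha256).hexdigest()

    def post(self, user_id, counter, message, signature):
        token = self._secrets.get(user_id)
        if token is None or counter <= self._counters[user_id]:
            return None  # unknown user, or a stale/replayed counter
        expected = self.sign(token, user_id, counter, message)
        if not hmac.compare_digest(expected, signature):
            return None  # caller does not hold the device secret
        self._counters[user_id] = counter
        return (user_id, message)


def demo():
    """Exercise both services and report which requests each one accepted."""
    results = {}

    weak = IdOnlyService(KNOWN_USER_IDS)
    # Knowing only the ID 1001 is enough to post as that user.
    results["weak_id_only_accepted"] = weak.post("1001", "hello") is not None

    strong = TokenService()
    alice_token = strong.register("1001")

    # Legitimate device: holds the secret and uses a fresh counter.
    sig = TokenService.sign(alice_token, "1001", 1, "hello")
    results["hardened_legit_accepted"] = strong.post("1001", 1, "hello", sig) is not None

    # Someone who knows only the ID cannot produce a valid signature.
    bogus_sig = "00" * 32
    results["hardened_id_only_accepted"] = strong.post("1001", 2, "hello", bogus_sig) is not None

    # Replaying the earlier legitimate request verbatim is rejected by the counter check.
    results["hardened_replay_accepted"] = strong.post("1001", 1, "hello", sig) is not None

    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The point of the counter is the edge case the passage implies: even once requests are signed, a secret that never changes lets an observer of the wire replay a captured request, so the server must also refuse anything that is not strictly newer than what it last accepted for that user. Transport encryption to every endpoint, including third-party ones, remains necessary regardless, since the scheme protects the account but not the privacy of the message contents.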

Until recently, Yik Yak had been the bastard child of the Secret-Whisper triangle, largely forgotten by Silicon Valley. But with its star on the rise, its days of anonymity are over. Its systems are now under scrutiny from investors, press and hackers alike.