The many ways electric cars are vulnerable to hacks, and whether that matters in a real-world

I’d hate to be labeled a “car guy” now mentioning my new electric car in the lede of two newsletters in a row, but I couldn’t resist. 

I’d been reading headlines for years about how electric cars (most notably Teslas) had a range of security vulnerabilities, even some that could allow bad actors to steal the car if they were close enough to the car’s keys. While I don’t own a Tesla, I am now more invested in following the various ways attackers can take advantage of the connectivity of electric cars. 

I’ve bemoaned before that everything is “smart” now, but there’s no escaping it if you want to convert to an electric vehicle. They’re all network-connected, over Wi-Fi or a built-in cellular modem, so drivers can control the charging speed and timing of their cars, monitor public charging stations and communicate with the dealer about any electrical failures. 

A whole new slew of electric car-related vulnerabilities came out last week thanks to Pwn2Own Automotive, the hacking contest that Trend Micro’s Zero Day Initiative (ZDI) ran in Tokyo as part of the Automotive World conference. The contest offered more than $1 million in prize money to researchers who could find and exploit security vulnerabilities in a range of cars and electric car-related products like home chargers. 

In all, researchers demonstrated 49 zero-day vulnerabilities, including a two-vulnerability exploit chain in Tesla cars that allowed an attacker to take over the onboard infotainment system. Other vulnerabilities were found in ChargePoint and JuiceBox products, two prominent manufacturers of home, travel and commercial electric charging equipment. ZDI withholds technical details until the vendors have had time to ship fixes, so few specifics are public yet; the Zero Day Initiative did say on its blog that one researcher “was able to execute his attack against the ChargePoint Home Flex.” 

Some of these exploits are funny to read about. Imagine an attacker taking the time to hack into a Tesla’s modem so they can turn on the car’s windshield wipers without the driver knowing. Tesla stated after Pwn2Own that none of the vulnerabilities discovered would be more than an annoyance for the driver.  

Certainly, previous vulnerabilities that could allow someone to drive away with your car would be more than an annoyance, but this latest batch of bugs has lower stakes than that.  

I could see a lot of traditionalists hesitating to switch to electric cars because their 2011 Toyota Corolla doesn’t require the internet to run. That doesn’t mean that owning an electric car or installing a home charger is inherently risky. I would argue that the average IoT device or home router poses a greater risk of exposing your home network, because those devices are so often overlooked when it comes to security.  

As weird as it is to say, just like you patch an IoT device, it’s important to patch the firmware on your vehicle (gas-powered or not) regularly. Still, I’m not sure it’s time to just assume your electric car is going to be hacked like in “Cyberpunk 2077” just because these vulnerabilities are out there. 

The one big thing 

The FBI says it has disrupted a botnet used by Volt Typhoon, a Chinese state-sponsored actor. FBI Director Christopher Wray announced the operation Wednesday during a hearing with a U.S. House committee. The court-authorized operation removed the group’s malware from hundreds of end-of-life small office/home office (SOHO) routers that Volt Typhoon had compromised and was using to hide the origin of its traffic; it did not shut down the actor itself. Volt Typhoon was first publicly disclosed in mid-2023 for targeting U.S. critical infrastructure while routing its traffic through outdated routers, including some belonging to U.S. critical infrastructure organizations. The hackers had been targeting U.S. water treatment plants, the power grid, oil and natural gas pipelines, and transportation systems, Wray said. 

Why do I care? 

Aging network infrastructure is a problem for all users across the globe. As highlighted by Talos’ report on Jaguar Tooth last year, unpatched routers or older routers with known security vulnerabilities are easy targets for state-sponsored actors, and once in, those actors can often sit unnoticed on the devices for months or years. Volt Typhoon is particularly notable for its targeting of high-risk sectors and U.S. military bases.  

So now what? 

The FBI and U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged SOHO router manufacturers to build security into their devices, including automatic firmware updates and not exposing the web management interface to the internet by default, to deny Volt Typhoon the weaknesses it is known for exploiting. All users should check to make sure their routers, regardless of make, model or age, have the latest firmware installed, and should retire devices the vendor no longer supports, since an end-of-life router will never get a patch. We also have several recommendations for everyone to defend their network infrastructure and upgrade to newer hardware. 

Top security headlines of the week 

Ads displayed in several popular mobile apps are part of a mass global surveillance effort, with the collected information eventually sold to national security agencies that can track users’ physical location, hobbies and the names of their family members. The ad-based tool, known as Patternz, strikes deals with smaller ad networks to gather information from users’ devices when they use apps like the Kik messenger and the 9gag online forum. While reporting from 404 Media shows a specific example targeting an Android user, the same methods work on iOS devices. Separately, security researchers found that many push notifications on iPhones are quietly sending device information back to app developers, even when the user doesn’t have the app open. When a notification arrives, some apps use the brief moment they are woken to handle it to send app analytics and device information to remote servers belonging to the app’s developer or its analytics providers; TikTok, Facebook, Instagram and X, formerly known as Twitter, were among the apps named. (404 Media, 9to5Mac)

A cyber attack disrupted nearly all the government services of Fulton County, Georgia, this week, with systems still recovering as of Wednesday afternoon. The attack is notable because Fulton County is where former U.S. President Donald Trump has been indicted for his alleged involvement in trying to overturn the results of the 2020 presidential election. The cyber attack also affected the office of the District Attorney who investigated and is prosecuting Trump. The county’s government phone systems were all down, as was access to court filings, tax processing and more. Law enforcement was still investigating the attack as of Wednesday afternoon, though county officials said they had not seen any evidence that personal information of employees or citizens had been stolen. (NBC News, CNN)

Cozy Bear, a well-known Russian APT, is reportedly behind two recent breaches at Microsoft and Hewlett Packard Enterprise (HPE). Microsoft, which tracks the group as “Midnight Blizzard,” said in a blog post that it detected a state-sponsored attack on its internal systems on Jan. 12, 2024. Microsoft stated that the actor got in by abusing user accounts “to create, modify, and grant high permissions to OAuth applications that they can misuse to hide malicious activity.” This was the second time in six months that Microsoft disclosed a state-sponsored actor targeting its internal systems. In the case of Cozy Bear, the hacking group allegedly monitored the email accounts of senior Microsoft executives and members of the company’s cybersecurity teams. Executives from HPE filed a notice with the U.S. Securities and Exchange Commission last week stating that the same actor “gained unauthorized access to HPE’s cloud-based email environment.” HPE said the actor initially gained access through a compromised Microsoft Office 365 email account. (Microsoft, Ars Technica)
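One way to hunt for the OAuth-application abuse Microsoft describes in your own tenant is to group Entra ID audit events by the account that performed them and the application they touched, then score the chain “create app, add a credential, grant it a high-privilege role.” The Python below is an added example written for this newsletter, not Microsoft’s, HPE’s or Talos’ code: the audit records are constructed to mimic Entra ID directoryAudit entries (the activity names and the AppRole.Value property follow what Entra’s audit log uses, but every account, app name and value is invented), and the watch list of high-privilege permissions, the weights and the alert threshold are assumptions to tune per tenant.

```python
"""Hunt Entra ID audit records for the OAuth-app abuse pattern Microsoft described:
an account creating or modifying OAuth apps and granting them high permissions.
Added example, not Microsoft's or Talos' code. Field names follow the Graph
directoryAudit schema; every value in the sample records is constructed."""
import json

# App permissions giving tenant-wide mailbox/directory access. Our own watch
# list, not an official one; tune it per tenant.
HIGH_PRIVILEGE_APP_ROLES = {
    "full_access_as_app",        # Exchange Online EWS: read every mailbox
    "Mail.ReadWrite", "Mail.Read",   # Graph: every mailbox
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
}
# Weight of each audited activity in a "create app, add credential, grant
# role" chain. Weights and threshold are our choice.
ACTIVITY_WEIGHT = {
    "Add application": 1,
    "Add service principal": 1,
    "Update application – Certificates and secrets management": 2,
    "Consent to application": 2,
    "Add app role assignment to service principal": 3,
}
ALERT_THRESHOLD = 5

def _initiator(record):
    """UPN of the user (or name of the app) that performed the action."""
    who = record.get("initiatedBy") or {}
    user, app = who.get("user") or {}, who.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"

def _target_app(record):
    targets = record.get("targetResources") or []
    return targets[0].get("displayName", "unknown") if targets else "unknown"

def _granted_role(record):
    """App role from modifiedProperties of a role-assignment event. Entra
    stores newValue as a JSON string literal, e.g. '"Mail.Read"'."""
    for target in record.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            if prop.get("displayName") == "AppRole.Value":
                raw = prop.get("newValue") or ""
                try:
                    return json.loads(raw)
                except ValueError:
                    return raw.strip('"')
    return None

def score_record(record):
    """Return (weight, granted_role) for one audit record."""
    activity = record.get("activityDisplayName", "")
    weight, role = ACTIVITY_WEIGHT.get(activity, 0), None
    if activity == "Add app role assignment to service principal":
        role = _granted_role(record)
        if role not in HIGH_PRIVILEGE_APP_ROLES:
            weight = 1  # low-privilege grant: noted, not alarming
    return weight, role

def hunt(lines, threshold=ALERT_THRESHOLD):
    """Group JSON-line records by (actor, app), sum weights, return chains
    at or above threshold, highest score first."""
    chains = {}
    for line in lines:
        if not line.strip():
            continue  # tolerate blank lines in an export
        record = json.loads(line)
        key = (_initiator(record), _target_app(record))
        chain = chains.setdefault(key, {"actor": key[0], "app": key[1],
                                        "score": 0, "activities": [], "roles": []})
        weight, role = score_record(record)
        chain["score"] += weight
        chain["activities"].append(record.get("activityDisplayName", ""))
        if role:
            chain["roles"].append(role)
    hits = [c for c in chains.values() if c["score"] >= threshold]
    return sorted(hits, key=lambda c: c["score"], reverse=True)

def _rec(activity, upn, app, role=None):
    """One constructed audit record in directoryAudit shape."""
    props = [] if role is None else [
        {"displayName": "AppRole.Value", "newValue": json.dumps(role)}]
    return {"activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": upn}, "app": None},
            "targetResources": [{"displayName": app, "modifiedProperties": props}]}

# Constructed sample: a suspicious chain from a forgotten test account, a
# routine admin change, an ordinary user consent, and a blank line.
SAMPLE_AUDIT_LOG = [json.dumps(r) for r in (
    _rec("Add application", "svc-legacytest@contoso.example", "MailSyncHelper"),
    _rec("Update application – Certificates and secrets management",
         "svc-legacytest@contoso.example", "MailSyncHelper"),
    _rec("Add app role assignment to service principal",
         "svc-legacytest@contoso.example", "MailSyncHelper", "full_access_as_app"),
    _rec("Add application", "it-admin@contoso.example", "HR-Reporting"),
    _rec("Add app role assignment to service principal",
         "it-admin@contoso.example", "HR-Reporting", "User.Read.All"),
    _rec("Consent to application", "alice@contoso.example", "Whiteboard-Sync"),
)] + [""]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_AUDIT_LOG):
        print(alert["score"], alert["actor"], alert["app"], alert["roles"])
```

On the constructed sample only the test-account chain crosses the threshold: the admin’s routine app registration with a low-privilege permission and the lone user consent each score too low on their own. In practice you would feed the function an export of the AuditLogs table (one JSON object per line) and review every hit by hand, because the scoring is deliberately simple and a legitimate mail-integration rollout will look the same until you check who the actor was.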


Most prevalent malware files from Talos telemetry over the past week 

SHA 256: 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440
MD5: ef6ff172bf3e480f1d633a6c53f7a35e
Typical Filename: iizbpyilb.bat
Claimed Product: N/A
Detection Name: Trojan.Agent.DDOH

SHA 256: 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7
MD5: 0e4c49327e3be816022a233f844a5731
Typical Filename: aact.exe
Claimed Product: AAct x86
Detection Name: PUA.Win.Tool.Kmsauto::in03.talos

SHA 256: 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e
MD5: 040cd888e971f2872d6d5dafd52e6194
Typical Filename: tmp000c3787
Claimed Product: Ultra Virus Killer
Detection Name: PUA.Win.Virus.Ultra::95.sbx.tg

SHA 256: e340aa9f08ce8128e17a3186053bfaf2dc119d98a64f7bc4d37fb7be03365c93
MD5: 5800fc229e3a5f13b32d575fe91b8512
Typical Filename: client32.exe
Claimed Product: NetSupport Remote Control
Detection Name: W32.Riskware:Variant.27dv.1201

SHA 256: 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab
MD5: 4c648967aeac81b18b53a3cb357120f4
Typical Filename: yypnexwqivdpvdeakbmmd.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Scar::1201

Originally published by Jonathan Munshaw: The many ways electric cars are vulnerable to hacks, and whether that matters in a real-world

Reposted by admin on Feb. 8, 2024, at 8:37 a.m.