Mobile

7/25/2011
09:57 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

'War Texting' Attack Hacks Car Alarm System

Researcher will demonstrate at Black Hat USA next week how 'horrifyingly' easy it is to disarm a car alarm system and control other GSM and cell-connected devices

It took researcher Don Bailey a mere two hours to successfully hack into a popular car alarm system and start the car remotely by sending it a message.

Click here for more of Dark Reading's Black Hat articles.

Bailey, a security consultant with iSec Partners, next week at Black Hat USA in Las Vegas plans to show a video of the car alarm attack he and fellow researcher Mat Solnik conducted. His Black Hat presentation is called "War Texting: Identifying and Interacting with Devices on the Telephone Network."

Physical security systems attached to the GSM and cellular networks, such as GPS tracking devices and car alarms, as well as traffic control systems, home control and automation systems, and SCADA sensors, are ripe for attack, according to Bailey.

War texting is something that Bailey demonstrated earlier this year with personal GPS locators. He demonstrated how to hack vendor Zoombak's personal GPS devices to find, target, and impersonate the user or equipment rigged with those consumer-focused devices. Those low-cost embedded tracking devices in smartphones or those personal GPS devices that track the whereabouts of your children, car, pet, or shipment can easily be intercepted by hackers, who can then pinpoint their whereabouts, impersonate them, and spoof their physical location, he says.

His Black Hat research, meanwhile, focuses more on the infrastructure, as well as on fingerprinting or classifying these devices among millions of wireless phone numbers. Once those devices have been spotted by an attacker on the network, they then can be abused. Car alarms are vulnerable, for instance, because they connect and idle on Internet-ready cellular networks, and receive messages from control servers, Bailey says.

Bailey declined to reveal the car alarm vendor. He says these and other devices are being exposed to reverse-engineering and abuse via their GSM or cell connections. "Their proprietary protocols [traditionally] were insulated and so obfuscated that you wouldn't necessarily know what was going on under the hood," Bailey says. "[But] car-alarm manufacturers now have to worry about reverse-engineering of their proprietary protocols."

Bailey says an attacker can glean previously undisclosed aspects of the alarm device from the phone network. "Now that they're OEM'ing GSM modules ... they are leaving the whole business exposed. It's serious from that angle: Attackers can finally get under the hood easily because they have a foot in the door with GSM," he says.

Bailey plans to release new tools to help gather information about these devices. "[The tools] will show how easily you can set up a network connection for mass-scanning over the entire phone network," he says. "The idea of war-texting communication with devices over the telephone network is simple."

Bailey says the car alarm hack just scratches the surface of the inherent danger of having such devices GSM- and cell-connected. "What I got in two hours with the car alarm is pretty horrifying when you consider other devices like this, such as SCADA systems and traffic-control cameras. How quick and easy it is to re-engineer them is pretty scary," he says.

He says he was able to get enough reconnaissance on a handful of other devices to do the same type of hack. "I didn't bother to reverse-engineer them. Knowing their modules and understanding their design is enough" to pull off a war-texting attack, he says.

So how do you shore up security for these devices? "The real answer is engineering: getting the people designing these systems to analyze their security in a thorough fashion, which they are not doing now," Bailey says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3483
PUBLISHED: 2019-03-25
Mitigates a potential information leakage issue in ArcSight Logger versions prior to 6.7.
CVE-2019-3484
PUBLISHED: 2019-03-25
Mitigates a remote code execution issue in ArcSight Logger versions prior to 6.7.
CVE-2019-6240
PUBLISHED: 2019-03-25
An issue was discovered in GitLab Community and Enterprise Edition before 11.4. It allows Directory Traversal.
CVE-2015-3953
PUBLISHED: 2019-03-25
Hard-coded accounts may be used to access Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior. Hospira recommends that customers close Port 20/FTP and Port 23/TELNET on the affected devices. Hospi...
CVE-2015-3954
PUBLISHED: 2019-03-25
Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior give unauthenticated users root privileges on Port 23/TELNET by default. An unauthorized user could issue commands to the pump. Hospira recommen...