Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

7/25/2011
09:57 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

'War Texting' Attack Hacks Car Alarm System

Researcher will demonstrate at Black Hat USA next week how 'horrifyingly' easy it is to disarm a car alarm system and control other GSM and cell-connected devices

It took researcher Don Bailey a mere two hours to successfully hack into a popular car alarm system and start the car remotely by sending it a message.

Click here for more of Dark Reading's Black Hat articles.

Bailey, a security consultant with iSec Partners, next week at Black Hat USA in Las Vegas plans to show a video of the car alarm attack he and fellow researcher Mat Solnik conducted. His Black Hat presentation is called "War Texting: Identifying and Interacting with Devices on the Telephone Network."

Physical security systems attached to the GSM and cellular networks, such as GPS tracking devices and car alarms, as well as traffic control systems, home control and automation systems, and SCADA sensors, are ripe for attack, according to Bailey.

War texting is something that Bailey demonstrated earlier this year with personal GPS locators. He demonstrated how to hack vendor Zoombak's personal GPS devices to find, target, and impersonate the user or equipment rigged with those consumer-focused devices. Those low-cost embedded tracking devices in smartphones or those personal GPS devices that track the whereabouts of your children, car, pet, or shipment can easily be intercepted by hackers, who can then pinpoint their whereabouts, impersonate them, and spoof their physical location, he says.

His Black Hat research, meanwhile, focuses more on the infrastructure, as well as on fingerprinting or classifying these devices among millions of wireless phone numbers. Once those devices have been spotted by an attacker on the network, they then can be abused. Car alarms are vulnerable, for instance, because they connect and idle on Internet-ready cellular networks, and receive messages from control servers, Bailey says.

Bailey declined to reveal the car alarm vendor. He says these and other devices are being exposed to reverse-engineering and abuse via their GSM or cell connections. "Their proprietary protocols [traditionally] were insulated and so obfuscated that you wouldn't necessarily know what was going on under the hood," Bailey says. "[But] car-alarm manufacturers now have to worry about reverse-engineering of their proprietary protocols."

Bailey says an attacker can glean previously undisclosed aspects of the alarm device from the phone network. "Now that they're OEM'ing GSM modules ... they are leaving the whole business exposed. It's serious from that angle: Attackers can finally get under the hood easily because they have a foot in the door with GSM," he says.

Bailey plans to release new tools to help gather information about these devices. "[The tools] will show how easily you can set up a network connection for mass-scanning over the entire phone network," he says. "The idea of war-texting communication with devices over the telephone network is simple."

Bailey says the car alarm hack just scratches the surface of the inherent danger of having such devices GSM- and cell-connected. "What I got in two hours with the car alarm is pretty horrifying when you consider other devices like this, such as SCADA systems and traffic-control cameras. How quick and easy it is to re-engineer them is pretty scary," he says.

He says he was able to get enough reconnaissance on a handful of other devices to do the same type of hack. "I didn't bother to reverse-engineer them. Knowing their modules and understanding their design is enough" to pull off a war-texting attack, he says.

So how do you shore up security for these devices? "The real answer is engineering: getting the people designing these systems to analyze their security in a thorough fashion, which they are not doing now," Bailey says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/13/2020
Where are the 'Great Exits' in the Data Security Market?
Dave Cole, Cofounder and CEO, Open Raven,  10/13/2020
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11496
PUBLISHED: 2020-10-19
Sprecher SPRECON-E firmware prior to 8.64b might allow local attackers with access to engineering data to insert arbitrary code. This firmware lacks the validation of the input values on the device side, which is provided by the engineering software during parameterization. Attackers with access to ...
CVE-2020-15822
PUBLISHED: 2020-10-19
In JetBrains YouTrack before 2020.2.10514, SSRF is possible because URL filtering can be escaped.
CVE-2020-24375
PUBLISHED: 2020-10-19
A DNS rebinding vulnerability in the UPnP MediaServer implementation in Freebox Server before 4.2.3.
CVE-2020-7193
PUBLISHED: 2020-10-19
A ictexpertcsvdownload expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
CVE-2020-7194
PUBLISHED: 2020-10-19
A perfaddormoddevicemonitor expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).