Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

7/25/2011
09:57 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

'War Texting' Attack Hacks Car Alarm System

Researcher will demonstrate at Black Hat USA next week how 'horrifyingly' easy it is to disarm a car alarm system and control other GSM and cell-connected devices

It took researcher Don Bailey a mere two hours to successfully hack into a popular car alarm system and start the car remotely by sending it a message.

Click here for more of Dark Reading's Black Hat articles.

Bailey, a security consultant with iSec Partners, next week at Black Hat USA in Las Vegas plans to show a video of the car alarm attack he and fellow researcher Mat Solnik conducted. His Black Hat presentation is called "War Texting: Identifying and Interacting with Devices on the Telephone Network."

Physical security systems attached to the GSM and cellular networks, such as GPS tracking devices and car alarms, as well as traffic control systems, home control and automation systems, and SCADA sensors, are ripe for attack, according to Bailey.

War texting is something that Bailey demonstrated earlier this year with personal GPS locators. He demonstrated how to hack vendor Zoombak's personal GPS devices to find, target, and impersonate the user or equipment rigged with those consumer-focused devices. Those low-cost embedded tracking devices in smartphones or those personal GPS devices that track the whereabouts of your children, car, pet, or shipment can easily be intercepted by hackers, who can then pinpoint their whereabouts, impersonate them, and spoof their physical location, he says.

His Black Hat research, meanwhile, focuses more on the infrastructure, as well as on fingerprinting or classifying these devices among millions of wireless phone numbers. Once those devices have been spotted by an attacker on the network, they then can be abused. Car alarms are vulnerable, for instance, because they connect and idle on Internet-ready cellular networks, and receive messages from control servers, Bailey says.

Bailey declined to reveal the car alarm vendor. He says these and other devices are being exposed to reverse-engineering and abuse via their GSM or cell connections. "Their proprietary protocols [traditionally] were insulated and so obfuscated that you wouldn't necessarily know what was going on under the hood," Bailey says. "[But] car-alarm manufacturers now have to worry about reverse-engineering of their proprietary protocols."

Bailey says an attacker can glean previously undisclosed aspects of the alarm device from the phone network. "Now that they're OEM'ing GSM modules ... they are leaving the whole business exposed. It's serious from that angle: Attackers can finally get under the hood easily because they have a foot in the door with GSM," he says.

Bailey plans to release new tools to help gather information about these devices. "[The tools] will show how easily you can set up a network connection for mass-scanning over the entire phone network," he says. "The idea of war-texting communication with devices over the telephone network is simple."

Bailey says the car alarm hack just scratches the surface of the inherent danger of having such devices GSM- and cell-connected. "What I got in two hours with the car alarm is pretty horrifying when you consider other devices like this, such as SCADA systems and traffic-control cameras. How quick and easy it is to re-engineer them is pretty scary," he says.

He says he was able to get enough reconnaissance on a handful of other devices to do the same type of hack. "I didn't bother to reverse-engineer them. Knowing their modules and understanding their design is enough" to pull off a war-texting attack, he says.

So how do you shore up security for these devices? "The real answer is engineering: getting the people designing these systems to analyze their security in a thorough fashion, which they are not doing now," Bailey says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21392
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 requests to user provided domains were not restricted to external IP addresses when transitional IPv6 addre...
CVE-2021-21393
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identif...
CVE-2021-29429
PUBLISHED: 2021-04-12
In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded in...
CVE-2021-21394
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identif...
CVE-2021-22497
PUBLISHED: 2021-04-12
Advanced Authentication versions prior to 6.3 SP4 have a potential broken authentication due to improper session management issue.