We’re excited to announce that Bridge, a professional development program hosted by Designer Fund, and Lookout are partnering to find talented designers to join our team. Bridge connects experienced designers with top companies and the design community in San Francisco.
After hacking a Tesla over the past year, Kevin Mahaffey came to a simple conclusion: “When you connect a car to the Internet, it is no longer just a car: It is a computer on wheels.”
He recently published his thoughts in an Op/Ed with TechCrunch, which you can read here.
Among the many new features in iOS 9, Apple introduced a critical adjustment enterprises should note: a change in sideloading applications that we think is a serious win for security.
The recently revealed KeyRaider is yet another proof point that malicious actors are looking to tinker with iOS.
It’s a piece of malware that affects jailbroken iOS devices and was distributed through a Chinese repository which could be used by Cydia users. Because of this, its exposure was relatively limited.
KeyRaider’s goal is to allow anyone with a jailbroken device running specific instances of KeyRaider to spoof in-app purchases without having to pay, and download paid apps from the Apple App Store, though we haven’t been able to definitively confirm this functionality.
These are all up-and-coming device manufacturers (some more up-and-coming than others) that use alternate forms of Android (read: versions of Android that are not controlled by Google), and they are quickly shaking up the mobile market.
Droppers — no, they’re not just the tool you use to administer eye-drops or medicine. They’re also a tool used by malicious actors to quietly install apps, of which some may be malicious, onto your device.
When it comes to mobile, droppers are apps that either have or pretend to have the functionality of popular apps, such as games and utilities, but they also install additional applications to a device that can be malicious or steal your data.
While the federal government might be under the impression that it doesn’t have a BYOD program, it is overlooking a key issue: Shadow BYOD.
Shadow BYOD is very similar to Shadow IT, in which employees use technologies — usually to enhance their productivity — that the IT department has not sanctioned or deployed. In Shadow BYOD’s case, it’s the issue of unmanaged personal devices connecting to the network and accessing government or corporate data.
The mobile ecosystem is moving toward economical smartphones. They are customizable and much more affordable than the $600 plus Android phones you might see on the market.
This poses a problem for enterprises which, to date, have relied on the app testing and vetting process applied to Google Experience devices, and the fact that app downloads on these devices are by default funneled through Google Play. Non-Google Experience devices introduce much more fragmentation.
With connected automobiles, the stakes for getting security right have never been higher. “What’s the worst that could happen?” is a lot more serious when you’re talking about a computer that can travel 100+ MPH.
When an industry without experience in Internet security starts connecting things to the Internet, it typically makes a number of mistakes both in how it implements secure systems, and how it interacts with the security community.
My colleague Marc Rogers and I set out to audit the security of the Tesla Model S because we wanted to shine a light on a car that we hypothesized would have a strong security architecture, given the Tesla team’s deep software experience. Out of this research, we hoped to start a conversation about simple and clear security best practices for the automotive industry.
That hypothesis turned out to be correct: The Tesla Model S has a very well designed security architecture that we believe should serve as a template for others in the industry. We also found a number of vulnerabilities that allowed us, with physical access to the vehicle, to gain root access to two of the infotainment systems: the instrument cluster (IC) above the steering wheel, and the 17-inch touchscreen center information display (CID) in the middle of the dash. This allowed us to perform a number of tasks, such as remotely opening and closing the trunk and frunk, locking and unlocking the doors, starting the car, and stopping the car.
However, this research focused on answering the question: how can we make cars more resilient to attack, assuming attackers can get into the infotainment systems? All of the exploitation performed was done with physical access, and we did not demonstrate any remotely executable exploits. There is sufficient research already done that proves cars can be exploited remotely. Further, we believe it to be a relatively conservative assumption that any browser running WebKit will be exploitable by an attacker with sufficient skill or resources.
Connected cars are about to change the auto industry’s assembly line.
Vehicles are becoming computers on wheels and now have more in common with your laptop than they do the Model T. Just as smartphones have supplanted non-Internet-connected phones, connected cars will supplant non-Internet-connected cars. Auto manufacturers need to become software companies if they want to survive into the 21st century. To that end, the auto industry must now consider cybersecurity as an integral part to how cars are built, just as physical safety became a critical part of how cars were built in the late 20th century.
When an industry without experience from the front lines of Internet security begins connecting its products, one of two outcomes often occurs. If there are clear security best practices, then most companies will (hopefully) implement those best practices. If there are no clear best practices, companies will likely make a lot of security mistakes, resulting in major cybersecurity problems down the road. My research partner, Marc Rogers of CloudFlare, and I decided to help make sure those clear best practices were in place for the auto industry.