The post Tesla’s Zero-click Vulnerabilities Allowed its Car to be Hacked Remotely Using Drones appeared first on CISO MAG | Cyber Security Magazine.
The zero-click vulnerabilities, which the researchers named “TBONE,” were to be demonstrated at the hacking contest “Pwn2Own,” which was scheduled to be held in Vancouver in March 2020. However, the contest had to close its doors due to the pandemic. Tesla takes pride in identifying itself as a technology firm rather than an automobile giant because of its pioneering self-driving car technology, and so it supports such hacking contests and bug bounty programs to further secure its technology.
Weinmann and Schmotzle said that exploiting the vulnerabilities would allow the attacker to “lock/unlock the doors and trunk, change seat positions, both steering and acceleration modes” – in short, pretty much everything a driver can do by pressing the various buttons on the console. One thing to note, however, is that even after gaining control over these features, the attacker could not tamper with the car’s drive control. (So, no, your Tesla won’t just roll out of the parking lot and drive to the attackers’ destination… at least for now.)
Weinmann, who is the CEO of Kunnamon, said,
“Looking at the fact that TBONE required no user interaction, and the ease of delivery of the payload to parked cars, we felt this attack was ‘wormable’ and could have been weaponized.”
“Adding a privilege escalation exploit such as CVE-2021-3347 to TBONE would allow us to load new Wi-Fi firmware in the Tesla car, turning it into an access point which could be used to exploit other Tesla cars that come into the victim car’s proximity. However, we did not want to weaponize this exploit into a worm.”
The researchers did not have an actual Tesla car on which to test their exploit, so they used an in-house emulator, “KunnaEmu,” to develop these attacks. They were nonetheless confident in its accuracy and disclosed their analysis through Tesla’s bug bounty program in October 2020. Tesla was quick to address the issue and released the patch update v2020.44 in late October. Tesla has also reportedly moved away from ConnMan to an alternative, dnsmasq.
ConnMan is used in several German automobiles, so the duo also shared their findings with CERT-Bund (the German CERT) to help automobile companies fix these vulnerabilities as soon as possible.
The post 150,000 Security Cams Hacked; Tesla, Cloudflare, Equinox on the Victims’ List appeared first on CISO MAG | Cyber Security Magazine.
Key Highlights
- Tillie Kottmann, part of a hacktivist group dubbed “APT 69420 Arson Cats,” published the screenshots and footage of the leak on her Twitter feed. Twitter has since suspended her account.
- The attack was targeted at a Jenkins server used by Verkada’s support team to perform bulk maintenance operations on customer cameras.
- The attackers gained illicit access to this server on March 7, 2021 and retained it until noon (PST) on March 9, 2021.
- Verkada has confirmed that the security breach compromised its video and image data from a limited number of cameras (although Kottmann claims that feeds from 150,000 cameras were accessed), a list of client account administrators including names and email addresses, and Verkada’s sales orders.
Bloomberg first broke the news after Kottmann’s tweets showing evidence of the leaked footage. It contacted Kottmann for the complete details of the compromised data. Responding to the question of the motive behind the hack, Kottmann said,
Lots of curiosity, fighting for the freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it.
On the other hand, when Verkada was informed about the security breach, it took immediate action and set up a team of experts to contain the issue. Its internal investigation found that the attackers gained access to its data through a Jenkins server, which is used by Verkada’s support team for maintenance work such as adjusting camera image settings at customer request. Once the threat actors had access to the server, it was easy to obtain client account administrator credentials, which helped them bypass Verkada’s authorization and two-factor authentication security measures.
Further internal investigation, which is being carried out with expert help from two external firms – Mandiant Solutions and Perkins Coie – has so far found no evidence that Verkada’s user passwords or password hashes, internal network, financial systems, or any other business systems were compromised.
However, Filip Kaliszan, CEO, Verkada Inc., did acknowledge the breach, stating,
Attackers gained access to a tool that allowed the execution of shell commands on a subset of customer cameras; however, we have no evidence at this time that this access was used maliciously against our customers’ networks. All shell commands issued through our internal tool were logged.
Kottmann’s side of the story, however, contradicts Kaliszan’s update. Talking to CBS News, Kottmann revealed that her group first found a Verkada internal administrator username and password stored on an unencrypted subdomain. According to her, the company had kept an internal development server exposed to the open internet that contained “hard-coded credentials” for a system account with “super admin” rights. Kottmann added,
We did not access any server. We simply logged into their web UI with a highly privileged user (account).
Kottmann shared around 5GB of archives with CBS and Bloomberg that included videos and images from the hack. As per her claims, the threat group was able to download the feed from nearly 150,000 security cams placed in locations like hospitals, prisons, schools, public areas, and even in the vicinity of some known companies like Tesla, Nissan, Equinox, and Cloudflare, among others.
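The breach path described above turns on hard-coded credentials sitting in files on an exposed server. The following Python scanner is an added example, not code from the article, Verkada, or the researchers; it illustrates the kind of check a defender would run over a repository or deployment tree before it ever reaches a host. The detection rules (credential-style assignments, credentials embedded in connection URLs, pasted private keys), the placeholder list, the entropy threshold, and the sample file contents are all assumptions constructed for this example.

```python
"""Scan configuration and source text for hard-coded credentials (added example)."""
import math
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    rule: str
    snippet: str


# Assignment-style secrets: PASSWORD = '...', api_key: ..., token = "..."
# The keyword must be directly followed by '=' or ':' so "tokenizer = x" is ignored.
ASSIGNMENT_RE = re.compile(
    r"""(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*["']?([^\s"'#]{6,})["']?"""
)
# Private key material pasted into a file.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
# Credentials embedded in a URL: scheme://user:pass@host
URL_CRED_RE = re.compile(r"[a-z][a-z0-9+.-]*://([^\s:/@]+):([^\s@/]+)@", re.I)

# Values that are obviously placeholders or environment references, not real secrets.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>", "todo", "dummy"}
REFERENCE_PREFIXES = ("${", "{{", "$", "os.environ", "process.env", "getenv(")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; low values suggest defaults or test data."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    v = value.strip().strip("\"'")
    return v.lower() in PLACEHOLDERS or v.startswith(REFERENCE_PREFIXES)


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if PRIVATE_KEY_RE.search(line):
            findings.append(Finding(path, line_no, "private-key", line.strip()))
            continue
        m = URL_CRED_RE.search(line)
        if m and not looks_like_placeholder(m.group(2)):
            findings.append(Finding(path, line_no, "url-credential", line.strip()))
            continue
        m = ASSIGNMENT_RE.search(line)
        if m:
            value = m.group(2)
            if looks_like_placeholder(value):
                continue
            # Short, low-entropy values are usually defaults or test fixtures; skip them.
            if shannon_entropy(value) < 2.5 and len(value) < 12:
                continue
            findings.append(Finding(path, line_no, "hardcoded-" + m.group(1).lower(), line.strip()))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> file contents, in deterministic path order."""
    out: List[Finding] = []
    for path in sorted(files):
        out.extend(scan_text(path, files[path]))
    return out


# Constructed sample tree: one real-looking secret, two safe references, one
# placeholder, one credential in a URL, and one private key.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "ADMIN_PASSWORD = 'Sup3r-Adm1n-Pa55!'   # constructed sample\n"
        "DB_PASSWORD = os.environ['DB_PASSWORD']\n"
        "API_TOKEN = '${API_TOKEN}'\n"
    ),
    "deploy/hosts.yml": (
        "db_url: postgres://svc_admin:hunter2hunter2@db.internal:5432/app\n"
        "password: changeme\n"
    ),
    "keys/id_test": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA...\n",
}


def demo() -> List[Finding]:
    return scan_files(SAMPLE_FILES)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.snippet}")
```

Run against the constructed tree, the scanner reports the literal admin password, the credential embedded in the database URL, and the private key, while ignoring the environment-variable references and the `changeme` placeholder. In practice the same check belongs in a pre-commit hook or CI job, and any server that must hold real credentials should read them from a secrets store rather than a file in the deployment tree.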
Asaf Hecht, Cyber Research Team Leader at CyberArk says, “The potential for breaching common IoT devices, like security cameras, is something we’ve been talking about for years. Cameras, much like other hardware devices, are often manufactured with built-in or hard-coded passwords that are rarely, if ever, changed by the customer.
“While Verkada reportedly took the right steps to disable all internal administrator accounts to prevent any unauthorized access, it was likely too late. The attackers had already landed. Based on what’s been reported, this attack follows a well-worn attack path – target privileged accounts with administrative access, escalate privileges to enable lateral movement, and obtain access to highly sensitive data and information – effectively completing the intended goal. What we’ll need to especially watch in this case is the potential for far-reaching implications for privacy regulations including HIPAA.”
Talking about the gravity of the attack and the seriousness of cybersecurity in physical security professionals, Christian Morin, CSO & Vice-President of Integrations & Cloud Services, Genetec, said, “As an industry, and as manufacturers in physical security, we cannot take these hacks lightly. The potential broad reaching impact of these hacks on physical security systems, including providing a beachhead to facilitate lateral movement onto networks, resulting in data and privacy breaches or access to critical assets and infrastructure, cannot be understated.
“In one of our recent surveys, the State of Physical Security, we uncovered that only about 30% of security professional respondents were prioritizing cybersecurity initiatives in 2021. I can only hope this most recent incident acts as the wakeup call required to ensure every organization in the chain understands and acts upon the critical importance of privacy and security in the design, development, implementation, and operations of physical security systems.”
The post Tesla Avoids a Cyberattack Bump; Acknowledges the Earnest Employee appeared first on CISO MAG | Cyber Security Magazine.
Key Highlights
- A Russian-speaking, non-U.S. citizen working at Tesla’s Gigafactory Nevada was contacted by Egor Igorevich Kriuchkov (conspirator) on July 16, 2020.
- He told the employee about a “Special Project” that would require him to install malware on the company’s system.
- Kriuchkov offered a payout of $1 million for carrying out this activity.
- The employee, however, reported this to his employer, who in turn reported it to the FBI.
- The FBI finally arrested Kriuchkov on August 22, 2020, in Los Angeles on the count of “Conspiracy to Intentionally Cause Damage to a Protected Computer” under Title 18, United States Code, Section 371.
On July 16, 2020, a Russian-speaking, non-U.S. citizen working at Tesla’s Gigafactory Nevada was contacted over WhatsApp by another Russian-speaking person, Egor Igorevich Kriuchkov, under the pretext of meeting him in person in the District of Nevada. The meeting was set for August 1, 2020, at a hotel in Reno, Nevada.
Initially, Kriuchkov befriended the Tesla employee and spent time with his associates at the employee’s home and other public places. Only after gaining enough trust, on August 3, 2020, did Kriuchkov tell the employee about a “Special Project” that he and some others were working on, which would require a Tesla insider to install malware on the company’s computer system. The malware would be provided by his co-conspirators and would require a single manual installation by the employee. With the help of this malware, the conspirators planned to carry out DDoS attacks on the company’s computer network and search for private and confidential information, probably with the intent of holding it for ransom. To entice the employee into carrying out this cybercriminal activity, Kriuchkov offered him a $1 million payout.
The offer was tempting, but the earnest employee instead turned in the conspirators. He reported these inappropriate advances to the authorities at Tesla, who in turn informed the FBI. The FBI asked the employee to continue communicating with the conspirator to expose the entire network. Over the next couple of weeks, the FBI wired the Tesla employee and monitored Kriuchkov’s movements. On August 21, 2020, Kriuchkov informed the employee that the plan was being postponed by a few days and that he would soon receive his money in Bitcoin. He also said that he was going away for a few days and handed over a mobile phone, which he asked the employee to keep in airplane mode until further notice.
The FBI went on high alert after this communication and followed Kriuchkov from Reno to Los Angeles (LA), where he drove the same night. He was preparing to flee the country from LA, and the FBI arrested Kriuchkov on August 22, 2020. He was charged under Title 18, United States Code, Section 371, on the count of “Conspiracy to Intentionally Cause Damage to a Protected Computer.”
Tesla CEO Elon Musk accepted that the tech giant avoided a planned cyberattack owing to an earnest employee and acknowledged him on Twitter saying, “Much appreciated.”
Much appreciated. This was a serious attack.
— Elon Musk (@elonmusk) August 27, 2020
However, it’s time for corporates to stay vigilant about such insider threats because, “Buddy, money can make you do things that you don’t want to do.”