E-mobility: The next target for hackers - SecurityInfoWatch

Posted: 30 Sep 2020 01:35 PM PDT

Electro-mobility (e-mobility) is a technological innovation that is environmentally friendly and full of promise, yet it presents abundant opportunities for compromise by hackers.

By incorporating internet connections, external communication ports, and digitizing processes that used to be wholly mechanical, automotive manufacturers have unwittingly provided cybercriminals new targets to exploit.

E-mobility encompasses the principles and concepts surrounding the use of electric-powered vehicles in a wide range of product categories such as drivetrains, drones, and unmanned aerial vehicles, oil tankers, hoverboards, corporate fleets, and a host of others.

Protecting these Electric Vehicles (EVs) demands confronting an ever-increasing range of cybersecurity issues to which fast-paced innovation is exposing e-mobility providers, users, and manufacturers.

The Dangers Involved with E-mobility

While e-mobility provides a lot of benefits, the safety stakes remain much higher if a moving vehicle is hacked. The threat of malign actors successfully exploiting its wide surface of attack and diverse points of vulnerability poses more dire consequences than hacking a company's information systems and stealing data.

According to Vic Harkness, a security consultant at F-Secure Consulting, "A nation-state or serious organized crime group could induce a range of vehicles to crash at high speeds. Attackers wishing to harm critical national infrastructure without direct loss of life could force all traffic to attempt to go through certain areas, creating largely localized traffic jams."

Hence, given the potentially catastrophic impact on human lives that an e-mobility compromise can cause, the security concerns surrounding the e-mobile ecosystem have to be addressed, and the ecosystem fortified, so the domain can be resilient and secure.

Hiding your IP address and safeguarding your online activities by encrypting your data should be a must for every e-vehicle. Just think about it for a moment - in a world where a hacked e-vehicle can potentially cost someone's life, the use of reliable VPN services will become an integral and crucial part of our society as a whole. VPNs won't be just great tools to protect your privacy and increase your security on the Internet, but they will also be seen as one's e-ID.

The General Approach to Prevent E-mobility Breaches

To secure the future of e-mobility, the solutions proffered and implemented need to incorporate a comprehensive approach to cybersecurity.

The challenge, however, is that e-mobility is still a nascent industry, and although mobility operators can look into other industries to understand how they have coped, there isn't much experience in dealing with EVs, and cybersecurity expertise mainly lies in stopping threats on PCs and phones. 

Any comprehensive approach should incorporate the following:

  • Building in safeguards: A lot of onboard software in these vehicles will require navigational and security updates, which will need dedicated communication links back to the manufacturer to transmit patches and updates, especially with autonomous vehicles.
  • Securing the most sensitive assets: Balancing the need for business growth, cost optimization, and productivity on the one hand, with the need to reduce risk. 
  • Establish security standards and best practices: Create sophisticated threat models to deal with the type of non-conventional attacks that are bound to arise with e-vehicles.
  • Implementing digital signatures in e-mobility infrastructure: These communication controls provide much-needed confidentiality, integrity, and accountability for messages. 

E-vehicle Mitigation Techniques for Remote Threats

Vehicles are becoming more sophisticated and connected. The number of vehicles offering internet connectivity is rising. Contracting solutions that allow personnel and passengers to enjoy onboard Internet access while guaranteeing safe browsing and installing tools able to track vehicles and monitor the received signal strength along vehicle routes will help companies optimize their operations and deliver improved user experiences.

Numerous companies are already providing Software-as-a-Service (SaaS) capabilities in order to deliver a complete Wi-Fi solution for your fleet, which means that you can deliver your applications to customers through the cloud as a service. In other words, you can offer a portal in your vehicles, filter browsing content, and block malware threats. You can also remotely monitor all your devices, tracking their location, and obtaining information on the received signal quality.

However, this integrated connectivity poses the largest attack potential for EV networks. Cybersecurity researchers Charlie Miller and Chris Valasek provided an insight into the dangerous mischief that EV networks can pose. Initially, hardwiring computers directly to a car in 2015, they were able to shut down a Jeep's acceleration while it was on the highway, eventually disabling its brakes in a parking lot. More troublingly, they were later able to develop the capability to send messages remotely.

Unfortunately, things haven't improved in the remote threat to the EV domain. Research shows that by connecting cellular phones to vehicles, attackers can potentially take control and crash systems.

These are some things that can be done to mitigate remote threats by drivers and fleet managers:

  • Freight on Board (fob) keys should be stored in an enclosed metal box to prevent cloning or message relaying.
  • Ensure any fob key failure is reported to the fleet manager.

These are the things manufacturers can do to lessen the risk of remote access compromise:

  • Incorporating digital signatures, requiring authentication and authorization from users - including strong passwords for mobile applications that establish communications with vehicles.
  • Ensure that Over-The-Air (OTA) vehicle data housed remotely, firmware updates, and safety-critical inter-Engine Control Unit (ECU) communications are all encrypted.
  • Making infotainment systems operate on a different communications network other than those used for safety and operations.

E-vehicle Mitigation Techniques for Physical Threats

Some of the directives may seem mundane, but old-fashioned physical access is a viable threat to internal vehicle communication system buses, so do the following:

  • Park EVs in secure locations, securing their keys and locking doors to prevent unauthorized access.
  • Ensure only reputable mechanics and trusted partners have physical access to EVs.
  • Keep an eye out for signs of intrusive physical access on the vehicles, such as signs that the dashboard has been removed, and report any concerns regarding unknown devices connected to ports that can be used to transmit malware.

EV manufacturers can assist fleet operators and managers in reducing physical risk by:

  • Installing tampering alarms and network traffic monitoring.
  • Installing firewalls, implementing whitelisting, and blacklisting of the Engine Control Unit (ECU) messages to prevent unsafe commands from being transmitted.
  • Safeguard the EV's networked functionality with fail-safe mechanisms that are mechanical. 
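The message allowlisting, infotainment separation and tamper-alarm ideas above can be pictured as a default-deny gateway sitting between vehicle network segments. The following is an added illustration, not code from the article or from any manufacturer; the segment names, CAN arbitration IDs, length limits and alarm threshold are all hypothetical.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed policy: segment names and CAN arbitration IDs are hypothetical.
# Key: (source segment, destination segment) -> {arbitration ID: max data length}
ALLOWLIST = {
    ("powertrain", "infotainment"): {0x0C8: 8, 0x0D0: 4},  # status for display only
    ("infotainment", "body"): {0x3A0: 2},                   # cabin comfort request
    ("body", "powertrain"): {0x1F0: 8},
    # No ("infotainment", "powertrain") entry: that route is denied outright.
}
ALARM_THRESHOLD = 3  # dropped frames from one segment before raising an alarm

@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    arb_id: int
    data: bytes

def decide(frame):
    """Default-deny decision for one frame; returns (forward, reason)."""
    rules = ALLOWLIST.get((frame.src, frame.dst))
    if rules is None:
        return False, "route not permitted"
    max_len = rules.get(frame.arb_id)
    if max_len is None:
        return False, "ID not on allowlist"
    if len(frame.data) > max_len:
        return False, "payload too long"
    return True, "allowed"

def run_gateway(frames):
    """Filter frames; return (forwarded, drop_log, segments_in_alarm)."""
    forwarded, drop_log, drops = [], [], Counter()
    for frame in frames:
        ok, reason = decide(frame)
        if ok:
            forwarded.append(frame)
        else:
            drop_log.append((frame.src, hex(frame.arb_id), reason))
            drops[frame.src] += 1
    alarms = sorted(s for s, n in drops.items() if n >= ALARM_THRESHOLD)
    return forwarded, drop_log, alarms

# Constructed traffic: two legitimate frames, then an infotainment unit that
# keeps sending frames the policy does not allow, plus one unknown ID from body.
SAMPLE = [
    Frame("powertrain", "infotainment", 0x0C8, bytes(8)),
    Frame("infotainment", "body", 0x3A0, b"\x01\x00"),
    Frame("infotainment", "powertrain", 0x1F0, bytes(8)),
    Frame("infotainment", "powertrain", 0x1F0, bytes(8)),
    Frame("infotainment", "body", 0x3A0, bytes(8)),
    Frame("body", "powertrain", 0x2B0, b"\x00"),
]

if __name__ == "__main__":
    fwd, log, alarms = run_gateway(SAMPLE)
    print(len(fwd), "forwarded;", len(log), "dropped; alarms:", alarms)
```

The drop log doubles as the network traffic monitoring record: every rejected frame is kept with its source segment and the rule that rejected it.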

E-vehicle Mitigation Techniques for Threats Against Telematics

With over 50% of business computing devices being of the mobile variety, mobile devices are now posing new challenges to enterprise network security. Even when a manufacturer has done its best to secure a mobile device, the telematics service involved could be a source of compromise. And e-vehicles are no exception to this rule. 

A security researcher, Vangelis Stykas, detailed that although he couldn't find any vulnerability in a new smart car alarm system, he was able to discover a bug in the telematics server its app was connected to. This ultimately enabled him not only to gain access, but also to modify and control "millions of connected vehicles, user privacy, safety, and vehicles," with direct access to sensitive data such as user information and vehicle locations. 

Monitoring the entire chain of communication between an EV, its apps, and the telematics server is the only reliable way to enforce rigorous protection over telematics data.

E-vehicle Mitigation Techniques for Connected and Automated Vehicle (CAVs) Threats

Electric vehicles (EVs) use smart grid communications through utility and energy service networks, thereby posing risk to the collective smart grid. Propagation of viruses can occur among electric vehicles (EVs) and Electric Vehicle Supply Equipment (EVSE) networks. 

Since an infected EV can communicate with its connected charging station, there is the risk that malware can spread from this point to a network of other vehicles and the electric grid at large. To forestall this scenario, stakeholders should ensure network segmentation is employed between EVs, their charging points, and other EVSEs.

E-vehicle Mitigation Techniques for Corporate Fleets

The advantage of corporate fleets is that the organization has full control over the vehicles driven by their employees, and this control often extends to choosing the vehicle safety features. However, they lack this level of control when it comes to connected and automated vehicles (CAVs), EVs, and electric vehicle supply equipment (EVSE). 

In the e-mobility ecosystem, these fleets are vulnerable to conditions beyond their control like charging stations using out-of-date Open Charge Point Protocols based on HTTP, which doesn't encrypt communications data, unlike HTTPS.
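A fleet operator cannot fix a third-party charging station, but it can at least inventory which charge-point endpoints are configured for plaintext transport. The sketch below is an added example, not part of the original article; the inventory rows, site names and host names are constructed placeholders, and it assumes endpoints are recorded as URLs whose scheme is `http`/`https` or `ws`/`wss`.

```python
from collections import defaultdict
from urllib.parse import urlsplit

ENCRYPTED = {"https", "wss"}   # TLS-protected HTTP / WebSocket
PLAINTEXT = {"http", "ws"}     # readable and modifiable in transit

# Constructed inventory: (site, station, endpoint). All values are placeholders.
INVENTORY = [
    ("depot-a", "cp-01", "wss://csms.example.com/ocpp/cp-01"),
    ("depot-a", "cp-02", "ws://csms.example.com/ocpp/cp-02"),
    ("depot-b", "cp-03", "HTTP://csms.example.com:8080/ocpp/soap"),
    ("depot-b", "cp-04", "csms.example.com/ocpp/cp-04"),  # scheme missing
    ("depot-b", "cp-05", "https://csms.example.com/ocpp/soap"),
]

def classify(endpoint):
    """Classify the configured transport as encrypted, plaintext or unknown."""
    parts = urlsplit(endpoint.strip())
    if not parts.hostname:
        # No scheme://host form: the record cannot be trusted either way.
        return "unknown"
    scheme = parts.scheme.lower()
    if scheme in ENCRYPTED:
        return "encrypted"
    if scheme in PLAINTEXT:
        return "plaintext"
    return "unknown"

def audit(inventory):
    """Group station names per site by transport class."""
    report = defaultdict(lambda: {"encrypted": [], "plaintext": [], "unknown": []})
    for site, station, endpoint in inventory:
        report[site][classify(endpoint)].append(station)
    return dict(report)

def needs_attention(report):
    """Stations whose transport is plaintext or could not be determined."""
    return sorted(
        (site, station, cls)
        for site, groups in report.items()
        for cls in ("plaintext", "unknown")
        for station in groups[cls]
    )

if __name__ == "__main__":
    for row in needs_attention(audit(INVENTORY)):
        print(row)
```

The scheme only shows what transport is configured; it says nothing about whether certificates are validated on an encrypted link.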

E-mobility is different from data moving through the cloud or the web. Instead of sitting at API endpoints, EV data is normalized and aggregated across relevant streams to provide fleets, OEMs, and other relevant stakeholders a holistic view of how data flows in the e-mobility environment. This unified picture provides clarity and visibility to spot threats in the network and pinpoint anomalies before they spiral.

Therefore, fleets and e-mobility stakeholders need to jettison their current practice of relying on silos, with their in-vehicle security, or network security, since this is inadequate to meet the challenges of an increasingly complex environment. The only solution to keep these stakeholders ahead of the game is a single pane of glass approach that provides them a panoramic view of what is happening with their e-vehicles.

It is predicted that by 2030, 125 million electric vehicles will be on the road. Other statistics are equally impressive, with market research showing EV sales reaching 2.3 million vehicles and 2.4 percent market penetration in 2019.

Yet, with so much promise comes a lot of peril. Ominously, in 2018, black hat attacks exceeded research-based white hat attacks for the first time, according to reports. A great deal of effort, research, and innovation in this domain is necessary to ensure malign actors don't get the upper hand.

About the Author: 

Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphasis on technology trends in cyberwarfare, cyberdefense, and cryptography.

Protect Your Privacy: Bollywood Stars' Whatsapp Chats Are Leaking, Is Your Data Safe? Are You Sure Your Message Has Deleted? How Can You Save Your Data? Here's All You Need To Know - Inventiva

Posted: 30 Sep 2020 06:01 AM PDT

The most popular messaging platform undoubtedly claims to be the safest, but the recent cases that have surfaced have opened its door. Narcotics Control Bureau's Special Investigation Team obtained many clues through WhatsApp chats during the investigation of the actor Sushant Singh Rajput's death case. Several media channels also shared WhatsApp chats while disclosing case-related names.

In the Sushant Singh Rajput death case, Riya Chakraborty's WhatsApp chat was the first to be leaked, which caused the actress to be named in connection with the drugs, causing a lot of panic. But now, the names of Bollywood big stars are gradually appearing in drug connections.

Let us know that one of the most popular actresses, Deepika Padukone, is currently being held in several churches. Research on the actress' WhatsApp chats has led to her name being linked to drug connection. Nowadays, a big question has arisen about encryption and user privacy.

Can the government read your chat history or access any third WhatsApp message except the receiver or sender? All users are looking for answers to these questions. The question now is, is it possible to exclude privacy for legitimate purposes? 

As we all know, most people usually use WhatsApp to chat, but how do they keep your data safe? To keep your data confidential, first of all, tell you that if you have not deleted the chat history, then the input saved by cloning the phone can be removed. In addition to this, if the backup is not deleted, it can undoubtedly access the backup data of your phone or any cloud services.

The easiest way to read other users' messages and steal data on WhatsApp, is to steal their identity. If WhatsApp senses that you are one of the receiver or sender, you can still read the message despite the encryption. Cloning can be a method by which after stealing a user's identity, his/her data can be copied to another device.

With the help of an app, without touching his/her phone, the identity of someone can be stolen and his/her WhatsApp account can be accessed like a cloned user. Besides this, the WhatsApp chats backup is not encrypted, which may be the reason for the leakage of personal messages. 

WhatsApp is one of the most widely used applications in the world. To create an account on WhatsApp, users only need a mobile number and verify their identity through the SMS that comes on it. WhatsApp does not allow users to set a PIN or password, like other social media services, without which it cannot sign in. You can only set a verification PIN after logging in.

This means that if a user's number is cloned, his/her WhatsApp account can be created and it can be restored using any old chat backup. WhatsApp's Two-Factor Authentication (2FA) is also unavailable because its 6-digit code (by SMS) also appears on the user's contact number.

These are some of the methods by which one can ensure the privacy of personal chats and the safety of WhatsApp data.

Many applications (including Telegram, Signal, and WhatsApp) allow you to set app-specific passwords (or require the use of fingerprint or face ID). Even if someone accesses your phone through hackers or through physical means, this will add a layer of security.

Therefore, your privacy settings mainly depend on your application. When you install any application from the Google Play Store or App Store, you should be extra careful not to approve the application to be verified. Even the user's location should be avoided. At the same time, never keep automatic uploading on your phone. This may cause problems with your privacy.

Hence, always keep your WhatsApp application delinked. If you choose to back up your WhatsApp/phone data, the button will turn green and it will back up everything on your phone. If you do not select the backup option, this button will turn gray.

The problem is that many of us only grant permissions without understanding what we allow. WhatsApp itself will trouble you to back up your chats from time to time and you think this is not a bad idea. The backup is stored on your Google Drive or iCloud. This is how, it seems, the private chats of Bollywood actors are being broadcast in the public domain.

If a user exports his/her WhatsApp chat history to email or Drive, the end-to-end encryption will be lost and this chat history will not be protected. To ensure the security and privacy of WhatsApp chats, do not export the chat via email or upload the chat anywhere.

The data on iCloud or Google Drive is easily hacked and is not protected by WhatsApp's end-to-end encryption. You can upload it on the cloud only when you are inveigled that a stranger sees your content.

There is a basic problem with chatting. People chat in the moment. They say and do things just like an oral speech at that moment. Your private conversations with friends in the bar will not be archived. However, the chat history is archived and may bother you again.

A good way to protect your privacy is to not archive them. The Signal app is considered the most secure, trustworthy, and reliable application. Its message disappearing feature causes the message to disappear within a period of time after the recipient has read it. You can choose how long to keep the message, from five seconds to a week. WhatsApp does not have this feature and it is very much needed. Telegram has it.

  • In the case of Bollywood, it seems that deleted messages/data have also been recovered.
  • Even if you delete your WhatsApp or delete messages from WhatsApp, the messages can be retrieved through forensic research on your phone.
  • With the disappearance of messages on Signal, this may not be easy. However, even in the past, it was known to be not 100% safe.
  • There is no 100% security, but the disappearing message of Signal is much safer than letting random chat stay on your phone or cloud service for years.

If you happen to make any of the above mistakes, correct them before you get into trouble.

After the personal chats in the Sushant case were leaked, the company stated that WhatsApp would not read the personal chats of its users. Now, WhatsApp repeats the same thing whenever it is asked about application privacy. The company statement came at a time when Bollywood actors' WhatsApp chats about drugs were leaked, causing WhatsApp users to worry about the privacy of their messages on the messaging platform.

Audio calls, messages, and video calls made on WhatsApp are completely encrypted. WhatsApp protects your data through end-to-end encryption, the company spokesperson claimed. End-to-end encryption means that third parties and WhatsApp can never access your personal data. When you and your message recipients use our app, the end-to-end encryption function of WhatsApp is available.

Several messaging apps only encrypt messages or data between them and you, but WhatsApp's end-to-end encryption assures that only you and the person you interact with can read the content sent, and no one in between can read or take it, not even WhatsApp. This is because your communication is protected with a lock, and only you and the recipient have the unique key required to unlock and read.

However, other people on the sender and receiver's devices can only access these messages. In other words, encryption is working, but the security of the message cannot be guaranteed.

Based on this information, we can protect the data with a little effort, but the data can be accessed by the country's eminent agency on the court's order or can be accessed through hackers.

  • Regarding security, the company spokesperson stated that the user data is not 100% safe or secure.
  • Even if you delete your data, hackers can still steal your data from the server.
  • The country's eminent bureau can access anyone's conversation/data on the court's order.
  • There is no privacy law in India.
  • The data privacy law has been pending before Parliament for deliberation, but it is a weak draft.
  • Therefore, even if this law is passed, it will actually not do much to protect the privacy of citizens. 
  • It is designed to enable the government to easily access your data. 
  • Under the IT Act, data theft and hacking can lead to sections 43 and 66.

When you live in a country where the government has told the Apex Court that privacy is not a fundamental right, and people don't even have an independent right over their own bodies, it's time to take phone privacy seriously.
