Is Your Car Secure? Perhaps Not.

We’ve all probably heard the stories about people hacking the internet of things: breaking into our toasters, washing machines, espresso makers and any other device which is ‘internet enabled’. Indeed, the problems these devices generate by being online seem to far outweigh the advantages.

After all, what’s the point in having your toaster internet enabled? To order more bread, emergency crumpet supplies or maintain your bagel stocks at a certain level? Hardly important stuff, and personally I couldn’t imagine anything worse than having an army of electrical devices having the ability to order stuff to my house!

Having said that, you might argue that lying awake at night worrying if your toaster has been hacked by a Russian cyber criminal gang might be a bit paranoid too.  At least right up to the point when the police come to investigate why thousands of pedophiles are connecting to an IRC server hosted on your internet connection.

The problem is that however trivial the device sounds, anything internet enabled can potentially act as either a host or a portal to attack anything else online. The device is sometimes irrelevant; it’s merely your internet connection and IP address that are important. They can also be used to sniff personal details and steal more than bandwidth, though. Each and every device that you have in your home which is connected to the internet is potentially a threat to your privacy and anonymity online.

However, there’s one device that’s increasingly becoming internet aware that worries me a lot, and that’s our cars. It concerns me for a variety of reasons. Firstly, I am a lot more worried about someone stealing my car than I am my refrigerator. Secondly, the idea that anyone has remote access in any form to a metal device in which I hurtle down the motorways at 80 miles an hour is somewhat worrying.

It seems that I have even more cause for concern, as a recent study group determined at the Kaspersky Security Analyst Summit last month. In the workshop they demonstrated how simple it is to introduce software into modern internet enabled cars to steal data, take control of functions, bypass alarms and key systems, and even crash the car.

Frankly I can think of tons more things to worry about having my car hacked than all the other internet enabled crap sitting in our living rooms and kitchens put together. Someone accessing my car is very scary indeed; after all, even having your computer hacked doesn’t put you into actual physical danger.

Automotive security is important and it doesn’t seem to be taken seriously by most manufacturers. One of the researchers involved bought a car and ran through a series of attacks to see how difficult it would be to hack into. They found it surprisingly easy, even turning the car into a war driving machine with a built-in facility to spot and log into open Wi-Fi connections.

One of the attacks involved was actually found on a car hacking site, a piece of code which claimed to give root access to all the car’s control systems.  The researcher installed the code easily using the car’s USB port which was configured to auto-run any code it found.  Instantly the researcher had full access to the car’s infotainment system.

This revealed a surprising and slightly disturbing undocumented feature of the car. It had previously crawled and downloaded his address book, email list, SMS messages and even the list of last visited locations. All of these details were stored and recorded in clear text within the car’s data storage.

There were lots more facets to the investigation, including extensive control and manipulation of the car’s built-in Wi-Fi system. There was some even more worrying research into the feasibility of controlling the automatic braking software, although nothing conclusive was created.

Safety and privacy issues were not the only concern, and one of the more practical problems of car security is the potential for theft. Keys were considered a huge area of weakness, with many electronic keys having an extremely small number of combinations. However, the biggest potential threat in this area is the technology known as signal amplification. Indeed there is a kit available online which only costs about £50 which can pick up the signal from car keys and copy them to the car directly – both unlocking the car and disabling the alarm system.

BBC Block VPN Connection Services

It was a move greeted by shock, disbelief and to some extent even despair: suddenly the BBC started to block VPN connections from across the world. Just to roll back a little, for years the BBC had insisted that all its media content was only available to domestic viewers, i.e. those who were physically located in the United Kingdom. However, although this was official policy, the BBC did very little to actually enforce this other than a basic IP check which blocked anyone accessing from a non-UK IP address.

This IP blocking method, although effective, was actually extremely simple to bypass: all one needed was a way of hiding one’s location.

Initially this could be achieved by using a simple proxy server, although in 2016 the BBC started to block these, following the lead of most global media companies. There was another method left: using a VPN (virtual private network), which also allowed users to hide their physical location and IP address.

A VPN connection is virtually impossible to detect, so these have continued to work and many people have switched to them from proxy servers. Unfortunately VPN services are more expensive to run and therefore almost always require a paid subscription. The free ones are filled with advertising, share your internet connection with strangers and are all frustratingly slow to use, which means that everything involves extensive buffering.

Here you can see in this video, a demonstration of a VPN program being used to access the BBC from outside the UK.

Although the move to paid services was upsetting to a lot of people, these subscriptions were relatively inexpensive and, as they opened up all the UK TV channels, are still extremely popular. However, during the second part of 2016 and into 2017 the BBC started to attack these services too. In fact during specific times, literally thousands of people found themselves blocked almost overnight – one day they were happily watching the BBC, the following day they were blocked. It almost seemed that suddenly they had figured it out, BBC iPlayer detecting VPN services – was it possible? Well no, they can’t detect them, but it’s true that for many their BBC iPlayer VPN had suddenly stopped working.

So if the VPN connection is virtually undetectable, how did the BBC manage to block so many of them?

How Does the BBC Block VPN Connection Services?

As mentioned, a properly configured and well run VPN service is almost impossible to detect. Even the Chinese have thrown huge resources at identifying and blocking VPNs in order to control the huge use of them to circumvent their filtering and censorship. They have not been completely successful, and many Chinese routinely use VPN services to bypass the Great Firewall of China and indeed retain their anonymity in one of the most oppressive internet states in the world. Other media companies have all tried in various ways too; most seem to settle for the partial success of blocking the simple proxies. Nearly all media companies now block the easy targets, so for example you can’t use a simple French proxy for M6 Replay either.

So obviously the BBC do not have anything like the technical expertise or resources to match this. However, there are other options which can be fairly effective. Firstly, although the actual type of connection cannot be easily identified, they can identify when thousands of concurrent connections come from specific IP address ranges. VPN servers will have limited numbers of IP addresses, and when the BBC detects thousands of streams all being directed at the same ones then it’s likely they are some sort of proxy or VPN.
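The concurrency check described above, as an added example (not the BBC's system and not code from the original post): it computes the peak number of simultaneously open streams per address range and flags ranges over a threshold. The session log layout, the /24 grouping, the threshold and every address are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample sessions: (start_sec, end_sec, client_ip, session_id).
# Addresses come from the RFC 5737 documentation ranges.
SESSIONS = [
    (0, 3600, "203.0.113.10", "a1"), (60, 3000, "203.0.113.10", "a2"),
    (120, 2400, "203.0.113.11", "a3"), (300, 3300, "203.0.113.12", "a4"),
    (600, 1800, "203.0.113.12", "a5"),   # shared exit: five streams overlap
    (0, 1800, "198.51.100.7", "b1"), (900, 2700, "198.51.100.7", "b2"),
    (0, 1000, "192.0.2.10", "c1"), (1000, 2000, "192.0.2.10", "c2"),
    (2000, 3000, "192.0.2.10", "c3"),    # heavy viewer, but one stream at a time
]

def peak_concurrency_by_prefix(sessions, prefix_len=24):
    """Return {network string: peak number of simultaneously open streams}."""
    events = defaultdict(list)
    for start, end, ip, _sid in sessions:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        events[str(net)].append((start, 1))   # stream opens
        events[str(net)].append((end, -1))    # stream closes
    peaks = {}
    for net, evs in events.items():
        # At equal timestamps process closes (-1) before opens (+1), so
        # back-to-back episodes are not counted as overlapping streams.
        evs.sort()
        current = peak = 0
        for _ts, delta in evs:
            current += delta
            peak = max(peak, current)
        peaks[net] = peak
    return peaks

def flag_shared_exits(sessions, threshold, prefix_len=24):
    """Prefixes whose peak concurrency reaches the threshold, as (net, peak)."""
    peaks = peak_concurrency_by_prefix(sessions, prefix_len)
    return sorted((n, p) for n, p in peaks.items() if p >= threshold)

if __name__ == "__main__":
    # Threshold scaled down from "thousands" to fit the small sample.
    for net, peak in flag_shared_exits(SESSIONS, threshold=4):
        print(f"{net}: {peak} concurrent streams")
```

Carrier-grade NAT and campus networks also put many viewers behind a few addresses, so a flagged range is a candidate for review rather than proof of a VPN.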

Secondly, many of these VPN services are easily identified by a little detective work. Many of them openly advertise or display their TV watching services on their websites. Type ‘BBC iPlayer abroad’ or ‘watch UK TV abroad’ into a search engine like Google and you’ll see some paid adverts for various websites. All the BBC has to do is look up these services and block them manually; anything that looks like a TV watching service and not a proper security based VPN will be fair game. So there is some truth to these rumours, but it would be wrong to say that BBC iPlayer is not working through VPNs anymore.

So in essence a little detective work and monitoring of incoming connections can be a pretty effective way of blocking these VPN connections. There is no real BBC iPlayer VPN workaround; it is merely a matter of selecting the right sort of VPN service. Fortunately the older legitimate VPN services don’t advertise these facilities and also have large infrastructures with lots of servers to spread their connections. The BBC has made little additional effort in blocking these services since the BBC iPlayer VPN 2017 purge, so the remaining companies should be fine – certainly I’ve been using Identity Cloaker for over a decade now without issues.

Companies like idc still work with all the UK TV stations despite these blocking efforts because they remain primarily security services not ‘TV watching’ proxies.

Mansfield Radio Station Hacked

Now this is class, a great example of a childish, yet sophisticated attack on a local radio station. The station is Mansfield 103.2 FM, a small local independent radio station based in Mansfield, Nottingham. Since June 2017 the station has found its frequency hijacked by an unknown individual who has been transmitting an adult song called ‘The Winker’s Song’ sung by errmm Ivor Biggun (scroll down for song).

This is of course pretty funny, although some people of course have been offended.  The problem is that it’s actually quite difficult to stop this happening.   The attacker is obviously using some sort of high powered mobile transmitter, and the police would have to catch someone in the act to do anything.

It is apparently a criminal act, and the communications regulator Ofcom has tried to track the offender several times without success. They have Spectrum Engineering Officers (cool job title!) working with the radio station in an attempt to identify the culprits.

Having listened to Mansfield 103.2 many years ago, I suspect it will have probably brought them a few more listeners waiting for the next attack. The prankster had better be careful though, as the killjoys have pointed out that maliciously causing radio interference carries a maximum punishment of two years’ imprisonment and an unlimited fine.

I for one would look carefully at people who have an association with the radio company, perhaps a disgruntled ex-employee. The song selected has to be a big clue – it is of course a rude little ditty about masturbation which basically loops through the words – “I’m a W*nker” to a George Formby type soundtrack. It is also introduced by a male voice with a local Nottinghamshire accent; that song is a message dedicated to someone in the radio station, I suspect.

To save you all googling – here’s the song –

The prankster also seems to be trying a little comedic timing too, with the latest hijack taking place halfway through a live family broadcast from a local Mansfield event. Hopefully he’ll now stop, because he’s bound to get caught eventually and we need more proper hackers around like this guy.

Maybe though, he’s a millionaire super hacker who’s adapted some long range drones with radio transmitters controlled by a secure VPN and will never actually be caught – just the drone shot down. Only to mysteriously return and play the same song every time Nigel Farage does a radio interview somewhere, excellent….