Cars are exposed to hacking in dealers' garages

Craig Smith has developed a device to test whether the diagnostic machines that car dealerships use to check and tune modern cars can fall victim to hacking and then be used as infection stations that spread malware to other vehicles, and from there to other workshops.


Craig calls this scenario an "auto brothel" and warns that his device has found many car diagnostic tools vulnerable to a number of simple hacking techniques.

He presented his research project at this year's DerbyCon, a hacking conference that took place in Louisville, Kentucky, USA.

A $20 device to check whether a car diagnostic tool is hackable

At the same conference, Craig also presented a special device he built to test the car diagnostic tools found in the workshops of official dealership networks. He named the device ODB-GW (Ol' Dirty Bastard Gateway). The software for this tool, named Unified Diagnostic Services (UDS) Server, is also available for download from GitHub.

As Craig explains, the ODB-GW device was created to act as a honeypot (a hacker trap), making the diagnostic tool think it is connected to a car.

On the other side of the ODB-GW, Craig connects a laptop, from which he can carry out basic tests and identify weaknesses in the diagnostic machine.

The technique the ODB-GW device uses to find vulnerabilities is called "fuzzing": it sends large amounts of random data to the car diagnostic machine and then observes how the machine reacts, and when and how it hangs.
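The same idea seen from the side of whoever maintains a diagnostic tool, as an added example (not code from Craig Smith's tools or from the original article): random frames are fed to a parser that trusts its input and to one that validates it, and the crashes are counted. The frame layout is a simplified ISO-TP single frame carrying a UDS response, and `parse_naive`, `parse_hardened` and `fuzz` are hypothetical names.

```python
import random

# Constructed toy format (an assumption for this example): a classic-CAN
# ISO-TP single frame carrying a UDS response from the simulated car.
#   byte 0      PCI: high nibble 0 = single frame, low nibble = payload length
#   payload     0x62 DID_hi DID_lo data...  positive ReadDataByIdentifier reply
#               0x7F SID NRC                negative response

def parse_naive(frame: bytes):
    """Hypothetical tool-side parser that trusts whatever the 'car' sends."""
    length = frame[0] & 0x0F
    payload = frame[1:1 + length]
    if payload[0] == 0x7F:
        return ("negative", payload[1], payload[2])
    did = (payload[1] << 8) | payload[2]
    return ("positive", did, payload[3:])

def parse_hardened(frame: bytes):
    """Same format, but every length and type field is checked before use."""
    if len(frame) < 2 or frame[0] >> 4 != 0:
        return None                      # empty, or not a single frame
    length = frame[0] & 0x0F
    if not 1 <= length <= 7 or len(frame) < 1 + length:
        return None                      # declared length exceeds the data
    payload = frame[1:1 + length]
    if payload[0] == 0x7F and length == 3:
        return ("negative", payload[1], payload[2])
    if payload[0] == 0x62 and length >= 3:
        return ("positive", (payload[1] << 8) | payload[2], payload[3:])
    return None                          # unknown or truncated response

def fuzz(parser, rounds=2000, seed=1):
    """Feed random frames to a parser; return the inputs that crashed it."""
    rng = random.Random(seed)
    crashes = []
    for _ in range(rounds):
        frame = bytes(rng.randrange(256) for _ in range(rng.randrange(9)))
        try:
            parser(frame)
        except Exception as exc:         # a crash the fuzzer would report
            crashes.append((frame.hex(), type(exc).__name__))
    return crashes

if __name__ == "__main__":
    for parser in (parse_naive, parse_hardened):
        found = fuzz(parser)
        print(parser.__name__, "crashes:", len(found), found[:3])
```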

Car diagnostic tools are susceptible to a malware outbreak

Mr. Smith says that once a hacker learns what the vulnerabilities in a diagnostic machine are, they can create malware that hacks and infects the device and then uses the diagnostic machine to spread to other cars connected to it, or even spreads through the dealership's WiFi network to WiFi-capable cars in the workshop.

"As a safety auditor I definitely suggest you try it out, [...] it's a great market that hasn't been considered," says Smith, referring to the fact that the automotive industry has put in place only minimal security practices.

"Dealerships are relatively vulnerable, have a very low level of security and usually do not yet have an internal IT department.

"You can build a malicious car, take it to a dealership for regular maintenance, and from there attack the dealership. For example, when you plug in the diagnostic machine to see why the check engine light is on, the to enter the diagnostic machine. And then through that machine the software to get into any other car that will connect to it, so you'll have a car brothel."

Mr. Smith then goes deeper into the hacking scenario, stating that experts who manage to infect cars or dealerships with ransomware could charge exorbitant sums to unlock the cars, either from the individual owner of each car or from the car dealership which is responsible for their care and proper operation.

Craig Smith is the founder of Open Garages, the author of the Car Hacker's Handbook, and today runs his own independent security research firm, Theia Labs.

You can watch Craig's DerbyCon presentation below. Note that, besides being in English, the presentation makes many references to automotive and hacking terminology, so it may all sound a bit like gibberish.


Written by Dimitris
