July 27, 2013

Hackaz: we in U ride'n medical stuff

Last night's ONT linked a story about some guys who got a Prius to break bad and do all sorts of unexpected nasty stuff by farkling it up through the (mandated by the govt BTW) onboard diagnostic port.

Industry apologists will whine that they had to do it with a hardwired connection to a laptop to make the bad things happen, yada, yada, yada.

That's fine, but the OBD ports are typically tucked away out of sight in most cars, so slipping something like an Arduino processor in there tucked up under the dash to do the damage at some prescribed time when a specific set of conditions are met isn't out of the realm of possibility.

The real problem is that the OBD micro-controller firmware even allows an external device to initiate dangerous vehicle actions (like applying brakes, farkling steering, etc.) when the vehicle is in motion.
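As an added illustration of that design point (example code written here, not from the linked story or any vehicle vendor's firmware), a gateway-side check that honours actuation requests from the diagnostic interface only while the car is stationary and parked. Request types, source names and the replayed session log are all hypothetical and constructed for the demo:

```c
#include <stdbool.h>
#include <stdint.h>

/* Physical interface a request arrived on. CAN frames carry no sender identity,
 * so the only trustworthy "source" is which bus/port the gateway read it from. */
typedef enum { SRC_INTERNAL_BUS, SRC_DIAGNOSTIC_PORT } req_source_t;

/* Request classes (hypothetical subset, for illustration). */
typedef enum { REQ_READ_DTC, REQ_APPLY_BRAKE, REQ_STEER_ASSIST, REQ_KILL_ENGINE } req_type_t;

static bool request_actuates(req_type_t r) { return r != REQ_READ_DTC; }

/* Gatekeeper: an actuation request from the diagnostic port is honoured only in
 * the service-bay condition (speed zero and parked); read-only requests always pass. */
bool authorize_request(req_source_t src, req_type_t req, uint16_t speed_kph, bool in_park) {
    if (!request_actuates(req)) return true;
    if (src == SRC_INTERNAL_BUS) return true;   /* normal ECU-to-ECU traffic, e.g. ABS */
    return speed_kph == 0 && in_park;
}

/* One request as the gateway sees it, with the vehicle state at that moment. */
typedef struct { req_source_t src; req_type_t req; uint16_t speed_kph; bool in_park; } req_t;

/* Replays a request log through the gate and returns how many were refused. A
 * nonzero count at road speed is itself worth logging: a legitimate scan tool has
 * no reason to command brakes or steering while the car is moving. */
int count_rejected(const req_t *log, int n) {
    int rejected = 0;
    for (int i = 0; i < n; i++)
        if (!authorize_request(log[i].src, log[i].req, log[i].speed_kph, log[i].in_park))
            rejected++;
    return rejected;
}

/* Constructed sample: a scan in the bay, then the same port trying to act at speed. */
int constructed_session_rejections(void) {
    static const req_t session[] = {
        { SRC_DIAGNOSTIC_PORT, REQ_READ_DTC,      0, true  },  /* allowed */
        { SRC_DIAGNOSTIC_PORT, REQ_APPLY_BRAKE,   0, true  },  /* allowed: brake test in bay */
        { SRC_INTERNAL_BUS,    REQ_APPLY_BRAKE,  80, false },  /* allowed: internal bus */
        { SRC_DIAGNOSTIC_PORT, REQ_READ_DTC,     80, false },  /* allowed: read-only */
        { SRC_DIAGNOSTIC_PORT, REQ_APPLY_BRAKE,  80, false },  /* refused */
        { SRC_DIAGNOSTIC_PORT, REQ_STEER_ASSIST, 80, false },  /* refused */
        { SRC_DIAGNOSTIC_PORT, REQ_KILL_ENGINE,   5, false },  /* refused */
    };
    return count_rejected(session, (int)(sizeof session / sizeof session[0]));
}
```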

The lesson of the past 20 years regarding tech and hacking is this: if something is physically possible then someone with malice in their heart is gonna figure out how, and eventually do it.

Oh my -- more vehicle hacking fun. Some boffin has cracked the remote control keyfob encryption used in a slew of higher end luxury cars.

A British-based computer scientist has been banned from publishing an academic paper revealing the secret codes used to start luxury cars including Porsches, Audis, Bentleys and Lamborghinis as it could lead to the theft of millions of vehicles, a judge has ruled.
Problem averted, world saved by the judge, right? Well, maybe not so much...
It emerged in court that their complex mathematical investigation examined the software behind the code. It has been available on the internet since 2009.
The industry position seems to be one of stonewall and denial that they have a problem that needs fixing. If owners were aware of this issue, they'd rightly be demanding recalls and retrofits of a more secure system. Since in reality the cat has been out of the bag for 3+ years now, denial may not be the best course of action because: (eastern European hackerz + organized crime = profits). Again:
if something is physically possible then someone with malice in their heart is gonna figure out how, and eventually do it.

In years past, the FDA was kind of in the dark about security vulnerability evaluation of various life critical medical devices, but they appear to be getting on board now that various hackers have exposed numerous vulnerabilities in medical gear out in the field. Having FDA behind a problem seems to help cut through a lot of manufacturer stonewalling and denial.
...Last year, Barnaby Jack, a security researcher with IOActive, showed he could force some Medtronic pumps to dispense fatal insulin doses from up to 300 feet away. He also has a Black Hat talk planned this year on a new vulnerability in wireless pacemakers and defibrillators. Jack said he notified the FDA in both cases.

"It's been primarily positive," he said. "They don't have the expertise on board to be able to make a thorough check, but they're certainly open to hearing about vulnerabilities. They certainly open the right doors for us."...

Barnaby was scheduled to give a talk at this year's Black Hat hacker conference in Las Vegas about vulnerabilities in medical devices, but died suddenly a couple of days ago. He was 35yo. BTW, the NSA's Gen Alexander will be giving the keynote at Black Hat on July 31. I see this as a pretty positive thing.

If you want to be paranoid for the rest of the day, peruse the list of speakers and topics for Black Hat. Here's a small sampling:

  • We will demonstrate an example of full software bypass of Windows 8 Secure Boot due to such mistakes on some of the latest platforms and explain how those mistakes can be avoided.

  • The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature [I sidebar'd this one a few days ago]

  • The Bad: Bluetooth Smart's key exchange is weak. We will perform a live demonstration of sniffing and recovering encryption keys using open source tools we developed. The Ugly: A passive eavesdropper can decrypt all communications with a sniffed encryption key using our tools

  • Learn how to build an Android SpyPhone service that can be injected into any application. The presentation will feature a live demonstration of how phones can be tracked and operated from a Web based command and control server and a demonstration of how to inject the SpyPhone service into any Android application.

posted by Purp at 01:12 PM
