Expleo, a global engineering, technology, and consulting service provider, has announced that it has developed a testing tool, in the form of a portable briefcase, called the “ExpleoSmeeta Briefcase”. The tool provides a platform for combining their cybersecurity testing framework “ExpleoSmeeta OS” with hardware components in order to conduct security assessments, cyber forensics, and pen tests related to the automotive sector.
With this physical cyber resilience testing briefcase platform, Expleo’s engineers can carry out in-depth cybersecurity tests on vehicles wherever they are, and support OEMs and Tier 1s in examining and verifying proprietary solutions. Another of their intentions is to further integrate cybersecurity by design into product development and to anticipate future cybersecurity risks.
The threat vectors this briefcase claims to cover are:
- Keyless entry, where RFID is used to access and start vehicles via electronic key fobs,
- GPS spoofing of the vehicle’s GPS system to hide stolen vehicles,
- Compromised vehicle sensors, which can potentially put a driver or passenger at risk,
- Abuse of the vehicle’s wireless connection, enabling personal data to be taken or malicious firmware to be uploaded to a vehicle.
Helmi Rais, Group Cybersecurity Practice Leader at Expleo Group, says:
“The automotive industry must be able to respond to an ever-changing set of threats. That’s why we developed ExpleoSmeeta to help combine the knowledge of the cyber community with Expleo’s automotive and digital expertise so that OEM and Tier1 automakers can test, secure, and protect their products, making them more resilient, sustainable, and most importantly, safer for consumers.”
Expleo demoed their briefcase at the Paris Motor Show at the end of October this year.
A “childish” animated video from Expleo Group demonstrating the briefcase platform can be found on YouTube: https://www.youtube.com/watch?v=PgR_SezYOUI
Uber
In our previous newsletter, we reported that Uber had suffered a massive security breach after being hacked by the LAPSUS$ hacking group. Speaking of Uber, it recently emerged that the company's former security chief was convicted for not disclosing a massive data breach of Uber's networks in 2016. Apparently, the breach affected the personal data of more than 57 million riders and drivers. Uber’s former security chief failed to inform the authorities or the public about the 2016 breach and settled the matter by issuing a payment of 100 000 USD to the hacker. Since Uber was at that time under investigation by the FTC for an even earlier security breach in 2014, Uber’s security chief was found guilty of concealing a felony from authorities.
Tesla
Security researchers have detected a security vulnerability, known as CVE-2022-42430, impacting the Tesla Model 3. By exploiting this vulnerability, an attacker could execute code and gain root privileges on affected vehicles. The affected vehicle part is unknown, but upgrading to the latest software version for the Model 3 eliminates this vulnerability.
JBL
Paris police discovered a modified JBL Bluetooth speaker, used to break into vehicles, during the arrest of two suspected car hackers. The JBL Bluetooth speaker contained a digital start key that enabled the hackers to remotely start the vehicle. Such a device can be found on the dark web, listed for around 5 000 EUR. The cars that could be stolen in less than a minute with such a modified device were Peugeot, Lexus and Toyota vehicles.
Written by Joakim Rosell