In September, Uber reported a massive security breach. Uber was hacked by the LAPSUS$ hacking group, which is known for its successful social engineering attacks. LAPSUS$ started in 2021 by hacking Brazil’s Ministry of Health, and in 2022 it can already count many prominent victims, e.g., Samsung, NVIDIA, Ubisoft and Microsoft.

The report by Uber details that the access credentials of one of its external contractors were likely purchased on the dark web. With these credentials, the hacking group started a so-called MFA fatigue attack (or MFA bombing attack), a technique that exploits the increasing use of multi-factor authentication. The attacker sends a high volume of authentication requests to the victim in the hope that the victim accepts one of them at some point. This is exactly what happened in the Uber hack: at first, the external contractor denied the authentication requests, but eventually the contractor accepted one of them.
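The pattern described above, several denied or timed-out push challenges followed by one approval, is something a defender can look for in MFA logs. The following detection logic is an added example, not code from the original article or from any MFA vendor; the log format, the constructed sample lines, the 10-minute window and the threshold of three rejected pushes are all assumptions.

```python
"""Flag MFA-fatigue (push bombing) patterns in constructed push-auth logs.

A user is flagged when several push challenges are denied or time out
within a short window and then one is approved. Log format and
thresholds are assumptions for this example, not a vendor's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> user=<name> push=<result>"
SAMPLE_LOG = """\
2022-09-15T22:01:03Z user=contractor push=denied
2022-09-15T22:01:41Z user=contractor push=denied
2022-09-15T22:02:20Z user=contractor push=timeout
2022-09-15T22:03:05Z user=contractor push=denied
2022-09-15T22:04:12Z user=contractor push=denied
2022-09-15T22:05:30Z user=contractor push=approved
2022-09-15T22:10:00Z user=alice push=approved
2022-09-15T23:00:00Z user=bob push=denied
2022-09-15T23:30:00Z user=bob push=approved
"""

def parse_log(text):
    """Yield (timestamp, user, result) tuples from the constructed format."""
    for line in text.splitlines():
        ts, user_field, push_field = line.split()
        yield (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
               user_field.split("=", 1)[1], push_field.split("=", 1)[1])

def detect_mfa_fatigue(text, window=timedelta(minutes=10), min_rejected=3):
    """Return {user: approval time} for every approval preceded by at least
    min_rejected denied/timed-out pushes inside `window` for that user."""
    events = defaultdict(list)
    for ts, user, result in parse_log(text):
        events[user].append((ts, result))
    flagged = {}
    for user, evts in events.items():
        evts.sort()
        for i, (ts, result) in enumerate(evts):
            if result != "approved":
                continue
            rejected = sum(1 for t, r in evts[:i]
                           if r in ("denied", "timeout") and ts - t <= window)
            if rejected >= min_rejected:
                flagged[user] = ts
    return flagged

if __name__ == "__main__":
    for user, ts in detect_mfa_fatigue(SAMPLE_LOG).items():
        print(f"possible MFA fatigue: {user} approved a push at {ts:%H:%M:%S}")
```

On the sample data only the contractor is flagged: alice approved without prior rejections, and bob's single denial lies outside the window.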

Accepting the authentication request once was already enough to give the hackers a foothold in the system. From there, the hackers explored the system and claim to have found a network share with PowerShell scripts that contained the admin credentials for the company’s Thycotic PAM (Privileged Access Management) server, which ultimately opened the doors to many services such as GSuite, AWS and Duo.

Multi-factor authentication (MFA) was long seen as the holy grail for coping with insecure passwords or password re-use – it is simple and requires the attacker to overcome another barrier. There are various implementations of MFA, for instance one-time passwords sent via text message. Attacks against this specific technique were demonstrated early on and found in the wild: attackers only needed to convince the mobile carrier to transfer the phone number to a new SIM (a so-called SIM-swapping attack). NIST has also removed SMS-based MFA from its recommendations since 2016. On this note, one may also argue that the well-known and widely used TOTPs (Time-based One-time Passwords) are not the best alternative, as they require both the user and the server to store the shared secret. There are many more implementations; one of them, the open Universal 2nd Factor (U2F) standard, seems promising, also when the usability of the method is taken into account.

When cars are talking

Students at KTH, in collaboration with Vi Bilägare, have analysed where the data of various vehicles is sent and how much of it. The report by Vi Bilägare summarises their findings. They show that vehicles by MG, which is owned by the Chinese state, continuously send data to servers in China owned by Tencent.

As the data of all analysed vehicles was encrypted with state-of-the-art methods, one cannot tell what kind of data is being transmitted, i.e., whether it contains personal information. Regarding MG, the company first responded that no personal data is being stored – the transmissions are merely logs sent when a music application crashes. The security student Jacob Ingers, who performed the tests, however, said that the app didn’t crash once during their tests, and when confronted with these findings MG answered that it is the bug reporting component performing regular check-ups.

Other vehicles, such as the examined Seat Leon, also communicate with various servers located in Europe. In total, they found that the vehicle communicated with 158 different IP addresses during their analysis. The Nissan Qashqai and Seat Leon also sent data outside the European Union, i.e., to the USA. In summary, their investigations showed that the MG MARVEL R communicates with servers located in China, Ireland, France and Germany; the Tesla Model 3 talks to servers in Ireland; the Nissan Qashqai sends data to the USA, Germany, Italy and the United Kingdom; and the Seat Leon communicates with servers in the USA and Italy.

This analysis highlights that modern vehicles are quite talkative. Sending data outside the European Union is not illegal as long as it is not personal data. The interviewee Joakim Söderberg points out, however, that it is not easy to identify which data is to be considered personal data, as one could argue that nearly all data contains a unique pattern that differs across vehicles.

Short News

  • Europol dismantled a car theft ring that exploited vulnerabilities in the keyless-entry functionality. The operation led to the arrest of 31 suspects. Link.
  • Car retailer Pendragon (UK) was the victim of a hack and was held to a 60 million dollar ransom. Link.
  • NTT Communications and DENSO (which also fell victim to a ransomware attack in March this year) are partnering to develop a Security Operation Center for Vehicles (VSOC). Link.

Written by Thomas Rosenstatter