Technology

Hacker Claims He Can ‘Turn Off 25,000 Cars’ At The Push Of A Button

Every day millions of us rely on tech to protect our cars from thieves. Immobilizers, for instance, ensure only the owner of the right key fob can start the vehicle.

But now that technology has become a security threat, after hackers told Forbes they could lock down up to 25,000 cars at once. It’s all thanks to a vulnerability (now fixed) that made it frighteningly simple to quickly take remote control of a car’s immobilizer and prevent drivers from starting their vehicle.

Your car’s immobilizer is supposed to be used for good. If a crook steals your car, it’s possible for you to connect to the immobilizer, which tracks the vehicle and allows you to stop anyone from turning on the engine.

But with one particular immobilizer – the U.K.-made SmarTrack tool from Global Telemetrics – an easy-to-hack vulnerability meant it was simple for researchers at Pen Test Partners to turn on the immobilizer permanently, without the customer knowing a thing.

To prove it was possible, the researchers from British cybersecurity company Pen Test Partners hacked the vehicle of one of their own employees, disabling his car whilst they were in the U.K. and he was in Greece, not long before he was due to head to a wedding.

‘We own your immobilizer’

Ken Munro, cybersecurity researcher and partner at Pen Test Partners, first described the hack to Forbes at the DEF CON convention in Las Vegas.

He found that it was possible to turn the immobilizer on and the car off by sending a simple request via a browser. Once he’d entered the command, it took less than a second for the immobilizer to be triggered.

It was as if Munro was acting as one of the SmarTrack call center employees who were permitted to turn the immobilizer on. SmarTrack systems just weren’t correctly checking that the commands were being sent by an authorized user, Munro said.
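The check the article says was missing, shown as an added illustration that is not code from SmarTrack, Global Telemetrics or Pen Test Partners: a toy command endpoint in Python, first with the gap (any well-formed request immobilizes the vehicle) and then with the session lookup, per-vehicle authorization and audit record that a back end of this kind needs. The session tokens, VINs, roles and the request shape are all constructed for the example.

```python
"""Added example (not SmarTrack's or Pen Test Partners' code): a minimal
immobilizer command endpoint, first with the authorization gap the article
describes and then with server-side checks. All tokens, VINs and accounts
are constructed for the example."""
import hmac
from dataclasses import dataclass, field

# Constructed data: session tokens mapped to accounts, and which vehicle
# each account owns. A real service would hold these in a database.
SESSIONS = {
    "tok-owner-alice": {"user": "alice", "role": "owner"},
    "tok-agent-bob": {"user": "bob", "role": "call_center"},
}
VEHICLE_OWNER = {"VIN-0001": "alice", "VIN-0002": "carol"}


@dataclass
class Vehicle:
    vin: str
    immobilized: bool = False


@dataclass
class Request:
    """The fields a browser request to the endpoint would carry."""
    params: dict
    cookies: dict = field(default_factory=dict)


FLEET = {vin: Vehicle(vin) for vin in VEHICLE_OWNER}
AUDIT_LOG = []


def vulnerable_handler(req: Request) -> str:
    """The pattern the article describes: the command is acted on as soon
    as it is well-formed. Nothing ties the request to an authorized user."""
    vin = req.params.get("vin")
    if vin not in FLEET:
        return "404 unknown vehicle"
    if req.params.get("action") == "immobilize":
        FLEET[vin].immobilized = True
        return "200 immobilized"
    return "400 bad action"


def lookup_session(req: Request):
    """Resolve the session cookie; compare in constant time."""
    token = req.cookies.get("session", "")
    for known, account in SESSIONS.items():
        if hmac.compare_digest(token, known):
            return account
    return None


def hardened_handler(req: Request) -> str:
    """Same endpoint with authentication, per-vehicle authorization and an
    audit record for every decision, so a misuse leaves a trace."""
    account = lookup_session(req)
    if account is None:
        AUDIT_LOG.append(("deny", "no-session", req.params.get("vin")))
        return "401 not authenticated"
    vin = req.params.get("vin")
    if vin not in FLEET:
        return "404 unknown vehicle"
    # Owners may act only on their own vehicle; call-center staff may act
    # on any vehicle, but every action is attributed to a named agent.
    allowed = (account["role"] == "call_center"
               or VEHICLE_OWNER[vin] == account["user"])
    if not allowed:
        AUDIT_LOG.append(("deny", account["user"], vin))
        return "403 not authorized for this vehicle"
    if req.params.get("action") == "immobilize":
        FLEET[vin].immobilized = True
        AUDIT_LOG.append(("immobilize", account["user"], vin))
        return "200 immobilized"
    return "400 bad action"


def reset_fleet():
    """Restore the constructed fleet to its starting state."""
    for vehicle in FLEET.values():
        vehicle.immobilized = False
    AUDIT_LOG.clear()


if __name__ == "__main__":
    anon = Request(params={"vin": "VIN-0002", "action": "immobilize"})
    print("vulnerable:", vulnerable_handler(anon))   # acts on an anonymous request
    reset_fleet()
    print("hardened:", hardened_handler(anon))       # refuses it
```

The point of the hardened version is that the authorization decision is made on the server from state the caller cannot forge (the session and the ownership table), not from anything in the request itself, and that every deny is logged so an operator can spot a run of refused commands against many vehicles.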

Munro warned that it would be impossible for anyone to start the car again with the immobilizer fitted. The only option would be to have the tech removed entirely, he added. “We now control the immobiliser, so only we can de-immobilize the car.”

And, if the hacker turned the immobilizer on when the car is moving, it would simply prevent the car from running as soon as the engine stopped. As Munro noted, that could be “quite nasty” if the car has an auto start and stop function (such a feature is found in many modern models to help cut emissions in traffic).

Munro was also critical of Thatcham Research, the industry body which had given accreditation to the SmarTrack devices, saying it was safe to use. “People buy these devices thinking that the accreditation means something. We’ve shown that in some cases, fitting a theft tracker makes your car less secure,” Munro said.

Thatcham said that it accredits security products against a minimum set of requirements, including alarm and driver identification functionality. “The process also includes an attack test where the system on the vehicle needs to resist physical deactivation for two minutes,” the spokesperson added. “We do not, however, test the security of the vehicle system or the surrounding ecosystem.”

Fixes available

Fortunately for SmarTrack customers, the flaws have now been addressed. “All potential vulnerabilities have now been resolved,” a Global Telemetrics spokesperson said. “Our customers can be assured that no password or personal details were compromised by this process and there are no security or safety concerns with any of our products.

“Security has always been and remains of paramount importance to us and as a result of the contact from Pen Test Partners we now have reassessed our ongoing security improvement project to ensure we remain market leaders in security and safety.”

To deal with the issues, Global Telemetrics brought in cybersecurity consultancy Hedgehog Security. Peter Bassill, founder of Hedgehog, confirmed that what Munro claimed to have found was accurate.

Of the ability to shut down 25,000 cars at once, Bassill said: “It’s one of those assertions security researchers make… but there’s certainly capability where that could’ve happened… it certainly would’ve taken longer than one line of code, but the art of the possible is certainly possible.”

He said the vulnerabilities were likely down to developers writing code without enough attention to security. But Bassill has been working with new developers on the SmarTrack team to patch the vulnerabilities and set up processes to make sure issues are fixed quickly in the future.

But, as Bassill and Munro are warning, there are many immobilizers being used in millions of cars across the world. With many similar devices potentially containing security weaknesses, something we use every day without thought could very quickly become the latest weapon in a hacker’s arsenal.

-Thomas Brewster; Forbes

Technology

Facebook Is Still Leaking Data More Than One Year After Cambridge Analytica

Facebook said late Tuesday that roughly 100 developers may have improperly accessed user data, which includes the names and profile pictures of individuals in certain Facebook Groups.

The company explained in a blog post that developers primarily of social media management and video-streaming apps retained the ability to access Facebook Group member information longer than the company intended.

The company did not detail the type of data that was improperly accessed beyond names and photos, and it did not disclose the number of users affected by the leak.

Facebook restricted its developer APIs—which provide a way for apps to interface with Facebook data—in April 2018, after the Cambridge Analytica scandal broke the month before. The goal was to reduce the way in which developers could gather large swaths of data from Facebook users.

But the company’s sweeping changes have been relatively ineffective. More than a year after the company restricted API access, the company continues to announce newly discovered data leaks.

“Although we’ve seen no evidence of abuse, we will ask them to delete any member data they may have retained and we will conduct audits to confirm that it has been deleted,” Facebook said in a statement.

The social media giant says in its announcement that it reached out to 100 developer partners who may have improperly accessed user data and says that at least 11 developer partners accessed the user data within the last 60 days.

Facebook has been reviewing the ways that companies are able to collect information and personal data about its users since the New York Times reported that political consulting firm Cambridge Analytica harvested data of millions of users. Facebook later said the firm connected to the Trump campaign may have improperly accessed data on 87 million users.

The Federal Trade Commission slapped Facebook with a $5 billion fine as a result of the breach. As part of the 20-year agreement both parties reached, Facebook now faces new guidelines for how it handles privacy leaks.

“The new framework under our agreement with the FTC means more accountability and transparency into how we build and maintain products,” Facebook’s director of platform partnerships, Konstantinos Papamiltiadis, wrote in a Facebook post.

“As we work through this process we expect to find examples like the Groups API of where we can improve; rest assured we are committed to this work and supporting the people on our platform.”

Michael Nuñez

Technology

How A BlackBerry Wiretap Helped Crack A Multimillion-Dollar Cocaine Cartel

On August 18, 2017, four men travelling in a dual-engine speedboat carrying 1,590 pounds of cocaine were intercepted by the U.S. Coast Guard northwest of the Galapagos Islands.

The federal agents manning the channel chose to launch a helicopter to hover over the boat. With this aggressive move, the men began to jettison the bales of coke, each with their own GPS tracker so they could be picked up at a later date, according to the government’s narrative. They attempted to flee, and when they ignored the warning shots from the helicopter, the chopper fired rounds directly at the boat, disabling it.

After the bales were collected, the government realized they had just stopped a huge amount of cocaine from entering the U.S. In total, it carried a street value of $25 million. The four men, all Ecuadorians, were swiftly arrested and charged.

Though the cartel had set up a sophisticated, multilayered operation that sought to slip coke into the country and up to Ohio via land, air and sea, they had made a crucial error: They used BlackBerry phones. As the drug barons chatted about shifting cocaine and how to avoid the narcs over BlackBerry Messenger, a wiretap on a server in Texas was quietly collecting all their communications.

In a case that’s Narcos meets The Wire, federal agents have, since June 2017, been listening in on that server. And beyond that interception, Forbes can exclusively reveal it is yielding results. On Friday, an Ohio court is unsealing charges against one of the crew’s top brass: Francisco Golon-Valenzuela, 40.

Known as El Toro, Spanish for The Bull, the Guatemalan was extradited from Panama earlier this week and is appearing before a magistrate judge today. (Forbes hasn’t yet made contact with his counsel for a response but will update if comment is forthcoming.)

Described as one of various organizers and leaders of the unnamed cartel, El Toro is charged with conspiring to distribute at least 5 kilograms or more of cocaine on the high seas. As a result, he’s facing between 10 years and life in prison.

A key to BlackBerry

For any organized crime operation, BlackBerry has always been a poor choice. No longer extant since being decommissioned in spring this year, BlackBerry Messenger did encrypt messages, but the Canadian manufacturer of the once-ubiquitous smartphone had the key. And all messages went through a BlackBerry-owned server. If law enforcement could legally compel BlackBerry to hand over that key, they would get all the plain-text messages previously garbled into gibberish with that key.

Compare this to genuine, end-to-end encrypted messaging apps like WhatsApp or Signal; they create keys on the phone itself and the device owner controls them. To spy on those messages, governments either have to hack a target device or have physical access to the phone. Both are tricky to do, especially for investigations of multinational criminal outfits. Police can put a kind of tap on a WhatsApp server, known as a pen register.

This will tell them what numbers have called or messaged one another, and at what date and time, but won’t provide any message content. This makes those apps considerably more attractive to privacy-conscious folk than those where the developer holds the keys, though sometimes to the chagrin of law enforcement.

It’s unclear how or when the DEA got access to the BlackBerry server. A so-called Title III order was issued, granting them court approval to carry out the wiretap, though that remains under seal.

It proved vital to the investigation. “There would be no case without the Title III on BlackBerry Messenger,” said Dave DeVillers, who was recently nominated as U.S. Attorney for the Southern District of Ohio. “The defendants, the seizures, the conspiracy were all identified with the Title III.”

A spokesperson for BlackBerry said: “We do not speculate or comment upon individual matters of lawful access.” The company has, however, previously made its stance on encryption public: Unlike other major tech providers like Apple or Google, BlackBerry will hand over the keys if it’s served with a legitimate law enforcement request.

If the police did receive a key from BlackBerry, it wouldn’t be the first time. Back in 2016, it emerged that the Royal Canadian Mounted Police (RCMP) had decrypted more than one million BlackBerry messages as part of a homicide investigation dating back to 2010.

As per reports from that time, it’s possible to use one of BlackBerry’s keys to unlock not just one device’s messages, but those on other phones too. Forbes asked the DOJ whether investigators would’ve been able to access other, innocent people’s BlackBerry messages as part of this wiretap, but hadn’t received a response at the time of publication.

Fishermen and spies

However those BlackBerry messages were intercepted, they helped illuminate a dark criminal conspiracy constructed of myriad parts. As revealed in today’s indictment, made known to Forbes ahead of publication, the gang employed “load coordinators.” Think of them as project managers, helping locate drivers for trucks and boats while finding people to invest in the cocaine.

Fishermen and other maritime workers were also allegedly recruited, both to refuel the drug barons’ ships and to help transport the powder, prosecutors said.

Other individuals became ad hoc spies, sharing information on the activities and locations of police and military personnel trying to intercept shipments, according to the government’s allegations. Other coconspirators sheltered individuals who were at risk of extradition—not that it saved El Toro.

Forbes first became aware of the investigation in 2017, when a search warrant detailed various BlackBerry intercepts. In one, a pair of cartel employees discussed having to put some cocaine transports on hold because of a multinational maritime exercise—the Unitas Pacifico 2017—taking place in their shipment lanes, according to the warrant. BlackBerry wasn’t the only major tech provider to help on the case: that search warrant was for a Google account linked to one of the suspects, which investigators believe was used for further logistics.

The investigation has revealed that the 2017 seizure wasn’t the only time the cops had disrupted what was evidently a criminal enterprise worth hundreds of millions. In May 2016, long before the BlackBerry wiretap went up and the investigation into the cartel had begun in earnest, U.S. authorities intercepted 1,940 pounds of coke near the Guatemalan-Mexico border, worth another $30 million.

Despite such successes, DeVillers told Forbes the American government will never interdict its way to ending the drug trade. “We can only disrupt it,” he added. “And if we turn the tools used by the cartels to run their organization against them, we do just that.”

-Thomas Brewster; Forbes

Health

How Virtual Therapy Apps Are Trying To Disrupt The Mental Health Industry

Millions of Americans deal with mental illness each year, and more than half of them go untreated. As the mental health industry has grown in recent years, so has the number of tech startups offering virtual therapy, which range from online and app-based chatbots to video therapy sessions and messaging. 

Still a nascent industry, with most startups in the early seed-stage funding round, these companies say they aim to increase access to qualified mental health care providers and reduce the social stigma that comes with seeking help. 

While the efficacy of virtual therapy, compared with traditional in-person therapy, is still being hotly debated, its popularity is undeniable. Its most recognizable pioneers, BetterHelp and TalkSpace, have enrolled nearly 700,000 and more than 1 million users respectively. And investors are taking notice.

Funding for mental health tech startups has boomed in the past few years, jumping from roughly $100 million in 2014 to more than $500 million in 2018, according to Pitchbook. In May of this year, the subscription-based online therapy platform Talkspace raised an additional $50 million, bringing its total funding to just under $110 million since its 2012 inception.

The ubiquity of smartphones, coupled with the lessening of the stigma associated with mental health treatment have played a large role in the growing demand for virtual therapy. Of the various services offered on the Talkspace platform, “clients by far want asynchronous text messaging,” says Neil Leibowitz, the company’s chief medical officer.

Users seem to prefer back-and-forth messaging that isn’t restricted to a narrow window of time over face-to-face interactions. At BetterHelp, founder Alon Matas notes that older users are more likely to go for phone and video therapy sessions, whereas younger users favor text messaging.

“Each generation is getting progressively more mobile-native,” says John Prendergass, an associate director at Ben Franklin Technology Partners’ healthcare investment group, “so I think we’re going to see people become increasingly more accustomed, or predisposed, to a higher level of comfort in seeking care online.”

The ease and convenience of virtual therapy is another draw, particularly for busy people or those who live in rural areas with limited access to therapy and a range of care options.

Alison Darcy, founder and CEO of Woebot, a free automated chatbot that uses artificial intelligence to provide therapeutic services without the direct involvement of humans, says that with Woebot and other similar services, there is no need to schedule appointments weeks in advance and users can receive real-time coaching at the moment they need it, unlike traditional therapy. The sense of anonymity online can also lead to more openness and transparency and attracts people who normally wouldn’t seek therapy.

Along with stigma, the cost of therapy has historically acted as a barrier to accessing quality mental-health care. Health insurance is often unlikely to cover therapy sessions. In most cities, sessions run about $75 to $150 each, and can go as high as $200 or more in places like New York City. Web therapists don’t have to bear the expense of brick-and-mortar offices, filing paperwork or marketing their services, and these savings can be passed on to clients. 

BetterHelp offers a $200-a-month membership that includes weekly live sessions with a therapist and unlimited messaging in between, while Talkspace’s cheapest monthly subscription, at $260 a month, offers unlimited text, video and audio messaging.

But virtual therapy, particularly text-based therapy, is not suitable for everyone. Nor is it likely to make traditional therapy obsolete. “Online therapy isn’t good for people who have severe mental and relational health issues, or any kind of psychosis, deep depression or violence,” says Christiana Awosan, a licensed marriage and family therapist. 

At her New York and New Jersey offices, she works predominantly with black clients, a population that she says prefers face-to-face meetings. “This community is wary of mental health in general because of structural discrimination,” Awosan says. “They pay attention to nonverbal cues and so they need to first build trust in-person.”  

Virtual therapy apps can still be beneficial for people with low-level anxiety, stress or insomnia, and they can also help users become aware of harmful behaviors and obtain a higher sense of well-being. 

Sean Luo, a psychiatrist whose consultancy work focuses on machine learning techniques in mental health technology, says: “This is why some of these companies are getting very high valuations. There are a lot of commercialization possibilities.” He adds that from a mental health treatment perspective, a virtual therapy app “isn’t going to solve your problems, because people who are truly ill will by definition require a lot more.”

Relying on digital therapy platforms might also provide a false sense of security for users who actually need more serious mental-health care, and many of these apps are ill-equipped to deal with emergencies like suicide, drug overdoses or the medical consequences of psychiatric illness. “The level of intervention simply isn’t strong enough,” says Luo, “and so these aspects still need to be evaluated by a trained professional.”

Ruth Umoh, Diversity and Inclusion Writer, Forbes Staff.
