5 April 2019
Security experts fool a Tesla car into driving on wrong lanes
Tesla’s Autopilot feature has come under scrutiny after white hats tricked one of its cars into driving into the wrong lane. Security researchers from Tencent’s Keen Security Lab experimented with the lane recognition technology in the Autopilot feature and found that it could be misled by lane stickers laid out on the road. Furthermore, the researchers remotely accessed the Autopilot software and even controlled the steering system. Enhanced Autopilot in a Tesla Model S 75 was tested in terms of both the related hardware and software: the software ran version 2018.6.1 and the hardware was version 2.5. The researchers devised two approaches, the ‘Eliminate Lane attack’ and the ‘Fake lane attack’, to trick the Autopilot feature. The former involved disturbing lane markings to make them look blurred; however, the lane recognition technology worked well under these circumstances. The latter involved placing three square-shaped stickers at an intersection to serve as interference patches. Autopilot failed to recognise that these were stickers and followed a wrong lane. The report also covered inaccuracies found in Tesla’s Auto Wipers, as well as in the steering system. The experts note that adversarial-example research was referenced extensively in designing the manipulation. “We used an improved optimisation on algorithm to generate adversarial examples of the features (autowipers and lane recognition) which make decisions purely based on camera data, and successfully achieved the adversarial example attack in the physical world,” the researchers wrote. Currently, Tesla has only acknowledged the remote access issue in the software and has fixed it with patches. However, it did not find the lane research credible enough, since the lane attacks were performed in a controlled environment.
Bithumb cryptocurrency exchange hacked; $20 million worth EOS and Ripple cryptocurrencies stolen
The Bithumb cryptocurrency exchange platform suffered a cyberattack on March 29, 2019. The exchange stated in a security notification that it detected an abnormal cryptocurrency withdrawal on March 29, 2019, via its abnormal trading monitoring system. Attackers stole 3 million EOS worth $13.4 million and 20 million Ripple coins (XRP) worth $6 million. Bithumb disclosed that all the stolen cryptocurrency came from the company’s own wallet and that members’ assets are secure in the cold wallet. An internal inspection revealed that the incident is an ‘accident involving insiders’. Upon detecting the abnormal transaction, Bithumb blocked all deposit and withdrawal requests and secured all cryptocurrency in a cold wallet. The company is working closely with KISA, the Cyber Police Agency and security companies to investigate the incident. It is also working with large exchanges to recover the stolen cryptocurrency. The exchange is developing an internal workforce verification system to prevent such an incident from happening in the future, and is working to resume deposits and withdrawals as soon as possible. “Bithumb exchange is certified ISMS and applied to multi-signature withdrawal scheme. We constantly monitor and block external hacking. However, it was our fault that we only focused on defense of outside attack and lack of verification of internal staff,” Bithumb said.
Bug in the Skype Android app makes it automatically answer incoming calls
Android device owners are complaining about a bug in Skype that makes it automatically answer incoming calls. The Skype Android app has a setting called ‘Answer incoming calls automatically’, an accessibility feature that lets disabled users have calls answered automatically and lets other users remotely check on their children and pets while they are away. However, users reported that the Skype Android app automatically answers incoming calls even when the feature is disabled. Users complained about the bug in Microsoft’s answers forum. One user reported that his Skype app automatically answered incoming calls after a few seconds even when his phone was in his pants pocket, and noted that his Android device was paired with a smartwatch. Many other users also reported that calls were being answered automatically when their Android device was paired with a smartwatch, and one user noted that when his smartwatch pairing was disabled, Skype stopped answering calls automatically. However, not all users who faced this issue had a paired smartwatch. A Microsoft support agent began asking users who complained on the forum about the issue and promised that a fix is on the way. Microsoft updated the Skype for Android app at the end of March, but that update has not fixed the issue. Microsoft is already working on a fix and has already fixed the issue in the latest Skype preview app, so an official update is expected to be released soon.
JS-sniffers infect 2440 websites worldwide to steal customers’ payment card details
Almost 540 million Facebook user records left exposed on Amazon cloud servers
Researchers from UpGuard uncovered two misconfigured Amazon cloud servers belonging to third-party companies that contained over 540 million Facebook user records. The first AWS S3 storage bucket belonged to a Mexico-based company named ‘Cultura Colectiva’. This bucket was 146GB in size and stored almost 540 million Facebook user records. The exposed records include users’ account names, Facebook IDs, comments, likes, and more. Upon discovering the leaky bucket, UpGuard contacted Cultura Colectiva twice but received no response. UpGuard then notified Amazon Web Services about the unprotected bucket and received a response that the owner had been made aware; however, the bucket was still not secured. UpGuard then notified Bloomberg about the issue, who in turn contacted Facebook for comment. Only then, after almost 3 months, was the bucket finally secured. The second AWS S3 storage bucket belonged to the ‘At the Pool’ Facebook game. This bucket stored Facebook records such as users’ Facebook IDs, lists of Facebook friends, likes, photos, groups, check-ins, and user preferences such as movies, music, books, and interests. The leaky bucket also contained plain-text passwords for almost 22,000 users. The ‘At the Pool’ bucket had been secured even before UpGuard sent a formal notification email. Despite Facebook having some of the best cyber-security experts and security-related features, data leaks related to Facebook occur every other day. Even though data exposed by third parties is beyond Facebook’s direct control, Facebook and the third-party app developers on its platform should jointly take responsibility and work towards protecting users’ private data.
Newly discovered malware ‘Xwo’ scans for default credentials and exposed web services
Researchers from AT&T Alien Labs spotted a new malware dubbed ‘Xwo’ which is capable of scanning for default credentials and exposed web services. This malware is related to two other malware families, namely the MongoLock ransomware and XBash, but it does not itself include any ransomware or exploitation capabilities. Researchers detected Xwo being served from a server as a file named xwo.exe. Upon execution, the malware performs an HTTP POST request with a random User-Agent chosen from a hardcoded list. It then receives instructions from its C&C server containing an encoded public network range to scan. After scanning for services and collecting information, it sends the collected information back to its C&C server via another HTTP POST request. Researchers recommend that network owners avoid the use of default service credentials and ensure that publicly accessible services are restricted wherever possible.
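The beaconing pattern described above (repeated HTTP POSTs to one destination under a rotating User-Agent) is something a defender can look for in outbound proxy logs. The following is an added example, not code from the Alien Labs report: it runs over constructed log lines, and the log field layout, the `.invalid` hostnames and the distinct-User-Agent threshold are all assumptions.

```python
"""Flag clients that POST to a single destination under several different
User-Agent strings, the Xwo-style beaconing pattern described above.
Added example; log format and threshold are assumptions, not from the report."""
from collections import defaultdict

# Constructed sample proxy log lines (not real indicators):
# timestamp  client_ip  method  destination_host  user_agent
SAMPLE_LOGS = """\
2019-04-01T10:00:01 10.0.0.5 POST c2.example.invalid Mozilla/5.0 (Windows NT 6.1)
2019-04-01T10:00:31 10.0.0.5 POST c2.example.invalid curl/7.58.0
2019-04-01T10:01:02 10.0.0.5 POST c2.example.invalid python-requests/2.21.0
2019-04-01T10:01:33 10.0.0.5 POST c2.example.invalid Wget/1.19.4
2019-04-01T10:02:00 10.0.0.7 GET www.example.invalid Mozilla/5.0 (X11; Linux)
2019-04-01T10:02:10 10.0.0.7 POST www.example.invalid Mozilla/5.0 (X11; Linux)
2019-04-01T10:02:20 10.0.0.7 POST www.example.invalid Mozilla/5.0 (X11; Linux)
"""


def parse_line(line):
    """Split one log line into (client, method, dest, user_agent).

    The User-Agent may contain spaces, so it is taken as the remainder
    after the first four whitespace-separated fields."""
    _timestamp, client, method, dest, ua = line.split(maxsplit=4)
    return client, method, dest, ua


def find_ua_rotation(log_text, min_distinct=3):
    """Return {(client, dest): distinct_ua_count} for every client/destination
    pair whose POST requests used at least min_distinct User-Agent strings.

    A normal client keeps one User-Agent per destination, so a high count on
    POSTs to one host is worth a look; tune min_distinct to your environment."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, method, dest, ua = parse_line(line)
        if method == "POST":
            seen[(client, dest)].add(ua)
    return {pair: len(uas) for pair, uas in seen.items() if len(uas) >= min_distinct}


if __name__ == "__main__":
    for (client, dest), count in find_ua_rotation(SAMPLE_LOGS).items():
        print(f"{client} -> {dest}: {count} distinct User-Agents on POST")
```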