Car Wash Hack Can Strike Vehicle, Trap Passengers, Douse Them with Water (vice.com)
84 points by Tchang7 on Aug 26, 2017 | 38 comments



This constant barrage of FUD from the cybersecurity community is exhausting. The real story here is that a combination of misconfigurations resulted in a system being exposed to remote exploitation. Until we in security move away from producing this noise about the latest clickbaity hack and start professionally addressing underlying hygiene, root causes, and config laziness at scale, we will never drive the conversation forward. But that doesn't get your talk accepted at Black Hat.


The point is not to deliver a measured and realistic view into the specific security threats, for the entertainment of experts. The point is to show the broad public what the logical extremes of vulnerability are, so that the public exerts some market pressure, and seeks out the help of third parties to ensure that things within this realm do not happen in their cars.


We have to acknowledge that the underlying issues here won't ever be understood by the broader public. These kinds of "here's what happens when..." stories are among the most important ways that we can get your message across.


Many hardware manufacturers simply don't understand the danger of using software willy-nilly. You can tell them all day long about using sane defaults, but they won't listen.

Malfunctioning hardware that physically damages their customers' property, on the other hand, is something the significance of which they will understand immediately. A few lawsuits here and there, a few percent off of their stock price -- this is the language they speak, and we must learn to speak it too if we want to encourage them to do something.


Same issues as those faced in the field of scientific research, really. Pressure to put out something flashy coupled with sensational journalism adding even more fantastical hype over the top.

Question is, what did we use to have that drove research efforts in the more beneficial ways we used to see?


> Question is, what did we use to have that drove research efforts in the more beneficial ways we used to see?

I don’t know the answer to your question, but decoupling progress from profits would be a good idea.

An international body dedicated to knowledge and research for their own sake, funded by everyone, maybe?


Xerox PARC and Bell Labs?


Sure but I mean - What was the secret sauce that drove us to have PARC and Bell? What motivations were there then that have gone away now? Can we get them back?


Well, yes. But at the same time what other mechanism would you suggest to educate the large segment of the population that has absolutely no inkling of the mechanics of security? I don't see any and stories like this illustrate in a way that is accessible to all what the consequences of lax security could be. As such I think it serves a valid purpose, even if to those more knowledgeable like you it comes across as FUD.

And even within the security community there is a shift in the last couple of years with sexy names and bespoke websites for specific vulnerabilities. Apparently there is a need to get security out of the technical realm and into the public eye for reasons that transcend FUD.


If there is no scenario the public can understand the problems will just be waved away using arguments such as 'I don't care, I don't have anything to hide', 'Perfect security is impossible, it's good enough' etc.


This view is increasingly outdated. The public view/ed the internet as something harmless but the moment there are real-world consequences they will inform themselves and take things seriously very quickly. Self-preservation is universal.


Another reason the IOS is a truly terrible concept. There is no need to have a toothbrush or car wash connected to a global network.


I suspect that many times it is not intentional.

It's just that when you have a computer connected to two networks, it takes very little for it to act as a router.


Even simple things like default passwords being the first few numbers of the product's serial number wouldn't be that bad.


Only if the serial numbers were random and not, well, serial.


Given that the state of the situation now is often "learn one password, pwn the entire class of devices", a default that was vulnerable to literally any other vector of attack seems like a marked improvement. It's easier to protect against a brute force or dictionary attack on any individual device than it is to protect against a single magic default admin credential being discovered - rate limit password submissions, lockouts after subsequent failures, etc.

Sure, if someone can look at the sticker on the bottom of my router and see the serial number and learn the default password that way without having to attack it iteratively, that's still a problem. But a random default password would have to be communicated to the end user somewhere, too... and as with most things, by the time an attacker has physical device access you've already lost.


But serial serial numbers would turn one password into a small handful, not that much better of an improvement.

A lot of routers come with random, long passwords printed on them as the default. No reason this shouldn't be standard.


While I agree there's a lot of clickbait from cybersecurity that really has to stop because some of them are really ridiculous and cause the cry wolf syndrome. Like the ones where "Researchers can find out what you are thinking by just listening to scans of your brain from your wifi router!!1". Where they conveniently leave out the detail that they first require physical access to your wifi router to implant a special program, then a training set targeting exactly you built up over 10 years in a perfectly controlled environment, then the attack must be performed in this exact environment, they have just identified one type of thought and that they only managed to repeat the attack once where the result was more likely to be a fluke than deliberate.

But I don't think this looks like one of them; they seem to have a very easy and reproducible attack entry point open for everyone and the consequences are very tangible.


The rise of "cyber" nonsense and the army of certified cyber-warriors produces intense pressure to get CPEs and to get attention.


CVEs?


Continuing Professional Education


This is an excellent illustration of how software failsafes are unacceptable in internet-connected pieces of hardware interacting with human beings. At a minimum you want all your interlocks to connect to a logic board with an FPGA that cannot be upgraded remotely (to avoid someone overriding the FPGA programming using an updated bitstream).


Truth. Just hearing "software failsafes" makes me queasy: https://en.wikipedia.org/wiki/Therac-25


What does interlock mean in this context?


See linked Wikipedia article for explanation.


Normally a post like that is accompanied by a link to a Wikipedia article.



True, sorry. User wpietry already posted the link, I just wanted to point out that the whole story is available there, which includes the answer to his question.


> We believe this to be the first exploit of a connected device that causes the device to physically attack someone

Is this really the first time anyone has found an exploit that lets them control a motorized door? Because that seems kind of surprising.


Perhaps one that controls a motorized door, but this is not the first vulnerability with the capacity to cause actual physical harm to a human, no. For example: https://www.wired.com/2015/07/hackers-remotely-kill-jeep-hig...


I don't understand how the arm sprays water on passengers while they are inside the car. I can imagine this working if you knew where the cabin air intake is, but the article is very vague on this point (which is the only claim that is remotely surprising to me...)


>> They could also manipulate the mechanical arm to hit the vehicle or spew water continuously, making it difficult for a trapped occupant to exit the car

They've simply extrapolated on this capability to make the headline more clickable


When someone lends you their robotic car wash for you to test a theory, generally you don't want to wreck their robotic car wash.


From the article:

Rios says he became interested in the car washes after hearing from a friend about an accident that occurred years ago when technicians misconfigured one in a way that caused the mechanical arm to strike a minivan and douse the family inside with water. The driver damaged the vehicle and car wash as he accelerated quickly to escape.

It is not explicitly said, but I suspect that the arm smashed a window and that allowed the water inside the van.


Sounds very Invader Zim-like.


I did not get that either, but I can see a way to do it: use the spray arm to smash a side window. They're not laminated and shatter easily.


"All systems—especially internet-connected ones—must be configured with security in mind," Gerald Hanrahan of PDQ wrote. "This includes ensuring that the systems are behind a network firewall, and ensuring that all default passwords have been changed. Our technical support team is standing ready to discuss these issues with any of our customers."

Kind of customer-blaming. Maybe it's true that the hacks were done on poorly-protected systems but apart from having better security, it seems like all these companies need better communications, too.


> "We believe this to be the first exploit of a connected device that causes the device to physically attack someone," Billy Rios, the founder of Whitescope security, told Motherboard.

I won't argue that, but at the same time I was very reminded of this:

https://www.reddit.com/r/talesfromtechsupport/comments/5pazb...



