Tag Archives: Security

Broadcom Wi-Fi Chipset in Recent Devices Vulnerable to Attack

Proof-of-concept code demonstrates a vulnerability in the firmware of two wireless chips produced by Broadcom, the BCM4325 and the BCM4329.

Some of the recent devices that have these Broadcom wireless chips are:

    • iPhone 4
    • iPad
    • iPad 2
    • HTC Droid
    • Incredible 2
    • Motorola Droid X2
    • Some Edge model cars manufactured by Ford with built-in Wi-Fi

When the vulnerability is exploited, the Wi-Fi connection is unusable for the duration of the attack. Once the attack is over, the device works normally again. Other features of the device are unaffected by the Wi-Fi disruption.

Andrés Blanco, a researcher from Core Security, told Ars Technica, “The only requirement to exploit the vulnerability is to have a wireless card that supports raw inject of 802.11 frames.”

Andrés Blanco did say, “We are not sure that we could retrieve private user data but we are going to look into this,” which does make this vulnerability seem less threatening.

Android Apps Expose Personal Data Because of Flaws in SSL Implementations

German researchers analyzed a sample of 13,000 Android applications and found that more than 1,000 contained serious flaws in their SSL implementations.

The researchers, from Leibniz University in Hannover and Philipps University of Marburg, published their findings in this paper (PDF). They found that 17 percent of the SSL-using apps in their sample suffered from implementations that potentially made them vulnerable to man-in-the-middle (MITM) attacks.

The researchers claim they were “able to capture credentials from American Express, Diners Club, PayPal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary e-mail accounts, and IBM Sametime”.

In addition, since anti-virus software also uses SSL, “We were able to inject virus signatures into an anti-virus app to detect arbitrary apps as a virus or disable virus detection completely.”

This issue has come about because of developers misusing the SSL settings the Android API offers.

Examples given by the researchers include apps that are instructed to trust all certificates presented to them (21 of the 100 apps selected for a MITM test), and 20 of the MITM-tested apps were configured to accept certificates regardless of the associated hostname (for example, an app connecting to PayPal would accept a certificate from another domain). Other issues included SSL stripping and “lazy” SSL implementations by developers.
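The two misconfigurations described above can be spotted in an app's Java source with a simple static check. The following is an added example, not code from the researchers' paper: the rule names and the sample sources are constructed for illustration, and the patterns are heuristics rather than a full parser.

```python
import re

# Heuristic patterns for the two misconfigurations named above. Comments are
# stripped first so a body holding only a comment still counts as empty.
RULES = {
    "trust-all-certificates": re.compile(
        r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}"),
    "hostname-check-disabled": re.compile(
        r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}"
        r"|ALLOW_ALL_HOSTNAME_VERIFIER|AllowAllHostnameVerifier"),
}

def strip_comments(src):
    # Naive: also removes '//' inside string literals, fine for this heuristic.
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def scan(java_source):
    """Return the sorted names of the rules that match the given Java source."""
    code = strip_comments(java_source)
    return sorted(name for name, rx in RULES.items() if rx.search(code))

# Constructed sample sources, not taken from any real app.
TRUST_ALL = """
class NaiveTrustManager implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] c, String a) { }
    public void checkServerTrusted(X509Certificate[] c, String a)
            throws CertificateException {
        // accept everything
    }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
"""
ANY_HOST = """
conn.setHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
});
"""
DEFAULTS = """
URL url = new URL("https://example.com/");
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
"""

if __name__ == "__main__":
    for label, src in [("TRUST_ALL", TRUST_ALL), ("ANY_HOST", ANY_HOST),
                       ("DEFAULTS", DEFAULTS)]:
        print(label, scan(src))
```

Code that leaves the platform's default trust manager and hostname verifier in place, as in the `DEFAULTS` sample, produces no findings.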

The researchers also noted that a number of apps provided insufficient feedback to users, for example, failing to tell the user whether or not it was using SSL to transmit user credentials.

BMW Cars Vulnerable To Blank Key Attack

Most modern vehicles, like the BMW, have an on-board computer hidden in them. This computer basically controls the engine and makes sure everything is working correctly.

One of the functions this computer controls is the car’s electronic key, which all BMWs have had since 2006. The electronic key communicates with the computer via radio signal, and that allows you to start the vehicle. The system has been designed to allow a new key to be programmed should the old one be lost.

Someone has cracked BMW’s technology for programming the keys and managed to simplify the process. This process used to take 40 minutes and required specialist equipment.

A device now exists that allows anyone to access the on-board computer and program a blank key. It is very easy to use and the process takes little more than three minutes to complete. The device was actually designed and marketed for garages and recovery agents, among others.

Criminals can reuse the device to make different keys for different vehicles. Because it works on many BMW models and can be used repeatedly, criminals are happy to pay for it even though the price is high.

A BMW spokesperson's response:

Criminal activity of all kinds is becoming increasingly sophisticated and particularly in this electronic age evolves with incredible speed. For highly complex, valuable and desirable products like cars, this has been a constant battle for manufacturers, legislators, the police and of course the owners of these cars. Organised crime has turned its attention to profits which can be made when stealing premium cars to order and selling them under false identities or, more often, breaking them up for parts and selling them piecemeal.

Certain criminal threats, like the one you have highlighted, simply do not exist when cars are designed and developed. This does not mean the car companies have done anything wrong, neither are they legally obliged to take any action.

However, BMW has always taken security extremely seriously and has worked closely with police forces around the country (and the world), with Thatcham and with the industry body, the SMMT (The Society of Motor Manufacturers and Traders) to understand and mitigate against car crime wherever possible. Therefore, when we were made aware of this new form of attack, we took it very seriously and immediately launched an investigation.

A vital point to acknowledge here is that there is no such thing as the ‘unstealable’ car, as Ron Cliff knows well. If a criminal decides they want your car, they will find a way to take it. Our job is to make it as difficult as possible.

Can BMW confirm it is aware of the issues raised above?
We are aware of this new type of high-tech car crime, which is certainly not restricted to BMW, but is an industry wide issue. Manufacturers and police forces are in a constant battle against the increasing sophistication of organised car criminals.

When did BMW become aware of the security issues outlined above?
We have a close working relationship with the Metropolitan Police and with Thatcham and first became aware of this new type of car crime in autumn 2011. We immediately started an investigation, which was a complex process to establish the exact method of attack and the technical implications.

What is BMW doing to rectify the security problems?
There is no specific BMW security issue here, this is something which affects many brands, however organised criminals have targeted particularly desirable cars, with higher value parts and that is why BMW is amongst the brands affected.

BMW prides itself on its vehicle security systems and all BMWs meet all UK and global security standards. Our engineers and technicians review all aspects of our vehicles constantly, including security systems, and after extensive research we are clear that none of our latest models – new 3 Series, 5 Series, 6 Series and 7 Series – nor any other BMW built after September 2011 can be stolen using the method you have highlighted.

For cars built before this date our investigations, jointly with the police, have identified late model BMW X5 and X6 as cars which have been focused on by organised criminals. We are now taking steps to mitigate against this type of theft for these two models and are contacting customers accordingly. For obvious security reasons we cannot say what these measures are.

Other models, including earlier M cars, as featured in your programme, are also being looked at to see if similar measures might be applied.

What advice can you offer your customers?
We agree with the general advice to customers given by the Police:

    • When using remote locking, ensure the car has actually locked by checking a door.
    • Be careful with your keys and who you give them to (e.g. valet parking). There is a risk that they could be cloned.
    • Wherever possible park your car out of sight, in a locked garage or under the cover of CCTV cameras.

In addition: We recommend servicing your BMW at dealerships capable of providing software updates (e.g. authorised BMW Dealerships) on a regular basis to give the opportunity of further enhancing theft protection.

I am pleased to say that we have now had further information from our technical team which means that we will be able to offer the same mitigating measures mentioned in relation to X5 and X6, to any concerned BMW owners, starting within the next eight weeks. This will mean that the car cannot be taken using the piece of equipment you highlight. Of course this will not render the car unstealable, but it will address this particular form of attack.

Any customer who is concerned about this issue can contact our customer service department on 0800 083 4397 or their dealer, either of which will be happy to advise.