
Wednesday, August 17, 2016

8/11/16 Weekly News Highlights, Vulnerabilities in Samsung Pay, Volkswagen locks, and Bluetooth doors, oh my!

Welcome back to Astria Horizon, your source for practical information news across the web. If you use Samsung Pay, our article today will inform you about a current vulnerability, as well as explain how to avoid the risks yourself. Plus, there is major news on vulnerabilities in the remotes used to unlock Volkswagen vehicles from 1995-2016, and why you need to do some research before buying a Bluetooth door lock. Read on for our summaries of these articles.


1. CSO Online, "Samsung both denies and admits mobile payment vulnerability."

Last week's Black Hat security conference brought all sorts of presentations about vulnerabilities, and one that's caused a stir is in the contact-free payment method, Samsung Pay. According to CSO Online's article, security researcher Salvador Mendoza discovered a vulnerability in the payment method, where the data tokens from an unfinished transaction could be used to steal a victim's credit card for use on another contactless payment device. Samsung initially denied the vulnerability existed, but has since released a more detailed statement essentially saying that the attack is possible, but extremely unlikely.

The attack would require an attacker to be very near to the phone to access its NFC field, generally within inches. Small devices to read the tokens generated for payment can be created, however, and can even be designed to be worn around the wrist, hidden under a sleeve. The simplest way to prevent this type of theft if you use Samsung Pay is to be careful not to create any transactions you do not intend to finish. This prevents an unused token from being generated, and thereby leaves nothing for a cyber-criminal to steal. If you do end up starting a transaction without completing it, be sure not to let any strangers handle your phone. Keeping tabs on your device is one of the best countermeasures to this vulnerability.

2. Security Week, "Millions of Cars Vulnerable to Remote Unlocking Hack."

As cars become more and more integrated with software and new technology, new cyber-threats to our main method of transportation are bound to pop up. This article from Security Week, however, discusses a method of unlocking vehicles made as early as 1995, primarily by Volkswagen. It seems that the company uses very few encrypted codes to secure the signal to unlock their vehicles with a remote, and a thief who obtains this encryption could use it to recreate the signal sent from any remote to unlock VW vehicles within a 300 ft. radius. The newest VW vehicles are fortunately not affected by this vulnerability.

Other vehicles too were found to have weaknesses in their remote entry. HiTag2, another method of securing the signal to unlock cars with a remote, is found in vehicles made by Ford and Chevrolet, and has weaknesses of its own. The encrypted key needed to make sense of the signal for these models is based on a series of 4-8 rolling codes, which also could be obtained by a relatively unskilled hacker. The additional difficulty here is that the hacker would have to record the victim pressing the unlock button on the car several times, but even this is little challenge for a patient thief.

Unfortunately, with so many vulnerable vehicles on the market, it's unlikely that either of these will be patched for current vehicles. Fortunately, the researchers have not publicly disclosed their findings, and so it is possible criminals will be unaware of how to perform these attacks. Still, the only way to entirely prevent it is unfortunately just to use the standard key to unlock your car.

3. Tech Hive, "Many Bluetooth Locks Open Easily for Attackers."

Yet more vulnerabilities have turned up at the recent security conferences, this one affecting a newer technology: Bluetooth-based smart locks. These are locks that require you to enter a code with a special app on your phone to unlock the door. But according to the Tech Hive article, researchers have found exploitable flaws in most of the Bluetooth locks on the market, and many could be hacked with very minimal effort. Four of the 16 locks they tested even transmitted the unlock signal in plain text, so that anyone with a basic Bluetooth sniffing device could obtain the code needed to open the door themselves.

The more concerning issue is that few of the manufacturers seem to care about these exploits. One company even went so far as to state they were aware of the flaw and had no intention of fixing it. This seems to be increasingly common in newer "smart home" devices, and many items such as WiFi-enabled thermostats and lightbulbs only end up creating more weaknesses in security. In the case of door locks, the weakness could even give thieves access to your home. Many of these devices are simply still very new, and haven't been properly tested. The best advice is to avoid such technology for the moment, or at the very least don't buy the door locks that transmit plain text.


That's all for this week, thanks for stopping in at Astria Horizon. If you'd like more information on how the experts at Astria Business Solutions can help you stay secure, visit our website at AstriaBiz.com
 