1. CSO Online, "Samsung both denies and admits mobile payment vulnerability."
Last week's Black Hat security conference brought all sorts of presentations about vulnerabilities, and one that has caused a stir concerns the contactless payment method Samsung Pay. According to CSO Online's article, security researcher Salvador Mendoza discovered a vulnerability in the payment method: the data token generated for an unfinished transaction could be captured and used to charge the victim's credit card on another contactless payment device. Samsung initially denied that the vulnerability existed, but has since released a more detailed statement essentially saying that the attack is possible, but extremely unlikely.
The attack requires the attacker to be very near the phone, generally within inches, in order to reach its NFC field. Small devices that read the tokens generated for payment can be built, however, and can even be designed to be worn around the wrist, hidden under a sleeve. The simplest way to prevent this type of theft if you use Samsung Pay is to be careful not to start any transaction you do not intend to finish. This prevents an unused token from being generated, and thereby leaves nothing for a cyber-criminal to steal. If you do end up starting a transaction without completing it, be sure not to let any strangers handle your phone. Keeping tabs on your device is one of the best countermeasures to this vulnerability.
2. Security Week, "Millions of Cars Vulnerable to Remote Unlocking Hack."
As cars become more and more integrated with software and new technology, new cyber-threats to our main method of transportation are bound to pop up. This article from Security Week, however, discusses a method of unlocking vehicles made as early as 1995, primarily by Volkswagen. It seems that the company uses very few secret keys to protect the signal that unlocks its vehicles from a remote, and a thief who obtains one of these keys could use it to recreate the signal sent from any remote and unlock VW vehicles within a 300 ft. radius. The newest VW vehicles are fortunately not affected by this vulnerability.
Other vehicles, too, were found to have weaknesses in their remote entry systems. HiTag2, another method of securing the signal that unlocks a car from a remote, is found in vehicles made by Ford and Chevrolet, and has weaknesses of its own. The key needed to make sense of the signal for these models can be recovered from a series of 4-8 recorded rolling codes, which a relatively unskilled hacker could also obtain. The additional difficulty here is that the hacker would have to record the victim pressing the unlock button several times, but even this is little challenge for a patient thief.
Unfortunately, with so many vulnerable vehicles on the market, it is unlikely that either of these weaknesses will be patched in current vehicles. Fortunately, the researchers have not publicly disclosed their findings, so it is possible that criminals will be unaware of how to perform these attacks. Still, the only way to entirely prevent them is simply to use the standard key to unlock your car.
3. Tech Hive, "Many Bluetooth Locks Open Easily for Attackers."
The more concerning issue is that few of the manufacturers seem to care about these exploits. One company even went so far as to state that it was aware of the flaw and had no intention of fixing it. This seems to be increasingly common in newer "smart home" devices, and many items such as Wi-Fi-enabled thermostats and lightbulbs only end up creating more weaknesses in security. In the case of door locks, the weakness could even give thieves access to your home. Many of these devices are simply still very new and have not been properly tested. The best advice is to avoid such technology for the moment, or at the very least not to buy door locks that transmit in plain text.
That's all for this week, thanks for stopping in at Astria Horizon. If you'd like more information on how the experts at Astria Business Solutions can help you stay secure, visit our website at AstriaBiz.com.