Security

At Least Five LiDAR Challenges for Vehicles

Leave a comment

Sensors Online has a nice summary of the current product management view for LiDAR manufacturers. They spell out these five concerns:

  1. Size
  2. Cost
  3. Reliability
  4. Range
  5. Eye Safety

Conspicuously missing from the list (pun not intended) is integrity of the data.

Reliability in the above list refers only to environmental risks (“replace the moving parts with a solid-state alternative with each component able to meet Grade 1 temperature and qualification”) instead of the sort of overconfidence in imagery I’ve spoken about in the past (August 2014 “Babar-ians at the Gate: Data Protection at Massive Scale,” Blackhat USA)

To be fair, the article is kind of a hidden marketing pitch, written by a company promoting its new line of products:

…patented flip-chip, back-emitting VCSEL arrays that combine high pulsed power arrays, integrated micro-optics, and electronic beam steering on a chip.

So it makes sense they aren’t going to talk about the more fundamental flaws in LiDAR that their company/product isn’t solving.

Energy, Security

EV Charging Station Vulnerability

Leave a comment

Anyone else read this article about the bug in a Schneider product?

At its worst, an attacker can force a plugged-in vehicle to stop charging

At its best, an attacker can give away power for free.

That’s basically it. A hardcoded password meant the power could be disabled, although really that means it could be enabled again too. Breaking news: a switch installed in public places could be switched without special switching authorization.

It’s kind of like those air pumps at gas stations that say you need to insert $0.25 when really you just have to push the button, or at least yell at the person in the station booth “hey I need some air here, enable the button so I can push it” and you get air for free.

Breaking news: I got some air for my tires without inserting a quarter. Someone call TechCrunch journalists.

Seriously though, it would be news if someone actually had to pay for a plugged-in tire to start filling.

If a gas station owner insists that you have to pay for air even after you’ve used the pump, stand your ground. If that doesn’t work, here’s the form to report the station to state officials.

That’s right, and speaking of denial of service…an attacker could even run off with a gasoline pump hose (they have safety release mechanisms) or an air hose. Such a brazen attack would leave cars that have tires and gas tanks without services when they pull into a station.

Fuel host disconnects do happen fairly often, by the way. So often there are even videos and lots of news stories about why and where it happens (protip: bad weather is correlated):

And yet TechCrunch wants us to be scared of EV cables being disconnected:

…unlock the cable during the charging by manipulating the socket locking hatch, meaning attackers could walk away with the cable.

Safety first, amiright? Design a breakaway and attackers can walk away with the cable…for safety.

Such a “vulnerability story” as this EV one by TechCrunch makes me imagine a world where the ranking of stories has a CVSS score attached…a world where “news” like this can theoretically never rise above stories with a severity actually worth thinking about.

An attacker could disable or enable a charging point, where charging status is something easily monitored and on a near-continuous basis. Did your car just stop charging? It’s something you and the provider ought to know in the regular course of using a power plug.

This ranks about as low as you can go in terms of security story value…yet a journalist dedicated a whole page to discuss how a public power-plug can be turned on and off without strong authentication.

Security

Dust-sized battery-free AI sensor with RF-free wireless

Leave a comment

The title of this post is the announcement I just received in a CES invite to assess product security. Well, technically it was a “VIP lounge” invite more than a “please break our product” invite, but I treat them the same if you know what I mean.

Perhaps most infamously when I went to CES many years ago and met with 3Com to review their brand new wifi access points (first to market), I immediately pointed out that hard-wired WEP keys was a VBI (very bad idea). 3Com product managers were unapologetic, citing usability as their ace card. “Nobody will use wifi if we make key management hard” they said like a blackjack player scooping all the chips into their lap. We both were right, but they no longer exist (acquired 2010 by HP and never heard from again).

I suppose today what stands out to me most about this new announcement is the “dust-sized” marketing.

Some may remember I have presented in by “big data security” talks specifically on the paranoia that should accompany any developments in dust level of tracking devices, as well as the ironic fact that if you walk in an obfuscating level of dust (more probably sand) it leaves obvious tracks.

Cretaceous period (127m year old) dust printsCretaceous period (127m year old) dust print

I’m looking forward to breaking this new product to point out the VBIs, and maybe even coming up with something like “sweep deprivation” models.

History, Security

IBM Watson Sued by LA County for Secretly Tracking Users

Leave a comment

Let’s get one thing out of the way. IBM’s Watson was instrumental to the Nazi Holocaust as he and his direct assistants worked with Adolf Hitler to help ensure genocide ran on IBM equipment.

When IBM’s director of worldwide media relations, John Bukovinsky, was asked about the disclosures in 2001 and 2002 of the company’s involvement in facilitating the extermination of millions of Jews, Gypsies and others, he replied, “That was six years ago [sic].” When a reporter pointed out that the Holocaust itself was some 60 years ago, Bukovinsky quipped, “So what. What is the point?”

The idea that IBM would want to market their big data system after the man notorious for meeting with Nazi leaders to deliver counting machines for genocide…it’s a pretty big sign that the evils of Watson are something to keep an eye out for even in the present day.

As Edwin Black wrote in “IBM and the Holocaust: The Strategic Alliance between Nazi Germany and America’s Most Powerful Corporation“:

Thomas Watson was more than just a businessman selling boxes to the Third Reich. For his Promethean gift of punch card technology that enabled the Reich to achieve undreamed of efficiencies both in its rearmament program and its war against the Jews, for his refusal to join the chorus of strident anti-Nazi boycotters and isolators and instead open a commercial corridor the Reich could still navigate, for his willingness to bring the world’s commercial summit to Berlin, for his value as a Roosevelt crony, for his glitter and legend, Hitler would bestow upon Thomas Watson a medal — the highest it could confer on any non-German.

Fast-forward to today and IBM’s Watson has been charged with user location tracking using an innocent-sounding weather app.

In a complaint filed Thursday in California state court, the city alleges IBM used detailed location data from users for targeted advertising and to identify consumer trends that might be useful to hedge funds, while at the same time telling consumers their location would only be used to localize weather forecasts. The suit doesn’t allege personally identifiable information was sold.

“Unbeknownst to many users, the Weather Channel App has tracked users’ detailed geolocation data for years,” the complaint alleges, calling the Weather Channel’s actions “unfair and fraudulent.” The complaint also says the Weather Channel profited from the data, “using it and monetizing it for purposes entirely unrelated to weather or the Weather Channel App.”

Again, it’s hard to fathom that IBM would want to name a big data machine Watson. It’s even harder to fathom that someone in IBM thought lying about user location tracking to monetize ill-gotten data was a good move…but then I just go back to them naming their machine Watson.