Posted in Commentary with tags Kia on September 27, 2024 by itnerd
This is the second time in a week that I am going to say this: my wife and I are keeping our current car until it dies. This time it isn’t because of potential privacy issues. It’s because cars these days are connected to the Internet, which means they can be pwned. Here’s an example of that:
Today, a group of independent security researchers revealed that they’d found a flaw in a web portal operated by the carmaker Kia that let the researchers reassign control of the internet-connected features of most modern Kia vehicles—dozens of models representing millions of cars on the road—from the smartphone of a car’s owner to the hackers’ own phone or computer. By exploiting that vulnerability and building their own custom app to send commands to target cars, they were able to scan virtually any internet-connected Kia vehicle’s license plate and within seconds gain the ability to track that car’s location, unlock the car, honk its horn, or start its ignition at will.
After the researchers alerted Kia to the problem in June, Kia appears to have fixed the vulnerability in its web portal, though it told WIRED at the time that it was still investigating the group’s findings and hasn’t responded to WIRED’s emails since then. But Kia’s patch is far from the end of the car industry’s web-based security problems, the researchers say. The web bug they used to hack Kias is, in fact, the second of its kind that they’ve reported to the Hyundai-owned company; they found a similar technique for hijacking Kias’ digital systems last year. And those bugs are just two among a slew of similar web-based vulnerabilities they’ve discovered within the last two years that have affected cars sold by Acura, Genesis, Honda, Hyundai, Infiniti, Toyota, and more.
“The more we’ve looked into this, the more it became very obvious that web security for vehicles is very poor,” says Neiko “specters” Rivera, one of the researchers who both found the latest Kia vulnerability and worked with a larger group responsible for the previous collection of web-based car security issues revealed in January of last year.
“Over and over again, these one-off issues keep popping up,” says Sam Curry, another member of the car hacking group, who works as a security engineer for Web3 firm Yuga Labs but says he did this research independently. “It’s been two years, there’s been a lot of good work to fix this problem, but it still feels really broken.”
This isn’t just a bad look for Kia. It’s a bad look for the entire car industry. George McGregor, VP at Approov Mobile Security, had this to say:
“This shows how mobile app security and backend API security must be considered together. The attacker was able to copy the app’s behavior and the backend checks were not sufficient to distinguish these requests from those from a valid app.
“In fact the API needs contextual information about what is going on in the device and the app to be able to prevent this kind of vulnerability being exploited. And the assessment of device and app needs to be thorough and happen continuously so that every request is validated as being legitimate.
“An effective app attestation solution such as the one from Approov can easily stop unauthorized apps, bots, cloned mobile apps or scripts from accessing your APIs and provide a Zero Trust approach that prevents this kind of exploit.”
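To make the point in that quote concrete, here is an added toy model of a connected-car portal’s “reassign control of this vehicle” endpoint. It is not Kia’s code, Approov’s code, or a description of the actual bug; the weak version shows the class of check the quote calls insufficient (any authenticated caller is trusted), and the hardened version adds an object-level owner check plus a per-request attestation token, modelled here as a constructed HMAC so the example runs offline. All VINs, account ids and keys are constructed.

```python
"""Toy model of a vehicle-control portal endpoint (constructed example)."""
import hashlib
import hmac
import time

# Constructed secret shared between the backend and the attestation service
# that vouches for genuine app instances. Not a real key.
ATTESTATION_KEY = b"constructed-attestation-key"

# Constructed ownership registry: VIN -> account id of the current owner.
VEHICLES = {"VIN-CONSTRUCTED-0001": "owner-alice"}


def mint_attestation(device_id, body, now=None):
    """Attestation-service side: sign (device, exact request body, expiry) so a
    token is good for one specific request and only for a short window."""
    exp = int(now if now is not None else time.time()) + 60
    msg = f"{device_id}|{body}|{exp}".encode()
    sig = hmac.new(ATTESTATION_KEY, msg, hashlib.sha256).hexdigest()
    return f"{device_id}.{exp}.{sig}"


def verify_attestation(token, body, now=None):
    """Backend side: recompute the MAC over the body actually received and check
    expiry, so a token replayed against a different request is rejected."""
    try:
        device_id, exp_s, sig = token.split(".")
        exp = int(exp_s)
    except (ValueError, AttributeError):
        return False
    if (now if now is not None else time.time()) > exp:
        return False
    msg = f"{device_id}|{body}|{exp}".encode()
    expected = hmac.new(ATTESTATION_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def reassign_control_weak(session_user, vin, new_owner, vehicles=None):
    """'Before' version: any logged-in account may move control of any VIN.
    Authentication alone says nothing about who owns the car or which client
    sent the request, which is the gap the quoted remarks describe."""
    vehicles = VEHICLES if vehicles is None else vehicles
    if session_user is None or vin not in vehicles:
        return False
    vehicles[vin] = new_owner
    return True


def reassign_control(session_user, vin, new_owner, token, body,
                     vehicles=None, now=None):
    """Hardened version: the request must carry a valid attestation token for
    this exact body AND the caller must be the vehicle's current owner."""
    vehicles = VEHICLES if vehicles is None else vehicles
    if session_user is None or vin not in vehicles:
        return False
    if not verify_attestation(token, body, now):
        return False  # not from an attested app instance (script, clone, replay)
    if vehicles[vin] != session_user:
        return False  # object-level authorization: only the owner of record
    vehicles[vin] = new_owner
    return True
```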
The car industry simply needs to do better when it comes to security. Because at present, it looks like they as a whole don’t take security very seriously. Though they are free to prove me wrong at any time by describing how they are going to do better on this front and how long that will take.
The UAC prompt is essential for preventing unauthorized actions by providing a security checkpoint for administrators. However, this exploit removes that safeguard, enabling attackers to execute high-level tasks without detection or administrative approval. This could have significant consequences, particularly in environments where elevated permissions are tightly controlled, such as corporate networks or government systems.
Impact: Allows unauthorized escalation to high integrity without UAC, introducing serious post-compromise risks
Affected Systems: Windows 10, Windows 11, Windows Server 2019/2022 (with all updates applied)
Current Status: Microsoft has not classified this as a vulnerability according to their security criteria, but Fortra urges organizations to be aware of the risks, as this exploit can be used for privilege escalation post-compromise.
Fortra has developed a full working proof of concept and provided detailed insights into the vulnerability’s two-stage process, all of which can be found on their Security and Trust Center page: https://www.fortra.com/security/advisories/research/fr-2024-002.
Posted in Commentary with tags Samsung on September 26, 2024 by itnerd
Samsung today unveiled the Galaxy Tab S10 Ultra and Galaxy Tab S10+, Samsung’s first tablets purpose-built for AI. The premium hardware includes 14.6-inch and 12.4-inch Dynamic AMOLED 2X displays — the ideal canvas for the intuitive S Pen bundled with both models. Performance upgrades for the Galaxy Tab S10 Ultra include an 18% increase in CPU, 28% increase in GPU, and 14% increase in NPU compared to the Galaxy Tab S9 Ultra.
This improved processing power enables faster and more responsive Galaxy AI features, which are now easily accessible with written prompts using the new Galaxy AI Key on the Book Cover Keyboards to customize the AI assistant. Innovative software includes features such as Note Assist and Drawing Assist, optimized for the tablet form factor. The Galaxy Tab S10 series also acts as a home AI device, with a 3D Map View available through SmartThings that gives a visual overview of the home and all connected devices to streamline device management across the SmartThings ecosystem. Robust Samsung Knox security also provides data privacy and control.
Built on Samsung’s legacy of providing powerful experiences, the Galaxy Tab S10 Ultra and Galaxy Tab S10+ harness significant leaps in AI processing power to deliver a supercharged experience. The Galaxy Tab S10 Ultra includes an 18% increase in CPU, 28% increase in GPU, and 14% increase in NPU compared to the Galaxy Tab S9 Ultra. Coupled with a long-lasting battery life and Super-Fast Charging, the Galaxy Tab S10 series can be used for longer, with less time spent waiting for it to charge.
The Galaxy Tab S10 Ultra’s 14.6-inch display and Galaxy Tab S10+’s 12.4-inch display both feature innovative Dynamic AMOLED 2X technology and offer a vibrant yet natural viewing experience, even outdoors. Details are clear with its advanced anti-reflective technology, minimizing distracting glare and reducing reflection. The series’ quad speaker setup is further enhanced with AI-powered Dialogue Boost, which amplifies voices over unwanted noise to create ultra-clear audio. And for use on the go, the Galaxy Tab S10 series offers an IP68 rating further protected by enhanced Armour Aluminium.
The Galaxy Tab S10 series offers an efficient experience — enhancing productivity — and serves as the ideal canvas to let out your creative side.
With Note Assist and the intuitive S Pen, notetaking is a breeze on the tablet’s large display. Schoolwork, note-taking, and personal journaling become more efficient with automated transcriptions and summaries provided by AI.
With PDF Overlay Translation, the Galaxy Tab S10 series can also seamlessly translate PDFs via an on-screen overlay.
Handwriting Help cleans up untidy handwritten notes, too.
Galaxy AI’s Sketch to Image makes the Galaxy Tab S10 Ultra great for turning imagination into reality, acting as a creative assistant for overcoming mental roadblocks.
With Circle to Search with Google on the Galaxy Tab S10 series, you can Circle to search anything without switching apps. Instantly translate anything you see on your tablet with Google. Without switching apps, you can translate any image, video or text in two taps. Quickly get the info you need, then get right back to what you’re doing. Circle to Search can even recognize and outline steps for solving physics and math problems.
The Galaxy S Pen’s Air Command provides instant access to your AI Assistant features without toggling between menus. These AI Assistant apps can also be easily launched by the Galaxy AI Key on the Book Cover Keyboard with written prompts, making it easier for users to choose between Samsung’s Bixby and Google’s Gemini for a customized AI experience.
I had a look at these new tablets earlier this week and here are my first impressions:
This is a picture of the S10 Ultra with the optional keyboard case. But the S10+ version has an option for the keyboard case as well.
And what’s cool about the case is that you can hide the S Pen underneath a flap on the case so that you don’t lose it.
Posted in Commentary with tags Samsung on September 26, 2024 by itnerd
Samsung today announced the Galaxy S24 FE in addition to the Canadian retail availability of the Galaxy Ring, the latest expansion to the Galaxy AI ecosystem that delivers new premium mobile and wearable experiences to users.
I had a look at both items recently and here are a few shots that I took:
The big thing that gets my attention is the fact that it comes with a 120Hz screen. That’s something that the equivalent iPhone doesn’t offer.
It has the look and feel of Samsung’s other premium phones. So there’s no FOMO for buyers.
And there’s some fun case options for buyers to choose from.
Powered by the AI-based ProVisual Engine and Galaxy AI’s Photo Assist features, Galaxy S24 FE showcases an enhanced camera setup that empowers users to be more creative. It’s a great device for gaming on the go with a 6.7-inch Dynamic AMOLED 2X display, a long-lasting 4,700mAh battery, and a powerful Exynos 2400 series chipset. Galaxy S24 FE offers premium Galaxy AI tools and ecosystem connectivity to enhance communication, productivity and creativity, all housed in an iconic design and protected by robust Samsung Knox security.
Galaxy S24 FE makes it easy for anyone to take stunning photos and videos. Its premium camera setup features a 50MP wide lens and 8MP telephoto lens with 3X optical zoom, both supported by optical image stabilization (OIS), plus a 12MP ultra-wide lens and a 10MP selfie camera.
The camera system’s capabilities are further elevated by Samsung’s dynamic ProVisual Engine, an AI-driven camera engine that takes visual quality to incredible heights. A new feature to the FE series, ProVisual Engine’s technology leverages advanced AI algorithms to deliver breathtaking detail and remarkably subtle textures:
Nightography with AI image signal processing (ISP) to improve low light performance, enabling beautiful night portraits
Works with the 50MP Adaptive Pixel Sensor of the wide camera to enable optical-quality performance at zoom levels from 2x, in addition to the optical 3x zoom. AI Zoom also enhances image quality at distances between digital zoom lengths.
Object-Aware Engine recognizes scenes and optimizes colours in SuperHigh Dynamic Range (HDR), providing vibrant and lifelike photos and videos.
When it is time to edit, Photo Assist features breathe life into ideas. Since its introduction with the Galaxy S24 series devices, Galaxy AI has become invaluable for editing images and expressing creativity:
Generative Edit reassembles the world through object moving and removal capabilities, allowing more creative freedom
Portrait Studio reimagines selfies as cartoons, comics, watercolour paintings, or sketches to add flair to online profiles
Edit Suggestions quickly remove pesky flaws, such as reflections, with the press of a button
Instant Slow-mo captures every second of life’s important moments in a snap
The powerful Exynos 2400 series chipset enables a gaming experience compatible with innovative features such as Ray Tracing. In a world where every bit of speed and efficiency counts, Galaxy S24 FE utilizes several key features:
An 1x larger vapor chamber improves cooling to maintain peak performance for longer durations.
The bigger 4,700mAh battery allows for longer use.
A 7-inch adaptive Dynamic AMOLED 2X display – the largest display used yet in the FE series – with up to a 120Hz refresh rate provides a smooth and stunning viewing experience.
Vision Booster optimizes colour and contrast to game even in sunlight.
Galaxy S24 FE incorporates the same advanced AI experience as the Galaxy S24 series. Designed to enhance work, simplify communication, and increase connectivity, Galaxy AI on the S24 FE offers tools that unlock new possibilities:
Circle to Search with Google satisfies curiosity with unprecedented ease
Interpreter instantly translates in-person conversations, even when offline
Live Translate breaks down communication barriers on phone calls
Chat Assist easily adjusts tone, grammar, and vocabulary in messages
Note Assist streamlines the note-taking process and automates formatting and translation. In Samsung Notes, you can get transcription, translation, and summarizing of voice recordings directly. Text in PDF files can also be translated and overlaid through PDF overlay translation.
Browsing Assist on Samsung Internet creates summaries or translates entire webpages
The Galaxy S24 FE will be available for order starting October 3, 2024, in the Blue, Graphite, Gray, and Mint colours.
Now over to the Galaxy Ring. Galaxy Ring offers a simple approach to everyday wellness, featuring Samsung’s proprietary sensor technology in a small unobtrusive form, and provides insights that help you understand yourself easily. Designed for 24/7 wellness monitoring, Galaxy Ring gives you around-the-clock customized insights and becomes more intelligent over time thanks to the advanced technology of Galaxy AI. The data and insights are integrated into Samsung Health for seamless access within one cohesive platform. Starting with sleep, the Galaxy Ring features Samsung’s sleep analysis and a sleep AI algorithm to help you easily understand your sleep patterns and build better habits. With Cycle Tracking, you can track your menstrual cycle through overnight skin temperature monitoring.
Holistic insights and motivational encouragement provided by Galaxy Ring empower you to wake up refreshed and ready to take on your day.
Here’s the inside of the Galaxy Ring where you can see the sensors that the Galaxy Ring uses.
Here’s the Galaxy Ring in its charging case. There’s a button in the middle that if you press it, you can get the level of charge of the case.
The charging case charges via USB-C.
If you go into the store, you will have to use this kit to find your ring size. It should be snug but not tight. If you however order online….
You will get this kit on the right to do the same thing. Then Samsung will send you your ring on the left.
The Galaxy Ring will be available for purchase in Canada starting October 3, 2024. Visit your nearest Samsung Experience Store to try out the new Galaxy Ring with hands-on experiences and use the sizing kit to find your comfortable fit before purchasing your Galaxy Ring. Galaxy Ring will be available for order at samsung.com/ca, Samsung Experience Stores, and participating authorized Canadian retailers.
Posted in Commentary with tags Redbird on September 26, 2024 by itnerd
Despite general advances in AI and LLMs in recent years, enterprise organizations have largely struggled to successfully use chat-based approaches for business intelligence in a way that is accurate, secure, and customized to their business. While consumer-centric tools like ChatGPT have shown great promise for more surface-level tasks rooted in general information from the internet, there has been a gap when it comes to applying the same technology to the deeper data analytics that enterprises need to run on their complex data ecosystems.
With the launch of its AI chat platform, Redbird is filling this void through AI agents designed to perform advanced data analytics on top of tooling that securely integrates with an organization’s data ecosystem. Users can engage these AI agents in natural language through chat interactions that don’t require technical knowhow. This enables the true self-serve analytics that legacy dashboarding tools like Tableau, Looker and PowerBI have promised but ultimately failed to deliver on given the limitations of a more rigid dashboarding approach.
Redbird’s AI platform leverages proprietary AI agents trained to do specific analytical tasks equivalent to what specialized human resources currently do. For example, Redbird has developed AI agents that can do data collection, data engineering, SQL analysis, data science, reporting, and domain-specific data analytics. These AI agents have access to Redbird analytical tools and can orchestrate as well as execute multi-step analytical tasks to answer user questions. Redbird AI has access to an admin layer where domain experts within an organization can load business logic, definitions, data ontologies, and existing assets like presentations or documents that provide the context needed for the AI to produce accurate results.
Redbird also solves for the infrastructure and security challenges involved with enterprise AI implementations through turnkey on-prem deployments that can run LLMs within contained environments on the enterprise’s own cloud. This means that all enterprise data is securely contained within that enterprise’s AI ecosystem and never used to train an LLM for use by other enterprises.
Throughout 2023, many enterprises watched developments in the LLM space from the sidelines wondering how the technology could be used within their organization. In 2024, they have started to test different approaches and allocate budget in search of an AI solution that actually works for them. Unfortunately, efforts to build solutions in house have proven costly and ineffective given the complexity of fusing LLM technology with unique, messy enterprise data ecosystems. 3rd party AI products like Microsoft Copilot have also failed to deliver the depth needed and instead opted for more of a surface level assistant approach. Redbird’s AI product is quickly gaining traction with some of the largest enterprise brands as an alternative to complicated in-house builds or surface-level 3rd party options.
Since raising its seed round in 2022, Redbird has increased its customer count 7X, tripled its team size, and built out an extensive AI ecosystem on top of its core data analytics automation platform, which it is now making accessible to enterprises more broadly. Redbird is now working with 8 of the Fortune 50 brands and also in the process of onboarding some of the largest government organizations in the US.
Founded by Erin Tavgac and Deren Tavgac, data analytics and AI experts with deep enterprise experience across the world’s largest brands, Redbird works with enterprise customers across diverse verticals. Since its founding, the Redbird team has expanded rapidly to include key AI engineering hires to help accelerate the development of Redbird’s AI product.
Redbird is excited to bring its AI product to the market to help enterprises unlock the potential of conversational BI for their organization, and recognizes this as a huge leap forward in its mission of democratizing data analytics.
A recent discovery by cybersecurity researcher Jeremiah Fowler revealed a concerning data breach at ChoiceDNA, a genetic DNA testing and DNA Face Matching service provider. The breach exposed over 8,000 biometric images for facial recognition, along with sensitive metadata such as names, email addresses, phone numbers, and order details.
This breach poses serious risks including non-consensual exposure of facial images, identity theft, targeted phishing attacks, and potential extortion. The unprotected database was easily accessible through a non-secure WordPress folder and contained personal information like racial or ethnic identity and reasons for facial DNA analysis.
Here are some highlights of our MagSafe Wallet: An Easy-Access Three-Card Wallet
Made with vegetable-tanned leather that develops a beautiful, unique patina over time and is rated gold by the Leather Working Group for environmental standards.
Top-rated protection keeps your cards safe, and silicone stripes with slip resistance make it easy to attach to MagSafe-compatible products.
Lined with luxurious Japanese microfiber lining with a satin-like finish.
Now available in two new colours, Green Smoke and Livid Green, shipping this October.
Posted in Commentary with tags Format on September 26, 2024 by itnerd
Format, the leading portfolio website provider for artists, designers, photographers, and creative professionals, is proud to partner with Kickback, an organization dedicated to empowering underserved youth through arts and sports. As part of this collaboration, Format is providing participants in Kickback’s Portfolio program with a free year of its portfolio services. As part of the Kickback program, youth photographers have an extraordinary opportunity to document the Canada Basketball Youth U15 & U17 tournament in Toronto, held from August 5-10, 2024—marking the first professional opportunity for many of these aspiring photographers.
Format sponsored a behind-the-scenes photoshoot of the Kickback youth in action, documented by sports photographer and Kickback alumni, Nicholas Williams. The partnership with Canada Basketball has provided these young photographers with a platform to gain real-world experience.
This year’s collaboration between Kickback and Canada Basketball is a testament to the value of mentorship and the positive impact of providing opportunities to underserved youth in the community. Format and Canada Basketball remain committed to fostering young talents and empowering the next generation of photographers.
Kickback is a non-profit organization that has been in existence since 2016. Founded by Jamal Burger, Kickback began with the belief that a new pair of shoes has the power to keep kids out of trouble. The organization provides sneakers and helps kids reframe the narrative by facilitating experiences and opportunities in sports, art, and education. Kickback is committed to creating a world of opportunity at the intersection of art and sport.
Format is a platform designed to help creative professionals—from emerging talents to seasoned experts—showcase their work and manage their online presence. Joining Zenfolio Inc. in 2021, Format has remained dedicated to supporting and empowering creatives at all stages of their careers.
Posted in Commentary with tags Nelson on September 26, 2024 by itnerd
As Ministries of Education introduced new curricula in Ontario, Alberta and other provinces across Canada this school year, school boards need to ensure teachers have the latest, accurate and trustworthy resources for their classrooms. To address those requirements, Nelson Education, Canada’s leading education content provider, has incorporated further updates to Edwin, the company’s digital learning ecosystem, for the 2024/2025 school year to reflect the recent curriculum changes. By popular demand, the company has also enhanced its “browse by curriculum” feature on Edwin, making it easier for teachers to access the latest curriculum-linked content for their subjects.
Committed to the individualized needs of students, teachers and administrators, Nelson aligns with the priorities set by Ministries of Education across Canada with digital content built for Canadian classrooms. It works with school boards and districts nationwide to deliver and update content that is relevant and curriculum-aligned for all learners. Some of the curriculum changes this year include Grades 4-9 Language, Grade 9 Science and Grade 9 Mathematics in Ontario; and Grades 4-6 English Language Arts and Literature, and Social Studies in Alberta, among other changes.
With Edwin, teachers can build culturally relevant, engaging and differentiated learning plans to support classroom equity. Multiple modes of content including text, audio and video enable students to learn and collaborate in ways that are right for them. With all subjects’ resources, interactive tools and notes in one place, the easy-to-use platform can relieve the time pressures felt by teachers.
One month into the school year, Nelson has already seen an 89 per cent increase in the number of teachers trained on Edwin at the end of the first week of school this year compared to last year.
Nelson helps teachers and improves student engagement
Nelson disrupted the education industry by launching Edwin in 2017, virtually reinventing itself from a century-old publisher into a digital content provider. Year over year, Edwin has been proven to reduce strains on teachers and help drive improved student outcomes. In a national survey conducted in January 2024, teachers reported saving almost one hour per week in lesson planning, finding resources and creating assessments by using Edwin, an equivalent of one prep period per week or one full week a year. They gave an A or A+ to Edwin’s subject content, classroom success and support. In 2021, a school board in Ontario also showed a 14 per cent increase in students who met or exceeded the provincial standards in Mathematics after using Edwin.
Engaging and reliable resources to support a variety of learning subjects
Educators rely on Edwin to provide timely, creative lesson ideas. For example, Edwin saw a 70 per cent spike in usage in November 2023 with teachers and students accessing not only curriculum related content, but also content about Remembrance Day, Indigenous Veterans Day and Recognize Treaty Rights and Relationships.
Edwin’s rich library of online resources supports core disciplines, other subjects and contemporary topics. It also goes beyond traditional classroom materials with learning tools to let students explore, create and collaborate. One major difference between Edwin and traditional textbooks or eBooks is users never get just one grade of content; it provides access to multiple grades to cover a wide range of student needs.
Edwin’s Classroom Success Team, made up entirely of educators, provides support for teachers and students throughout the school year. Free, monthly Live Lessons are also available for everyone. Most recently, a three-part series of Live Lessons: Truth and Reconciliation: Then, Now, Tomorrow was developed. Students can take a journey through Truth and Reconciliation in Canada by exploring three key aspects: Learning from the Past (Sept. 25), Navigating the Present (Sept. 30), and Inspiring the Future (Oct. 9).
For more information on Nelson’s digital learning ecosystem, Edwin, visit: https://edwin.app/.
Posted in Products with tags Apple on September 26, 2024 by itnerd
Since moving my desk setup to having my MacBook Pro in clamshell mode, I’ve missed having a trackpad. The reason being that Apple’s trackpads support gestures that can make doing a lot of things way faster than using a mouse. So after months of stalling, I finally bit the bullet and handed over $169 CDN to Apple to get this:
Meet the Apple Magic Trackpad. It supports Force Touch, which is the ability for the trackpad to react to how hard you press it. That’s handy for apps that actually support this feature. It also has zero moving parts, like the trackpads on Apple’s MacBooks. Thus everything you feel is simulated via Apple’s haptic feedback tech. So if you’re used to that, you’ll feel right at home. Finally, it supports multi touch gestures. More on that in a bit. It’s available in white or in the black that you see here. I don’t know about the white version of this, but the black version attracts fingerprints like crazy.
On the back is an on/off switch, as well as a Lightning port for recharging the trackpad seeing as it’s wireless. Much like the Magic Keyboard, I have to ask why do we not have USB-C on this in 2024? I guess that the EU needs to force Apple to get with the times as this is just dumb. For what it’s worth, the battery inside the trackpad lasts just over a month, and it comes with one of these:
It’s a USB-C to Lightning cable that is pretty good quality.
Back to why I got this for myself. Over the years I have come to rely on the multi touch gestures that Apple has offered in their notebooks to navigate and do things in macOS. If you’re interested in learning what these gestures are, this can help you. And the fact that this trackpad supports them immediately makes me way more productive at my desk. For example, I often use apps in full screen and swipe between them using the trackpad. And doing that takes far less effort with the trackpad than it does with a mouse. Having said that, this trackpad will not completely replace a mouse as it is simply not as accurate as a mouse. Thus I always have a mouse on standby should I need to do something that requires some level of accuracy. Color correcting a photo would be an example of that.
Here’s one thing that makes this trackpad worth considering. Unlike the Magic Mouse, which for reasons only Apple understands requires you to flip it over to charge it, rendering it useless in the process, you can use the trackpad while you charge it. It makes me think that these two devices were designed by two groups of people who clearly didn’t talk to each other.
So would I recommend the Apple Magic Trackpad? If you want to accelerate your workflow and don’t mind spending some time to learn the multi touch gestures, then yes. If you’re used to how your MacBook behaves and you want to replicate that on your desktop, then yes for that as well. Just don’t throw away your mouse as that will come in handy from time to time.
Oh, I have a message for Apple. You need to move these accessories to USB-C. It’s 2024 and you really have no excuse anymore.