CISPA, Game Dev Breaches, and Android Plane Hack
Though I’m traveling in Singapore for a security conference, I still found a few spare minutes for my weekly InfoSec news summary. This week I cover some Bitcoin mining malware, CISPA returning from the ashes, some game related network attacks, and most interestingly, an Android smartphone hacking an airplane. For the details, watch the video below.
By the way, I apologize for the shaky camera. I forgot my tripod on this trip and shooting video with a busy schedule has its challenges. Don’t forget to check out the Reference section if you want to learn more.
(Episode Runtime: 7:53)
Direct YouTube Link: http://www.youtube.com/watch?v=8tke-MEdmtA
Episode References:
- Skype phishing leads to bitcoin mining trojan – Securelist Blog
- House Intelligence panel says OK to CISPA – Computer World
- Winnti Game Dev attack details – Securelist Blog
- uPlay hack allows criminals to steal Ubisoft games – Techspot
- Researcher shows how to hack an airplane with an Android smartphone – The Register
- Airplane hacking presentation by Hugo Teso [PDF] – HITB.org
- Extras:
- FBI gets Verizon to track an aircard – Wired
- Security experts don’t like Facebook Home – PC World
- Bitcoin hacker hunted – SC Magazine
- Brainwave passwords? – Techcrunch
— Corey Nachreiner, CISSP (@SecAdept)
Hugo Teso, with no doubt, attract public attention to the problem of weak protection of on-board aircraft systems and their sub-components (like ACARS and ADS-B). And it happened just in time. I’ll try to explain why.
1. “Many different data types to upload” and “Many FMS (Flight management system) manufacturers, models and versions” interpreted by Hugo as main vulnerabilities (in his presentation). But I’ve also see “other side of the coin”. If there are many manufacturers, models and versions – then exploiting one particular set of devices from Rockwell Collins (on a particular version of particular real-time OS) doesn’t mean compromising Honeywell set of devices (worked under another real-time OS). It’s not the same, as create exploit for Windows 7, for example. Windows 7 installed on millions of PCs around the world, but for aircraft sub-systems there are a lot of base real-time OS_ems, like: vxWorks, INTEGRITY-178B, LynxOS, Qnx etc. “Once created – widely used” it’s not a case for hacks like this (with “SIMON” toolkit or similar).
2. This particular hack shows that “hack of aircraft on-board systems is possible”. It’s not a sign of “big disaster coming”, or something like that. Hugo spent three years developing the code to create stand model on a particular set of devices. But it’s great, that “hack on-board systems” concept was presented right now, then “Many FMS manufacturers, models and versions” are created, and then manufacturers, ground service providers and airlines can take preventive measures protect on-board systems. Long before active/massive hacking of such systems will be possible.
What you published made a bunch of sense. But,
consider this, suppose you composed a catchier post title?
I ain’t suggesting your information is not solid., however what if you added something that makes people want more? I mean WatchGuard Security Week in Review: Episode 59 – Android PlaneSploit | WatchGuard Security Center is a little vanilla. You should look at Yahoo’s
home page and see how they write article headlines to grab people interested.
You might add a related video or a related pic or two to get people interested about
what you’ve written. In my opinion, it might bring your posts a little bit more interesting.