Ways Automobile Companies Collect Customer Data

Automobiles collect data on a variety of aspects, including your identity, travel history, driving style, and more. According to automakers, this information is used to improve driving efficiency and the safety of driver and vehicle. However, without rules or regulations governing consumer privacy in cars and what automakers do with your data, users are left to guess.

Rent-a-car firms may well take advantage of every chance to increase their revenue and gain better control over their fleets. Surveillance technology is already in use, so they can easily track their customers. This capability was first created to avoid high insurance costs, reduce the likelihood of automobiles being stolen, and add new levies.

Companies that rent cars can keep records of the whereabouts and activities of their customers, and can quickly pick up on a client's behavior. Leading businesses have disclosed the installation of cameras and microphones in their vehicles. Customers can feel assured since they don't turn them on arbitrarily.

How Automakers Gather User Data:
  • Camera: Dashboard and reverse cameras can record an accident for insurance officials to view. However, in addition to providing date, time, and road position information, they can also show the route taken by the vehicle.
  • Key fob: The data recorded in a fob includes the VIN, the total number of keys that have been associated with a given vehicle, and the most recent times the car was locked and unlocked.
  • Informational system: It was previously possible to listen to music while driving on a simple cassette or CD player. Over time, these systems were replaced by Bluetooth, Wi-Fi, and USB devices controlled through touch screens or dashboard displays.
  • Black boxes: These are devices that track a driver's performance while operating a car. A driver's premium can be reduced if the black box data shows they are driving well.

Tracking devices aid in preventing thefts, recovering vehicles that have already been taken, and saving people in an accident. However, since all of this data is transmitted over an Internet connection, it is susceptible to interception. Additionally, the servers on which this data is housed are vulnerable to hacking. You continue to be in the dark regarding the collection and sharing of your personal data by automakers. It can be challenging, but in the future, one might have to find a workable solution to this dilemma. Always examine the security of your data, and from the outset, become familiar with the capabilities of the vehicles you rent or purchase.

Diebold Nixdorf ATM Bugs Allowed Attackers to Alter Firmware & Steal Cash

Security researchers at Positive Technologies have disclosed information on several vulnerabilities in Diebold Nixdorf ATMs that could have allowed an intruder to change the system's firmware and take cash.

The vulnerabilities, tracked as CVE-2018-9099 and CVE-2018-9100, were discovered in the CMD-V5 and RM3/CRS dispensers of Wincor Cineo ATMs, one in each device, and were patched a few years ago. In 2016, Diebold acquired Wincor Nixdorf, and the two firms eventually merged.

During research approved by the vendor, Positive Technologies found that, while the ATMs had a range of security mechanisms in place to combat blackbox attacks, such as end-to-end encrypted communication with the cash dispenser, it was actually easy to get past them.

The researchers worked out the command encryption used between the ATM computer and the cash dispenser, bypassed it, swapped the ATM firmware with an older version, and abused the flaws to direct the device to dispense cash.

While encryption is used to protect against blackbox attacks, the researchers observed that an attacker might steal the encryption keys and then load their own spoofed firmware onto the compromised ATM. In the code responsible for confirming the firmware signature, and in the firmware itself, the researchers were able to determine the elements involved in the check, particularly the public key and the signed data.

Positive Technologies explained, “As a signature verification algorithm, RSA was used with an exponent equal to 7, and the bit count of the key was determined by the size of the public part N. It turned out that if you fitted into the offsets at which the signature and public key were written, you could set almost any length.” 
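The following is an added example, not code from Positive Technologies or Diebold Nixdorf. It shows why a verifier that takes the RSA modulus, and therefore the key length, from the image it is checking proves nothing about origin, next to a verifier that pins the key and refuses older versions. The `Image` layout, the function names, the PKCS#1 v1.5 padding, the toy keys and the version floor are assumptions made for the illustration; only the exponent 7 comes from the quote above.

```python
import hashlib
from dataclasses import dataclass

E = 7  # public exponent named in the quoted write-up
PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 DigestInfo

@dataclass
class Image:  # hypothetical container, not the vendor's firmware format
    version: int
    payload: bytes
    embedded_n: int  # public modulus shipped inside the image itself
    signature: bytes = b""
    def signed_bytes(self) -> bytes:
        return self.version.to_bytes(4, "big") + self.payload

def _em(msg: bytes, k: int) -> int:  # expected PKCS#1 v1.5 encoding, k-byte modulus
    t = PREFIX + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def _rsa_ok(n: int, sig: bytes, msg: bytes) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or k < len(PREFIX) + 32 + 11:  # room for 8+ padding bytes
        return False
    s = int.from_bytes(sig, "big")
    return s < n and pow(s, E, n) == _em(msg, k)

def verify_naive(img: Image) -> bool:
    # Weak pattern: the key and its size both come from the data being checked.
    return _rsa_ok(img.embedded_n, img.signature, img.signed_bytes())

def verify_pinned(img: Image, pinned_n: int, min_version: int) -> str:
    # Hardened pattern: key fixed in the verifier, older versions refused.
    if img.embedded_n != pinned_n:
        return "untrusted-key"
    if not _rsa_ok(pinned_n, img.signature, img.signed_bytes()):
        return "bad-signature"
    return "ok" if img.version >= min_version else "rollback"

def demo_key(p: int, q: int):  # returns (n, d); only used to build samples
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def demo_sign(img: Image, n: int, d: int) -> Image:
    k = (n.bit_length() + 7) // 8
    img.signature = pow(_em(img.signed_bytes(), k), d, n).to_bytes(k, "big")
    return img

# Constructed toy keys from well-known primes; far too small for real use.
VENDOR = demo_key(2**255 - 19, 2**256 - 2**224 + 2**192 + 2**96 - 1)
OTHER = demo_key(2**384 - 2**128 - 2**96 + 2**32 - 1, 2**521 - 1)
```

`verify_naive` accepts any internally consistent image regardless of who signed it or how long the key is, while `verify_pinned` returns a distinct reason for a foreign key, a modified payload, and a correctly signed but outdated version.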

Before withdrawing money from the ATM, an attacker needs to find a way to send commands to the dispenser and to define the amount of money in each cassette. Diebold Nixdorf, which published fixes for these vulnerabilities in 2019, suggests enabling physical authentication when an operator installs firmware, to further prevent unauthorised access. The firm warned earlier this year that jackpotting attacks against RM3-based Cineo systems in Europe were on the rise.

Two Belarusians Arrested in Black Box ATM Attack

With the assistance of Europol, the Polish authorities have detained two individuals who carried out so-called ‘Black Box’ attacks on ATMs, in which criminals attach electronic devices to cash machines and electronically force them to dispense all of their money.

Two Belarusian residents have been arrested following the ATM 'jackpotting' attacks, which fraudulently led cash machines throughout Europe to dispense Euro 230,000 ($273,000).

According to a press statement released on July 29 by Europol, the criminals gained access to the ATM's cables by piercing or mounting pieces, and then physically connected the equipment to a laptop. The laptop was used to relay commands that made the ATM dispense all of its cash.

An ATM black-box attack is a type of ATM cash-out, a fraud against the financial system in which the culprit bores holes in the top of the cash machine to gain access to the internal infrastructure of the ATM. The ATM's cash dispenser is then connected to an outside electronic device, or black box, which uses native ATM commands to dispense money, circumventing the need for a card or transaction authorization.

The investigation, coordinated by the EU Law Enforcement Agency and its Joint Cyber-Crime Action Task Force (J-CAT), found that dozens of such "Blackbox" attacks have been committed by criminals in at least seven countries in Europe.

The hackers attacked only a certain ATM model, Europol stated. In its assessment, it declined to disclose the specific cash machine brand susceptible to the attack technique. The Polish police detained both suspects in Warsaw, Poland on 17 July. The investigation also involved German, Austrian, Swiss, Slovak, and Czech law enforcement authorities.

While ATMs are indeed a lucrative target, they often have major physical and virtual weaknesses. ATM vulnerabilities have been a frequent issue since hacker Barnaby Jack made an ATM dump all its money on stage at the Black Hat USA security conference in 2010.