Month: August 2018

In late 2016, security researcher Justin Shattuck was on assignment for an organization that was under a crippling denial-of-service attack by a large number of devices, some of which appeared to be hosted inside the network of a large European airport. As he scanned the airport’s network from the Internet—and later, with the airport operators’ permission, from inside the network—he was eventually able to confirm that the devices were indeed part of several previously unseen botnets that were delivering record-setting denial-of-service attacks on websites.

One of the infected devices was a wireless gateway from Sierra Wireless. Authorized IT administrators used it to connect to the airport network in the event that primary connection methods failed. Surprised that such a sensitive piece of equipment could become a foot soldier in a denial-of-service attack, Shattuck began to investigate. What he found shocked him. Not only did an Internet scan show that 40,000 such gateways were running in other networks, but a large percentage of them were exposing a staggering amount of sensitive data about the networks they were connected to.

Affecting human life

Worse still, it turned out that many of the unsecured gateways were installed in police cars, ambulances, and other emergency vehicles. Not only were the devices openly broadcasting the locations of these first responders, but they were also exposing configurations that could be used to take control of the devices and, from there, possibly control dash cameras, in-vehicle computers, and other devices that relied on the wireless gateways for Internet connections.

An informal probe at the time found that 47 municipalities and 29 police forces were using the unsecured devices. At one point early on, Shattuck, who is principal threat researcher for F5 Networks, tracked several vehicles as they drove around Houston. By tracking their locations over time and noticing the places they stopped regularly, Shattuck soon figured out they were police cruisers.

Shattuck said he has spent the past 22 months investigating the problem and helping wireless gateway providers—which, besides Sierra Wireless, also includes Moxa and Digi—to begin fixing it. Despite the efforts, he said scans regularly show large numbers of unsecured devices continue to expose not only emergency first responders but also remote pipelines, hydrogen refueling stations, traffic monitoring systems, tolls, bridges, and airports. Now, after almost two years of keeping the problem a carefully guarded secret, he plans to discuss it in detail Thursday at the Black Hat security conference in Las Vegas.

“It’s time to talk about this,” Shattuck told Ars. “This affects human life in ways you only see in movies.”

Shattuck said one of his chief concerns is that the unsecured devices reveal a host of sensitive information about first responders in real time. When someone first starts monitoring a feed, it’s not immediately clear that it’s coming from a device located in a police car or ambulance, but with a small amount of tracking it quickly becomes clear. A vehicle, for instance, that regularly shows up at the same precinct every eight hours is almost certainly a police cruiser. Similarly, a vehicle that frequently visits hospital emergency rooms is likely an ambulance. Often, Shattuck would see police cruisers regularly stop at a residence and stay there for several hours, an indication that the location might be the home of the officer.

Divulging that information over the open Internet presents a variety of risks. The most serious is the danger to first responders when their real-time location is broadcast without their knowledge. Police officers often rely on the secrecy of their location. Criminals or organized terrorists who got a hold of a feed might use it in a physical attack or to evade law enforcement. Because unsecured devices also give up configuration details about the networks they connect to, skilled hackers might also use the information to access police or hospital networks, monitor or erase dash cam footage, or monitor drivers’ Internet or radio communications.

“If someone can tell where those police officers are, then you can start to reroute them,” Shattuck said. “You can monitor them. You can tamper with the trusted device by taking it offline or man-in-the-middle the service.”

No easy fix

Fixing the problem has proven vexing, in part because it doesn’t stem from a single cause. In some cases, it’s the result of firmware bugs that don’t properly restrict Internet-reachable devices to authorized users. In other cases, it’s because the devices shipped with default login credentials that no one changed. In still other cases, someone configured services that leak sensitive data. The devices affected include Sierra Wireless Airlink models LS300, GX400, GX/ES440, GX/ES450, and RV50; the Digitransport WR44; and the Moxa Oncell G3.

“The central issue is that devices have been deployed with the configuration UI exposed to the public Internet instead of making use of a platform such as ALMS [short for Airlink Managed Service] for secure remote management and/or using product security features such as Trusted IP to restrict access to the device to approved hosts,” Larry LeBlanc, the chief security engineer for Sierra Wireless, said of the cause of his company’s products being unsecured. In many cases, third-party services are installing the devices using static, publicly accessible IP addresses and not changing default credentials.

Over the past few years, Sierra Wireless has issued six advisories here, here, here, here, here, and here. New Sierra Wireless products now ship with all available security patches and a secure-by-default posture—for example, the configuration interface hasn’t been enabled by default.

The company has also established a free security concierge service to help users secure their devices. Anyone who operates Airlink gateways reachable from the public Internet can use the service by calling Sierra Wireless Technical support at 877-552-3860. People who use gateways from other manufacturers should contact their technical support departments.

Shattuck said that despite how overlooked the small devices are, they represent a risk to emergency first responders.

“To them it’s just a black box in the ambulance,” he said. “They have no idea that little black box you hit your head on is the thing that lets people in. The point is we can control services connected to the device.”

WASHINGTON — California air regulators on Tuesday said they plan to keep tightening state vehicle emissions rules despite a

Trump

administration

proposal

last week that would strip the state of the ability to set its own limits.

The California Air Resources Board (

CARB

) proposed maintaining strict Obama-era rules mandating rising

fuel efficiency

requirements annually through 2025. The Trump administration has proposed freezing federal vehicle emissions requirements at 2020 levels through 2026.

“California will take all actions to ensure that the smart standards we developed in partnership with the auto industry to cut greenhouse gas emissions from vehicles stay in place,” said CARB Chair

Mary Nichols

in a statement from Sacramento.

“Dirty, gas guzzling vehicles are a direct assault on public health, and foreclose our ability to rein in air pollution and greenhouse gases,” she added.

California’s decision is nationally significant because the state is the largest U.S. auto market. Also, a dozen states and the District of Columbia have adopted California’s emissions rules, accounting for more than a third of all U.S. vehicle sales.

California is seeking public comments on ways to make the rules more flexible while still meeting goals to reduce carbon emissions.

The Trump administration said the Obama era rules were “not appropriate” and its freeze would help make vehicles more affordable. It said that under its proposal vehicles would average 37 miles per gallon in 2026, compared with 46.8 mpg under the Obama rule.

California and 18 other states said last week

they will fight the Trump administration’s freeze

in court, a legal battle that could leave automakers in regulatory limbo for years.

Last month, Nichols told Reuters California wants to work with automakers on revisions and she sees a “window” for a deal in coming months.

Two trade groups representing

General Motors Co

,

Volkswagen

AG,

Toyota Motor Corp

and other major automakers, sent letters to California Governor Jerry Brown and U.S. President Donald Trump last week urging negotiations for a compromise on one set of nationwide rules.

Automakers want changes to address shifts in consumer demand but also favor efficiency requirements continuing to rise.

California said under the Trump administration’s preferred option, emissions could increase by almost 14 million metric tons per year by 2025. The administration says freezing the limits would have little impact on average global temperature, even as projected U.S. oil consumption would increase by about 500,000 barrels daily.

California has received a waiver to set its own emissions rules as well as authority to require automakers to build a rising number of zero-emission vehicles. The Trump administration has proposed revoking that authority.

Reporting by David Shepardson.

Related Video:

Android 9 Pie launch day was yesterday, and while a major new version of Android is always a big deal, today Android hit another big milestone: the first ever day-one update on a non-Google phone.

For years, the Android ecosystem has made updating the OS of a device seem like an impossible task. Some of Android’s biggest OEMs take anywhere from three to six months to update their flagship phone, and this is the best support they offer—many devices do not get updated at all. Consider that Android 8.0 Oreo is about a year old now and has shipped on a whopping 12 percent of the Android active install base. The terrible state of Android updates has led some people to call Android a “toxic hellstew of vulnerabilities” due to all the devices running old software.