In recent weeks, a bumper crop of computer security scare stories have revealed that hackers could remotely attack your Jeep, your Android phone, your Mac and even a Brinks safe.
Security flaws are discovered all the time but, in recent years, it might have seemed as though everything breaks all at once in late July and early August. The timing is no coincidence, though. These hacks are released to generate buzz ahead of the two high-profile conferences in computer security held in Las Vegas this week: Black Hat, which began Aug. 1, and Def Con 23, which starts on Thursday. Here's a short list of the improvements we need.
Hackers remotely kill a jeep on the highway – with me in it
The season of digital horrors began with a July 21 story from Wired's Andy Greenberg detailing how researchers Charlie Miller and Chris Valasek took command of a Jeep Mr. Greenberg was driving, turning off the transmission and cutting the brakes. Worse, they did so without needing direct access to the car: A flaw in the in-car entertainment system was accessed using the vehicle's wireless Internet connection (yes, some cars have those now). Chrysler Fiat had to issue a recall on 1.4 million cars. More details will be revealed at Black Hat on Wednesday and Def Con on Saturday.
It only takes one text to hack 950 million Android phones
On July 27, Joshua Drake, a researcher with Zimperium, detailed how a text message could let hackers break into millions of smartphones powered by Google's Android operating systems, even on its most recent Jelly Bean version. The bug was in a media protocol called "Stagefright" that in some cases allowed an attacker to break in and delete the malicious text, so users wouldn't know they had been hacked. Google rushed a fix out to its manufacturing and phone carrier partners but, in the past, such updates have taken a long time to reach actual users. Zimperium promises more details at Black Hat on Wednesday.
Hackers tell how they cracked Brink's safe in 60 seconds
This seems like something somebody should have mentioned to the world-renowned physical security company Brinks: Don't put a computer in a safe if you want to keep the contents, well, safe. Two researchers – Oscar Salazar and Dan Petro from Bishop Fox – told reporters on July 27 that the CompuSafe Galileo sealed its own doom by offering an external USB port, allowing them to hack the strongbox with a USB stick and about 100 lines of code. More details Aug. 8 at Def Con.
Researcher hijacks remote access to OnStar
Samy Kamkar, an independent security researcher and entrepreneur, made a device that would sniff out WiFi transmissions between General Motors Corp.'s OnStar mobile app "RemoteLink" and any nearby cars, which the device can then use to locate, unlock and remote-start the target vehicle. He described the "OwnStar" device in a YouTube video on July 30, and GM immediately updated its apps. More details will be given at Def Con on Friday in a speech called "Drive it like you hacked it: new attacks and tools to wirelessly steal cars."
Researchers hack air-gapped computer with simple cellphone
This last vulnerability won't be at either Black Hat or Def Con, but will be detailed at the Usenix Security Symposium to be held in Washington, D.C. starting Aug. 12. One tenet of computer security is "don't connect it to the Internet." The term "air gapped" means a device has no wireless or physical network connection. But an Israeli team from Ben-Gurion University figured out how to make a basic GSM phone "listen" to the radiation coming from these air-gapped PCs in order to steal passwords or encryption keys.
In other words, nothing is safe.