Security News This Week: Hackers Take Control of a Moving Tesla’s Brakes
Plenty of hacking targets hit the news in recent days, including Tesla and Cisco, as we recount in our roundup below. But it’s a fair bet that no one’s week was as badly ruined by hackers as Yahoo’s. The web giant revealed that it had been the victim of a state-sponsored hacker attack in 2014 that compromised the personal information of at least half a billion users, a revelation that comes just as the company is trying to close a $4.8 billion deal to sell itself to Verizon.
Digital security appears to have tripped up the alleged bomber who planted improvised explosive devices in two Manhattan trash cans, as police used a cellphone detonator in one of the IEDs to track him down. A member of Congress introduced new bills aimed at shoring up the security of America’s voting systems—likely too late for the upcoming election. On a lighter note, we chronicled the hacker tricks and easter eggs in the television show Mr. Robot as its second season came to a close. Google offshoot Jigsaw showed WIRED an AI-powered software program designed to automatically detect and help fight trolls online. And the web security firm Cloudflare launched a three-pronged initiative to improve web encryption.
And there’s more: Each Saturday we round up the news stories that we didn’t break or cover in depth but still deserve your attention. As always, click on the headlines to read the full story in each link posted. And stay safe out there.
Car hacking is no longer just an American pastime: Chinese hackers at the tech giant Tencent have shown in a video they were able to wirelessly take over a Tesla S. The hackers have yet to reveal the details of their technique but demonstrated that it can open the car’s trunk, mess with its mirrors, and even activate its brakes while the car is moving. Tesla downplayed the attack, claiming that it only works when the car connects to a malicious Wifi hotspot and the driver performs certain actions in his or her web browser. The company fixed the problem with impressive efficiency, pushing out an over-the-air patch that updated its software just ten days after the hackers reported it to the company.
When a team of NSA hackers itself gets hacked—a rare phenomenon— it’s no surprise the fallout will continue for weeks. A month after a group calling itself Shadow Brokers published a collection of data stolen from an NSA hacking team, Cisco revealed that the data includes a vulnerability that affects its firewall equipment, allowing hackers to steal the decryption keys for certain older versions of Cisco’s encrypted VPNs meant to allow remote workers to safely access a firewalled network. More than 840,000 devices may be affected, according to scans of the internet. And worse, an FBI investigation found that the NSA failed to warn Cisco, despite knowing that one of its operators had mistakenly left the hacking tools vulnerable to theft.
On Tuesday, Brian Krebs’ security news website was was targeted in a massive and sophisticated distributed denial-of-service (DDoS) attack. KrebsonSecurity.com’s cloud and security services company Akamai successfully defended the site against one large attack and then another, ongoing one. The initial attack bombarded the site with 620 Gbps of malicious traffic, almost double the next largest attack Akamai had ever recorded at 336 Gbps. The one that struck KrebsonSecurity.com, though, took a more brute-force approach, walloping the site from a huge hacked computer network. On Thursday, Akamai informed Krebs that it was ending their business relationship and would no longer offer services to his site. Akamai had been working with KrebsonSecurity.com pro bono, and the cost of defending it seems to have been too great. Akamai withdrew its support of the site, which went offline Thursday night. Krebs planned to reinstate the site as early as Friday.
A 19-year-old hacker worked for 24 hours to exploit bugs in the newly released iPhone 7 and iOS 10 to jailbreak the phone, thus gaining control of it to pull off hacks like installing apps that aren’t approved by Apple. Luca Todesco, who goes by his hacker name qwertyoruiop, seems to be the first to jailbreak the iPhone 7. He posted a video of his jailbreak, but hasn’t released specific details about the vulnerabilities he exploited. Todesco told Motherboard that he may submit them to Apple’s recently established bug bounty program. Todesco added that Apple’s security features on the iPhone 7 “definitely made my life harder,” but noted, “I don’t think it will ever be enough. They can raise the effort required, but there will always be someone willing to invest enough time to do it.”
Following a suicide attempt in July and resulting disciplinary hearing on Thursday, Chelsea Manning will be penalized with 14 days in solitary confinement. The U.S. Army soldier, who sent hundreds of thousands of sensitive and classified military files to WikiLeaks, is serving a 35 year sentence for espionage in a Kansas military prison. The solitary confinement punishment is also related to a book (Hacker, Hoaxer, Whistleblower, Spy, by hacker anthropologist Gabriella Coleman) that Manning had on her cellphone in violation of prison rules. It’s unclear when Manning will enter solitary confinement, and seven of the 14 days will be eliminated from the punishment if she shows good behavior for the next six months. Manning, who is a transgender woman, went on a hunger strike for five days earlier this month, eventually succeeding in convincing the Army to offer her gender transition surgery. She has been incarcerated for the past six years in men’s facilities.
Google released its smart messaging app, Allo, on Wednesday, but the Verge quickly noticed that it stores messages differently on Google’s servers than the company had said. Allo doesn’t offer full end-to-end encryption by default, because Google’s artificial intelligence systems need to analyze the data users send on the platform in order to offer the adaptive “smart” features that are Allo’s hallmark. The app does have an Incognito Mode that offers full encryption, though using it mitigates Allo’s special functions. To address potential concerns, Google had told the Verge in May that chat logs and other data sent on Allo would only be stored “transiently,” not permanently on its servers. This seemed to balance prioritizing privacy with giving Google the access it needs to deliver AI integrations. It turns out, though, that Google isn’t going to do transient data storage after all, and that Allo chats will remain on its servers until users manually delete them or set a time for them to expire. Though Allo’s Incognito Mode is still available, privacy advocates like Edward Snowden decried Google’s about-face. “What is Allo,” he tweeted. “A Google app that records every message you ever send and makes it available to police upon request.”