Looking to learn to hack, try your skills out at https://www.hellboundhackers.org/
Original Article from http://www.bbc.co.uk/news/technology-23443215
Next time you have a passenger in the back seat of your car offering infuriatingly “helpful” advice about your driving skills, count yourself lucky that they aren’t doing anything more sinister in their attempts to guide your vehicle.
Two security experts in the US have demonstrated taking control of two popular models of car, while someone else was driving them, using a laptop.
Speaking to the BBC ahead of revealing their research at security conference Defcon in Las Vegas in August, Charlie Miller and Chris Valasek said they hoped to raise awareness about the security issues around increasingly computer-dominated car control.
“At the moment there are people who are in the know, there are nay-sayers who don’t believe it’s important, and there are others saying it’s common knowledge but right now there’s not much data out there,” said Mr Miller, a security engineer at Twitter.
“We would love for everyone to start having a discussion about this, and for manufacturers to listen and improve the security of cars.”
Their work, funded by the Pentagon’s research facility Darpa, has so far received a mixed reaction from the manufacturers themselves.
How they did it
The researchers used cables to connect the devices to the vehicles’ electronic control units (ECUs) via the on-board diagnostics port (also used by mechanics to identify faults) inside a 2010 model Ford Escape and Toyota Prius.
Contained within most modern vehicles, ECUs are part of the computer network that controls most aspects of car functionality including acceleration, braking, steering, monitor displays and the horn.
The pair were able to write software which sent instructions to the car network computer and over-rode the commands from the actual drivers of the cars.
They filmed themselves in the back of one of the vehicles steering it left and right, activating the brakes and showing the fuel gauge drop to zero, all while the vehicle was under driver control and in motion.
A spokesman for Toyota told the BBC that because the hardware had to be physically connected inside the car, he did not consider it to be “hacking”.
“Altered control can only be made when the device is connected. After it is disconnected the car functions normally,” he said.
“We don’t consider that to be ‘hacking’ in the sense of creating unexpected behaviour, because the device must be connected – ie the control system of the car physically altered.
“The presence of a laptop or other device connected to the OBD [on board diagnostics] II port would be apparent.”
Expensive and difficult
Mr Miller and Mr Valasek say this is not the point.
Their work builds on earlier research carried out by researchers at the University of Washington and the University of San Diego in 2010, who demonstrated that it was possible to control a car remotely and developed a tool, which they called CarShark, for the purpose.
“We’re big fans of their work but we figured they already proved you can remotely get into a car’s network,” Chris Valasek, director of security intelligence at consultancy IOActive told the BBC.
“We wanted to see how much control would you have once that’s happened.”
They admitted that they had destroyed a few cars while refining their technique.
“It’s very expensive and difficult to do the research to show you can hack into a car. It’s not like you can just download something and look at it,” said Mr Miller.
“I wouldn’t dare do this to my own car,” added Mr Valasek.
They said the cars did not appear to acknowledge the address from where a command was being sent, only the instruction itself.
“There’s no authentication,” said Mr Miller.
“But there are restrictions – the car has to operate very fast. If you run into a wall you need to kill the engine immediately, engage the airbag.
“Car manufacturers don’t have the luxury PC software makers have – if something doesn’t work in a car that can’t happen, it needs to function.”
Mr Miller and Mr Valasek intend to make their research openly available following the conference.
“The information will be released to everyone. If you’re just relying on the fact people aren’t talking about the problem to stay safe, you’re not really dealing with the problem,” said Mr Miller.
Toyota said it invested heavily in security research.
“Our focus, and that of the entire automotive industry, is to prevent hacking into a vehicle’s by-wire control system from a remote/wireless device outside of the vehicle.
“Toyota has developed very strict and effective firewall technology against such remote and wireless services. We continue to try to hack our systems and have a considerable investment in state of the art electro-magnetic R&D facilities.
“We believe our systems are robust and secure.”
Ford also told the BBC the company takes electronic security seriously.
“This particular attack was not performed remotely over-the-air, but as a highly aggressive direct physical manipulation of one vehicle over an elongated period of time, which would not be a risk to customers on any mass level,” it said in a statement.
“The safety, privacy, and security of our customers is and always will be paramount.”
Security expert Prof Alan Woodward, Chief Technology Officer at consultancy Charteris, said that car hacking hasn’t been widely discussed because as yet there has been no criminal incident of it.
“I think [car hacking] is one of the most scary things out there – [the hacking of] cars and medical devices are the two things nobody talks about,” he told the BBC.
“You’ve heard of ransomware – imagine that happening inside a car. It won’t take criminals that long.”
Ransomware is a computer virus that freezes a victim’s computer or threatens to release personal files unless a payment is made.
A car crash caused by a hacked car featured as a storyline on the US TV series Homeland but was widely dismissed as fantasy, he added.
“There was loads of talk afterwards saying it was rubbish. I remember saying on Twitter, ‘I’m sorry, it’s not.'”
However both the researchers and Prof Woodward agree that hacking into a car is not easy.
“This is a very technical attack, it requires a great deal of technical knowledge,” Prof Woodward said.
“A lot of manufacturers are doing work on security software but they don’t talk about it. It’s not about anti-malware software, it’s more about penetration testing – finding any holes left in the system.
“When people build things based on software, it is built with Intention A. They never think about intention B – which could be all sorts of nefarious purposes.”
please note that i did not write this article, it was written by Zoe Kleinman from BBC News. ~b1nhAcz
Want to learn to hack? Here are some good ideas from one group of Anonymous hacktivists..
How To Became A Great hacker ?
1. Learn TCP/IP, Basic Information gathering, Proxies, Socks, SSL, VPN, VPS, RDP, FTP, POP3, SMTP, Telnet, SSH.
2. Learn Linux, Unix, Windows – You can do this using vmware or any virtual desktop utility.
3. Learn a programming language that’s compatible with all OS – Perl, Python, C, ASM
5. Learn Reverse engineering and crack some programs for serials easy ones like mirc, winzip, winrar or old games.
6. Code a fuzzer for common protocols – ftp, pop3, 80, 8080 – Pick some free software like ftp server, mail server, apache or iis webserver or a webserver all-in-one pack, or teamspeak, ventrilo, mumble.
7. Code a tool that uses grep to sort out unique code in source codes.
8. Make a custom IPtable, IPsec firewall that blocks all incoming traffic and out going traffic and add filters to accept certain ports that your software or scripts use.
9. Pick a kernel in linux or unix, also pick a Microsoft OS version lets say Winxp pro sp2 put them on the virtual desktops (vmware) and find and code a new local exploit in those versions, then install a Apache webserver on the Linux/Unix and a IIS webserver on the winxp pro and attempt to find and code a new local reverse_tcp_shell exploit.
10. Learn Cisco Router and Switch configuration and setup.
11. Learn Checkpoint Setup and Config
12. Learn Wifi scanning, cracking, sniffing.
13. Pick a person in you phonebook for the area code you live in or city then ring the person on a anonymous line like skype or a payphone or a carded sim and attempt to social engineer the person for his name, address, data of birth, city born, country born, ISP connected with, Phone company connected with, What bank he/she uses and anything else you can get. Then Attempt to ring using a spoof caller ID software with the person’s phone number – call the ISP and try reset the password to his/her internet connection/web-mail, get access to bank account or ask them to send out a new *** to a new address (drop) with a new pin, reset of phone company passwords.
14. Use your information gathering skills to get all the information off a website like a shop then use the spoof caller-id software or hack your phone to show a new number of the Webserver’s Tech Support number then ring the shop owner and try get the shop site password.
15. Do the same thing but attempt to use a web attack against a site or shop to gain admin access.
16. Once got access upload a shell and attempt to exploit the server to gain root using a exploit you coded not someone else s exploit.
17. Make your own Linux Distro
18. Use your own Linux Distro or use a vanilla Linux gnome (not kde) keep it with not much graphics so you can learn how to depend on the terminal and start from scratch install applications that you will only need for a blackbox (Security test box), make folders for fuzzers, exploits, scanners..etc Then load them up with your own scripts and other tools ( By this stage you shouldn’t need to depend on other peoples scripts).
19. Learn macosx and attempt to gain access to a Macosx box whether it be your own or someone’s else.
20. Create a secure home network and secure your own systems with your own Security policies and firewall settings.