Secure your Tesla Model S!

Written on 26 October 2018, 10:45pm


Update 8 December 2018: Don’t buy a Tesla!

Even if it has wheels and wipers, your Model S is ultimately a computer. A very good looking one if you ask me, but, like any other computer, it can be pwned. Recent news shows an increased incidence of Model S thefts across Western Europe, and apparently the thieves are exploiting a vulnerability in the way the car communicates with the key fob:

Like most automotive keyless entry systems, Tesla Model S key fobs send an encrypted code, based on a secret cryptographic key, to a car’s radios to trigger it to unlock and disable its immobilizer, allowing the car’s engine to start. After nine months of on-and-off reverse engineering work, the KU Leuven team discovered in the summer of 2017 that the Tesla Model S keyless entry system, built by a manufacturer called Pektron, used only a weak 40-bit cipher to encrypt those key fob codes.

Wired:  Hackers Can Steal a Tesla Model S in Seconds by Cloning Its Key Fob

Long story short, it only takes about $600-worth of equipment, a decent computer and less than 2 seconds to crack the 40-bit cipher. According to Wired, the vulnerability was responsibly disclosed in August 2017, and after about a year, Tesla reacted by addressing the root cause (upgrading the key fobs) in addition to implementing the PIN-to-drive feature. 
But this leaves a lot of room for the bad guys: there must be plenty of Model S cars manufactured before June 2018 and without PIN-to-drive enabled. So what should you do to secure your Tesla Model S and avoid a situation like this?

1. Disable passive entry

I don’t really like this option because you trade functionality for security. The passive entry is a nice feature and Tesla should make it work securely, by upgrading the key fobs. But until then, this is a solid option to improve the existing security posture.

2. Enable PIN-to-drive

Again, an option that gets the job done, but leaves massive room for improvement. There are two major inconveniences: first, you must type your PIN in an environment where you cannot properly hide your keyboard. Second, your fingers leave traces when typing, and unless you wipe the screen after every PIN entry, you are leaving a potential door open. This is simply not good enough, and I did not even mention how inconvenient it is to input your PIN every time you start your car.
Tesla can do better – how about FaceID-to-drive?

FaceID just proved how it can address most security concerns while providing a seamless user experience. With time, software and hardware updates, it will get even better, and we will see FaceID on other computing devices like tablets or laptops.
And from there it’s easy to imagine a keyless future. How long until you unlock your car by looking at it?

A post that I wrote back in November 2017: FaceID: convenience and security

3. Additional measures

  • If your car was produced before June 2018, contact Tesla to replace your key fob so that the communication between the car and the key fob is properly encrypted
  • Get a Faraday pouch if you would like to keep the Passive Entry active. Store your key inside the pouch when you’re not using the car, but make sure that you don’t leave the key inside the pouch inside the car 🙂 Oh, and get another pouch for the second key
  • Install a hidden GPS tracker on your car. This will help locate the stolen car even if the bad guys destroy the embedded connectivity module. Tesla won’t be able to remotely control your car, but, if you react quickly, you should be able to tell the police where it is
  • Just use common sense when parking your car. Would you park your nice car in a shady, cheap and isolated area?
  • Think defense-in-depth: implement not one, but more security measures to protect your asset 🙂

If you plan to buy a new Tesla, here is my referral code:  https://ts.la/dorin16160

Best practices around incident reports

Written on 18 October 2018, 09:58pm


An incident is an event that is not part of the standard operation of a service and that causes an interruption or a reduction of service.
In simpler words, an incident is an unplanned interruption of service.

Contents of a post-incident report
(Alternative names for the post-incident report: incident report, postmortem report)

  • Timeline: what exactly happened and at what times?
  • Metrics: how well did we react?  (time to detect, time to react, time to close)
  • Procedures: were they adequate? were they being followed?
  • Root cause analysis: is the root cause understood?
  • Lessons learned: what corrective actions can we take?

Tip: If the incident caused financial loss, attach the current and potential security controls to the timeline. Which controls limited the loss, and which controls could be acquired in the future? Also, it’s a good idea to calculate the potential losses had the existing controls not intervened. This will help establish the overall return on security investment (ROSI).
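The timeline, the three metrics and the ROSI tip above can be tied together in a few lines. This is an added example, not part of the original post: the timeline is constructed, the metric definitions (detect and close measured from the start of the incident, react measured from detection) are assumptions, and ROSI uses the common form (loss avoided − control cost) / control cost.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Event:
    at: datetime
    kind: str          # "start", "detect", "react", "close" or "note"
    what: str
    control: str = ""  # security control that acted at this point, if any

# Constructed sample timeline (not a real incident).
TIMELINE = [
    Event(datetime(2018, 10, 1, 2, 10), "start", "Fraudulent transfers begin"),
    Event(datetime(2018, 10, 1, 2, 40), "note", "Transfers above limit blocked", "transaction limit"),
    Event(datetime(2018, 10, 1, 6, 25), "detect", "Alert raised on unusual volume", "anomaly monitoring"),
    Event(datetime(2018, 10, 1, 7, 5), "react", "On-call disables affected accounts"),
    Event(datetime(2018, 10, 2, 15, 0), "close", "Service restored, incident closed"),
]

def first(timeline, kind):
    """Timestamp of the earliest event of the given kind; fail loudly if missing."""
    times = [e.at for e in timeline if e.kind == kind]
    if not times:
        raise ValueError(f"timeline has no '{kind}' event")
    return min(times)

def metrics(timeline):
    """Time to detect, react and close; an incomplete timeline is an error."""
    start, detect = first(timeline, "start"), first(timeline, "detect")
    react, close = first(timeline, "react"), first(timeline, "close")
    if not start <= detect <= react <= close:
        raise ValueError("timeline milestones are out of order")
    return {
        "time_to_detect": detect - start,
        "time_to_react": react - detect,
        "time_to_close": close - start,
    }

def controls_that_intervened(timeline):
    """Controls attached to the timeline, in the order they acted."""
    return [e.control for e in sorted(timeline, key=lambda e: e.at) if e.control]

def rosi(potential_loss, actual_loss, control_cost):
    """Assumed formula: (loss avoided - cost of controls) / cost of controls."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (potential_loss - actual_loss - control_cost) / control_cost
```

A missing milestone raises an error instead of producing a partial report, which is usually the first sign that the timeline itself still needs work.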

Why a post-incident report?

  1. To understand and address the root causes
  2. To build lessons learned
  3. To maintain an accurate archive of past incidents

Case study: How Google is learning from failure
https://landing.google.com/sre/book/chapters/postmortem-culture.html

A postmortem is a written record of an incident, its impact, the actions taken to mitigate or resolve it, the root cause(s), and the follow-up actions to prevent the incident from recurring.
When to create one? Interruption of service, data loss, monitoring failure, etc.
3 best practices: avoid blame, keep it constructive, collaborate and share.

For a postmortem to be truly blameless, it must focus on identifying the contributing causes of the incident without indicting any individual or team for bad or inappropriate behavior. A blamelessly written postmortem assumes that everyone involved in an incident had good intentions and did the right thing with the information they had.

The blameless culture

Bruges in October

Enterprise Cyber Security – post-event notes

Written on 23 September 2018, 04:22pm


Some notes following the Enterprise Cyber Security Europe event, 19 September 2018, Amsterdam.

  • @ThomLangford: When trying to hire, look for passion. Technical skills can be taught later on. Also, look for the people who care about what they do, who are full of energy, who are constantly pushing their limits and who are filled with passion. 

  • Humans are indeed the weakest link in any security system, because brains are hard to upgrade and because emotional manipulation is easy. 
  • So how do you deal with the human risk? 3 possible avenues:
    • throw technology at it
    • improve your internal processes (ex: out of band validation)
    • or develop a continuous and adaptive security awareness program, where people at Terranova seem to know what they are doing. 
  • Awareness is for everybody, training is for similar groups of people (ex. a department), education is for the ones who genuinely want to learn
  • The story of the women codebreakers at Bletchley Park is fascinating
  • Total cyber crime revenues: in the region of $1.5 trillion annually
  • Time to detect a data breach: between 99 and 197 days depending on who you ask. Either way, it feels like an eternity
  • You can actually turn a data breach into a positive development for your organisation if you manage to be humble, transparent and willing to improve things
  • Booking.com has an interesting ‘everything is a test’ culture (over 1000 experiments going live at any given time). The company brands itself as a ‘developer-first enterprise’. You must make an effort to find a compromise solution between security and usability
  • Preparing for the GDPR should have been easy as long as you have a user-oriented mindset. Don’t forget about the tools for user data export and user data deletion.

Over Amstel, close to the venue