A Lesson in Security

A few days ago, my truck was broken into. Fortunately, nothing was stolen. I don’t leave anything in my vehicle for this very reason, and unfortunately, this wasn’t my first experience with someone breaking into my vehicle. With nothing visible, what motive could someone have to break into my truck? It seemed to me like a high-risk/low-reward opportunity. After discussing the incident with the detective, I realized I was wrong. It was not high risk.

Ford has built an inherently insecure vehicle. Or maybe, to be fair, attackers have discovered flaws and can now quickly and easily exploit them. Ford may have improved on the design features in later models. I just don’t know, and if anyone from Ford would like to discuss it, please contact me. However, that does not appear to be the case: a 2019 F150 was stolen with ease right out of an owner’s driveway, and the entire incident took less than 30 seconds. Hardware vulnerabilities are difficult to fix, especially in a vehicle. A fix would require a mass recall, so it seems in the best interest of the car manufacturer to just leave it, because it is not a life safety issue.

The culprits were professionals. They were able to disconnect the horn and then pry open the door handle in a way that allowed them to rotate the lock. This forced the lock from the mount and destroyed the entire locking mechanism, giving them full access to the vehicle. And with the horn disconnected, they were able to remain undetected (they subverted the intrusion detection and prevention systems). There was no visible damage to the steering column, indicating they were not looking to steal the vehicle, and nothing was taken. There was evidence that they looked through the glove compartment, other storage areas, and under the seats. So what were they looking for? What was the motive for them to break in? They were looking for firearms.

In many ways, I am sure the people who did this took a lot of the same steps that we take when conducting a penetration test. Information gathering, OSINT, enumeration, evasion, and then in this instance, a physical break-in. I have to admit I was impressed by the ingenuity of the attack and baffled that Ford had designed something with such poor security. Then again, I know I shouldn’t be surprised; unfortunately, a lot of hardware is inherently vulnerable. And there are no updates to download to “patch the system.”

In the end, this served as a great life lesson for me to share with my son, who is just starting his journey in cyber. We discussed the similarities between how these attackers could get into my truck and how someone might use the same techniques to break into a computer system. I doubt the people who did this will ever be caught, but I guess that is just the game we play.

The Importance of Fundamentals

Yesterday I learned a hard lesson. During the OSINT phase of a network vulnerability assessment (NVA) I collected information, but I failed to analyze and recognize what I had gathered. This failure (maybe oversight is a better word) prompted me to add the following reminder to the top of my Tools & Syntax page.

                -Simply knowing how to run a tool isn’t enough.

It seems like common sense, but I have realized how easy it is to overlook things, and how quickly we can develop a tendency to rely heavily on tools to provide us with answers. I took for granted something I thought I understood well. My arrogance was weaponized against me. The lesson for me here is to make no assumptions. Do not assume that what you found or are looking at is “noise” or unimportant. Verify independently and continue to revisit the fundamentals. Fine-tune your knowledge and understanding of the basics.

Key takeaways:

  1. Planning is key. Indeed, most plans don’t survive first contact with the enemy, but that does not mean it isn’t worth having one.
  2. Just because you understood it once doesn’t mean you still appreciate it.
  3. Test, review, poke/prod, and question everything you are looking at. Do not take anything for granted. MAKE NO ASSUMPTIONS.
  4. Fundamentals need to be reapplied regularly.