09 April 2020

IRM Weekly Cybersecurity Roundup: Automotive security flaws and more

Automotive security test tricked car to speed to 85mph

McAfee has been exploring automotive security by testing a camera system, the MobilEye EyeQ3 (often used in Tesla cars). The researchers were able to make a Tesla Model S autonomously speed up to 85mph after manipulating the AI technology into misreading a nearby speed limit sign, which actually read 35mph.

This is relevant research considering the number of connected cars on the road with sign-reading functionality. These innovations are designed to make driving safer, but can more often than not open up various channels for criminals, as proven by this study.

You can read more here.

Zoom forms cybersecurity council to combat backlash

Zoom, the video communication company, has formed a ‘CISO Council’ made up of chief information security officers from various industries. The CISOs are from companies including VMware, Netflix, Uber and EA.

The CEO of Zoom, Eric Yuan, said the aim of the Council was to enable him to “be a more effective and thoughtful leader and will help ensure that privacy and security are at the forefront of everything we do at Zoom”.

This is just one move out of Zoom’s 90-day plan which has been set up to tackle some of the backlash from the security flaws discovered in the platform last week. Martin Needs, one of IRM’s Principal Technical Consultants, examined the weaknesses in Zoom’s platform in our recent blog post here.

You can read more here.

Data protection fines delayed for British Airways and Marriott

The fines for British Airways and Marriott’s data protection wrongdoings have yet again been delayed, this time until June 2020.

The fines were already postponed in January of this year for three months as lawyers at both organisations are preparing to appeal the fines.

The Coronavirus has been a huge influence on the delay of the fines. British Airways has been threatened by the economic stress of cancelled flights. Similarly, Marriott has experienced another breach since January, meaning they are still dealing with the fallout.

Nevertheless, the £99 million Marriott fine and £183 million British Airways fine still stand and are expected to be paid to the Information Commissioner’s Office in June.

You can read more here.

Mozilla vulnerabilities uncovered

This week, Mozilla has released patches for two critical vulnerabilities in Firefox and Firefox ESR which are currently being exploited by hackers.

They are:

  • CVE-2020-6819: A use-after-free flaw caused by a race condition while running the nsDocShell destructor
  • CVE-2020-6820: A use-after-free caused by a race condition when handling a ReadableStream

All Firefox users are advised to install these software updates as soon as possible.

You can read more here.

Ford and Volkswagen automotive security flaws uncovered

Automotive security testers working on behalf of Which? uncovered serious security flaws with a Ford Focus Titanium Automatic 1.0 petrol and a Volkswagen Polo SEL TSI Manual 1.0L petrol (chosen as they are the two most popular cars in Europe).

Whilst the exact technical details are being withheld to avoid criminals getting hold of the information, the experts were able to tamper with the vehicles via the infotainment system.

They were able to change the electronic driving controls (including braking and steering) via the Polo’s powertrain and found the infotainment system vulnerability could essentially adversely affect driving if done without warning.

On the Ford, testers were able to intercept messages to the tyre-pressure monitoring system, meaning they could potentially extend this to show false tyre-pressure messages on the vehicle’s information screen.

You can read more here.

Quick-fire Updates

Upcoming webinar “Infinite versus Finite Cybersecurity”: Phil Mason, Software Director for IRM, will be presenting a webinar on the 22nd April from 11:30 – 12:10 BST. The webinar will explore what ‘Game Theory’ is, how this applies to cybersecurity, examples and case studies of organisations who are adopting finite and infinite cybersecurity strategies and how you can enhance your objectives to avoid the perils of cybersecurity failure. Register here.

Beer delivery postponed due to cyber-attack: A popular supplier of beer in Alberta, Canada (Brewers Distributor Ltd) was the victim of a cyber-attack two weeks ago, leading to issues delivering the beloved product to customers. A spokesperson said they were having to resort to manual order management to get orders completed. Read more here.
