Security News

Vulnerabilities in popular GPS tracker could allow hackers to remotely stop cars
2022-07-20 09:05

Six vulnerabilities in the MiCODUS MV720 GPS tracker that's used by organizations around the world to manage and protect vehicle fleets could be exploited by attackers to remotely cut fuel to or abruptly stop vehicles. The MiCODUS MV720 is a hardwired GPS tracker through which fleet owners can track vehicles, cut off fuel to them, geofence them so they can't be driven outside specific areas, and generally have remote control over the vehicles.

Hackers can unlock Honda cars remotely in Rolling-PWN attacks
2022-07-11 22:10

A team of security researchers found that several modern Honda car models have a vulnerable rolling code mechanism that allows unlocking the cars or even starting the engine remotely. Called Rolling-PWN, the weakness enables replay attacks where a threat actor intercepts the codes from the keyfob to the car and uses them to unlock or start the vehicle.

General Motors credential stuffing attack exposes car owners info
2022-05-23 22:53

US car manufacturer GM disclosed that it was the victim of a credential stuffing attack last month that exposed some customers' information and allowed hackers to redeem rewards points for gift cards. General Motors operates an online platform to help owners of Chevrolet, Buick, GMC, and Cadillac vehicles manage their bills, services, and redeem rewards points.

GM credential stuffing attack exposed car owners' personal info
2022-05-23 22:53

US car manufacturer GM disclosed that it was the victim of a credential stuffing attack last month that exposed some customers' information and allowed hackers to redeem rewards points for gift cards. Car owners can redeem GM rewards points towards GM vehicles, car service, accessories, and purchasing OnStar service plans.

Week in review: VMware critical fixes, Bluetooth LE flaw unlocks cars, Kali Linux 2022.2
2022-05-22 08:30

Kali Linux 2022.2 released: Desktop enhancements, tweaks for the terminal, new tools, and more! Offensive Security has released Kali Linux 2022.2, the latest version of its popular penetration testing and digital forensics platform.

VMware issues critical fixes, CISA orders federal agencies to act immediately. VMware has released patches for a privately reported critical vulnerability in VMware's Workspace ONE Access, VMware Identity Manager, vRealize Lifecycle Manager, vRealize Automation, and VMware Cloud Foundation products, and is urging administrators to patch or mitigate immediately, because "The ramifications of this vulnerability are serious."

New Bluetooth Hack Could Let Attackers Remotely Unlock Smart Locks and Cars
2022-05-19 20:08

A novel Bluetooth relay attack can let cybercriminals more easily than ever remotely unlock and operate cars, break open residential smart locks, and breach secure areas. "An attacker can falsely indicate the proximity of Bluetooth LE devices to one another through the use of a relay attack," U.K.-based cybersecurity company NCC Group said.

BLE vulnerability may be exploited to unlock cars, smart locks, building doors, smartphones
2022-05-17 13:20

A Bluetooth Low Energy vulnerability discovered by NCC Group researchers may be used by attackers to unlock Teslas, residential smart locks, building access systems, mobile phones, laptops, and many other devices. "Many products implement Bluetooth Low Energy-based proximity authentication, where the product unlocks or remains unlocked when a trusted BLE device is determined to be nearby," they explained, and added that the possibility of relay attacks against BLE proximity authentication has been known for years, but existing tools came with detectable levels of latency and were not capable of relaying connections employing link layer encryption.

San Francisco police use driverless cars for surveillance
2022-05-16 10:36

San Francisco police have been using driverless cars for surveillance to assist in law enforcement investigations. A handful of tech giants have pledged more than $30 million to implement a plan to improve open-source and software supply chain security.

Software patching must work like car safety recalls, says US cyber boss
2022-05-13 16:00

Software made unsafe by dependencies should be fixed without users needing to interact with the source of the problem, according to US National Cyber Director Chris Inglis, who serves in the Executive Office of the President. Speaking to The Register at the Black Hat Asia conference in Singapore on Friday, Inglis said that when a faulty component in a car needs to be replaced, the manufacturer who chose that component takes responsibility for securing safe parts and arranging their installation.

Surveillance by Driverless Car
2022-05-12 18:07

This will only get more prevalent: “The SFPD claims it has already obtained evidence from autonomous vehicle cameras.”