Salus Cyber

Salus News July 11th 2022

By Narcis Cristian Orvas,
11 July 2022

Honda Admits Hackers Can Access Cars

ROLLING PWN ATTACK

Modern vehicles tend to be equipped with remote keyless entry (RKE) systems, which allow contactless unlocking or starting of vehicles. On the 7th of July 2022, Kevin2600 and Wesley Li publicly disclosed a vulnerability within Honda’s RKE, which allows an attacker to record a valid signal and propagate it for persistent access to the car. The vulnerability was confirmed on the ten most popular Honda models and is believed to affect all Honda vehicles with RKE on the market.

Automotive RKE systems utilise disposable rolling codes so that every key fob button press sends a unique signal. This has proven to be an effective countermeasure against simple replay attacks. The Rolling Pwn Attack is a type of replay attack that bypasses the anti-replay countermeasures currently set in place by Honda. Through a careful sequence of signal jamming, capturing, and replaying, an attacker can learn the subsequent valid unlock signal that has not been used yet. Even though the one-time code sent in a signal becomes invalid after use in rolling-code systems, replaying previously captured signals triggers a rollback mechanism in the RKE system.
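
A simplified model of the receiver logic described above, added here as an illustration and not taken from Honda's firmware or the researchers' work. The HMAC code scheme, `WINDOW`, `RESYNC_RUN` and the resync rule are assumptions, chosen to show why a counter that can move backwards defeats a rolling code while a strictly increasing counter rejects every replayed frame.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed secret, not a real fob key
WINDOW = 16      # assumed look-ahead window that tolerates missed presses
RESYNC_RUN = 3   # assumed number of consecutive old codes that triggers resync

def code(counter: int) -> bytes:
    """One-time code a fob would send for this counter value (toy scheme)."""
    return hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]

class Receiver:
    def __init__(self, allow_rollback: bool):
        self.counter = 0                  # highest counter accepted so far
        self.allow_rollback = allow_rollback
        self.run = []                     # consecutive already-used counters seen

    def _find(self, frame: bytes, lo: int, hi: int):
        for c in range(lo, hi + 1):
            if hmac.compare_digest(frame, code(c)):
                return c
        return None

    def receive(self, frame: bytes) -> bool:
        fresh = self._find(frame, self.counter + 1, self.counter + WINDOW)
        if fresh is not None:             # normal path: counter only moves forward
            self.counter, self.run = fresh, []
            return True
        old = self._find(frame, 1, self.counter) if self.allow_rollback else None
        if old is None:                   # hardened receiver always ends up here
            self.run = []
            return False
        self.run = self.run + [old] if self.run and old == self.run[-1] + 1 else [old]
        if len(self.run) >= RESYNC_RUN:   # flawed resync: counter moves backwards
            self.counter, self.run = old, []
        return False

def replay_outcome(allow_rollback: bool) -> list:
    """Owner uses codes 1..10, then frames 1..4 recorded earlier are replayed."""
    rx = Receiver(allow_rollback)
    captured = [code(c) for c in range(1, 5)]   # constructed sample capture
    for c in range(1, 11):
        assert rx.receive(code(c))              # legitimate presses are accepted
    return [rx.receive(f) for f in captured]

if __name__ == "__main__":
    print("rollback allowed :", replay_outcome(True))
    print("monotonic counter:", replay_outcome(False))
```

In the flawed model the fourth replayed frame is accepted because the counter was rolled back to 3; with the monotonic counter all four are rejected.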

Honda’s Reaction to the Vulnerability

Kevin2600 and Wesley Li have allegedly been attempting to disclose the vulnerability to Honda since December 2021. Because of Honda’s poor vulnerability reporting procedures, the method recommended to the researchers was to contact Honda’s customer service and file a report that way. Unfortunately, Honda never replied to them prior to the public disclosure.

When the vulnerability was first publicly disclosed, Honda shot down the claims, arguing that the proof provided by the researchers was insufficient. However, in the following days, the vulnerability gained traction as people tested it and confirmed it using their own vehicles. The public pressure, coupled with confirmations from internal company testing, caused Honda to release a public statement officially confirming and addressing the vulnerability.

A Honda spokesperson has confirmed the vulnerability report but claimed that potential attackers would require “sophisticated tools and technical know-how to mimic Remote Keyless commands and gain access to certain vehicles of our”. The spokesperson also stated: “However, while it is technically possible, we want to reassure our customers that this particular kind of attack, which requires continuous close-proximity signal capture of multiple sequential RF transmissions, cannot be used to drive the vehicle away”.

Honda has stated that they plan to address this issue in their new 2022 and 2023 vehicle models, but there are currently no plans from the manufacturer to address the issue for any existing vehicles.

References

Rolling PWN

Honda Admits Hackers Could Unlock Car Doors, Start Engines | SecurityWeek.Com

Maui Ransomware Targeting U.S. Healthcare Organisations

Maui Ransomware

The Cybersecurity and Infrastructure Security Agency (CISA) released an advisory to provide information on the Maui ransomware, used by North Korean state-sponsored cyber actors to target the Healthcare and Public Health Sector since at least May 2021. CISA released the advisory in cooperation with the Federal Bureau of Investigation (FBI) and the Department of the Treasury. Services targeted by the ransomware campaign include electronic health records services, diagnostic services, imaging services, and intranet services.

Maui differs in a few respects from the run-of-the-mill ransomware (predominantly ransomware-as-a-service) used by attackers. Maui ransomware needs to be manually operated; the threat actors need to specify the files or directories to be encrypted. Additionally, Maui does not leave a ransom recovery note, and it does not exfiltrate the data in any way. Maui ransomware also appears not to incorporate any lateral movement methods. On the surface, it appears that Maui is not as sophisticated as other existing ransomware. However, it is possible that its nature as a manually driven encryption process and network movement makes it less discoverable or more effective overall for the target environment.

Why the Healthcare Industry?

Although sinister in nature, targeting the healthcare industry is an obvious choice from the perspective of criminal syndicates and for-profit state-backed cyber groups. The public healthcare industry possesses high budgets, manages vast amounts of confidential data, and often utilises outdated firmware and software. Additionally, due to its critically important nature, the healthcare industry is more willing to pay a ransom in the hope of resuming its services quickly. According to Sophos’ State of Ransomware in Healthcare 2022, 61% of healthcare organisations surveyed chose to pay the demanded ransom, compared with the global average of 46%.

CISA Advice

Although Maui is slightly different from other generic ransomware variations, the methods to protect against it are still the same. The advice provided by CISA for the healthcare industry echoes the standard good practices for combating ransomware.

  • Backups of data
  • Cyber event response plan
  • Keep firmware, operating systems, and applications up to date
  • Require administrator credentials to install software

References

North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector | CISA

North Korean APT targets US healthcare sector with Maui ransomware | Malwarebytes Labs