Research Reveals Top-Selling Car Keyless Theft Risk
Research by consumer Group Which? has revealed that hundreds of popular models of car are vulnerable to “keyless theft”.
Keyless Car Theft
Keyless car entry systems enable owners to unlock the doors of their car with the brush of a hand if the key fob is nearby. If the car has keyless start-stop, once inside the car, the keyless system allows the user to simply press a button to start and stop the engine.
These systems work by using an identity chip in the fob that constantly listens out for radio signals broadcast by the car. These radio signals can only travel short distances, usually less than five metres.
The Which? Research
The Which? research involved the analysis of data on keyless/relay attacks from tests conducted by the General German Automobile Club (ADAC), a roadside recovery organisation.
Top-Selling Cars At Risk
The ADAC test highlighted by Which? showed that, of the 237 keyless cars tested, all but three were susceptible to keyless theft.
The 237 keyless cars tested and found to be vulnerable to this type of attack included many of the UK’s top-selling cars such as the Ford Fiesta, Volkswagen Golf, Nissan Qashqai and Ford Focus. Of the top-selling cars in the UK, only the Vauxhall Corsa was found to be safe, only because it isn’t available with keyless entry and ignition.
Jaguar Land Rover’s latest models of the Discovery, Range Rover, and 2018 Jaguar i-Pace, were all found to be secure.
Car Theft Figures – Rising
England and Wales police figures show that the highest number of offences of theft of (or unauthorised taking of) a motor vehicle since 1990 were reported in the year to March 2018 (106,000). This worrying rise in the level of car theft comes despite improvements in vehicle security aided by the use of new technology.
Less Than 0.3% Stolen
Mike Hawes, head of the Society of Motor Manufacturers & Traders (SMMT), is reported as saying that, aided by technology, new cars are more secure than ever with, on average, less than 0.3% of the cars on the roads stolen.
Not The First Time Concerns Raised
This is certainly not the first time that concerns have been raised about keyless security in cars. For example, as far back as 2011, Zurich-based researchers highlighted how radio signals emitted by a car could be boosted, thereby tricking systems into thinking the key fob was nearby.
Also, in 2014, many Range Rover thefts led to police advising owners to fit a steering wheel lock as a second line of defence, after keyless security had been breached by thieves.
There have also been reports of Police investigating cases of criminals blocking the signals from keyless devices, so that car doors never lock, and of thieves using blockers in service station car parks in order to steal items from cars.
What Does This Mean For Your Business?
For car manufacturers, there is likely to be an ongoing battle with thieves, and a need for continuous investment to ensure that car entry and ignition systems are as secure as possible. This may even require a move into biometrics.
The SMMT has also been calling for action to stop the open sale of equipment which serves no legal purpose but that helps criminals steal cars e.g. grabbers and jammers, which can be purchased online for as little as £40.
The advice from security experts to owners of cars with keyless systems is to keep keyless entry keys away from doors and windows and in a shielded protection case. This is because some thieves are known to be able to steal the signal to replicate an owner’s key wirelessly, from outside of their house.
Apple’s Video-Calling ‘Eavesdropping’ Bug
Apple Inc has found itself at the centre of a security alert after a bug in the group-calling part of its FaceTime video-calling feature was found to allow a caller to eavesdrop on the call’s recipient before the call had been answered.
Sound, Video & Broadcasting
The bug allowed the caller to hear audio from the recipient’s phone even if the recipient had not yet picked up the call. Worse, if the recipient pressed the power button on the side of the iPhone, e.g. to silence or ignore the incoming call, the same bug was also found to let the caller see video of the person they were calling before that person had picked up. This was because pressing the power button effectively started a broadcast from the recipient’s phone to the caller’s phone.
Data Privacy Day
Unfortunately for Apple, insult was added to injury as news of the bug was announced on Data Privacy Day, a global event that was introduced by the Council of Europe in 2007 in order to raise awareness about the importance of protecting privacy. Shortly before news of the Apple group FaceTime bug was made public, Apple’s Chief Executive, Tim Cook, had taken to Twitter to highlight the importance of privacy protection.
It Never Rains…But It Pours
To make things even worse, news of the bug was made public on the day before Apple was due to announce its reduced revenue forecast figures as part of its quarterly financial results. Apple has publicly reduced its expected revenue forecast by £3.8bn. Apple’s chief executive put the blame for the revised lower revenue mainly on the unforeseen “magnitude of the economic deceleration, particularly in Greater China”. He also blamed several other factors such as a battery replacement programme, problems with foreign exchange fluctuations, and the end of carrier subsidies for new phones.
Feature Disabled
In order to close the security and privacy hole that the bug created, Apple announced online that it had disabled the Group FaceTime feature at 3:16 AM on Tuesday.
Fix On The Way
Apple has announced that a fix for the bug will be available later this week as part of Apple’s iOS 12.2 update.
What Does This Mean For Your Business?
Apple has disabled the Group FaceTime feature with the promise of a fix within days, which should provide protection from any new attempts to exploit the bug. Those users who are especially concerned can also decide to disable FaceTime in the iPhone altogether via the phone’s settings.
Even though the feature has been disabled, the potential seriousness of allowing eavesdropping of private conversations and the broadcasting of video from a call recipient’s phone appears to have been a major threat to the privacy and security of some Apple phone users. This has caused some tech commentators to express their surprise that a bug like this could be discovered in the trusted, trillion-dollar company’s products, and concern to be expressed that those users who, for whatever reason, don’t update their phones to the latest operating system, may not be protected.
No More Windows 10 Mobile Support – Microsoft Suggests Switching
Microsoft has formally announced on its support pages that, as of December 10th 2019, Windows 10 Mobile users can no longer expect security updates and support, and Microsoft recommends that customers then move to a supported Android or iOS device.
Windows 10 Mobile
Windows 10 Mobile is a mobile OS that was released in 2015 as the successor of Windows Phone 8.1 and is essentially an edition of Windows 10 running on devices that have less than a 9-inch screen.
The end of Windows 10 Mobile support comes just over four years after Microsoft’s failed acquisition of Nokia’s devices and services businesses, which led to Microsoft having to write off $7.6 billion in 2015. At the time, tech commentators wondered why Microsoft had got into the low-margin, highly competitive phone business, and Microsoft shifted its strategy from the standalone phone business to a strategy to grow the Windows ecosystem. This effectively put the writing on the wall for Windows 10 Mobile, and many tech commentators have been waiting over the years for the formal announcement for the end of support to come.
What Is Coming To An End?
In this announcement, Microsoft has said that new security updates, non-security hot-fixes, free assisted support options, or online technical content updates from Microsoft for free will end for users of Windows 10 Mobile as of December 10, 2019.
Microsoft has also stressed that, although third parties or paid support programs may still provide ongoing support, Microsoft support will not publicly provide updates or patches for Windows 10 Mobile after that date.
The announcement does not mean that Windows 10 Mobile devices will shut down with the cessation of support, but that continuing to use the devices afterwards will mean higher risks because of issues such as the lack of security updates and the phasing-out of backups.
Which Models?
Microsoft says that only device models that are eligible for Windows 10 Mobile, version 1709 are supported through the December 10th end date. Also, for the Lumia 640 and 640 XL phone models, Windows 10 Mobile version 1703 was the last supported OS version and will reach end of support on June 11th, 2019.
What Now?
The suggestion from Microsoft itself to Windows 10 Mobile customers is to move to a supported Android or iOS device.
Those customers who plan to keep using their Windows 10 Mobile device after the December 10th support cut-off date have been encouraged by Microsoft to manually create a backup before that date. This can be done via Settings -> Update & Security -> Backup -> More Options and then tapping ‘Back up now’.
What Does This Mean For Your Business?
This announcement from Microsoft is certainly not unexpected. Where commercial customers are concerned, they have the same cut-off dates as domestic customers, but Microsoft has said that it will be working with many commercial customers to ensure a successful migration to a supported platform prior to the end of support date.
This is an acceptance and acknowledgement by Microsoft that most of the partners and customers of businesses already use Android or iOS platforms and devices.
Some commentators have suggested that the move to end support for Windows 10 Mobile may also be a way for Microsoft to clear the decks ready for the introduction of a new folding smartphone, codenamed ‘Andromeda’. This remains to be seen.
ICO Urges Businesses To Prepare For No-Deal Brexit
In a Westminster eForum event on GDPR practice in London, the director of strategic policy at the Information Commissioner’s Office, Jonathan Bamford, is reported to have urged businesses to prepare for a no-deal Brexit in terms of planning to stop interruption in data flows from Europe.
Why?
As explained by parliament.uk, three-quarters of the UK’s cross border data flows are with EU countries, and when the UK leaves the EU, it will leave the legal framework for moving data between the UK and the EU. This means that businesses may need to act to make sure that data flows can continue uninterrupted between the UK and the EU. With a no-deal Brexit, this is going to be of particular importance because there may be no ‘adequacy agreement’ in place for some time.
What Is An Adequacy Agreement?
A decision of adequacy (or adequacy agreement) is made by the European Commission when it considers that a country outside the EU, which the UK will be after 29th March, provides a level of data protection equivalent to that of the EU. A ‘decision of adequacy’ allows data to flow into and out of the EU without the need for other safeguards.
Unfortunately, if there is a no-deal Brexit, and there is no adequacy decision in place for some time, businesses and institutions may find themselves having to use alternative legal mechanisms that could be bureaucratic, costly, and could cause delays.
Not In Place Before Brexit
The ICO has warned that an adequacy agreement will not be in place before Brexit, hence the need for businesses to think about making some plans.
What Sort of Things May Be Affected?
Examples of things businesses may need to consider in order to maintain data flow post-Brexit include:
- Organisations that receive data from Europe, and use cloud services based within the EU may need to think about what risks and disruption they could face if no adequacy agreement is in place, and what other mechanisms and agreements they may need to seek.
- Finding out where company data is stored and who has access to it may be an issue. Is your data stored in the UK or EU? There is also a need to understand data flow.
- Possibly needing to renegotiate data services supplier contracts for GDPR (as some banks have done).
- Global organisations operating in multiple jurisdictions may need to look at how data is transferred within their organisation and whether corporate rules need to be changed.
- Organisations may need to look at where their riskiest and/or more important data transfers are, and plan to get Standard Contractual Clauses (SCCs) implemented i.e. contractual forms approved by the EU Commission as offering adequate protection for the personal data of individuals.
Absorbed in UK Law
For most businesses, because GDPR will be absorbed into UK law at the point of Brexit, there should be no major changes to the basic data rules that businesses need to follow.
Approved Industry Codes
Some business commentators have suggested that data transfers to ‘third countries’ could be carried out under an EDPB (European Data Protection Board) approved industry code if there was no adequacy agreement in place. This, however, looks unlikely to materialise in time for Brexit.
What Does This Mean For Your Business?
The UK must be able to move data between itself and the EU in order to maintain a healthy trading relationship after Brexit. Also, UK citizens need to be assured that their personal data will be safeguarded after the UK leaves the EU. Yes, GDPR will be absorbed into UK law as the Data Protection Bill on leaving the EU, which should bring satisfactory parity between UK and EU data laws, but it is worrying to think that UK businesses (and consumers) could be exposed to risks because there is unlikely to be an adequacy agreement in place for some time.
A no-deal Brexit could, therefore, threaten post-Brexit data flows and create more bureaucracy for UK businesses, which will need to work to ensure that they are seen to be ‘safe importers’ of data in data transfer agreements.
This is a complicated-enough subject for businesses anyway without considering the need to look at more pieces of the puzzle. Businesses can find more information on the subject by studying the ICO’s guidance on ‘Data Protection if There’s No Brexit Deal’ here: https://ico.org.uk/for-organisations/data-protection-and-brexit/data-protection-if-there-s-no-brexit-deal/ and by studying the ICO’s ‘Leaving the EU – Six Steps To Take’ here: https://ico.org.uk/media/2553958/leaving-the-eu-six-steps-to-take.pdf.
Biggest Personal Data Breach Puts Password Effectiveness In The Spotlight
Password-based authentication has long been known to be less secure than other methods such as multi-step verification or biometrics, but a massive leak of a staggering 87GB of 772.9 million emails, 21.2 million passwords and 1.1 billion email address and password combinations recently shared on hacking forums has brought the inherent weaknesses of password authentication into sharp focus.
What Leak?
The massive leak of 2.6 billion rows of data from 12,000 files dubbed Collection #1 onto hacking forums was revealed in a blog post by security researcher Troy Hunt, who is most well-known for managing the ‘Have I Been Pwned’ service.
In his post, Mr Hunt said that the leaked personal data is a set of email addresses and passwords totalling 2,692,818,238 rows and is made up of many different data breaches from thousands of different sources. The data contains 772,904,991 unique email addresses, and 21,222,975 unique passwords, all of which can be put into 1,160,253,228 unique combinations.
Risks
Clearly, Mr Hunt has an interest in publicising the existence of Collection #1 and the fact that it has been incorporated into his service to help publicise the ‘Have I Been Pwned’ service, but as Mr Hunt points out, if your password/email combinations are part of the collection and have not been changed since, you could face some serious risks. For example:
- Credential stuffing attacks. In this case, 2.7 billion of the username and password combinations could be put into a list and used for credential stuffing. This is where cyber-criminals rely on the fact that people may use the same username and password combinations for multiple websites, and therefore, the criminals use software to automate the process of trying the breached username/password pairs on many other websites to see if they can gain access.
- Phishing attacks. The stolen credentials can be used to automatically send malicious emails to a victim’s list of contacts.
- Targeted digital identity attacks. The breached credentials can be used in targeted attacks designed to steal a victim’s entire digital identity or steal their money or even to compromise their social media network data.
What Does This Mean For Your Business?
This story highlights the importance of always using strong passwords that you change on a regular basis. Also, it highlights the importance of not using the same usernames and passwords on multiple websites as this can provide an easy route to your data for criminals using credential stuffing.
Managing multiple passwords in a way that is secure, effective, and doesn’t have to rely on memory is difficult, particularly for businesses where there are multiple sites to manage. One tool that can help is a password manager. Typically, these can be installed as browser plug-ins that handle password capture and replay: when you log in to a secure site, they offer to save your credentials, and on returning to that site they can automatically fill those credentials in. Password managers can also generate new passwords when you need them and paste them into the right places, as well as syncing your passwords across all your devices. Examples of popular password managers include Dashlane, LastPass, Sticky Password, and Password Boss; password vaults built into other programs and CRMs include Zoho Vault and Keeper Password Manager & Digital Vault.
If you’re worried that people in your organisation may be using passwords that have been stolen, Troy Hunt has provided a list of them here: https://www.troyhunt.com/pwned-passwords-now-as-ntlm-hashes/ and provides some answers to popular questions about the stolen passwords in the ‘FAQs’ section of his blog post here: https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/
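One practical way to act on the advice above is to screen new or existing passwords against a breached-password list before accepting them. The following is an added example, not code from the original article or from Troy Hunt’s service: it shows the hash-prefix (k-anonymity) style of lookup, where only the first five hex characters of the password’s SHA-1 hash are used to fetch a range of candidate suffixes, so the full hash never leaves the checking machine. The breach corpus and its occurrence counts are constructed for the example, and `lookup_range` is a local stand-in for a real range endpoint or a downloaded hash file.

```python
import hashlib
from collections import defaultdict

# Constructed sample "breach corpus": plaintext passwords with made-up occurrence
# counts. A real deployment would index the downloaded hash list, never plaintext;
# plaintext is used here only so the example is self-explanatory.
_SAMPLE_BREACHED = {
    "password": 1200,
    "123456": 54000,
    "qwerty": 8100,
    "letmein": 300,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the format breached-hash lists use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: dict) -> dict:
    """Index breached hashes by their first five hex characters (the 'range')."""
    index = defaultdict(dict)
    for pw, count in breached.items():
        h = sha1_hex(pw)
        index[h[:5]][h[5:]] = count
    return index


RANGE_INDEX = build_range_index(_SAMPLE_BREACHED)


def lookup_range(prefix: str) -> dict:
    """Stand-in for a range query: returns {suffix: count} for one 5-char prefix.

    Only the prefix is sent to the lookup; the caller compares suffixes locally.
    """
    return RANGE_INDEX.get(prefix.upper(), {})


def breach_count(password: str) -> int:
    """How many times the password appears in the corpus (0 if not found)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return lookup_range(prefix).get(suffix, 0)


def is_breached(password: str) -> bool:
    return breach_count(password) > 0


def audit_candidates(candidates: list) -> list:
    """Return the candidate passwords that should be rejected, with their counts.

    Intended for use at password-set or password-change time, where the
    plaintext candidate is legitimately available to the policy check.
    """
    return [(pw, breach_count(pw)) for pw in candidates if is_breached(pw)]


if __name__ == "__main__":
    # Constructed candidate passwords a user might try to set.
    for pw, count in audit_candidates(["letmein", "Tr0ub4dor&3-long-and-unique", "123456"]):
        print(f"rejected: seen {count} times in breach data")
```

Because the comparison is done on the suffix locally, the same function shape works unchanged whether `lookup_range` reads a local file or calls a remote range API; only the transport differs.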
Google’s £44 Million GDPR Fine
Google has been fined a massive 50 million euros (£44m) for breach of GDPR dating back to May 2018 and relating to how well people were informed about how Google collected data to personalise advertising, and the matter of consent.
Who?
Google (Alphabet Inc) has been fined £44 million by the French data regulator CNIL. The two complaints that brought about the investigation and the fine were filed in 2018 by privacy rights groups noyb and La Quadrature du Net (LQDN).
Even though the fine is eye-wateringly large, the maximum fine for large companies like Google under GDPR could have been 4% of annual turnover, which could equate to around €4bn.
Ad Personalisation & Google
Google personalises the adverts that are displayed when a person is signed in to their Google account based on ad-personalisation settings. When a person is signed out of their Google account, they are still subject to ad-personalisation across the Web on Google’s partner websites and apps based on their browsing history, and on Google Search based on their previous activity such as previous searches.
What & Why?
The two privacy groups complained that Google didn’t have a valid legal basis to process user data for ad-personalisation because of issues relating to transparency and consent.
The reasons for Google receiving the fine were that:
- Google failed to provide its users with transparent and understandable information on its data use policies. This was because the “essential information” that users would have needed to understand how Google collected data to personalise advertising, and the extent of that information, was too difficult to find because it was spread across several documents. This meant that it was only fully accessible after several steps e.g. up to five or six actions. Ultimately, this meant that users were unable to exercise their right to opt out of data-processing for personalisation of ads.
- It was also found that the option to personalise ads was “pre-ticked” when creating an account. This meant that users were essentially giving blanket consent for all the processing purposes that Google carried out on the basis of that consent. Under GDPR, however, consent is only ‘specific’ if it is given distinctly for each purpose.
Other Complaints
Privacy group noyb has also filed more formal complaints against Amazon, Apple, Google, Netflix, Spotify, and other entertainment streaming services. The reason, according to noyb, is that when people request a copy of the personal data that these companies hold on them, some of it may not be supplied in a format that can be easily understood. GDPR requires companies to supply users with a copy of their data that is both machine-readable and can be easily understood.
What Does This Mean For Your Business?
Even before GDPR was introduced, many technology and security commentators predicted that the big names e.g. Google and Facebook would be the first to be targeted by privacy campaigners, and that appears to be what is happening here. In this case however, the fact that the complaints have created a record-breaking fine shows that there was genuine concern about a lack of compliance with GDPR from a company that many would have expected to be on top of the legislation and setting an example. It is likely that Google will need to make some significant modifications to some aspects of its services now, and that this may prompt other large tech companies to do the same in order to avoid similar fines and bad publicity.
This case is a reminder to businesses, particularly larger ones, that although GDPR appears to have been buried by concerns about Brexit, the need to stay compliant with GDPR is an ongoing process and should still be high on business agenda.