146 research outputs found

    Car Hacking: CAN it be that simple?

    The Internet of Things (IoT) has expanded the reach of technology at work, at home, and even on the road. As Internet-connected and self-driving cars become more commonplace on our highways, the cybersecurity of these “data centers on wheels” is of greater concern than ever. Highly publicized hacks against production cars, and a relatively small number of crashes involving autonomous vehicles, have brought the issue of securing smart cars to the forefront as a matter of public and individual safety. This article describes the integration of a module on car hacking into a semester-long ethical hacking cybersecurity course, including full installation and setup of all the open-source tools necessary to implement the hands-on labs in similar courses. The author demonstrates how to test an automobile for vulnerabilities involving replay attacks using a combination of open-source tools and a $20 commodity CAN-to-USB cable. Also provided are an introduction to the CAN (controller area network) bus in modern automobiles and a brief history of car hacking

    Car Hacking: Accessing and Exploiting the CAN Bus Protocol

    With the rapid adoption of internet-connected and driver-assist technologies, and the spread of semi-autonomous to self-driving cars on roads worldwide, cybersecurity for smart cars is a timely concern and one worth exploring both in the classroom and in the real world. Highly publicized hacks against production cars, and a relatively small number of crashes involving autonomous vehicles, have brought the issue of securing smart cars to the forefront as a matter of public and individual safety, and the cybersecurity of these “data centers on wheels” is of greater concern than ever. However, up to this point there has been a steep learning curve involved in applying cybersecurity research to car hacking. The purpose of this paper is to present a clear, step-by-step process for creating a car-hacking research workstation and to give faculty, students, and researchers the ability to implement car hacking in their own courses and lab environments. This article describes the integration of a module on car hacking into a semester-long ethical hacking cybersecurity course, including full installation and setup of all the open-source tools necessary to implement the hands-on labs in similar courses. This work demonstrates how to test an automobile for vulnerabilities involving replay attacks, and how to reverse-engineer CAN bus messages, using a combination of open-source tools and a commodity CAN-to-USB cable or wireless connector for under $100 (USD). Also provided are an introduction to the CAN (controller area network) bus in modern automobiles and a brief history of car hacking

    Automated Reverse Engineering of Automotive CAN Bus Controls

    This research provides a means of automating the process to reverse engineer an automobile’s CAN Bus to quickly recover CAN IDs and message values to control the various systems in a modern automobile. This approach involved the development of a Python script that uses several open-source tools to interact with the CAN Bus, and it takes advantage of several vulnerabilities associated with the CAN protocol. These vulnerabilities allow the script to conduct replay attacks against the CAN Bus and affect various systems in an automobile without the operator’s knowledge or interaction. These replay attacks can be accomplished by capturing recorded network traffic and resending them to find which traffic conducts certain actions. Automobiles are becoming more reliant on computer systems and networks to operate, including the integration of wireless interfaces to interact with these systems (Avatefipour & Malik, 2018). These systems contain numerous vulnerabilities as they were not built with consideration to hacking (Wolf, Weimerskirch, & Paar, 2004). Creating a tool to automate the reverse engineering process allows for a better understanding of the CAN Bus and its vulnerabilities. The aim of this script is to allow the user to identify what specific packets captured from CAN Bus traffic will initiate selected actions in the automobile’s controls. The results show the user can repeatedly split and send log files to the CAN Bus to narrow down the files to a single packet that is starting the selected outputs of the CAN Bus using this script

    Structure Preserving Large Imagery Reconstruction

    With the explosive growth of web-based cameras and mobile devices, billions of photographs are uploaded to the internet. We can trivially collect a huge number of photo streams for various goals, such as image clustering, 3D scene reconstruction, and other big data applications. However, such tasks are not easy due to the fact the retrieved photos can have large variations in their view perspectives, resolutions, lighting, noises, and distortions. Furthermore, with the occlusion of unexpected objects like people, vehicles, it is even more challenging to find feature correspondences and reconstruct realistic scenes. In this paper, we propose a structure-based image completion algorithm for object removal that produces visually plausible content with consistent structure and scene texture. We use an edge matching technique to infer the potential structure of the unknown region. Driven by the estimated structure, texture synthesis is performed automatically along the estimated curves. We evaluate the proposed method on different types of images: from highly structured indoor environment to natural scenes. Our experimental results demonstrate satisfactory performance that can be potentially used for subsequent big data processing, such as image localization, object retrieval, and scene reconstruction. Our experiments show that this approach achieves favorable results that outperform existing state-of-the-art techniques.

    Effectiveness of Tools in Identifying Rogue Access Points on a Wireless Network

    Wireless access points have greatly improved users' ability to connect to the Internet. However, they often lack the security mechanisms needed to protect users. Malicious actors could create a rogue access point (RAP), using a device such as the WiFi Pineapple Nano, that could trick users into connecting to an illegitimate access point (AP). To make them look legitimate, adversaries tend to set up RAPs to include a captive portal. This is very effective, since most public networks use captive portals as a means to provide genuine access. The objective of this study is to examine the effectiveness of RAP identification tools in identifying WiFi Pineapple RAPs. Three common RAP identification tools were used, namely Aircrack-ng, Kismet, and inSSIDer. The result indicated that RAPs could easily be identified through actively monitoring networks using tools such as Aircrack-ng, Kismet, and inSSIDer.

    Health IT Security: An Examination of Modern Challenges in Maintaining HIPAA and HITECH Compliance

    This work describes an undergraduate honors research project into some of the challenges modern healthcare providers face in maintaining compliance with the Health Insurance Portability and Accountability Act (HIPAA) and HITECH (Health Information Technology for Economic and Clinical Health) Act. An overview of the pertinent sections of both the HIPAA and HITECH Acts regarding health information security is provided, along with a discussion of traditionally weak points in information security, including: people susceptible to social engineering, software that is not or cannot be regularly updated, and targeted attacks (including advanced persistent threats, or APTs). Further, the paper examines potential violations of HIPAA involving vulnerabilities in commonly-used enterprise health records systems. Finally, we compare these challenges to the challenges of the United States healthcare system prior to 1995, specifically looking at information handling procedures, how procedures have changed, and how effective those changes have been

    Planning and Implementing a Successful NSA-NSF GenCyber Summer Cyber Academy

    The GenCyber program is jointly sponsored by the National Security Agency (NSA) and the National Science Foundation (NSF) to help faculty and cybersecurity experts provide summer cybersecurity camp experiences for K-12 students and teachers. The main objective of the program is to attract, educate, and motivate a new generation of young men and women to help address the nationwide shortage of trained cybersecurity professionals. The curriculum is flexible and centers on ten cybersecurity first principles. Currently, GenCyber provides cyber camp options for three types of audiences: students, teachers, and a combination of both teachers and students. In 2016, over 120 GenCyber camps were funded, serving 5,000+ students and teachers, and the NSA hopes to double the program in 2017. GenCyber camps can be offered at colleges, universities, public or private school systems, or non-profit institutions. The purpose of this paper is to describe the GenCyber program, provide lessons learned from a successful program implementation, and encourage PI’s to plan and implement a GenCyber summer cyber academy

    Learning to Program in Python – by Teaching It!

    The US Bureau of Labor Statistics predicts over 8 million job openings in IT and computing, including 1 million cybersecurity postings, over the current five-year period. This paper presents lessons learned in preparing middle-school students in rural Georgia for future careers in computer science/ IT by teaching computer programming in the free, open-source programming language Python using Turtle graphics, and discusses exercises and activities with low-cost drones, bots, and 3D printers to get students interested and keep them engaged in coding. Described herein is one pair of instructors’ (one middle-school, one university) multi-year, multi-stage approach to providing engineering and technology courses, including: how to code Turtle graphics in Python; how to engage children by using short, interactive, visual programs for every age level; building cross-curricular bridges toward technology careers using 3D printing, robotics, and low-cost drones; and, how to build more advanced programming skills in Python

    Voice Hacking: Using Smartphones to Spread Ransomware to Traditional PCs

    This paper presents a voice hacking proof of concept that demonstrates the ability to deploy a sequence of hacks, triggered by speaking a smartphone command, to launch ransomware and other destructive attacks against vulnerable Windows computers on any wireless network the phone connects to after the voice command is issued. Specifically, a spoken, broadcast, or pre-recorded voice command directs vulnerable Android smartphones or tablets to a malicious download page that compromises the Android device and uses it as a proxy to run software designed to scan the Android device’s local area network for Windows computers vulnerable to the EternalBlue exploit, spreading a ransomware-like application to those PCs, and executing it remotely. The demonstrated proof of concept, with relevant source code included in the appendix, can be extended and adapted to allow other voice-enabled, mobile, and IoT devices to perform multi-platform attacks against traditional PCs, as well as other mobile and IoT devices, and even critical infrastructure systems. In addition to describing the proof-of-concept attack in detail, the authors propose several remedies individuals and organizations can employ to prevent such attacks

    What You See Is Not What You Know: Deepfake Image Manipulation

    Research indicates that deceitful videos tend to spread rapidly online and influence people’s opinions and ideas. Because of this, video misinformation via deepfake video manipulation poses a significant online threat. This study aims to discover what factors can influence viewers’ capability of distinguishing deepfake videos from genuine video footage. This work focuses on exploring deepfake videos’ potential use for deception and misinformation by exploring people’s ability to determine whether videos are deepfakes in a survey consisting of deepfake videos and original unedited videos. The participants viewed a set of four videos and were asked to judge whether the videos shown were deepfakes or originals. The survey varied the familiarity that the viewers had with the subjects of the videos. Also, the number of videos shown at one time was manipulated. This survey showed that familiarity of subjects has a statistically significant impact on how well people can determine a deepfake. Notably, however, almost two thirds of study participants (102 out of 154, or 66.23%) were unable to correctly identify a sequence of just four videos as either genuine or deepfake. Overall, the study provides insights into possible methods for countering disinformation and deception resulting from the misuse of deepfakes