Monthly Archives: July 2011

Interesting Article on Hacking GSM attached devices

War Texting’ Attack Hacks Car Alarm System

Researcher will demonstrate at Black Hat USA next week how ‘horrifyingly’ easy it is to disarm a car alarm system and control other GSM and cell-connected devices

ul 25, 2011 | 09:57 PM | 2 Comments By Kelly Jackson Higgins
Dark Reading

It took researcher Don Bailey a mere two hours to successfully hack into a popular car alarm system and start the car remotely by sending it a message. 

Click here for more of Dark Reading’s Black Hat articles.

Bailey, a security consultant with iSec Partners, next week at Black Hat USA in Las Vegas plans to show a video of the car alarm attack he and fellow researcher Mat Solnik conducted. His Black Hat presentation is called “War Texting: Identifying and Interacting with Devices on the Telephone Network.”

Physical security systems attached to the GSM and cellular networks, such as GPS tracking devices and car alarms, as well as traffic control systems, home control and automation systems, and SCADA sensors, are ripe for attack, according to Bailey.

War texting is something that Bailey demonstrated earlier this year with personal GPS locators. He demonstrated how to hack vendor Zoombak’s personal GPS devices to find, target, and impersonate the user or equipment rigged with those consumer-focused devices. Those low-cost embedded tracking devices in smartphones or those personal GPS devices that track the whereabouts of your children, car, pet, or shipment can easily be intercepted by hackers, who can then pinpoint their whereabouts, impersonate them, and spoof their physical location, he says.

His Black Hat research, meanwhile, focuses more on the infrastructure, as well as on fingerprinting or classifying these devices among millions of wireless phone numbers. Once those devices have been spotted by an attacker on the network, they then can be abused. Car alarms are vulnerable, for instance, because they connect and idle on Internet-ready cellular networks, and receive messages from control servers, Bailey says.

Bailey declined to reveal the car alarm vendor. He says these and other devices are being exposed to reverse-engineering and abuse via their GSM or cell connections. “Their proprietary protocols [traditionally] were insulated and so obfuscated that you wouldn’t necessarily know what was going on under the hood,” Bailey says. “[But] car-alarm manufacturers now have to worry about reverse-engineering of their proprietary protocols.”

Bailey says an attacker can glean previously undisclosed aspects of the alarm device from the phone network. “Now that they’re OEM’ing GSM modules … they are leaving the whole business exposed. It’s serious from that angle: Attackers can finally get under the hood easily because they have a foot in the door with GSM,” he says.

Bailey plans to release new tools to help gather information about these devices. “[The tools] will show how easily you can set up a network connection for mass-scanning over the entire phone network,” he says. “The idea of war-texting communication with devices over the telephone network is simple.”

Bailey says the car alarm hack just scratches the surface of the inherent danger of having such devices GSM- and cell-connected. “What I got in two hours with the car alarm is pretty horrifying when you consider other devices like this, such as SCADA systems and traffic-control cameras. How quick and easy it is to re-engineer them is pretty scary,” he says.

He says he was able to get enough reconnaissance on a handful of other devices to do the same type of hack. “I didn’t bother to reverse-engineer them. Knowing their modules and understanding their design is enough” to pull off a war-texting attack, he says.

So how do you shore up security for these devices? “The real answer is engineering: getting the people designing these systems to analyze their security in a thorough fashion, which they are not doing now,” Bailey says.


NMAP keeps getting better

Arguably one of the most if not the best used tools in the security profession is the NMAP made by the infamous Fyodor.  Since it has first came on the internet scene a decade or more ago, it has added so many capabilities such as using scripting engine and the cool GUI based tool called Zenmap to compliment the CLI version.

This post is not about NMAP’s feature since many books and websites have been dedicated for this purpose.  Just excited that a new version has been released as i always anticipate what new features they will contain.


Nmap 5.50 Released:Now with Gopher protocol support! Our first stable release in a year includes 177 NSE scripts, 2,982 OS fingerprints, and 7,319 version detection signatures. Release focuses were the Nmap Scripting Engine, performance, Zenmap GUI, and the Nping packet analysis tool.

Strategic planning for IS

Strategic planning for information security is a very important activity and part of a robust information security program for organizations.  Only with strategic planning will things will become clear and resources assigned appropriately.

Below is a good resource that i came across on this topic:



Thinking of SIEM?

Just a quick note on Security Incident and Event Management or as it is commonly abbreviated as SIEM, SIM, or SEM.  Since i had the opportunity of overseeing the implementation and day-to-day usage of  SIEM in our company, i would like to share few tips that have helped me in our implementation.

  • Tip Number 1
    Evaluate different solutions before you decide to buy.  Many vendors claim their solutions do wonderful things but don’t buy in until you evaluate them in your own environment.
  • Tip Number 2
    Implement SIEM in smaller chunks.  If you have any sizable IT infrastructure, putting an SIEM solution is not an easy task.  Therefore i recommend breaking up the devices and software that you want to collect logs into smaller sizes.  For example in our case i had to break up all SQL servers together so that i can work with DB administrators and network devices together and so on.
  • Tip Number 3
    Involve your administrators.  In order to collect the right information from your IT infrastructure you need to involve the administrators of various areas.  They are well of the systems they administer and know which logs are important and which are not.
  • Tip Number 4
    Fine-tune your rules.  If you really want to get the value of SIEM, then fine-tuning your rule set according to your own environment is a must and not just relying on out of the box rules.  It is an extensive task at the beginning but one that has to be done and will help you reducing your false positives.
  • Tip Number 5
    Automate as much as possible.  From my experience, SIEM solutions produce lots of alerts and reports.  Unless you will have a dedicated administrator just for watching these alerts, you need to use the auto-notification features of the system such as email, sms, dashboard alerts to reduce the effort of managing the system.
Tagged , ,