Significant security flaws were recently uncovered in the Nissan LEAF electric car, and in the vast majority of wireless, non-Bluetooth keyboards and mice.
Security company Bastille uncovered the MouseJack vulnerability in wireless mice and keyboards, which it says could expose billions of PCs to remote exploitation. “MouseJack is essentially a door to the host computer,” Bastille engineer Marc Newlin, who discovered the flaw, said in a statement.
The vulnerability, which can be exploited using $15 worth of hardware from up to 100 feet away from the device, affects wireless keyboards and mice from manufacturers including Logitech, Dell and Lenovo. A full list of affected devices is here.
“MouseJack poses a huge threat, to individuals and enterprises, as virtually any employee using one of these devices can be compromised by a hacker and used as a portal to gain access into an organization’s network,” Bastille CTO and founder Chris Rouland said in a statement.
“The MouseJack discovery validates our thesis that wireless IoT technology is already being rolled out in enterprises that don’t realize they are using these protocols,” Rouland added.
Separately, security researcher Troy Hunt says the Nissan LEAF’s air conditioning and heating system can be controlled remotely over the Internet by leveraging functionality that’s not officially available through the car’s Nissan Connect app — and that functionality can easily be accessed by an attacker.
“Being able to remotely turn on the A/C for a car might not seem like a problem, but this could put a significant drain on the battery over a period of time as the attacker can keep activating it. … If your car is parked on the drive overnight or at work for 10 hours and left running, you could have very little fuel left when you get back to it… You’d be stranded,”Scott Helme, who researched the flaw with Hunt, said.
The other issue, Helme said, is that all of a given vehicle’s historical driving data can easily be accessed. “That’s the details of every trip I’ve ever made in the car including when I made it, how far I drove and even how efficiently I drove. This could easily be used to build up a profile of my driving habits, considering it goes back almost two years, and predict when I will be away from home. This kind of data should be collected and secured with the utmost respect for my privacy.”
“It’s not even like they just missed auth or didn’t check, it’s actually not implemented,” Helme said. “It was built, intentionally, without security.”
A recent Pwnie Express survey of more than 400 information security professionals found that 67 percent of respondents are more worried about connected device threats than they were a year ago, and 86 percent believe connected device threats will be a major security issue in 2016.
Fifty-five percent of respondents have witnessed an attack via wireless device, and 38 percent have witnessed an attack via mobile device.
Thirty-seven percent of respondents can’t tell how many devices are connected to their network. Eight-nine percent can’t see Bluetooth devices, 87 percent can’t monitor 4G/LTE devices in real time, 71 percent can’t monitor off-network Wi-Fi devices in real time, and 56 can’t monitor on-network IoT devices in real time.
“Companies developing IoT solutions focus on the feature and functionality set that they need to make the consumer experience easy and enjoyable,” Reiner Kappenberger, global product manager for HPE Security – Data Security, toldeSecurity Planet by email. “The developers have the best intentions and do a terrific job creating those applications. However they are typically not security experts and, therefore, implement protocols that either have limited or no security elements incorporated.”
“Making sure that security is a first class citizen during the design and development phase of those applications is more critical in the IoT space than ever before,” Kappenberger added.