Owner security

White Hat Hacker Accesses Teslas | Avast

David Colombo, 19, a security researcher in Germany, was able to take over most functions of more than 25 Teslas worldwide by hacking third-party software used with the cars. While checking the security of a potential customer’s corporate network ports, Colombo came across TeslaMate, a self-hosted open-source data logger for Tesla. Exploring further, Colombo was able to execute commands on specific Teslas such as “disable sentry mode”, “unlock doors”, “open windows”, and even “start keyless driving”, although he could not access the steering, accelerator or brakes. Importantly, this was not directly due to a flaw in Tesla’s infrastructure.

“We need more researchers like David Colombo, he’s done a fantastic job,” commented Luis Corrons, Avast Security Evangelist. “He discovered a number of issues that are responsible for the security issues he found, such as a lack of encryption or default credentials. The vulnerabilities can be found anywhere, but with software that is not developed with security in mind, the results are catastrophic. There are a number of lessons that can be learned here.” Tesla and the makers of TeslaMate have fixed the vulnerabilities after becoming aware of them. For more on this story, read Colombo’s report on Medium.

Life360 plans to stop selling precise location data

In the company’s latest quarterly activity report, the founder and CEO of location-sharing app Life360 announced that the San Francisco-based company will be phasing out all of its location data offerings except for Allstate’s Arity. Currently, the company sells the precise location of its 35 million individual users to a dozen data brokers, but plans to move to aggregate rather than individual data. “Life360 recognizes that aggregated data analytics (e.g., “150 people drove by the supermarket”) is the wave of the future, and that companies will increasingly value insights into data that doesn’t depend on device-level or other individual user-level identifiers,” the announcement reads. For more on this story, see The Markup.

Safari Flaws Allowed Browser and Webcam Takeover

A group of macOS vulnerabilities, which were patched by Apple in late 2021, allowed would-be attackers to take over the Safari browser, exposing users’ online accounts and opening their microphones and webcams. The exploits abused trusted features between iCloud and Safari, such as document sharing mechanisms. “The attacker basically punches a hole in the browser,” said researcher Ryan Pickren, who disclosed the vulnerabilities to Apple. “So if you’re logged into Twitter.com on a tab, I could jump on it and do whatever you can from Twitter.com. But that has nothing to do with Twitter’s servers or security; as the attacker, I just assume the role you already have in your browser.” For more information, see Wired.

LockBit 2.0 claims to have stolen files from the French ministry

Last week, ransomware group LockBit 2.0 posted on its data leak site that it had stolen more than 9,000 files from the French Ministry of Justice and would release the stolen data if the ransom was not paid before February 10. Cybercriminals using LockBit 2.0 usually threaten to release data about victims who do not pay the ransoms they demand. This “double extortion” technique puts additional pressure on the victim to pay. “The Ministry of Justice took note of the alert and immediately took steps to carry out the necessary verifications,” a spokesperson told Politico, without giving more information on the scale of the operation.

FBI warns of recruitment scams

In a public service announcement released this week, the FBI reported a current trend of scammers “exploiting security vulnerabilities on recruiting websites to impersonate legitimate companies, threaten company reputations and defraud job seekers”. The FBI says that scammers can appear believable to the user because they use legitimate information to impersonate companies. As of early 2019, the average loss reported under this scheme is nearly $3,000 per victim (plus, the victim’s credit score also suffers). In the PSA, the Bureau provides a list of recommendations for employers and job seekers to recognize and avoid this scam.

This week’s “must read” on the Avast blog

At first glance, the Google Topics initiative appears to be a victory for privacy advocates. At this point, however, it’s still unclear how things will unfold over time. Listen to our team’s thoughts.