This week, we discuss the arrest of a well-meaning Hungarian teenager, vulnerabilities in Internet-connected car washes that could cause them to physically attack users, and data breaches at Italy’s biggest bank.
Hello and welcome to the IT Governance podcast for Friday, 28 July 2017. Here are this week’s stories.
There’s been outcry in Hungary after an 18-year-old was arrested for alerting Budapest’s transport authority, the Budapesti Közlekedési Központ (BKK), to an elementary security flaw in its online ticketing system that allowed travellers to choose how much they paid for their journeys.
The teenager found that simply by pressing F12 on BKK’s website he could open the browser’s developer tools and edit the page’s HTML to set his own ticket price. There was no server-side validation of the amount, so the altered transactions went through unchallenged.
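The flaw described above is a client-side price field that the server trusts. The following is an added example, not BKK’s code, contrasting that pattern with a handler that prices the fare from a server-side table. The fare ids, the tariff amounts and the form fields are all constructed for illustration.

```javascript
// Added example (not BKK's code): why a fare must be priced on the server.
// Fare ids and amounts below are constructed, not BKK's real tariffs.

// Server-side tariff table: the only source of truth for what a fare costs.
const TARIFF = Object.freeze({
  single: 350,
  day_pass: 1650,
});

// A checkout request as the server receives it after the browser submits the form.
// Every field was supplied by the client (typed, or edited in developer tools),
// so none of it is trusted.
function makeRequest(fareId, priceField) {
  return { fareId, price: priceField };
}

// VULNERABLE: charges whatever amount the submitted form says. A hidden price
// field can be changed in the browser's developer tools, so the client picks the fare.
function vulnerableCheckout(req) {
  const amount = Number(req.price);
  return { ok: true, charged: amount };
}

// HARDENED: never uses the client-supplied amount for the charge. The fare id must be
// one the server knows, and the price comes from TARIFF. The submitted amount is only
// compared against the server price so a mismatch can be logged as a tamper signal.
function hardenedCheckout(req) {
  if (!Object.prototype.hasOwnProperty.call(TARIFF, req.fareId)) {
    return { ok: false, reason: 'unknown fare id' };
  }
  const serverPrice = TARIFF[req.fareId];
  const clientPrice = Number(req.price);
  const tampered = !Number.isFinite(clientPrice) || clientPrice !== serverPrice;
  return { ok: true, charged: serverPrice, tampered };
}

// Small demonstration for readers running the file directly.
function demo() {
  const edited = makeRequest('single', '1'); // price field lowered in developer tools
  return {
    vulnerable: vulnerableCheckout(edited),
    hardened: hardenedCheckout(edited),
  };
}
```

The check a practitioner wants is the second handler: the amount charged is derived from the fare id on the server, and any client-supplied amount is treated as untrusted input whose only use is detection. Logging the `tampered` flag gives the operator a signal that someone is editing the form, which is the point at which BKK should have noticed the gap rather than learning of it from a report.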
As a responsible citizen, the young man contacted BKK to inform them of their basic error, but instead of admitting their mistake and rewarding him with a bug bounty, BKK called the police and then a press conference, in which Kálmán Dabóczi, BKK’s CEO, boasted that they’d thwarted a cyber attack and that their systems were secure.
Bleeping Computer reports that more than 45,000 Facebook users have now left one-star ratings on the company’s page, virtually all of them quoting a statement from the so-called hacker in which he protests his innocence. The BKK website was also taken down for several days by attacks, and, according to The Register, “a crowd of protestors gathered outside the main BKK offices in Budapest on Monday” to express their condemnation of the young man’s arrest.
They say there’s no such thing as bad publicity. You try telling that to BKK.
The Black Hat security conference is currently underway in Las Vegas, and we all know what that means: hackers demonstrating interesting IoT exploits. This week, Billy Rios and Jonathan Butts, of Whitescope and QED respectively, asked whether “an IoT device [could] be re-purposed to physically attack an unsuspecting user”. Unsurprisingly, the answer is yes. The device was a car wash.
Motherboard reports that vulnerabilities in PDQ Internet-connected car washes “would let an attacker open and close the bay doors […] to trap vehicles inside the chamber, or strike them with the doors, damaging them and possibly injuring occupants”.
PDQ car washes are fully automated machines that are popular in the US. According to Motherboard, Rios became interested in them after hearing of an incident in which “technicians misconfigured one in a way that caused the mechanical arm to strike a minivan and douse the family inside with water”. He first presented his findings about vulnerabilities at 2015’s Kaspersky Security Summit, but was only able to test them this year.
Gerald Hanrahan of PDQ said the company was aware of the issue and was working on fixing the vulnerabilities.
“All systems—especially internet-connected ones—must be configured with security in mind,” he wrote. “This includes ensuring that the systems are behind a network firewall, and ensuring that all default passwords have been changed. Our technical support team is standing ready to discuss these issues with any of our customers.”
Italy’s largest bank, Unicredit, has announced that it suffered two security breaches – one in September and October 2016, and the other in June and July this year – that affected 400,000 customers’ information.
Data related to personal loans was accessed via a third-party provider, but the bank noted that no data that would have allowed access to customer accounts was compromised, so attackers could not carry out unauthorised transactions.
According to the BBC, Unicredit shares fell by about 1% following the disclosure.
Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.
Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.