[Security Weekly] Volkswagen and Ford Vehicles Discovered With Security Vulnerabilities

3rd Week of April 2020


1. Critical security vulnerabilities found on Volkswagen and Ford vehicles


The Consumers’ Association, branded as “Which?”, is a British charity that promotes informed consumer choices. In early April, Which? teamed up with cybersecurity professionals to examine the connected elements of two of the most popular cars in Europe: the Volkswagen Polo SEL TSI Manual 1.0 L gasoline, and the Ford Focus Titanium Automatic 1.0 L gasoline.

The examination resulted in the discovery of several serious vulnerabilities that pose privacy and safety risks to the vehicle owners. First of all, the examiners were able to hack into the infotainment system of the Volkswagen Polo by exploiting a vulnerability found in the electronic traction control system. The infotainment system contains the personal data of the user, including their whole phone contact list, call history, and location history.

Another vulnerability involved significant safety concerns. The examiners obtained access to the front radar module by simply opening up the VW emblem from outside the car. Gaining access to the radar system allows hackers to tamper with the collision detection and warning system. This could have life-threatening consequences, especially if the vehicle were to travel in autonomous mode.

The examiners were also able to interfere with the messages sent from the tire pressure monitoring system on the Ford Focus, and trick the system into displaying that the tires are fully inflated when they are actually flat.

As vehicles become increasingly connected, cybersecurity measures are especially important both to keep the user’s data protected and to keep the vehicle functioning properly. [Penta Security’s security solution for connected mobility, AutoCrypt, is dedicated to providing a private and safe transportation experience for the connected age. Learn more at: AutoCrypt.]

Source: Which?


2. San Francisco Airport discloses data breach with stolen device login credentials


San Francisco International Airport (SFO) suffered a data breach that occurred in late March, affecting the users of two of its websites – SFOConnect.com and SFOConstruction.com.

SFOConnect.com provides airport employees with updated airport security information, including the latest guidelines for COVID-19. SFOConstruction.com provides details of the airport construction projects, as well as information on bids and contracts for third parties.

According to a notification posted on both websites, the data breach affected those who visited the websites using an Internet Explorer browser installed on either a PC or any other device that is not maintained by SFO. Attackers injected malicious code into the web application and obtained the users’ device login credentials.

The interesting thing here is that, usually when malicious code is injected into a website, the login credentials for the web application get stolen. However, in this case, the login information of the users’ end device was stolen instead, which is very strange. Security experts suggested that this could happen in two ways: the attackers either injected a fake form on the website asking the visitors to fill in their device login information, or the malware that got embedded into the website may have been capable of injecting additional code onto the devices themselves.

SFO claimed that they reset all their SFO-related passwords on March 23, just in case some users may have used the same password for their SFO account as their device password. The airport also prompted all visitors to the website who used an Internet Explorer browser to reset their device passwords.

Cybersecurity firm ESET later suggested that the attack was likely carried out by Dragonfly, also known as Energetic Bear, a hacker group widely believed to be sponsored by the Russian government.

[A web application firewall like Penta Security’s WAPPLES can effectively prevent the injection of malicious code into websites. Learn more at: WAPPLES.]

Sources: Threatpost, SC Media, ESET


3. More than 500,000 Zoom user accounts sold on the dark web


Just as we thought it couldn’t get any worse, Zoom received another blow this week, this time with over 500,000 login credentials compromised.

Beginning on April 1, Zoom’s user account credentials started to appear on hacker forums. Some of the credentials were posted for sale, while others were shared for free. Accounts related to specific organizations were compiled together. These include accounts related to companies such as Chase and Citibank, as well as those related to educational institutions such as the University of Florida, the University of Colorado, and Dartmouth.

Security researchers have confirmed that most of the login details were correct. However, the posted data do not appear to come from any particular data breach. Instead, experts speculate that the login credentials were likely obtained from other data breaches in the past. Hackers likely attempted to log in to Zoom with these stolen login credentials, and compiled the credentials that led to successful logins.

All Zoom users are advised to reset their passwords immediately. This incident shows the importance of setting a unique password for each website, so that when a data breach happens on one of the sites, it does not put all the other accounts in danger. Read here to learn more about how to create easy and safe passwords.

Source: BleepingComputer


4. Google removes 49 malicious Chrome extensions stealing cryptocurrency


According to a report published exclusively by ZDNet this Tuesday, Google has removed 49 Chrome extensions that were found to be stealing the users’ crypto wallet keys and mnemonic phrases [1].

First discovered by Harry Denley, the Director of Security at MyCrypto, these extensions were believed to have been created by the same hackers, who seemed to be located in Russia. They were made to look like legitimate cryptocurrency wallet applications, posing as the official applications for well-known crypto wallets including MyEtherWallet, Ledger, Trezor, Jaxx, and many more. All 49 of them have the exact same functions, but are branded differently to lure users of all kinds of wallets.

The extensions were injected with malicious code, so that any information the users entered during the initial sign-in process was sent directly to the hackers’ servers. Security experts have found that some of the previously reported crypto wallet thefts were related to these extensions. However, due to the anonymous nature of cryptocurrency, it is impossible to track the attackers and bring them to justice.

Source: ZDNet

[1] A mnemonic phrase is a sequence of words that acts as a backup key to a crypto wallet. It allows direct access to the wallet, and thus must be kept safe. It should never be used as the primary authentication method, and should only be used for recovery.

