48 comments

[ 3.0 ms ] story [ 102 ms ] thread
> "Honda can confirm that a cyber-attack has taken place on the Honda network," the Japanese car-maker said in a statement. It added that the problem was affecting its ability to access its computer servers, use email and otherwise make use of its internal systems. "There is also an impact on production systems outside of Japan," it added.

The article suggests ransomware.

It is ransomware, and I believe the word is it's the Ekans ransomware which specifically targets industrial machinery and control systems. This would've targeted the Honda America Manufacturing network in the United States, as where as anywhere else that has since been affected.

People have been sent home from some factories in the US.

https://jalopnik.com/honda-seems-to-be-the-victim-of-a-ranso...

> on the Honda network

Is that saying it was internal eg. someone plugged in a USB/executed code in person... hmm

article said possible downloaded "booby-trapped files"

> article said possible downloaded "booby-trapped files"

They gave that as a general example, not for this attack specifically. The article doesn't rule out an attack originating from outside the network (ie: phishing).

Specifically the Ekans ransomware, which apparently targets industrial control systems.
I wonder to what extent this attack was related to work-from-home.

The hasty manner in which many companies were forced to adapt + open up their computer networks to accommodate working from home may have created opportunities for attacks like this on large organizations.

And the shame for any businesses who fall back on this excuse is, their disaster recovery or business continuity plans should have already taken into account the necessity that a large section of their workforce may need to work outside the corporate network. There's zero reason not to have this planned out as a real possibility. Natural disasters, fires, terrorism, power outages, the list of possibilities is almost endless for reasons why business can't be done at one planned location.

I work as a security consultant and I've had companies tell me they can't plan on working from home because of culture issues (aka bosses want to see their employees in front of them). And yet all of them have disaster recovery datacenters or multi-zone cloud setups because they know inevitably a tornado or earthquake or fire or ice storm or something will impact their main datacenter. But no plans for their employees because of "culture".

Do you wear a hard hat all the time ? If not, then how do you plan for an evitable brick falling on your head ?
People at construction sites are required to wear a hard hat all the time just like company policies require firewalls to be placed on corporate networks. Not really sure why you're making this comparison, because connecting to the Internet is very much like walking into a construction site where bricks could be falling everywhere and even aimed directly at you.
We have a pretty good idea as to where bricks are likely to fall on our heads. We require people to wear hardhats in all of those locations.
How much good do you think those disaster recovery datacenters actually do?

Adapting all our software for multi-region was an epic lift. Really, we had to stop thinking of it as "the backup datacenter" and instead run a portion of traffic there continuously. Most teams dragged their feet until we started weekly failover drills, which would usually break something in a big way. Application owners got embarrassed into compliance over the course of a few years. They're less exciting now, but still the proximate cause of some outages.

Given all that, I just can't imagine that a company which has never actually cut over (or attempts it only in quarterly/annual all-hands-on-deck events) is going to have a fun time when it becomes necessary to flip the switch for real. We fought tooth and nail to build this capability and it still takes balls of steel to press the button.

I have never worked with a client who did not test their DR solution. If they were not under regulation to test, they had customers who demanded they test. Although yes it’s mostly quarterly.

You’re right it’s not fun. It’s not easy. It’s all hands on deck at most companies. But disaster recovery isn’t something you can build after the fact so even a neglected DR solution is better than none. If a tornado or earthquake rips through your main DC, you’re not getting those machines or that data back. How much good that does depends on how much you like staying in business.

So is the goal just to have something to work with in order to get back online? I guess that is more achievable than trying to maintain continuous service, which is what ours are about (failover isn't just for black swan events, but for ordinary outages too).
We tend to differentiate between disaster recovery (where downtime is acceptable) versus high availability (where downtime is not acceptable). High availability is much harder and more expensive.

DR typically means your business is down and all hands bring it back at another location at bare minimum capacity just to keep money flowing.

Firmware engineering and IOT is a huge mess

At least in my experience, there aren't many opportunities for career growth in that area unless you switch to regular app/web development, or you move to a snazzier company like Microsoft, Apple, Amazon, etc. (Or start a disruptive startup..)

I wonder if there's a "brain drain" effect that's causing this industrial software to be persistently low quality and susceptible to attack

Well, some 'growth' happens just by raising your rates. Not a lot of folks willing to do IoT and firmware. I just charge more every year.

And yes its a mess. Folks resist using real security on their phone or desktop. Imaging an embedded device they buy and want to forget about. They sure don't want any passwords or keys that they'll promptly forget! How many times have I reset my router to factory defaults because, who knows what the admin password is I set two years ago and never used since?

I've put security into devices, and had the client want it taken out. Because their installers find it onerous. And, 'nobody is going to attack my pool pump controller!'

There is probably a good reason for this that I don't know, but why haven't physical keys replaced passwords yet? Want to manage your IoT device? Just slot in a USB key, do your thing, and unslot it.

You don't really have to sweat the security of the key laying around because its mere existence requires an attacker perform physical penetration which is a different attack profile from someone just cruising Shodan.

Granted, a USB key doesn't make sense for every device, but e.g. it seems like it would make a lot of sense for my router.

I wish thats how a lot of things work, but I imagine it would end up encouraging some to create "proprietary" ones (only ours that has special certificate) to work.

Then charge like crazy the same way dealers do with car keys.

except dealer keys are software. so I guess car firmware is already the worst of both? which further reinforces the point of the top comment in this thread we are in.
(comment deleted)
I remember when IoT was getting big. They talked about how one day, hackers might be able to take over your Nest or other smart thermostat and set the temp to 90-something degrees until you paid them. I laughed at that. I also remember when a bunch of refrigerators died or something because the screen used a software that was deprecated. I would be pretty upset to pay all that money for a fridge just to have it die on me in such a manner.
OTOH I could run Skyrim on my fridge. Kill some time waiting for my fridge to make ice, etc.
Where do you live that you can charge rates for your firmware work? In my area, firmware development is only full time employment.
After 20 years in the industry, I have several regular clients. Been contracting for decades.
> Firmware engineering and IOT is a huge mess

@ bryan cantrill amirite

(comment deleted)
The only solution is that Industrial networks must be physically isolated from the internet.
I recall reading about some pen-tester or white hat security tester who, when confronted with a physically isolated system, asked "How do you update it?" However updates were applied was the potential attack vector.
I wonder how long until we see a global car manufacturer get compromised to the point that the products are slowly compromised with the data stolen initially?

Imagine any car with ECMs that can receive OTA updates turned into a herd of bots of some type.

It's an entertaining avenue of thought to consider every Honda with OTA capabilities mining bitcoin from this day on.

Most car manufacturers haven't moved towards OTA updates, probably because they know exactly the risk you describe.

I think Tesla has done remarkably well and I suspect they were able to do it because they were small and nimble when OTA capabilities first became feasible.

On a different note, Nissan's manufacturing was disabled[1] a few years ago when WannaCry was endemic.

[1] https://www.bbc.com/news/uk-england-39906534

> I think Tesla has done remarkably well and I suspect they were able to do it because they were small and nimble when OTA capabilities first became feasible.

I think Tesla have done well for another reason: they are strictly a software engineering company that just happens to make cars on the side. Tesla could easily port their software to any other existing car (Autopilot, mobile app + services, touchscreen OS), but then the Tesla cars would be just another bland electric car offering much like the others. It's the software that defines the Tesla experience, and that's why they have focused on cybersecurity since the beginning.

There certainly were some fun hijinks on the way I'm sure, like the engineer whose NDA expired and explained that the way OTA was done on the first batch of Model S was to have a massive bash script ssh into each car and run apt-get or a similar command.

>that's why they have focused on cybersecurity since the beginning

That sounds to me like a voting machine company saying they've had antivirus software on their machines since day one. "Strictly speaking, it's better than the alternative..."

> On a different note, Nissan's manufacturing was disabled[1] a few years ago when WannaCry was endemic.

I remember Wannacry quite vividly, I was at BMW doing logistics and supply chain at the time and I was on the phone with the IT guys about potential vulnerability to our systems, specifically those tied with our shipping partners we used on a daily basis.

Luckily nothing was affected, and we did a network wide update and changed passwords but I still have the picture of the internal letter we got about updates to the Windows 7 machines we were using, total POS OS, and since I always had a Linux box with me I only found out about it on the day of when I got into work. Since some guys at work knew I was a Bitcoiner they were none to pleased to hear it was ransomware demanding payment in BTC.

False equivalence if there ever was one, I suppose. But I was so glad I went back to VW not long after that.

Given that my 2015 Odyessy takes about 8 seconds to pause audio, those hackers would be disappointed with their bitcoin yield!
If somebody compromised a car ECM why would they do anything as childish as running a botnet or mining bitcoin? If they just make every car of a specific model engage their ABS system to disable the brakes and set the cruise control to 200 km/hr at rush hour they could easily kill tens of thousands of people in a minute without giving any warning or leaving any ability to respond which would completely destroy any car manufacturer in an afternoon. They could literally blackmail billions of dollars from any car manufacturer instead of mining bitcoin for pocket change.
Hope it doesn't infect the thinly papered over Android based "OS" on my car's dashboard.

I authorized the car to my home's WiFi in hopes that there would be updates. Instantly regret. :/

Do I dare even turn it on now?

Block internet access from your car at the router if you're that worried about it.
Adversaries can leverage telematics(free Linux box and LTE module that works like Google Analytics for manufacturers) module or passenger’s phones
If that's an actual, founded concern, in your threat model then you should not get in any vehicle with an ecm, nor have a consumer cell phone. I suppose if you strip out the wireless com module may negate most issues, however your vehicle would still be susceptible to various other attack vectors that you won't have in purely mechanical vehicles.
Indeed. I ended up turning off home network, starting it up and removing all remote connection profiles. :shrug:
Stuxnet also was a high-end targeted hack that had direct help from the power plant vendors. Big differences with other SCADA software.