The Night the Horn Sounded - Cyber Security Around 2010

The Night the Horn Sounded - Cyber Security Around 2010

Around 2010, the United States was in a period of heightened delinquency risk in the wake of the Lehman Brothers collapse and the simultaneous shift of lifestyle infrastructure online. The idea of "managing cars over the Internet" permeated the automotive sales scene as well, and small devices that could remotely control engine startup or sound the horn as a warning began to spread. Texas Auto Center, for example, installed a "black box" in each vehicle it sold that received commands wirelessly, and introduced a web-based collection system that could shut off the ignition and sound the horn if the vehicle was unpaid. The company soon had more than 100 vehicles equipped with the devices.

However, in February 2010, the company experienced an unusual situation in which customers' cars, even those with no payment problems, were stopped one after another and their horns kept honking on street corners. Even when police officers arrived, they could not stop the horns until the battery wiring was physically disconnected, and over 100 purchasers who had lost their means of transportation were unable to go to work, causing widespread confusion. Although initially ruled a "mechanical failure," the reality was that there had been an unauthorized intrusion into the Texas Auto Center website, and the remote shut-off device had been abused in turn.

The culprit was Omar Ramos Lopez, a young accounts receivable collector at the company. After he was fired, he used his inside knowledge and a former colleague's password to hack into the system, rewrite the vehicle database records, and replace the owner's name with a celebrity name such as "Jennifer Lopez" or a deceased rapper. He even played a malicious prank by replacing the owner's name with a celebrity, such as "Jennifer Lopez" or the name of a deceased rapper.

The "fun" of this incident lies in the graphic nature of the exchange. Customers pouring into the store, the police fretting over the incessant honking of horns, and a former employee intervening from "outside the conversation". The everyday scene of loan collection is transformed into a "social switch" that can instantly constrain people's movements with a single web screen. Behind this transformation is the reality that automobiles are no longer machines but computers, and that they have become attractive targets for attackers. In the United States, it has been mandatory since 1996 for all vehicles to be equipped with a standardized on-board diagnostic board (OBD), which paves the way for a physical connection to the central computer. Combine this with RFID and wireless telematics, and the "hanger-opening" of thieves is being replaced by "car hacking.

From a technology perspective, a Texas Autocenter-type device consists of three layers: a black box connected to the immobilizer and body controls in the car, a wireless modem, and a centralized web panel. Weak authentication or the misuse of insider credentials could result in "legitimate" remote control of the windshield wipers, audio volume, seatbelt warnings, and even the ignition and airbags. Research demonstrations have shown that it is theoretically possible to turn up the radio volume, activate the windshield wipers, stop the engine, steer the car suddenly, and even cause the airbags to suddenly inflate.

Remote shutdown has also been widely implemented in theft deterrence use cases. Services such as OnStar offer the ability to prevent the engine from starting in the event of theft for a number of vehicle models, and the flip side of convenience and safety can be the basis for a coordinated attack on a "swarm" of vehicles of the same model and year. The more platforms are deployed, the more vulnerabilities become "amplifiers" for simultaneous attacks.

The explosion of connectivity is also important in the context of the times, with the number of connected devices growing exponentially even in 2010, and billions more "things" coming online to share data with each other, according to the book. Metcalfe's Law, which states that the value of a network increases as the square of the number of nodes, and IPv6's theoretically astronomical address space of 340澗, have removed physical constraints on IoT expansion. The result is an exponential expansion of the attack surface as well as the benefits.

On the home side, it has already been pointed out that home appliances such as irons and water heaters can participate in home Wi-Fi and serve as a springboard for spreading malware to PCs on the same network. This is not a "neat example," but a security challenge that is inevitably proliferating as billions of devices are sucked into the global information network.

Industry enthusiasm is strong, and while the world's leading R&D companies are pushing to build IoT and stay ahead of the market, in-house IT security departments struggle daily with the threat of zero-day attacks and malware. --That was the urgency behind the conversation at Texas Auto Center.

In short, this episode was an incident in which the three-layered structure of "financial instability, the dawn of IoT, and insider threats" around 2010 hit "mobility," the smallest unit of life. Horns roared from the fingertips of the web, and cars were silenced. Technology is a tool for conversation that helps people, but at the same time it can also be a statement of command that holds society hostage. It is this ambivalence that most vividly illustrates the spirit of the times.