Transport

Conference Talks – October 2020

This month, members of NCC Group will be presenting their work at the following conferences: Dirk-Jan Mollema, “Walking Your Dog in Multiple Forests: Breaking AD Trust Boundaries through Kerberos Vulnerabilities,” to be presented at Black Hat Asia 2020 (Virtual – October 1 2020) Sanne Maasakkers, “Improve Security Awareness Campaigns by…


Secure Device Provisioning Best Practices: Heavy Truck Edition

The complexities of the heavy truck ecosystem poses challenges to the security of the ECU networks contained within the vehicles. This paper describes some of the major sources of complexity, and how each can be addressed to design and implement a secure robust ECU provisioning system. Such a system is…


The Sorry State of Aftermarket Head Unit Security

Authored by Colin Brum At NCC Group, we like to give our interns real world hacking challenges. Over the course of a semester, we teach our students about software and hardware security. For a final project, we challenge our interns to apply what they’ve learned to find a vulnerability and…


UK government cyber security guidelines for connected & autonomous vehicles

The Department for Transport, in conjunction with Centre for the Protection of National Infrastructure (CPNI), has created eight key principles of cyber security for connected and autonomous vehicles. The guidance has been produced in response to the large (and growing) attack surface presented by connected and autonomous vehicle technology, as…


The Automotive Threat Modeling Template

Threat mitigation is an important part of the security development lifecycle (SDL) and at NCC Group we have been performing a number of threat modeling workshops focused specifically on the automotive sector. Considering the increasing research and media attention in relation to connected cars, it is fundamental to understand the threats…


Building WiMap the Wi-Fi Mapping Drone

We’ve published a whitepaper about how we built WiMap, which is a Wi-Fi mapping drone.  The paper includes details of the methods used to create, from parts, a hexacopter capable of being controlled over 3/4G and equipped to perform wireless and infrastructure assessments. We’d love to hear your feedback. Download…


Drones: Detect, Identify, Intercept, and Hijack

Drones have become readily available and more affordable. They are quite easy to use now and gone are the days whereby stable flight relied on the dexterous skills of an experienced operator. With the addition of GPS positioning, a drone operator can program a flight path using point-and-click software and…


Vehicle Emissions and Cyber Security

Vehicle emissions and cyber security Recently Volkswagen admitted to installing “defeat devices” (software that manipulates the level of emissions of gases such as nitrogen oxide (NOx) from their vehicles during regulatory testing) in millions of its diesel cars. However, excessive levels of NOx are not the only concerning emissions from many of today’s…


Build Your Own Wi-Fi Mapping Drone Capability

This blog, as the name implies, discusses how I went about designing and building our initial Wi-Fi mapping drone capability (and you can too, hopefully). Before we begin, a brief disclaimer: we sought legal advice and complied with relevant laws. Before you embark on such a project, make sure you…


Broadcasting your attack – DAB security

Digital Audio Broadcasting (DAB) radio receivers can be found in many new cars and are often integrated into what has become known as the “infotainment system” – typically a large screen in the dashboard that the vehicle occupants interact with to control anything from what music is playing, to making…


DARPA OnStar Vulnerability Analysis

In a report [1] by US TV show “60 Minutes” about DARPA [2] and the Internet of Things, the Department of Defence has shown that it can hack the General Motors OnStar [3] system to remotely control a last-generation Chevrolet Impala. DARPA has been investigating the cyber security of vehicle systems and…