The Nigerian Communications Commission (NCC) would like to inform telecom consumers and members of the public about an ongoing cyber-vulnerability which allows a nearby hacker to unlock vehicles, start their engines wirelessly and steal the cars.
Given that car remotes are short range devices that use radio frequency to lock and unlock cars, the Commission felt the need to inform the public about this emerging threat. Hackers can exploit these vulnerabilities to open and start compromised vehicles.
According to the Computer Security Incident Response Team (CSIRT), the Cybersecurity Centre for the Telecom Sector established by the NCC, the vulnerability is a Man-in-the-Middle or replay attack: an attacker intercepts the RF signals sent from a remote key fob and alters or re-sends them to unlock the car.
It is possible to manipulate captured commands to re-transmit them for a different outcome.
“Multiple researchers disclosed a vulnerability, which is said to be used by a nearby attacker to unlock some Honda and Acura car models and start their engines wirelessly.
The attack consists of a threat actor capturing the radio frequency (RF) signals sent from your key fob to the car and resending these signals to take control of your car’s remote keyless entry system,” the advisory stated.
The NCC-CSIRT has provided some solutions or precautionary measures that car owners can adopt to avoid being a victim of the attack.
According to the Cyber-Alert Unit of the Commission, “When affected, the only mitigation is to reset your key fob at the dealership. Besides, the affected car manufacturer may provide a security mechanism that generates fresh codes for each authentication request, which makes it difficult for an attacker to ‘replay’ the codes thereafter.
Additionally, vulnerable car users should store their key fobs in signal-blocking ‘Faraday pouches’ when not in use.”
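As an added illustration that is not part of the NCC advisory, the Python model below shows why the “fresh codes for each authentication request” mitigation defeats the replay attack described above: a fixed-code receiver accepts a captured message a second time, while a rolling-code receiver that checks a counter and an authentication tag rejects it. The key, counter window and message layout are constructed for the demo and do not represent any manufacturer’s protocol.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key-16B"  # constructed shared secret between fob and car


class StaticReceiver:
    """Legacy fixed-code receiver: the fob always sends the same bytes."""
    def __init__(self, code):
        self.code = code

    def accept(self, msg):
        return hmac.compare_digest(msg, self.code)


class RollingFob:
    """Fob that sends a fresh counter plus a tag over it on every press."""
    def __init__(self, key):
        self.key, self.counter = key, 0

    def press(self):
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        return ctr + hmac.new(self.key, ctr, hashlib.sha256).digest()[:8]


class RollingReceiver:
    """Accepts only a correctly tagged counter that is newer than the last one seen.
    The window tolerates presses made out of range of the car."""
    def __init__(self, key, window=16):
        self.key, self.window, self.last = key, window, 0

    def accept(self, msg):
        ctr, tag = msg[:4], msg[4:]
        expected = hmac.new(self.key, ctr, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted message
        counter = int.from_bytes(ctr, "big")
        if not (self.last < counter <= self.last + self.window):
            return False  # stale (replayed) or too far ahead (resync needed)
        self.last = counter
        return True


def replay_against_static():
    """Returns (first use, replay of the same bytes) for a fixed-code receiver."""
    car, captured = StaticReceiver(b"\x12\x34\x56\x78"), b"\x12\x34\x56\x78"
    return car.accept(captured), car.accept(captured)


def replay_against_rolling(key=KEY):
    """Returns (legitimate press, replay of that press, next fresh press)."""
    fob, car = RollingFob(key), RollingReceiver(key)
    captured = fob.press()
    return car.accept(captured), car.accept(captured), car.accept(fob.press())
```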
Importantly, car owners in the affected category should opt for Passive Keyless Entry (PKE) rather than Remote Keyless Entry (RKE). This makes it harder for an attacker to read your signal, because criminals would need close proximity to carry out the attack.
The PKE is an auto security system that unlocks the vehicle’s doors when the user is within close proximity.
The RKE system, on the other hand, represents the standard solution for conveniently locking and unlocking a vehicle’s doors and luggage compartment by remote control.
In a related advisory, based upon another detection by CSIRT, the NCC wishes to inform the public about the resurgence of Joker Trojan-infected Android apps on the Google Play Store.
This was caused by criminals who downloaded legitimate apps from the Google Play Store, modified them with Trojan malware, and then uploaded the apps to the Play Store under new names.
The malicious payload is only activated once the app goes live on the Play Store, which enables the apps to get through Google’s strict evaluation process.
Once downloaded, these apps will ask for permissions. Once granted, they can have access to important functions such as notifications and text messages.
A compromised device can be used to subscribe users unwittingly to premium services, billing them for services they did not request. The device can be used to commit SMS fraud without the owner being aware.
It can click on online ads and use SMS One Time Password (OTPs), to approve secret payments.
The user will not be aware that an online service has been subscribed to unless they check their bank statements. The malware can also steal text messages, contacts and other data from the device.
Android users are advised not to download unnecessary apps or install apps from unofficial sources in order to avoid being manipulated by hackers who deploy Joker Trojan-Infected Android apps.
The NCC wants to remind telecom consumers that any app downloaded from the Google Play Store should be thoroughly vetted by reading its reviews and assessing its developer, and that only the permissions the app actually requires should be granted.
NCC recommends that all unauthorised transactions against any app be verified. Apps that are not being used should be deleted. Users are advised to make sure their devices are always updated with the most recent software.