Domain: dhanjani.com
Stories and comments across the archive that link to dhanjani.com.
Stories · 5
-
Security Evaluation of the Tesla Model S
An anonymous reader writes: "Nitesh Dhanjani has written a paper outlining the security mechanisms surrounding the Tesla Model S, as well as its shortcomings, titled 'Cursory Evaluation of the Tesla Model S: We Can't Protect Our Cars Like We Protect Our Workstations.' Dhanjani says users are required to set up an account secured by a six-character password when they order the car. This password is used to unlock a mobile phone app and to gain access to the user's online Tesla account. The freely available mobile app can locate and unlock the car remotely, as well as control and monitor other functions.
The password is vulnerable to several kinds of attacks similar to those used to gain access to a computer or online account. An attacker might guess the password via a Tesla website, which Dhanjani says does not restrict the number of incorrect login attempts. Dhanjani said there is also evidence that Tesla support staff can unlock cars remotely, leaving car owners vulnerable to attackers impersonating them, and raising questions about the apparent power of such employees to locate and unlock any car with or without the owner's knowledge or permission. In his paper, Dhanjani also describes the issue of Tesla's REST APIs being used by third parties without Tesla's permission, causing Tesla owners' credentials to be sent to those third parties, who could misuse the information to locate and unlock cars." -
Hacking Lightbulbs To Cause a Sustained Blackout
An anonymous reader writes "Researcher Nitesh Dhanjani just published an evaluation of the Philips Hue wireless lighting system that is available at Apple stores (and online). These lightbulbs come with a wireless bridge that you can control from your iPhone. Dhanjani has published a video demonstrating a vulnerability he found that can be exploited by malware to cause a sustained blackout. The video shows how the malware script can continuously turn the light bulbs off. Dhanjani also discusses other scenarios such as the systems' tie in with IFTTT (If This Then That) to cause a blackout by tagging a Facebook user on a completely black photo. Lots of interesting ideas on security vulnerabilities targeting future malware and smart devices. The paper can be downloaded here (PDF)." -
Hacking Lightbulbs To Cause a Sustained Blackout
An anonymous reader writes "Researcher Nitesh Dhanjani just published an evaluation of the Philips Hue wireless lighting system that is available at Apple stores (and online). These lightbulbs come with a wireless bridge that you can control from your iPhone. Dhanjani has published a video demonstrating a vulnerability he found that can be exploited by malware to cause a sustained blackout. The video shows how the malware script can continuously turn the light bulbs off. Dhanjani also discusses other scenarios such as the systems' tie in with IFTTT (If This Then That) to cause a blackout by tagging a Facebook user on a completely black photo. Lots of interesting ideas on security vulnerabilities targeting future malware and smart devices. The paper can be downloaded here (PDF)." -
Apple Fixes Safari "Carpet Bomb" Windows Vulnerability
Titoxd writes "Apple has released a new version of Safari that fixes the carpet bomb vulnerability in Safari 3.1 for Windows. This comes in the heels of Microsoft recommending against using Safari in Windows, as well as the release of code exploiting this vulnerability." -
Microsoft Urges Windows Users To Shun Safari
benjymouse writes "The Register has picked up on a recent Microsoft security bulletin which urges Windows users to 'restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.' This controversy comes after Apple has officially refused to promise to do anything about the carpet bombing vulnerability in the Safari browser. Essentially, Apple does not see unsolicited downloads of hundreds or even thousands of executable files to users' desktops as being a security problem." Now while downloading a hundred files to your desktop won't automatically execute them, Microsoft's position is that a secondary attack could execute them for you.