SS-NEWS-139: Maximum Overdrive Apocalypse?

Episode 136 March 25, 2024 00:29:41
SS-NEWS-139: Maximum Overdrive Apocalypse?
Security Serengeti
SS-NEWS-139: Maximum Overdrive Apocalypse?

Mar 25 2024 | 00:29:41

/

Show Notes

This week we discuss eSIM Stealing (not swapping!), the EPA attempting to secure water systems again, and the coming, future Maximum Overdrive like Apocalypse where Big Rigs become the dominant life form.

Article 1 - SIM swappers hijacking phone numbers in eSIM attacks
Supporting Articles:
About eSIM on iPhone
I Stopped Using Passwords. It’s Great—and a Total Mess

Article 2 - US task force aims to plug security leaks in water sector
Supporting Articles:
Official says 'hack' of Oldsmar city water treatment plant in 2021 didn't happen
Top Cyber Actions for Securing Water Systems

Article 3 -  Truck-to-truck worm could infect – and disrupt – entire US commercial fleet

If you found this interesting or useful, please follow us on Twitter @serengetisec and subscribe and review on your favorite podcast app!

View Full Transcript

Episode Transcript

Transcript is generated via AI and there ARE errors. 
 [00:00:00] 
 David: Welcome to the Security Serengeti. We're your hosts, David Schwendinger and Matthew Keener. Stop what you're doing and subscribe to our podcast and leave us an awesome five star review and follow us at SerengetiSec on Twitter. 
 Matthew: We're here to talk about cybersecurity and technology news headlines, hopefully provide some insight, analysis, and practical applications that you can take in the office to help you protect your organization. 
 David: And as usual, the views and opinions expressed in this podcast are ours and ours alone and do not reflect the views or opinions of our employers. 
 Matthew: We have an announcement that we'd like to make. Saturday Night Live has acquired this podcast and David and I are going to be added to the writers room at SNL. We are finally being recognized for our true talents, writing jokes. 
 That's not a comment. There it comes. 
 David: No, I'm just waiting for that first check to clear. 
 Matthew: Yeah. Yeah. Finally made it. We finally made it. 
 David: All right. First article, SIM swappers hijack phone numbers and e SIM attacks. This comes to us from bleeping computer. So SIM swappers are now stealing target phone numbers [00:01:00] by porting the new porting it into new e SIMs that they control. So I would actually call this SIM stealing rather than SIM swapping. 
 Cause the old method, what's that? 
 Matthew: You're not swapping anything. There's nothing being swapped. 
 David: Yeah, exactly. The old, the old method in attack, you know, you would convince a telco or, or have a telco insider swap the SIM that's associated with the phone number to one that the attack controls. But in this instance, technically it's the same SIM. It's just the phone and the owner have changed. So, 
 Matthew: it. This is, we're good to go. I 
 David: So the embedded subscriber identity module, that's what the eSIM stands for, is a virtual SIM card that's stored on the chip in a mobile device and acts like a physical SIM, but the eSIM can be remotely reprogrammed, provisioned, deactivated, and swapped and deleted. What could possibly go wrong with that, right? 
 Matthew: mean, it's super useful. Like, to get your sim swapped, you've got to go to a store. Whenever something's wrong with your sim. But with [00:02:00] the digital ones you can do it remotely. It's very convenient. 
 David: Well, I mean, here's another advantage that I didn't even realize until I looked it up. But if you have an iPhone, you can install eight or more eSIMs on an iPhone and use two phone numbers at the same time. 
 Matthew: That's really cool, actually. Mm hmm. 
 David: And it's pretty neat because imagine, you know, you, what's always annoying is carrying around two phones for your personal phone and your work phone. You just have. Two phones on one phone, essentially that would be handy, but I mean, that wouldn't necessarily work out in the corporate environment, really, because they want you to have email and Webex or whatever chat on your business phone too. 
 So that doesn't exactly work out. Right. 
 Matthew: Like if you use something like Zemperium, it doesn't look at necessarily look at everything on your phone. It only, it keeps like the corporate stuff separate and keeps it walled off. So you could still have two phone numbers. So you don't have to give out your home phone number, your personal phone number. 
 You can give out a separate phone [00:03:00] number. In fact, you could frankly almost use them like those email addresses. You know, having like a spam email address and you see, oh, they're calling this phone number. This is the one that I give out to all the vendors. Ignored. Of course, you could just do that with Google Voice. You don't need to have multiple phone numbers on your phone. So, 
 David: Yep. But the handset manufacturers, they're happy to reclaim the physical space that, that, that the physical SIM takes up right now. Right. To allow, you know, the construction of smaller devices or to use that space for something else. 
 Matthew: or just save a couple bucks and not put something in there. 
 David: Yeah, I'm sure it does save some money on wiring or, or whatever that, that, that eSIM slot has to connect into and everything as well. 
 The way that they get in initially is the attackers. Attack the user's mobile phone account, know, so they brute force it or use stolen creds or whatever in order to get into the mobile phone account. That's how they initially get in and then they port the victim's phone to another device without involving the, the telco [00:04:00] directly. 
 They just use it, do it through the, the victim's telco account. 
 Matthew: mean, I could use some help with that. I can't even get into my own damn telco account. 
 David: That's by design. Well, 
 Matthew: laugh, but I have not been able to log in. I have, I still have to go into the damn store. 
 David: I guess you can't fix it when you go into the store either. Cause the online account and the store are 
 Matthew: told me they fix it. They told me they fix it. They're like, yeah, you should be good to go. And I never am. 
 David: Awesome. 
 Matthew: Yeah, it's amazing. 
 David: And of course the second that they, the SIM is swapped, then the old, the old, the, the original owner or the old handset stops working. So they have to go then go to a physical location or user, or you use a computer to contact the telco and, and figure out what the problem is. 
 Matthew: Because once they, once their phone number no longer works, although I guess they could potentially log into their account if they can, but given that most places don't do decent chat support or anything like that by the time you get it fixed, it's probably way too late. 
 David: Well, the thing is, if the attacker [00:05:00] has control of your telco account, they could change your password and you're not going to do anything over the computer either. You're going to have to go to a physical store and get it sorted out there. 
 Matthew: Sounds about right. 
 David: And of course, once, once the attackers have. Your phone number, then any SMS MFA codes or whatever are going to be sent to them now. And they could also use your phone number for any messaging apps that are tied to that phone number also. 
 Matthew: And this really seems like the best the best use case for them. Because this is always something I've always really wondered about. A little SIM swapping to break into somebody's account. It just seems like such a pain. You have to figure out, you know, what phone number they have, what what telco they have, you have to go and find somebody willing to actually physically make the sim swap for you. 
 It always seemed very fraught, and now with this eSIM, like, ah, we can just do it from our, you know, relaxing hotel rooms in China, or Russia, or Eastern Europe, or London, like, we can just do [00:06:00] it from wherever now. 
 David: And you don't have to have any foreign knowledge either, because what you, what you do is you break into their, their telco account, right? You don't know 
 Matthew: Yeah. Now you've got their phone number too. 
 David: You just do that automatically. It's the, like the, The telco account and your email account are like the two accounts you absolutely do not want to lose control over under any circumstances or, you know, have an attacker break into either one of those two. 
 Matthew: Yeah. I mean, they still have some work to do because breaking into the phone number. Like you break into that telco account and you're like, all right, so now I have a phone number, but then I guess, okay, nevermind, no, because to break into the telco account, you may have the email already, because you may, you may and then 
 David: if nothing else, you're going to have their profile that's associated with the telco account, which is going to have their email 
 Matthew: have an email, yeah, and then you go and check out the leaks and figure out where they have accounts, even if they've changed the password, they still have that account, and then you can use the 2FA, or you can use the leaked password with your, their bank, where you weren't able to get into it before because you needed 2FA, and now you have the 2FA. 
 David: [00:07:00] Right. Exactly. 
 Matthew: Yeah, so at this point, they're hitting targets of opportunity. They're not targeting people specifically. They're getting into anybody's account, then going back and seeing if they have, or I guess they could be, and I shouldn't say that they are doing that. I don't know if that's what they're doing, but then they could go back and check the leaked data and see like, all right, well, what can we do with this? 
 David: Right. And imagine if a telco does lose control of user accounts and they're, they're involved in a breach, you know, say, say AT& T, you know. Right. Gets all their user account data stolen. 
 Matthew: Oh boy, 
 David: You know, that would be very bad. 
 Matthew: a little bit, a little bit. 
 David: But what you can do about it is you really need to secure that telco account to your best to your, the best of your abilities. You know, like if they offer it switch to pass keys rather than a username and password for it. 
 Matthew: So PASCY, so this is interesting. This is actually, there's an article that we did not look at that I kind of wish we had that came out about a month ago from WIRED, [00:08:00] try and find it and stick it in the show notes. But it's talking about a guy who decides to go ahead and try the whole PASCY thing. And it turns out he has a lot of trouble making it work. 
 So PASCYs, we've talked about this before. They are they use asymmetric cryptography. You keep a. Encrypted piece of information on your system. And then you use the login for your computer, you know, the password for your computer, the face I. D. On your phone or whatever that allows that certificate validate. 
 You are who you say you are. The problem is, is that little piece of code only resides on one machine at a time if you don't have a way to share it. So if you set up your past key on your computer, the past key only works on your computer unless you you have some easy way to share between them and password managers is the obvious answer here. 
 Password managers already kind of do that for your passwords, but some of them do not support pass keys just yet. So in the article, he specifically mentions that he uses Bitwarden and Bitwarden does not use pass keys. [00:09:00] So he ended up with some pass keys on his phone, some pass keys on his computer. And it turned out to be a bit of a pain in the butt. 
 David: Well, if you use a pass key to get into your password manager, then what do you do? 
 Matthew: I don't know. I don't know. I, I honestly, and then the article, you know, talked to somebody and they said the, some expert in this, and they said that the technology on the backend is mature and ready to go, but the technology on the front end is not a hundred percent there yet. So that's it. They're, they're working on it. 
 Everybody's pushing it. At this point in time, every time I log into Amazon, it's asking me about a pass key. Every time I log into Google, it's asking me about a pass key. So I don't know, maybe I'll try it. Maybe, maybe we should do that. We should do an in depth investigation of passkeys. 
 David: Cause nobody, nobody else has done that before. 
 Matthew: Well, it'll be our first that'll be the first skit that we work on for SNL. So it'll be funny and we'll be educating people. Yeah. 
 David: It'd be like schoolhouse rock. 
 Matthew: Oh my God. Did you ever [00:10:00] see the SNL with the the, the, the railway guy and Will Farrell and Cameron Diaz? And they're, they're, they've got letters on their front and they're spelling out words. Yep. 
 David: no, no, you, you, you stand over here. 
 Matthew: Yeah. Yeah. And he keeps like trying to go over to the front of the line and he like tackles him and attacks him. Back when SNL was funny. 
 David: yeah. All right. But if you don't use pass keys and you are in, you're setting up MFA, use a time based token if that's offered versus SMS. 
 Matthew: And you know what, and don't take it, don't take my word for it on the PASKEYS thing. I read an article, this is third hand knowledge, like maybe it's already improved or maybe your password manager supports PASKEYS and that is yeah, so don't, don't just like listen to me. I know that I'm an influencer and our audience of thousands 
 David: Well, at least going back to the, going back to the Bitward, Bitwarden has that on the roadmap. So they're, they are working on that. 
 Matthew: I need to check at mine [00:11:00] supports that. 
 David: And of course, for the password for your telco account, make sure it's an extremely strong and random password that you're storing in your password manager. And also have MFA set up on your telco account. 
 Matthew: Yeah they guessed my password of one, two, three, four, five, six. So I have increased the complexity and it is now one, two, three, four, five, six, seven, but the seven is a word. 
 David: Genius. 
 Matthew: That's actually probably not terrible. 
 David: Better than most. Or some, anyway. 
 Matthew: Better than some. 
 David: Alright, going on in the second article, U. S. Task Force aims to plug security leaks in water sector. 
 Matthew: How clever. Is that a register headline? 
 David: Of course it is. 
 Matthew: Ah, look at it. 
 David: Any witty headline is going to be the register. 
 Matthew: Yeah, so true. 
 David: All right. So the U S government is urging state officials to band together to improve cybersecurity of the count, the country's water sector. 
 Matthew: Yeah, because an [00:12:00] Iran backed group attacked the municipal water authority of Al Aqeeba and some other utilities that weren't named and has generated, quote, heightened awareness, unquote, of the security vulnerabilities of water utilities. 
 David: Did you look up how to pronounce that? That sounded actually pretty, pretty rehearsed. 
 Matthew: No, I did 
 David: I would have totally mutilated that. 
 So of course this means you should be afraid of Iran and China. That's the whole point of this. 
 So let us say volt typhoon is seen as pre positioning itself for potential war slash conflict. And unless you're unaware Volt Typhoon, that is associated with the Chinese government, according to them. 
 Matthew: I can't believe it. They would never do such a thing. 
 David: No. I mean, the, the, the thing is that, if China wanted to mess with the United States, they would not do this. They have much more devastating ways to, to, to mess with the United States. And then to attack our water supply, but it sounds scary to the average American. 
 Matthew: How long would it take for [00:13:00] us to go without showers? Just imagine. The whole world. But it's a magic, the gathering convention. 
 David: Well, I think magic get the gathering conventions already smell like that. 
 Matthew: That's my point. The whole world's going to smell like that. We're all going to smell like that. All right. 
 David: But Michael Reagan, the EPA administrator is quoted as saying the EPA and the national security council take these threats very seriously. And we'll continue to partner with state environmental health and Homeland Security leaders to address the pervasive and challenging risk of cybersecurity attacks on water systems. 
 Matthew: That was a lot of fine sounding words. We can all relax now. I think 
 David: Yep, they've got this well under control. 
 Matthew: top men. 
 David: So the EPA is looking to create a task force to address this because a task force will certainly solve any of these problems for disparate water systems of which there are thousands, if not tens of thousands of them across the entire United States. [00:14:00] Thanks. But they will be building upon a existing initiatives like the 2023 roadmap to secure and resilient water and water waste sectors. 
 Matthew: Well, thank God. 
 David: Yeah, I don't. It sounds like they solved this last year with that initiative. 
 Matthew: this next part is going to be real fun. 
 David: But there was a meeting that just occurred on the 21st between the state secretaries of environment, health, and Homeland security departments that will discuss recommendations. So I'm sure a lot of really great ideas are going to come out of that. 
 Matthew: It seems like those are the right people to have in the room to solve the problem. What was it? Secretaries. Yeah. Yeah. Yeah. Secretaries of environmental health and Homeland security departments. Yep. Those are the experts in cybersecurity and in water systems. 
 David: Yeah. And we've seen how great they've done at all these things. 
 Matthew: Get the feeling you're not serious. 
 David: I'm never serious. But the EPA is [00:15:00] stating that even the basics are not being done with these water municipalities leaving default manufacturer passwords and failing to patch. 
 Matthew: All right. This actually pisses me off. I. Like there's another article we're going to talk about next. It's very similar. Cyber security as a, as a industry is like 30 plus years old. Like I get it in the eighties, it was kind of in its nascency, the nineties, it started really coming to its own. And in the two thousands was really when everybody, so it's like, Oh, we have to do this security thing. 
 But how are we still, and the news is full of ransomware stories. Like every day we're bombarded with news stories about other countries breaking in and ransomware and just, and we are still, companies are still delivering equipment with default passwords assigned and companies are still not patching anything. 
 I do not understand how these people are in charge of anything. 
 David: Well, they just need more money, [00:16:00] Matt. 
 Matthew: Jesus Christ. 
 David: All right, but this is the second time the EPA has tried to address this. The first time multiple state attorney generals filed lawsuits stating it was infringing, infringing upon state sovereignty. 
 Matthew: Yeah, I, and honestly, I do see this as kind of a weird place where the state sees that there is a problem and I'd agree that there is a problem. Like, if. These places are truly not patching and using default , using default credentials and stuff like that. I don't know though. How do you solve it? 
 You just let the countries do what they want to. And if they screw up and kill some of their citizens, you're like, well, that's what you get for living in that state. 
 David: Well, the thing is, this is not going to be solved by a top down directive because there's too many individual organizations that need to address this. I'd have to think more about it, exactly how I would address this, but there has to be some kind of incentives or something in order to, 
 Matthew: Economic incentives. You don't get any more government funding. If you don't patch your shit, you get off the government [00:17:00] teat. 
 David: Well, maybe. 
 Matthew: Yeah. Could do that with a lot of things. I think of course. 
 David: Well, you know, then the, then the water municipalities would just turn that around and just say, well, our, our citizens are just going to drink shit then because we don't have the money to actually treat the water. 
 So of course they said, well, the reason that we even need to do this is there's precedent behind these, these the necessity to do this work, right? And of course, the first one is the Municipal Water Authority of Alpiquba in Western Pennsylvania. That happened last November where a compromised programmable logic controller made by Utronix the device screen for it displayed an anti Israeli message. 
 And based on what I read, that was, that device is attached to a pump of some sort and get specific about what it pumped or anything, but it didn't even do anything necessarily other than have this display on the screen. So the, the idea there is that it could have done something, but it didn't. [00:18:00] So there could have been a risk there, but didn't, but the other one that's pretty big that everybody probably heard about what initially happened was the Florida, Florida Pinellas County. 
 Old smar water treatment system which was supposedly hacked a couple of years ago, where the water supply was flooded with levels of sodium hydro hydro dioxide more than a hundred times more than the normal account. But it turns out that that is not exactly what happened. So Alan Braithwaite, the old smart city manager said it was a non event, which may have been caused by a mistake by the same employee who was called. 
 A hero for catching the problem 
 Matthew: I mean, he could have not caught the problem. 
 David: or he could have fessed up to say, yeah, my bad, instead of saying I was hacked, I didn't do it. 
 Matthew: Yeah, I don't know. I don't know if he. Knew it or not. 
 Yeah, I mean it could have been worse and frankly I'm a little astounded that there [00:19:00] weren't safeguards in place to prevent an employee from accidentally poisoning people in the water plant water treatment plant 
 David: well, I think the reason that he caught it is it flashed up a warning and said, Hey, this is incorrect. 
 Matthew: Hmm. 
 David: Ratio, and he's like, oops, and then he changed it back. And probably when his supervisor came and yelled at him, he's like, I didn't do it. It was a hacker. It 
 Matthew: Wasn't me 
 David: wasn't me. 
 Matthew: saw me turning on the valves wasn't me 
 David: All right. And of course, this is just more government fear mongering. So you need to be afraid and giving them more power and more money to do whatever is, whatever shenanigans they're going to do. Because here's the list of what their top cyber actions for security water systems are. These are awesome. 
 So you get a pen and paper, get ready to write these down, because you probably have not heard this before. Reduce exposure to the public internet, conduct regular cybersecurity assessments, change default 
 Matthew: how are they gonna work [00:20:00] from home If they don't have remote access into their systems, how are they going to turn the water on and off from home? That 
 David: That is a good point, Matt. 
 Matthew: Oh boy. 
 David: Change default passwords immediately, induct an inventory of operational technologies, assets, develop and exercise cybersecurity incident response and recovery plans, back up OT IT systems, reduce exposure to vulnerabilities 
 Matthew: My God. 
 David: and conduct cybersecurity awareness training. 
 Matthew: Oh, I mean, they hadn't been patching vulnerabilities and reusing the default configs apparently anyway. So maybe they did need to be told this. 
 David: Yeah, well, they could have asked CHAT GPT and CHAT GPT would have given them as good a list, if not better. 
 Matthew: Yeah. But think of all the six figure consultants that this is keeping in business 
 David: Well, that's what the task force is for 
 Matthew: Yeah. Yeah. We're job creators now. 
 David: and that's what the government does. 
 Matthew: You're not [00:21:00] wrong. I find, aren't they like the largest employer in the United States? 
 David: I think so. 
 Matthew: second 
 David: Well, virtually, if you look at the jobs reports that have been coming out, Almost all of them are dominated by government employee jobs. 
 Matthew: yeah, 
 David: And those that aren't are usually part time or service sector hospitality sector jobs. So not great. 
 Matthew: no, definitely not great. I listened to an interesting podcast about the Luddites earlier today. 
 David: Now with the shoes and the looms 
 Matthew: no, not the, not the, 
 David: not the original Luddites. 
 Matthew: Yeah, the one, these are the ones in Britain. But they were artisan workers, and they were sabotaging, because that's where sabotage comes from, is the Dutch word for sabo, for chew. But no, these were the English. And it was like a Sherwood y myth about someone named Ludd. 
 Anyways, that's totally not related to what we're talking about, so. 
 David: guess we're the, it was started off with the Dutch and then realized the Luddites were British.[00:22:00] 
 Matthew: No, I think, I think sabotage is Dutch. I think that the Luddites is definitely British. 
 David: All right. And for the last article, we have truck 
 Matthew: hold on, this is mine, go away. 
 David: All right. All right. All right. Go ahead. 
 Matthew: So we have a bonus article. We had three articles and then I added this one because I am greedy and so we're probably going to split this into two separate discussions and you'll hear the rest of it next week. This article is From the register as well. They're all, it's all from the register. 
 Truck to truck worm could infect and disrupt entire us commercial fleet. So summary us commercial trucks are required to use ELDs, electronic logging devices, which monitor the driving hours, the miles driven engine usage, et cetera. If you're one of our many singles of listeners outside of the U S yes. 
 Commercial truck drivers are pretty limited. They have a certain number of hours they can drive during the day and this is part of how they keep watch over them. So it turns out you can connect to these ELDs via Wi Fi and Bluetooth. Probably makes it easier to offload the data. You know, the truck drivers [00:23:00] can connect their laptop in it and, you know, check how many hours they've driven, miles they've driven, etc. 
 And they use the control area network bus to communicate with the engine. You added this. I think, isn't that the bus that like runs along 
 David: the CAN bus is what controls the entire vehicle. 
 Matthew: Yeah. Just plugged right directly into that. 
 David: Well, one thing to note here that a lot of people don't realize is on the larger trucks the entire truck is Wi Fi enabled and they will actually adjust the engine from the centralized control point for the trucking company based on where the truck is at. Based on their GPS location. So if the truck is about ready to go up a steep grade it'll relay those GPS coordinates back to the central computer at the, at the trucking company and the trucking company will then adjust the engine on the fly to be ideally configured to, in order to go up that steep grade. 
 Matthew: Interesting. I had no idea. We're just, we're so close to self driving trucks, which [00:24:00] makes the rest of this that much worse. 
 David: Yeah, it makes me think of you've seen Logan, right? The last Wolverine movie 
 Matthew: Mm hmm. 
 David: where they had the trucks, which were basically just flatbeds, Holland all hauling cargo, there were no like cabs or anything on them. 
 Matthew: Yeah. All right shockingly, much like apparently water systems these have no security. They ship with a default open API that allows over the air updates. I see no way this can go wrong. 
 David: No, you're talking about all the advantages, Matt. I don't, not seeing the downside here. 
 Matthew: This is how they, this is how they update it. They just drive by and update it as they go by. So there's a story. Called trucks in Stephen King's night shift where the trucks become sentient and start killing people. This was turned into the movie Maximum Overdrive. 
 David: Yeah. And we lose. 
 Matthew: And I hadn't seen a future where this could become reality. I was actually talking with my wife about this last night. And I was just, just kind of verbally spitting, like just verbally figuring out all the things you [00:25:00] could do with this. I was like, you know, what if, what if you had a self driving truck and somebody created a worm that went around and infect all the trucks it could. 
 And on a certain date, it turned off recognition of humans. In the road as something to stop for, like just all of a sudden you'd have just trucks, like running over people that were crossing in front of them or turn off stop signs or something like that. Just mess with the self driving algorithm. 
 Probably take you a couple of days to figure out what's going on. Or the opposite. Like, I don't know, maybe you can make them seek out humans. It'd be really anyways. Oh, 
 David: than that, though, and tie it into a larger global conspiracy, so you know where everyone's cell phone is at, then you only turn it off when you want to kill the person whose cell phone is near the truck, and just have the truck run them over, 
 Matthew: Yeah. Cause it would only, it'd be an accident. I'd be like, Oh no, something went wrong with this up. You're right. Cause if it, if trucks everywhere started running over people, they'd figure out pretty quickly, something drawn, it'd be like, turn off the trucks. 
 David: Yeah, so you use it for targeted assassination.[00:26:00] 
 Matthew: Oh, that's wild. Yeah, because if it happens, you know, if it happened even a half a dozen times, they'd be like, Oh, you know, it happens. It's not perfect yet, but it's still better than, you know, human accidents. Hmm, I wonder if we probably do that with cars too. All right, anyways, 
 David: Yeah, and they actually did the testing on this on a moving 2014 Kenworth T270 truck, which is a big truck. 
 Matthew: yeah, 10 year old truck too. I'm kind of surprised that it had that much computing power on it, that it'd be vulnerable to this. But I guess they all have to have these ELD devices. Yeah. 
 David: Yeah, I mean, it probably retrofit whenever, did you I didn't read anything in there about the law that dictated this, but I'm sure they went back and there was some law that said it had to be in there and then they went back and retrofitted any truck that didn't have it. 
 Matthew: I guess the question is on the older trucks, like how much actual control it has over the truck. 
 David: Mm hmm. 
 Matthew: Like a read only or something like that. 
 David: Right. 
 Matthew: So the article points out you can literally do this as a drive by and I collapsed [00:27:00] into laughter after reading that because that was the funniest thing that I had heard all day. Literally just different drive bys. So of course the idea behind this is you can infect one truck and you can let it infect every other truck it meets until, you know, whatever D Day is that you decide to do it. 
 David: Yep. And imagine if you did this at a truck stop or at a weigh station, then you could infect a whole bunch of trucks almost all at once. 
 Matthew: And then they all go different 
 David: And then they all go in different directions. And it's like a epidemic. 
 Matthew: My wife gives me weird looks when I start talking about stuff like this. It's like. 
 David: Why would she do that? 
 Matthew: I don't know. She's just, I guess she's not expecting me to start hypothesizing how to, you know, bring about the ruination of 
 David: The collapse of the world. 
 Matthew: you know, the collapse of our supply chain by screwing with all the truck, all the trucks. 
 All right. So what should we do about it? I have an idea. How about we stop having everything connect to the internet with open APIs and default credentials? I know, [00:28:00] I know it's a stretch and it's wild. Okay. I know, what do you think, David? 
 David: I think I would not know my toast is like, if I don't have my toaster connected to the internet, whether it's brown sufficiently or not. 
 Matthew: yeah, yeah, you gotta, you gotta be able to look into your refrigerator so you can see what to buy when you're at the store. We, we don't have any technology to solve that problem, except for cameras in our fridges. 
 David: It's set off an alarm when you go in and get that extra couple ice cream, 
 Matthew: Actually, I could probably use that, honestly. Yeah, he yells it and like texts my wife and says, he's eating more sugar. 
 David: but yeah, if you recall back in episode 70, we talked about the 
 Matthew: don't. 
 David: Threatened 1. 5 million vehicles with disruption, which was a similar problem with a GPS add on to fleet vehicles. 
 Matthew: oh, that was the one where you could buy it from like AliExpress or something. 
 David: Yeah. For like 20 
 well, that looks like that's all the articles we have for today. Thank you for joining us and follow us at SerengetiSuck on Twitter and subscribe on your favorite [00:29:00] podcast app. 


Other Episodes

Episode 29

October 04, 2021 00:35:04
Episode Cover

SS-RPRT-029: Verizon 2021 DBIR

In this episode we dive into the 2021 Verizon DBIR at a medium level of depth.  Rather than going through all (100+!) pages in...

Listen

Episode 125

September 12, 2023 00:32:26
Episode Cover

SS-SUBJ-125: Detection Posture Management

Today we take a look at some tools that provide "Detection Posture Management", which is the fanciest way I found to describe it.  These...

Listen

Episode 24

August 29, 2021 00:35:44
Episode Cover

SS-NEWS-24: Amazon monitoring keystrokes, CAPTCHA's hiding Cred stealing

In this week's episode, we discuss Amazon tracking keystrokes, attacker's using CAPTCHA's to hide credential stealing sites, and a bonus article that we decided...

Listen