A look into Corporate fraud in Australia, Stranglehold of Monopolies, Telecom's Oppression, Biased Law System, Corporate influence in politics, Industrial Relations disadvantaging workers, Outsourcing Australian Jobs, Offshore Banking, Petrochemical company domination, Invisibly Visible.
It's not what you see, it's what goes on behind the scenes. Australia, the warrantless colony.
Profits before health, we’ll deal with the litigation IF it ever arises, (lol - at the litigants) where we’ll even gaslight them if we must.
We’ll even scam the consumer on an extended warranty, while we're at it!
SO, here’s the deal.
A watch sold by JB Hi-Fi, namely the NOTHING brand’s CMF Watch Pro 2, carries a couple of serious health warnings.
On the back of the original box, the warning states:
“CANCER AND REPRODUCTIVE HARM-”
Source: TechSpurt
The watch also does not have WiFi or cellular connectivity, only Bluetooth and GPS.
Well, you can’t argue that you weren’t told, right?
After it’s too late and you bought the product, or you missed that warning?
BUT on cigarette packaging the cancer warning is conspicuous, right?
Why?
Because of liability, so you can't sue the corporations of billions of dollars in profits producing addictive poison, laced with chemicals that give you cancer?
Well, no health warning from JB Hi-Fi on the product they’re selling, but they’ll try to scam you extra for a warranty that you are already privy to under Australian consumer law.
A flaw in Kia's dealer system allowed attackers to take control of any Kia using just a license plate number.
A flaw in Kia's dealer system allowed for attackers to remotely unlock and start any Kia using just the car's license plate
The vulnerability was patched by Kia in about two months
It's yet another wake-up call for automotive security in the connected car sector
Kia isn't having a great couple of years in vehicle security. From the Kia Boys making the world realize there were 5 million vehicles without immobilizers on the market to new pocket-size GameBoy-style devices, it's never been easier to be a thief targeting Korean cars.
But wait, there's more.
A new proof of concept released this week—simply called Kiatool—is probably the most powerful attack against any Kia we've seen yet. And, frankly, this one is probably the scariest, too. Thankfully, it's already been patched, but I want you to hear about it anyway because it tells an extremely important story about the future of automotive cybersecurity.
Meet Sam Curry. He's one of my favorite security researchers who focuses on the automotive sector. And he has a special knack for breaking into cars. Not by brute-forcing a window with a hammer, of course, but by using some carefully crafted keystrokes to achieve the same effect. Today's victim was "pretty much any Kia vehicle made after 2013."
His latest attack takes advantage of Kia Connect. For those unfamiliar, that's the connected service that pairs a vehicle with the internet so an owner can conveniently unlock their car or turn on the heat when it's cold outside. With a bit of studying, Curry was able to figure out how to hack into virtually every single connected Kia sold in the United States over the last decade—and it only took about 30 seconds.
Have a look at a demo of the tool in the video below:
You've Gotta Be Kia'dding me
Let's dig into what's going on here. What is being exploited, and how was it found? Ultimately, the attack boiled down to a flaw in Kia's Application Programming Interface. An API is essentially an intermediary which allows two applications to talk to one another without exposing certain functions of one app to another. It's how your car can display your Spotify playlists or pull in traffic data to overlay on its maps.
Curry, as curious as ever, wanted to know how Kia's app talked to its cars. In short, it assigns an authenticated user a session token (think of it like a virtual permission slip that's only valid for a short amount of time) that permits them to send commands to Kia's servers, which then pushes the action down to the car in real life. How could Curry get one of these permission slips and keep it long enough to perform an attack on the vehicle?
That's when Curry figured out he could take advantage of the method that dealers use to assign new cars to owners using Kia's KDealer platform. Curry used a flaw found in the KDealer API which allowed him to impersonate a dealership looking to register a customer's car.
Next, Curry was able to use a third-party API to pull the victim's car's Vehicle Identification Number (VIN) using a license plate, similar to getting a quote for your used car and entering your plate number instead of the VIN. The VIN could be coupled to the forged dealer request and voilà. Instant remote access to virtually any of Kia's nearly 20 models produced over the last decade.
You're Exposed
There are a couple of issues here. First is the glaring threat to the vehicle itself. I mean, let's cut right to the chase—you can unlock and start the car with just the license plate.
That's... really bad. Like a relay attack on steroids. And it could all be done without the owner ever noticing a thing (except for an eventual missing car or belongings).
Even scarier is the privacy issue at play. The exploit allows the attacker to fetch information about the owner's name, phone number, email address, the location of the vehicle, and, in some cars, even allows the vehicle's cameras to be accessed remotely.
In theory, this would allow for an attack chain that lets a driver pull up to a car at the grocery store to get the plate, silently add a burner email account to the owner's Kia account, find its location later on, then check the cameras to make sure nobody is around when they want to snatch it. Or, worse, use it to target the owner.
Scary stuff.
The Hole Is Plugged
The good news is that Kia has already fixed the problem and that the automaker has confirmed that it hasn't been used maliciously in the wild. Phew.
Like any good security researcher, Curry ethically disclosed this flaw to the automaker when he discovered it back in June. Kia's developers patched the flaw about two months later in mid-August, and Curry gave it another month before he disclosed the findings publicly yesterday.
"There are tactical and more strategic steps that automotive companies need to take," Tim Erlin, Security Strategist at security firm Wallarm, told InsideEVs in an email. "They absolutely need to fix the vulnerabilities that have been discovered, and they need to put in place testing to ensure that these kinds of vulnerabilities are found before they can be exploited. Rigorous testing and a good bug bounty program can help.
"Longer term, manufacturers should include threat modeling into their development process to reduce the possibility of these types of issues in the future," he added. "Having their development teams 'think like an attacker' as part of the process will help identify risky architectures earlier in the manufacturing process."
The real lesson here isn't about Kia's flaw, as impressive as it was, but is about connected cars in general. It's a reminder that when something is addressable on the internet, a flaw can translate into real-world consequences quite easily.
We, as a society, have become a bit numb to cybersecurity-related events. You hear about ransomware frequently, about leaked social security numbers. It's becoming mundane. But give an attacker a virtual coat hanger to pop your car's door lock using their cell phone and things become a bit more... tangible. And that's scary.
'Australia is a lucky country, run mainly by second-rate people who share its luck.'
The first part of the quote, from the book by Donald Horne from the mid-1960s, is what the mainstream media tells the serfs, but they DELIBERATELY neglect to follow up with the full sentence, which factually condemns the people in control.
Some 60 years later, Matt Barrie states a more realistic and accurate description.
Australia ‘should be the richest country in the world’ but instead is ‘f**ked’.
The colony's (deliberately) incompetent 'leaders' are plunging the population into a totalitarian state 'upgrading' it from an (oligarchical) authoritarian one, but that's another topic for another day.
Freelancer chief executive Matt Barrie who appeared on the Equity Mates podcast last week for a wide-ranging discussion covering the housing market, mass immigration, energy policy and cost-of-living, has given an accurate and brutally honest description of the state of Australia, period.