Not long ago, we wrote about the commjacking stories that surprised us. They were stories about the realities and possibilities of commjacking from the least-likely places, including smart doorbells and drones.
On the surface, they shouldn’t have been shocking. After all, commjackers can figure out almost any security obstacle. All they need is patience and just about any of the low-budget tools available on the open market.
But here are the commjacking stories that really rocked our world because of their impact and implications – past, current and future:
You Can’t Checkout of the DarkHotel
“DarkHotel” is a type of commjacking that involves several methods to steal valuable business data from executive travelers. Executives are often on the road, so a DarkHotel greatly increases the risk of commjackers getting access to sensitive business data on laptops, smartphones, tablets and wearables.
One such method has commjackers cracking weak digital signing keys to generate certificates for signing their malware, to make malicious files appear to be legitimate software. If a victim’s device unveils valuable information, a commjacker will place a backdoor on the system and take documents and data.
DarkHotel attackers have been active since probably 2007 but weren’t discovered until years later. One network of DarkHotel commjackers had broad reach; they were tied to the commjacking of WiFi networks at 5,000 high-end hotels in 2014.
But putting a number on how much money has been lost and how many businesses have been affected overall by DarkHotel — or by commjacking, for that matter — is difficult to say because very few businesses go public about their losses. Still, there’s no denying commjackers have little difficulty taking weakly-encrypted or unencrypted data, especially so in the shadows of a DarkHotel.[Tweet “You Can’t Drive Away from a Commjacker”]
In early 2015, BMW found a flaw in its ConnectedDrive software, the system that connects a BMW to the Internet for a variety of services, including navigation systems, real-time traffic and remote door locking. Researchers imitated the company’s servers and sent unlocking requests remotely. Similarly, researchers remotely killed a Jeep as it drove on a highway. The unlocking requests and long-distance hack show that this is only the beginning of car commjacking dangers.
You Can’t Fly Away from a Commjacker
Commjackers can also aim sky high. A cybersecurity expert claimed in 2015 that he commjacked the entertainment systems of flying airplanes as many as 20 times, enabling him to access flight control systems and at least one time cause an aircraft to climb in altitude.
If that wasn’t alarming, consider that the U.S. Justice Department reportedly accessed the data of flight passengers’ mobile phones through devices on planes that mimicked cell phone towers. And early in 2016, a USA Today reporter encountered turbulence when, while using the free WiFi on an American Airlines flight, a commjacker broke into his email account. Remember, the friendly skies aren’t always friendly when you’re accessing sensitive data from a comfy first-class seat.
Not Even LTE Networks Are Safe
Many people believe they’ll avoid commjackers entirely by shutting off the WiFi capabilities of their devices when out in public and instead rely on a cellular signal. But not even LTE networks are safe from the reach of commjackers.
That’s right: researchers demonstrated in 2015 that LTE networks are indeed susceptible. They can be commjacked with equipment that cost only around $1400. The researchers were able to commjack an LTE network by using the radio layer to force the device into giving away its location, thus allowing them to access apps held on the device. Before this breach, LTE networks were believed to be unbreakable because of the way they concealed their locations.
We’re sufficiently shocked. Are you? Hopefully these stories alert you to the dangers of commjacking and prompt you to take strides to protect the sensitive data on your wireless devices, whether you’re using WiFi or cellular signals.