The Nigerian Communications Commission (NCC) has warned Nigerians about an ongoing cyber-vulnerability that allows nearby hackers to unlock vehicles, start their engines wirelessly and make away with them.
In a statement signed by the Director, Public Affairs, NCC, Dr Ikechukwu Adinde, the commission said multiple pieces of research have shown “a vulnerability, which is said to be used by a nearby attacker to unlock some Honda and Acura car models and start their engines wirelessly.”
The NCC said this was contained in the latest advisory released by the Computer Security Incident Response Team (CSIRT), the Cybersecurity Centre for the telecom sector.
According to CSIRT, the vulnerability is a Man-in-the-Middle (MitM) attack or, more specifically, a replay attack in which an attacker intercepts the RF signals normally sent from a remote key fob to the car, manipulates these signals, and re-sends them later to unlock the car at will.
The NCC-CSIRT, however, provided measures that car owners can adopt to avoid falling victim to the attack. These include resetting the key fob at the dealership and storing the key fob in signal-blocking ‘Faraday pouches’ when not in use.
“Besides, the affected car manufacturer may provide a security mechanism that generates fresh codes for each authentication request, this makes it difficult for an attacker to ‘replay’ the codes thereafter”, the commission further said.
Car owners are also advised to choose Passive Keyless Entry (PKE) rather than Remote Keyless Entry (RKE). This, the commission says, “would make it harder for an attacker to read the signal” since they have to be in close proximity to carry out the nefarious act.
In a related advisory, the NCC also advised the general public on “the resurgence of Joker Trojan-Infected Android Apps on Google Play Store.”
Based on another detection by CSIRT, the commission said criminals deliberately download apps from the Play Store, modify them by embedding the Trojan malware and upload them back to the Play Store under a different name.
The unit said a compromised device will subscribe users to premium services and bill them for non-existent services without the user’s knowledge.
Such a device can also automatically click on online ads, use SMS one-time passwords (OTPs) to secretly approve payments and be used to commit Short Messaging Service (SMS) fraud while the owner is unaware. Other crimes, such as stealing data, contacts and text messages, are also possible.
As a precaution, therefore, the NCC advised Android users to avoid downloading unnecessary apps or installing apps from unofficial sources, and to “ensure that apps installed from the Google Play Store are heavily scrutinized by reading reviews, assessing the developers, perusing the terms of use and only granting the necessary permissions”.
When such apps are installed and granted permissions, the unit said they would have access to critical functions such as text messages and notifications.
The unit recommended that telecom consumers check unauthorised transactions against any installed app, delete apps not in use, and always patch their devices and update to the latest software.