Author Archives: Felix

Source Mapper v1.3 released

Almost exactly one year ago, SourceMapper v1.2 was released. Today we announce the release of SourceMapper v1.3!

This version brings some bug fixes and some functionality improvements. Specifically, SourceMapper now:

  • Raises alerts within Burp Suite when it finds configurations that need investigating and may be minor issues.
  • Can identify embedded Source Maps as well as linked Source Maps.
  • Has improved basic sanity and syntax checking for found Source Maps to help reduce false positives.

The main improvement in this update is that the plugin no longer just injects Source Map headers and, optionally, local content for the browser to use. It can now also be used to raise your awareness of any map files that are present.

Please see the GitHub repo here!
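
An added example, not code from SourceMapper or its repository: one way the linked-versus-embedded distinction and the basic sanity check described above could be implemented in Python. The function names, return values and sample inputs are assumptions constructed for illustration.

```python
import base64
import json
import re
from urllib.parse import unquote

# "//# sourceMappingURL=..." (legacy "//@") in JS, or "/*# ... */" in CSS.
SM_COMMENT = re.compile(r"(?://|/\*)[#@]\s*sourceMappingURL=([^\s*'\"]+)")


def looks_like_source_map(text):
    """Basic syntax and sanity check for a Source Map v3 document."""
    try:
        doc = json.loads(text)
    except (ValueError, TypeError):
        return False
    if not isinstance(doc, dict) or doc.get("version") != 3:
        return False
    if "sections" in doc:  # index map form
        return isinstance(doc["sections"], list)
    return isinstance(doc.get("sources"), list) and isinstance(doc.get("mappings"), str)


def find_source_map(body, headers=None):
    """Return (kind, detail); kind is "linked", "embedded", "invalid" or None."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    url = headers.get("sourcemap") or headers.get("x-sourcemap")
    if url is None:
        matches = SM_COMMENT.findall(body)
        if not matches:
            return (None, None)
        url = matches[-1]  # use the last occurrence, where the comment normally sits
    if not url.startswith("data:"):
        return ("linked", url)  # worth checking whether the .map is reachable
    meta, _, payload = url[5:].partition(",")
    try:
        raw = (base64.b64decode(payload, validate=True).decode("utf-8")
               if meta.endswith(";base64") else unquote(payload))
    except ValueError:  # bad base64 or bytes that are not UTF-8
        return ("invalid", None)
    if not looks_like_source_map(raw):
        return ("invalid", None)  # looks like a map reference but is not one
    return ("embedded", json.loads(raw).get("sources", []))


# Constructed sample inputs (not taken from any real site).
_MAP = json.dumps({"version": 3, "sources": ["src/app.ts"], "names": [], "mappings": "AAAA"})
SAMPLE_EMBEDDED = ("console.log(1);\n//# sourceMappingURL=data:application/json;base64,"
                   + base64.b64encode(_MAP.encode()).decode())
SAMPLE_LINKED = "console.log(1);\n//# sourceMappingURL=app.js.map"
SAMPLE_FALSE_POSITIVE = "//# sourceMappingURL=data:application/json;base64,bm90IGpzb24="
```

For an embedded map the second element is the list of original source paths it declares, which is the part worth reviewing before a build is published.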

The security behind: Trains and railways

Felix introduces the topic of railway cybersecurity, encompassing various types of railways globally, including passenger and freight trains. He acknowledges the public’s concern over the potential hacking of trains and the disruptions it can cause. Felix notes that railway suppliers have recently begun to take cybersecurity more seriously, a change driven by the need to update industrial control systems and address vulnerabilities, especially in older legacy systems.

Felix then delves into the extensive attack surface of rail networks, dividing it into three main categories: track-side equipment, train equipment, and operations centres. He describes the complexities involved in each category, such as power distribution, presence sensors, heating for points, signalling, and various train systems including engine management, electronic doors, communications, and passenger amenities. Operations centres, he notes, handle aspects like platform management, traffic control, display boards, timetabling, and police communications, adding further layers to the network’s complexity.

The podcast discusses the motives behind attacking train networks, considering them critical national assets. Felix lists potential attackers including state-aligned groups, terrorists, activists, disgruntled employees, and individuals seeking free travel. The aim of these attacks usually revolves around disrupting or stopping train operations. He explains that stopping a train could involve a range of strategies affecting various aspects of the train and track systems, with each type of attack requiring different levels of skill and determination.

Felix recounts several high-profile cyber attacks on railways, such as the four attacks on the UK rail network in 2016, the hacking of Indian railways in 2022 leading to the theft of passenger records, and a ransomware attack on the Swiss railways in 2023. These incidents highlight different methods of cyber attacks, from operational disruptions to data theft.

He also describes low-end attacks, like the one by activists in the United States in 2016 using car jumper cables to disrupt track signals, and a simple attack in Poland in 2023 that triggered emergency stops on trains. These attacks, while simpler, effectively demonstrate vulnerabilities in railway systems.

The podcast touches on the issue of digital rights management (DRM) in railways, discussing a case where trains were rendered inoperable due to built-in lockout mechanisms by the manufacturer, highlighting ethical and legal concerns in cybersecurity.

The security behind: Cars

In this episode we see that while car hacking is a well-known issue in the cybersecurity community, many people are unaware of the digital fragility of today’s vehicles and the extensive attack surface they present.

Felix explores various motivations for hacking cars, ranging from targeting public figures for eavesdropping or disruption, to stealing high-end cars, to accessing the contents of a vehicle. He mentions more complex motives like environmental extremism or cyberterrorism, where the goal might be to cause widespread disruption. He also speculates about the use of cars as tools for mass data collection, though he deems this unlikely due to the effort involved compared to existing methods.

The podcast delves into the different attack surfaces of cars. These include user- and mechanic-facing equipment like keys and diagnostic ports, components interacting with the external environment like cameras and sensors, and internet-connected features such as navigation updates and emergency services. Felix acknowledges that while some might consider these risks theoretical, there have been practical demonstrations of car hacking. He cites examples, including hobbyist devices tracking cars through tire pressure monitoring systems, and reports of foreign entities modifying cars to track movements.

Felix highlights a significant event in the field of automotive cybersecurity: the first Pwn2Own automotive competition in Tokyo, where security researchers demonstrate exploits for vulnerabilities in cars. The competition is divided into categories such as Tesla-specific challenges, in-vehicle entertainment systems, electric vehicle chargers, and automotive operating systems.

The podcast focuses on the CAN bus system used in cars, a network protocol connecting various car components. Felix explains its lack of authentication, making it vulnerable to attacks where any device can imitate another. He also discusses the evolution of car networking from a single CAN bus to multiple networks, which has inadvertently improved security by limiting the attack surface.