PAL-V, the first flying car to be allowed on the road in Europe, is now also the first flying car to complete full certification with the European Union Aviation Safety Agency (EASA). The PAL-V Liberty (flying car) went through 10 years of testing, and now is in the final phase of compliance demonstration before becoming available to customers.
PAL-V CEO, Robert Dingemanse, said, “Although we are experienced entrepreneurs, we learned that in aviation everything is exponentially stricter. Next to the aircraft, all aspects of the organization, including suppliers and maintenance parties must be certified.”
In 2009, PAL-V worked with EASA to amend the Certification Specifications for Small Rotorcraft, CS-27, as a starting point for certification of its flying car. Ultimately, together they amended the complete list of more than 1,500 criteria to make it applicable for PAL-V. The final version of these criteria was published last week. Note that this development only occurred after more than 10 years of analysis, test data, flight tests, and drive tests.
This EASA certificate is valid in Europe AND is also accepted in about 80 percent of the world’s market, including the United States and China.
In this episode of the podcast (#204) we’re joined by Josh Corman of CISA, the Cybersecurity and Infrastructure Security Agency, to talk about how that agency is working to secure the healthcare sector, in particular vaccine supply chains that have come under attack by nations like Russia, China and North Korea.
How is the U.S. government responding to this array of threats? In this episode of the podcast, we’re bringing you an exclusive interview with Josh Corman, the Chief Strategist for Healthcare and COVID on the COVID Task Force at CISA, the Cybersecurity and Infrastructure Security Agency.
In this interview, Josh and I talk about the scramble within CISA to secure a global vaccine supply chain in the midst of a global pandemic. Among other things, Josh talks about the work CISA has done in the last year to identify and shore up the cyber security of vital vaccine supply chain partners – from small biotech firms that produce discrete but vital components needed to produce vaccines to dry ice manufacturers whose product is needed to transport and store vaccines.
To start off, I asked Josh to talk about CISA’s unique role in securing vaccines and how the Federal Government’s newest agency works with other stakeholders, from the FBI to the FDA, to address widespread cyber threats.
Last week, the Executive Order on Protecting the United States from Certain Unmanned Aircraft Systems (UAS) expanded the U.S.-China drone controversy to North Korea, Iran, and Russia.
The Order also provides the Secretary of Commerce with the authority to designate “any other foreign nation, foreign area, or foreign non-government entity engaging in long-term patterns or serious instances of conduct significantly adverse to the national or economic security of the United States,” in addition to China, North Korea, Iran, and Russia.
The purpose of the Order is to “prevent the use of taxpayer dollars to procure UAS that present unacceptable risks and are manufactured by, or contain software or critical electronic components from, foreign adversaries, and to encourage the use of domestically produced UAS.” However, this Order is not necessarily a “cease-and-desist” order; instead, it requires federal agencies to review their “authority to cease” procuring, funding or contracting the “covered UAS” of such foreign adversaries within the next 60 days. A “covered UAS” includes a drone that:
is manufactured, in whole or in part, by an entity domiciled in an adversary country;
uses critical electronic components installed in flight controllers, ground control system processors, radios, digital transmission devices, cameras, or gimbals manufactured, in whole or in part, in an adversary country;
uses operating software (including cell phone or tablet applications, but not cell phone or tablet operating systems) developed, in whole or in part, by an entity domiciled in an adversary country;
uses network connectivity or data storage located outside the United States, or administered by any entity domiciled in an adversary country; or
contains hardware and/or software components used for transmitting photographs, videos, location information, flight paths, or any other data collected by the UAS manufactured by an entity domiciled in an adversary country.
The Order also requires federal agencies to inventory covered UAS that already are owned or operated by the agency, and to then report their existing security protocols. However, and particularly with respect to China, several federal agencies have already conducted this inventory and assessment. No later than 120 days after the inventory reports are completed, the Director of National Intelligence, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the Director of the Office of Science and Technology Policy, and the heads of other agencies will review the reports and submit a security assessment to the President, including recommended mitigation steps for decreasing the risks associated with these UAS and whether any UAS’ use should be discontinued completely by federal agencies.
The Federal Aviation Administration (FAA) must also lay out restrictions on the use of UAS on or over critical infrastructure within 270 days of the Order; the FAA already has the power to issue a Temporary Flight Restriction (TFR). At present, TFRs can be requested only by national defense, national security, and federal intelligence departments and agencies. However, other government or private sector entities can, in the interest of national security, request those agencies to sponsor a TFR over critical infrastructure (e.g., oil refineries and chemical facilities). The goal of the Order is perhaps to provide a direct line from private industry to the FAA.
We’ll see if the Order has staying power and the funding to support it. Stay tuned.
2020 will go down as one of the most stressful years in my career as a cybersecurity professional. I have been working in this area of law full time since 2003. So that says a lot.
On top of the stress of the spread of the coronavirus, this has been a particularly stressful year assisting clients with security incidents, ransomware extortions, data security in migrating from on premises to work from home, and keeping employees educated and vigilant. Indeed, it has been difficult and exhausting. And I’m just the lawyer.
Your IT professionals have been through HELL this year. They are working beyond capacity, with limited resources, trying to keep organizations safe from highly sophisticated hackers and nation states, including Russia and China. They are doing their very best to find the right tools to keep the bad guys out of networks and systems, at the same time trying to get their users not to click on links, attachments or phishing emails. They are getting attacked from within and without. It is a war for them every day.
Give them some love. A thank you goes a long way. Our IT professionals are losing sleep every night, working long hours, keeping our data safe, and dealing with attacks that you can’t even begin to fathom.
They battle for us in the background, on the front line, and never get any credit for how important their job is to our ability to do our job.
So this holiday season, take a little time and reach out to your IT professionals and say “Thank you.” They deserve a ton of credit and LOVE from all of us.
The acting head of the U.S. Department of Homeland Security said the agency was assessing the cyber risk of smart TVs sold by the Chinese electronics giant TCL, following reports last month in The Security Ledger and elsewhere that the devices may give the company “back door” access to deployed sets.
Speaking at The Heritage Foundation, a conservative think tank, Acting DHS Secretary Chad Wolf said that DHS is “reviewing entities such as the Chinese manufacturer TCL.”
“This year it was discovered that TCL incorporated backdoors into all of its TV sets exposing users to cyber breaches and data exfiltration. TCL also receives CCP state support to compete in the global electronics market, which has propelled it to the third largest television manufacturer in the world,” Wolf said, according to a version of prepared remarks published by DHS. His talk was entitled “Homeland Security and the China Challenge.”
As reported by The Security Ledger last month, independent researchers John Jackson (@johnjhacking), an application security engineer for Shutterstock, and a researcher using the handle Sick Codes (@sickcodes) identified and described two serious software security holes affecting TCL brand television sets. The first, CVE-2020-27403, would allow an unprivileged remote attacker on the adjacent network to download most system files from the TV set, up to and including images, personal data and security tokens for connected applications. The flaw could lead to serious critical information disclosure, the researchers warned.
The second vulnerability, CVE-2020-28055, would have allowed a local unprivileged attacker to read from and write to critical vendor resource directories within the TV’s Android file system, including the vendor upgrades folder.
Both flaws affect TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below, according to the official CVE reports. In an interview with The Security Ledger, the researcher Sick Codes said that a TCL TV set he was monitoring was patched for the CVE-2020-27403 vulnerability without any notice from the company and no visible notification on the device itself.
In a statement to The Security Ledger, TCL disputed that account. By TCL’s account, the patched vulnerability was linked to a feature called “Magic Connect” and an Android APK by the name of T-Cast, which allows users to “stream user content from a mobile device.” T-Cast was never installed on televisions distributed in the USA or Canada, TCL said. For TCL smart TV sets outside of North America that did contain T-Cast, the APK was “updated to resolve this issue,” the company said. That application update may explain why the TCL TV set studied by the researchers suddenly stopped exhibiting the vulnerability.
While TCL denied having a back door into its smart TVs, the company did acknowledge the existence of remote “maintenance” features that could give its employees or others control over deployed television sets, including onboard cameras and microphones. Owners must authorize the company to access cameras and microphones, however, according to a company statement.
The company did not address in its public statements the question of whether prior notification of the update was given to TCL owners or whether TV set owners were given the option to approve the update before it was installed.
Sick Codes, in a phone interview with The Security Ledger, said the company’s ability to push and update code to its deployed sets without owner approval amounted to a back door that could give TCL access to audio and video streams from deployed sets, regardless of the wishes of owners.
“They can update the application and make authorization happen through that. They have full control,” he said.
Such concerns obviously raised alarms within the Department of Homeland Security as well, which has taken steps to ban technology from other Chinese firms from use on federal networks.
In his address on Monday, Acting Secretary Wolf said the warning about TCL will be part of a broader “business advisory” cautioning against using data services and equipment from firms linked to the People’s Republic of China (PRC).
This advisory will highlight “numerous examples of the PRC government leveraging PRC institutions like businesses, organizations, and citizens to covertly access and obtain the sensitive data of businesses to advance its economic and national security goals,” Wolf said.
“DHS flags instances where Chinese companies illicitly collect data on American consumers or steal intellectual property. CCP-aligned firms rake in tremendous profits as a result,” he said.
The statement is part of escalating tensions between Washington and Beijing. On Friday, Commerce Secretary Wilbur Ross announced export controls on 77 Chinese companies, including the country’s biggest chipmaker, SMIC, and drone maker DJI, that restrict those firms’ access to US technology. The order cites those firms’ alleged ties to China’s military.
TCL did not respond to an email request for comment prior to publication of this story. We will update this story as more information becomes available.
Editor’s note: this story was updated to add reference to John Jackson, who helped discover the TCL vulnerabilities. – PFR 12/22/2020
Last week, AutoX, a start-up company backed by Alibaba, Media Tek and Shanghai Motors, announced that it will roll out a fleet of autonomous vehicles in downtown Shenzhen, China, called RoboTaxis. While autonomous vehicle programs have been popping up all over the world, this is the first time these vehicles will be deployed in China without safety drivers onboard or remote operators monitoring the vehicle.
However, in order to meet the stringent government safety requirements for autonomous vehicle testing, these self-driving cars had to conduct more than 18,600 miles of “perfect test driving” on open, public roads before also undergoing a safety evaluation on a closed test track.
The vehicles that will be hitting the public streets will use artificial intelligence (AI) that has been used to transport more than 100,000 passengers across 27 cities around the globe. Note that, while these vehicles will be considered autonomous and without a human driver onboard, there will be human assistance “on-call” for emergency purposes through AutoX’s 5G Remote Driving Service. This service helps to create an extra level of safety. This fleet’s operation will allow these RoboTaxis to gradually reduce human intervention, which is a key step to the widespread commercialization of autonomous vehicle technologies. Where will these driverless vehicles end up next? Stay tuned.
Between Black Friday and Cyber Monday, consumers across the U.S. spent the weekend snapping up deals on home electronics like smart TVs, game consoles and appliances. Total season-to-date holiday spending, including Cyber Monday, is over the $100 billion threshold according to data from Adobe.
Lots of factors drive consumer decisions to buy one product over another: price and features chief among them. But what about cyber security? Unlike, say, the automobile marketplace, concerns about safety and security are not top of mind when consumers step into a Best Buy or Walmart looking for a new flat screen TV. And ratings systems for cyber security, from organizations like UL and Consumer Reports, are in their infancy and not widely used.
Today marks two weeks since Election Day 2020 in the U.S., when tens of millions went to the polls on top of the tens of millions who had voted early or by mail in the weeks leading up to November 3.
The whole affair was expected to be a hot mess of suffrage, what with a closely divided public and access to the world’s most powerful office hanging on the outcome of voting in a few key districts sprinkled across a handful of states. Election attacks seemed a foregone conclusion.
Election Attack, Anyone?
Memories of the 2016 Presidential contest are still fresh in the minds of U.S. voters. During that contest, stealthy disinformation operations linked to Russia’s Internet Research Agency are believed to have swayed the vote in a few key states, helping to hand the election to GOP upstart Donald Trump by a few thousand votes spread across four states.
In 2020, with social media networks like Facebook more powerful than ever and the geopolitical fortunes of global powers like China and Russia hanging in the balance, it was a foregone conclusion that this year’s U.S. election would see one or more cyber incidents grab headlines and, just maybe, play a part in the final outcome.
But two weeks and more than 140 million votes later, wild conspiracy theories about vote tampering are rampant in right wing media, while predictions of cyber attacks on the U.S. presidential election have fallen flat.
From Russia with…Indifference?
So what happened? Did Russia, China and Iran decide to sit this one out, or were planned attacks stopped in their tracks? And what about the expected plague of ransomware? Did budget- and talent-constrained local governments manage to do just enough right to keep cyber criminals and nation state actors at bay?
To find out we invited two experts who have been following election security closely into the Security Ledger studios to talk.
Allan Liska is a Threat Intelligence Analyst at the firm Recorded Future, which has been monitoring the cyber underground for threats to elections systems.
Millions of Android smart television sets from the Chinese vendor TCL Technology Group Corporation contained gaping software security holes that researchers say could have allowed remote attackers to take control of the devices, steal data or even control cameras and microphones to surveil the set’s owners.
The security holes appear to have been patched by the manufacturer in early November. However, the manner in which the holes were closed is raising further alarm among the researchers about whether the China-based firm is able to access and control deployed television sets without the owner’s knowledge or permission.
Two Flaws, Lots of Red Flags
In a report published on Monday, two security researchers described two serious software security holes affecting TCL brand television sets. First, a vulnerability in the software that runs TCL Android Smart TVs allowed an attacker on the adjacent network to browse and download sensitive files over an insecure web server running on port 7989.
That flaw, CVE-2020-27403, would allow an unprivileged remote attacker on the adjacent network to download most system files from the TV set, up to and including images, personal data and security tokens for connected applications. The flaw could lead to serious critical information disclosure, the researchers warned.
Second, the researchers found a vulnerability in the TCL software that allowed a local unprivileged attacker to read from and write to critical vendor resource directories within the TV’s Android file system, including the vendor upgrades folder. That flaw was assigned the identifier CVE-2020-28055.
The researchers, John Jackson, an application security engineer for Shutterstock, and the independent researcher known by the handle “Sick Codes,” said the flaws amount to a “back door” on any TCL Android smart television. “Anybody on an adjacent network can browse the TV’s file system and download any file they want,” said Sick Codes in an interview via the Signal platform. That would include everything from image files to small databases associated with installed applications, location data or security tokens for smart TV apps like Gmail. If the TCL TV set was exposed to the public Internet, anyone on the Internet could connect to it remotely, he said, noting that he had located a handful of such TCL Android smart TVs using the Shodan search engine.
CVE-2020-28055 was particularly worrisome, Jackson said. “It was clear that utilizing this vulnerability could result in remote code execution or even network ‘pivots’ by attackers.” That would allow malicious actors to move from the TV to other network connected systems with the intention of exploiting systems quickly with ransomware, Jackson observed. That, coupled with a global population of millions of TCL Android TVs, made the risk considerable.
Nobody Home at TCL
The researchers said efforts to alert TCL about the flaws in October initially fell on deaf ears. Emails sent to a designated email address for reporting security issues bounced, and inquiries to the company on October 16 and 20 went unanswered. Furthermore, the company did not appear to have a dedicated product security team to reach out to, Jackson said in a phone interview.
Only after reaching out to a security contact at TCL partner Roku did Sick Codes and Jackson hear from a security resource within TCL. In an email dated October 29th, Eric Liang of TCL wrote to the two researchers thanking them for their discovery and promising a quick fix.
“Here is how is it going on now: A new version to fix this vulnerability is going to release to SQA on Oct. 29 (UTC+8). We will arrange the upgrade plan after the regression test passes.”
Silent Patch Raises More Questions
Following that, however, there was no further communication. And, when that fix came, it raised more questions than it answered, the researchers said.
According to the researchers, TCL patched the vulnerabilities they had identified silently and without any warning. “They updated the (TCL Android) TV I was testing without any Android update notification or warning,” Sick Codes said. Even the reported firmware version on the TV remained unchanged following the patch. “This was a totally silent patch – they basically logged in to my TV and closed the port.”
Sick Codes said that suggests that TCL maintains full, remote access to deployed sets. “This is a full on back door. If they want to they could switch the TV on or off, turn the camera and mic on or off. They have full access.”
Jackson agreed and said that the manner in which the vulnerable TVs were updated raises more questions than it answers. “How do you push that many gigabytes (of data) that fast with no alert? No user notification? No advisory? Nothing. I don’t know of a company with good security practices that doesn’t tell users that it is going to patch.”
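As an added example (not code from the article or from the researchers), a small owner-side monitor for the two observations above: the file-serving port named in the CVE-2020-27403 write-up and the unannounced update that closed it while the reported firmware stayed put. It assumes the owner reads the firmware string from the TV’s settings menu and passes it in; the device address, the extra port and the stand-in prober used in the demo are constructed.

```python
"""Snapshot-and-diff monitor for a LAN device such as a smart TV.

Added example, not code from the article or from the researchers. It records
which watched TCP ports on the device answer plus the firmware string the
owner reads off the settings menu, then diffs two snapshots so that a
"silent patch" (a service disappears while the reported firmware version
stays the same) is flagged for follow-up.
"""
import socket
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Iterable, List, Tuple

# 7989 is the port named in the article; 8080 is an assumed extra port to watch.
WATCHED_PORTS: Tuple[int, ...] = (7989, 8080)


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if the device accepts a TCP connection on the port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass(frozen=True)
class Snapshot:
    taken_at: str               # ISO-8601 UTC timestamp
    firmware: str               # version string as shown in the TV's settings menu
    open_ports: Tuple[int, ...]


def take_snapshot(host: str, firmware: str,
                  ports: Iterable[int] = WATCHED_PORTS,
                  prober: Callable[[str, int], bool] = probe_tcp) -> Snapshot:
    """Probe each watched port once; `prober` is injectable for offline tests."""
    open_ports = tuple(sorted(p for p in ports if prober(host, p)))
    return Snapshot(datetime.now(timezone.utc).isoformat(), firmware, open_ports)


def diff_snapshots(old: Snapshot, new: Snapshot) -> List[Tuple[str, str]]:
    """Compare two snapshots and return (finding, detail) pairs.

    A changed service set with an unchanged reported firmware is the pattern
    the researchers described: the device was altered remotely with no
    visible update on the set itself.
    """
    findings: List[Tuple[str, str]] = []
    opened = sorted(set(new.open_ports) - set(old.open_ports))
    closed = sorted(set(old.open_ports) - set(new.open_ports))
    if new.firmware != old.firmware:
        findings.append(("firmware_changed", f"{old.firmware} -> {new.firmware}"))
    if opened:
        findings.append(("ports_opened", ", ".join(map(str, opened))))
    if closed:
        findings.append(("ports_closed", ", ".join(map(str, closed))))
    if (opened or closed) and new.firmware == old.firmware:
        findings.append(("silent_change",
                         "service set changed while reported firmware stayed "
                         f"at {new.firmware}; check for an unannounced remote update"))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Offline walk-through with a constructed prober standing in for the TV."""
    host = "192.0.2.10"  # TEST-NET placeholder address for the TV on the LAN
    version = "V8-R851T02-LF1 V295"  # version string taken from the article
    before = take_snapshot(host, version, prober=lambda h, p: p == 7989)  # 7989 answers
    after = take_snapshot(host, version, prober=lambda h, p: False)       # 7989 gone, same version
    return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind}: {detail}")
```

Run `take_snapshot` on a schedule against the real device and keep the JSON of each snapshot; the diff then tells the owner about changes the vendor never announced.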
There was no response to emails sent by Security Ledger to Mr. Liang and to TCL media relations prior to publication. We will update this story with any comment or response from the company when we receive it.
Questions on Smart Device Security
The vulnerabilities raise serious questions about the cyber security of consumer electronics that are being widely distributed to the public. TCL, a mainland Chinese firm, is among those that have raised concerns within the U.S. Intelligence community and among law enforcement and lawmakers, alongside firms like Huawei, which has been labeled a national security threat, ZTE and Lenovo. TCL smart TVs are barred from use in Federal government facilities. A 2019 U.S. Department of Defense Inspector General’s report raised warnings about the cyber security risks to the Pentagon of commercial off-the-shelf (COTS) technology purchased by the U.S. military, including televisions, laptops, surveillance cameras, drones and more. (PDF)
TCL has risen quickly in the past five years to become a leading purveyor of smart television sets in the U.S. with a 14% market share, second behind Samsung. The company has been aggressive in both partnerships and branding: teaming with firms like Alcatel Mobile and Thomson SA to produce mobile phones and other electronics, and sponsoring sports teams and events ranging from the Rose Bowl in Pasadena, California, to The Ellen Show to the 2019 Copa América Brasil soccer tournament.
TCL’s TV sets are widely available in the US via online e-tailers like Amazon and brick and mortar “box stores” like Best Buy. It is unclear whether those retailers weigh software security and privacy protections of products before opting to put them on their store shelves. An email to Best Buy seeking comment on the TCL vulnerabilities was not returned.
The security researchers who discovered the flaws said that consumers should beware when buying smart home electronics like TV sets and home surveillance cameras, especially those manufactured by companies with ties to authoritarian regimes.
“Don’t buy it just because a TV’s cheap. Know what you’re buying,” said Sick Codes. “That’s especially true if it’s hooked up to the Internet.”
The National Security Agency (NSA) issued a Cybersecurity Advisory on October 20, 2020, entitled “Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities,” alerting IT professionals to 25 vulnerabilities that Chinese state-sponsored hackers are using against U.S. businesses that “can be exploited to gain initial access to victim networks using products that are directly accessible from the internet and act as gateways to internal networks.” The Advisory is designed to share information with security professionals to urge them to update systems to protect against the attacks.
According to the notice, “[W]e hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems.”
The Advisory further provides general mitigation steps that companies can employ:
“Keep systems and products updated and patched as soon as possible after patches are released.
Expect that data stolen or modified (including credentials, accounts, and software) before the device was patched will not be alleviated by patching, making password changes and reviews of accounts a good practice.
Disable external management capabilities and set up an out-of-band management network.
Block obsolete or unused protocols at the network edge and disable them in device configurations.
Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce the exposure of the internal network.
Enable robust logging of Internet-facing services and monitor the logs for signs of compromise.”
The vulnerabilities are listed in detail in the Advisory and companies may wish to confirm that all of the vulnerabilities listed have been patched on their systems.