Homework: Security Topics #1

Research and create a writeup of a security incident, security vulnerability, or other similar probelm according to an assigned topic. The hand-in format requirements are slightly different for this assignment, so please pay close attention! Most students should expect spend in the range of 30 minutes to 2 hours on this assignment, with longer times mostly because you find the topic interesting enough to be worth exploring in depth.

• You will be assigned a "group" on Canvas for this assignment (get your assigned topic number from the People section on Canvas). However, this is an INDIVIDUAL ASSIGNMENT. The "Group" is solely for efficiently communication to each student which topic number from the list below they are assigned. DO NOT communicate with any other student about this assignment. (For group projects groups will indeed be groups; this use of the Canvas group mechanism is a special case.)
• This is an INDIVIDUAL assignment completed by you and you alone.

The writeup except for any references/citations must cover the following items and fit onto ONE wide-format (16:9 aspect ratio) slide:

• Story number and name from the list (e.g., "#3 US Colonial Pipeline attack (2021)") as the slide title
• Summary of the security issue with an illustration (e.g., from news or analysis article)/ A couple bullet points are fine if you are cramped on space. What's the headline here? A clipped news story headline and a paragraph or two of news or other text is fine if it gets the job done. You've seen this done many times in our class lectures by now. Just put enough there that you can remember what the story is when called upon.
• Security requirement: what security requirement does the security problem violate for this system? (Is it keeping information secret? Keeping the system available to the user? Privacy? Something else?)
• Threat: Who attacked the system, and what was the motivation of the attacker (extortion, fame, military, something else)?
• Vulnerability: How did the system get attacked? Was it a technical vulnerability or did they trick users into giving up passwords (social engineering), or something else?
• Mitigation: How was the problem mitigated (or how could it be mitigated?)
• Cost: what was the cost, number of systems affected, or other consequence of the attack overall?
• Put your name and Andrew ID somewhere at the bottom of the slide so we can keep them straight. ALSO, put the NUMBER of the security topic in the slide header or text box at the top of the slide so we can organize presentations by topic number.

You should plan to present your topic in about 1-2 MINUTES in class. Yes, that's pretty quick, but it will let us get through all the topics in a single class meeting. This means that you should rehearse giving your presentation, which should follow the outline given above for slide contents. If you want to have written notes to work from that's perfectly fine.

If desired you can have a second slide with more detailed references and any additional notes. However, only the FIRST slide will be shown in class. Everything you want to show in class MUST fit on that one slide! All students will be presenting this homework in class, and you'll only be able to talk to your one primary slide.

The hand-in format MUST be an Adobe Acrobat (.pdf) format as a SLIDE IMAGE (not a microsoft word style document; not powerpoint). "Slide image" means 16x9 aspect ratio with large fonts legible in the classroom when projected full screen. Ideally just the one single slide. An optional second slide can be included. This means no separate name slide, no multi-slide substantive presentations, and no animations. It MUST be in Acrobat so that the instructor can put all the presentations into a single file before class to avoid wasting time opening a new file for each presentation. Make sure that the acrobat file is cropped so that the image substantially fills the entire page. (If it has large margins around the slide, nobody will be able to read it when on the screen). For example, the acrobat format of the the web version of course slides for this course is what we're after. Be sure to embed fontsso it displays properly.

Topics: Select the topic corresponding to your attendance number. If your attendance number is higher than the highest topic number, do appropriate modular arithmetic to wrap around down to a defined topic number.

1. GPS spoofing (many years; pick an example)
2. Point of Sale malware (many years; pick an example; often abbreviated "POS")
3. Hyundai/Kia car thefts (2021-2024)
4. Intelight X-1 Traffic light controller security flaw (2024)
5. Saflok 3 million vulnerable hotel doors (2024)
6. Newag train hack (Poland) (2023)
7. Rivian secret diagnostic menu (2022)
8. Toronto Sick Children (SickKids) Ransomware (2022)
9. LastPass password manager (2022)
10. US Colonial Pipeline attack (2021)
11. ADT security cameras in Texas (2021)
12. SCRIPT SRC=HTTPS :/ / MJT . XSS . HT LTD (2021)
13. Oldsmar Florida water supply attack (2021)
14. GE radiology devices default password (2020)
15. Intel CPU firmware update secret key (2020)
16. Ultraloq door lock (2020)
17. Consumer Reports video doorbells (2020) (OK to pick one or give a general summary)
18. Temi Robots (2020)
19. ATM Jackpotting (Diebold Nixdorf PRocash 2050xe) (2020)
20. Dongguan Diqee 360 robotic vacuum (2020)
21. Minuteman III Maze ransomware (2020)
22. TCAS spoofing (2020)
23. Zoom SQL Injection (2020)
24. Philips Hue smart lightbulbs (2020)
25. August smart lock pro (2020)
26. Medtronic carelink (2020)
27. Apex Legends at PDX airport (2020)
28. Ring camera ransomware (2019,2020)
29. Voice deepfake CEO scam (2019)
30. 600,000 gps trackers (2019)
31. ZipaMicro Z-Wave smart hub (2019)
32. Blue Link remote car accessory control (2019)
33. Medtronic insulin pumps (2019)
34. Ford F-150 key fob (2019)
35. iTrack/ProTrack GPS tracking (2019)
36. Texas tornado siren (2019)
37. Xiaomi M365 scooter (2019)
38. Miura M010 Reader (2018)
39. Strava fitness app/military (2018)
40. Triton malware/Schneider Triconex attack (2018)
41. Amazon Key technology (2018)
42. Aldi store credit card skimmers (2018)
43. TSMC chip fab shutdown (2018)
44. Diqee robot vacuum (2018)
45. Satcom passwords on commercial shipping (PTP) (2018)
46. Tapplock (2018)
47. VingCard electronic locks (2018)
48. BMW Security report (Keen Secuirty) (2018)
49. Volkswagen Harman MIB attack (2018)
50. Pet trackers (Kaspersky) (2018)
51. POS Terminal card hacks (Kaspersky) (2018)
52. I-SIG traffic lights (2018)
53. CalAmp/vehicles (2018)
54. Fish Tank thermometer/casino hack (2018)
55. Fender guitar amp (2018)
56. Dell EMC VMAX (2018)
57. Hanwha SmartCam (2018)
58. Orangeworm/healthcare equipment (2018)
59. Prilex ATM malware (2018)
60. Aadhaar (2018)
61. UK School CCTV (2018)
62. MicroLogix PLCs (2018)
63. Philips imaging software (2018)
64. Gas pump fraud / Russia (2018)
65. iPhone unlocking by FBI (2017/2018)
66. Hospital smart pens (2017)
67. UK school heating controls (2017)
68. Lexmark Printer misconfigured (2017)
69. AMAG keyless entry locks (2017)
70. Furby (2017)
71. Vaultek VT20i handgun safe (2017)
72. Oneplus phones (2017)
73. Mercedes relay box (keyless entry) (2017)
74. LogicLocker (2017)
75. Alex the casino hacker (2017)
76. Romantik Seehotel ransomware (2017)
77. LG SmartThinQ (2017)
78. Mantistek GK2 (2017)
79. NHS WannaCry (2017)
80. Ethereum Parity Wallet (2017)
81. Brickerbot (2017)
82. Samsung TV (2017)
83. Vizeo ACR (2017)
84. Boeing 757 (2017)
85. Uber breach cover-up (2017)
86. Cloudpets Teddy Bear (2017)
87. Circle with Disney (2017)
88. Smiths Medical syringe infusion pump (2017)
89. Fitbit (2017)
90. LockState smart locks (2017)
91. Hikvision cameras (2017)
92. Subaru key fob (2017)
93. Intel management engine (2017)
94. Equifax (2017)
95. AdUps (2016)
96. Voting machine hack (Andrew Appel) (2016)
97. Frantic Locker on smart TVs(2016)
98. MUNI fare system (2016)
99. Mirai attack (2016)
100. Lappeenranta attack (2016)
101. Owlet baby monitor (2016)
102. Levin SQL injection (2016)
103. Hello Barbie doll (2015)
104. VTech hack (2015)
105. Progressive Snapshot dongle (2015)
106. Samsung smart fridge hack (2015)
107. Martel body cams (2015)
108. XCodeGhost (2015)
109. Nest thermostat (2014)
110. Trendnet Webcam (2013)
111. Satis toilet (2013)
112. Mifare classic (2008)
113. Keeloq (2007)
114. Siberian gas pipeline explosion (1982)

Hint, you should find it easy to find material if you enter the phrase for the topic and add one or more of the words: {hack, attack, vulnerability} to start your search for references. As always, Wikipedia might be an OK starting point but we'd like to see you take your material from a primary reference if at all possible. News stories and reputable on-line reporting sources are OK and often the only real source, but use the most credible source you can find with a few minutes of searching. Using multiple sources is fine if appropriately cited. If you want to use a second slide JUST for sources that's OK, but keep the presentation itself to a single slide.

RUBRIC:

• MUST BE IN ACROBAT FORMAT. This is a 100% hard requirement.
• One slide with
  • Topic # and topic name at top of slide
  • Summary bullets
  • Illustration/picture/photo/etc.
  • Security requirement violated
  • Threat
  • Vulnerability
  • Mitigation
  • Cost
• References (OK for this to be on second slide if needed)
• Format per HW #1. Page size and font size requirements are strictly required!

Supplemental Reading:

Selected Additional items (there are plenty more not on the list, also see examples in course slides):

• 10 Hacks in 10 Weeks (loosely automotive related): https://www.upstream.auto/blog/q1-2018-automotive-cyber-hacks/

If you get stuck, many entries in the list are part of the IoT Hall of Shame. There are WAY too many stories there for us to hit them all. Which is a problem...https://codecurmudgeon.com/wp/iot-hall-shame/

• Ross Anderson has a free (draft version) book on security that is the go-to starting point for this topic in the large: https://www.cl.cam.ac.uk/~rja14/book.html
• DirecTV Black Sunday story: https://blog.codinghorror.com/revisiting-the-black-sunday-hack/
• Story about someone in the middle of the DirecTV piracy events: https://www.wired.com/2008/05/tarnovsky/?currentPage=all
• Stories about going after end users: https://www.securityfocus.com/news/8472 | https://www.theregister.co.uk/2003/07/17/directv_dragnet_snares_innocent_techies/

• Computerphile / Electronic Voting Rant https://youtu.be/w3_0x6oaDmI
• Computerphile / Buffer Overflow https://youtu.be/1S0aBV-Waeo
• Computerphile / Hashing and Security https://youtu.be/b4b8ktEV4Bg