Author: James Tyrrell

Race report: Circuit Zolder, 15 June 2021

Nothing unlucky about finishing P13 at Zolder. A strong race in Belgium sees Copper Horse Racing move up two places in the overall standings.

Car 59 had performed well at two practice races held over the weekend at Circuit Zolder – a track opened in 1963 and designed by John Hugenholtz of Suzuka fame – so, on paper, things were looking promising. The challenge would be executing on race day, when emotions can run high. 

Close up: car 59 badged with logos, which include all Secure-CAV partners

Dry conditions for both race and qualification set the scene for some fast track times and close racing, with drivers able to push hard and focus their energy on battling each other on-track. In terms of passing, the main overtaking opportunities are at the first corner and coming into the last chicane – at least according to former DTM driver Robin Frijns

In qualifying, there were plenty of sector highlights for the white and green 2015 Lamborghini Huracan GT3, but some swift laps by the other competitors pushed Copper Horse Racing down to P24 on the timing screen, with nearly the entire field lapping within three seconds of each other. 

Race day  

As we know from previous races, cold tyres and brakes make the first two laps potentially treacherous for all on circuit. However, car 59 dodged any early tangles despite being tapped from behind and, one lap later, oversteering off-circuit when a rear-tyre touched the grass. All wheels back on track, Copper Horse Racing began its march up the order pulling a nice overtake on last week’s winner El Tigre Blanco. However, it wasn’t long before the hot pink Aston Martin V8 Vantage had re-passed – a battle that would have to wait for another day. 

Back in front: last week’s winner El Tigre Blanco retakes the position

But there was still plenty to play for and clean and consistent driving meant that Copper Horse Racing was well placed at the halfway point. And, for the first time since the Barcelona race, could make its own call on when to take the mandatory pitstop rather than having the decision forced through mechanical damage. 

Everything connected… 

Watching the cars go around the circuit, it’s clear that Zolder has some interesting scenery – particularly the wind turbines. In previous posts, we’ve mentioned cyber security threats to vehicles, where the attack surface grows as developers add connectivity to their products. The same holds true for operational technology powering industrial systems such as electricity generators and water treatment plants. There are lots of benefits to being able to monitor components remotely such as improved maintenance scheduling, but the methods of protection have to adapt to the change as physical security alone is no longer sufficient to deter bad actors.  

Scenic view: some of the sights at Zolder

With everything becoming connected as part of the ‘Internet of Things’ (IoT) these days, attention is finally turning to the amount of legacy that exists within systems. Protocols in use often originate in the 1970s and have no ability for authentication or to provide integrity protection for the data going across them. Add to that the fact that the hardware and software has not been designed for security and rarely gets updated and you have all the jigsaw pieces for a security (and safety) nightmare.  

Industry and governments are in a race to improve cybersecurity in all the different ‘verticals’ whether it be automotive, industrial, or consumer IoT and there’ll have to be a lot of work to either replace or monitor the legacy insecure equipment and services that are left behind. 

McLaren versus Lamborghini: there were some great battles to watch as race 6 unfolded

Returning to the on-track action, Car 59 spent the final phase of the race behind Dutch driver Teis Hertgers, in a McLaren, trying to open up an over-taking opportunity. And with the pressure of the race-clock ticking, David Rogers made his move – at turn 1 where the Lamborghini was quicker. The move didn’t come off and David lost a little time; the battle now turning to the Ferrari 488 of Ulmer Gallium who loomed large in the Lamborghini’s mirrors. This time it was Gallium who over-pressured, making a pass before the first chicane, but overshooting into the sand, giving back the number 13 position to car 59. 

Before: dry conditions allowed drivers to push hard
After: a nice chance to take in the amazing livery on Ulmer Gallium’s Ferrari 488

With 60 minutes around Zolder complete, the series had a new race winner – P1 qualifier Mar Coolio of Finland. Scott Ullmann, who came third in the last race at Mount Panorama, went one better this week to take second. And Scott Cranston, who had placed well earlier in the season at Donington and in Barcelona, completed the podium in third. 

Race winner: Mar Coolio crosses the line in a McLaren 720S

Next up is Imola for the penultimate race of season 7. You can follow the action live on Tuesday the 22nd of June by tuning into Twitch from 19:30 hrs, UK time. See you then! 

About the author 

James Tyrrell is a threat modelling analyst at Copper Horse.

Race report: Bathurst Mount Panorama, 8 June 2021

Heartbreak avoided as a strong drive by car 59 recovers all but one of the 13 places dropped in first lap chaos on the mountain. 

Changeable weather meant that drivers had to know their setups inside out to make progress at Bathurst Mount Panorama – a 6 km ‘scenic drive’ with no shortage of excitement. Put a foot wrong on the mountain section, which includes a string of tough turns such as ‘The Esses’ and ‘The Dipper’, and it can easily be game over with barriers either side of the track leaving little margin for error. 

Keeping it tight: drivers had to observe close barriers on the mountain section

The YouTube video below illustrates just how bizarre some of the crashes have been at the real-life Bathurst circuit – in this example from 2020, the car (also a GT3 Lamborghini) comes to rest on a fence! 

Lamborghini on the barriers: if you hadn’t seen it, you wouldn’t have believed it

In qualifying, Copper Horse Racing placed a very encouraging P17, before becoming derailed by a slow car rejoining the track towards the end of the session. Back in the pits, we’d prepared a number of race setups as it was forecast to rain. It wasn’t certain as to whether the race would be dry, fully wet or changeable. As it turned out, the race ‘weekend’ gave us heavy rain for the race itself. 

First lap chaos in the wet: car 59 did its best to navigate crashes on the left and right of the track

Within seconds of the lights going green, multiple incidents and cars littered the mountain, leading to an unavoidable crash and damage which sent car 59 tumbling down the order to P30 and forced the strategy into taking a very early pitstop. On the up side, this had the benefit of clearing a stop-go penalty from the previous race imposed by the stewards and also dealt with the mandatory tyre change, meaning that we could stay out for the remainder of the race.  

Voice activated

Many, if not all, of the sim racers taking part are using Crew Chief – an outstanding app that plays dual roles of spotter and race engineer, providing words of wisdom throughout every session. What’s more, the communication is two-way and Crew Chief can be programmed to listen out for instructions – for example, to prepare a set of tyres ahead of a pitstop. 

Battered but not broken: an unavoidable collision on lap one forced an early pitstop for car 59

Voice assistants can be found in real cars too – for example, to program heating or cooling in the cabin, change the volume on the radio, adjust the ambient lighting, set a destination for the Sat-Nav and even to activate a back massage. As well as bespoke offerings, vehicle OEMs are teaming up with tech giants such as Amazon and Apple, integrating ‘Alexa’ and ‘Siri’ into their products. Also, recent versions of Android Auto, which is reportedly available for over 50 different brands of vehicle, feature ‘Google Assistant’. 

But inviting microphones into the cockpit could have its downside. In 2010, researchers at the Universities of Washington and California San Diego pointed out that telematics units in vehicles could provide a path for bad actors to capture audio from the vehicle. In 2020, the paper – which explores a wide range of threats to a modern automobile – was given a ‘Test of time’ award from the IEEE; recognising the momentum that the study has added to the field of automotive cybersecurity. 

As you might have gathered from the first blog post in this series, the rig that’s used to compete in the Apex Online Racing GT3 Season 7 league functions as a vehicle hacking simulator outside of races. The setup can be configured to recreate numerous automotive cyber-attacks, including some of those first mentioned in the 2010 study, and follows from our activities within Secure-CAV

Back on track

At Bathurst, the white Lamborghini  drove a lonely few laps, with a clear track to pull its way back into contention after its early pitstop. The hot stint helped Copper Horse Racing to reel in drivers who were struggling ahead and positions were gained too as competitors took their mandatory single pitstop. 

Lonely laps: the middle section of the race felt like a hot stint

On the last lap of the race, a chance emerged to take 17th place from the car in front after a mistake on the mountain. Coming up to the last corner, as the race ticked out its final seconds, a successful do or die overtake would have restored car 59 to its qualifying position, however it just wasn’t to be. But there were no complaints from the team (or Jim, our vocal engineer in Crew Chief) with the P18 finish – the best race result so far for David Rogers in the series. 

Gotta go for it: Copper Horse Racing was on a mission to recover all of the places lost from the early crash and almost made it back to P17

On the top spot, with their first visit to the podium, was El Tigre Blanco who had shown they could be quick over a lap in qualifying. Dave Bramhall bested his familiar P3 by one to finish second and Scott Ullmann took third. A special mention in the blog also goes to Philippe Riehl of France who gained a monster 19 places to finish P9. 

See you at the next race (Tue 14 Jun, from 19:30 UK time) which takes place over Belgium’s Zolder circuit. And remember you can tune into the fun as we’ll be streaming live on Twitch.  

About the author 

James Tyrrell is a Threat Modelling Analyst at Copper Horse. 

Race report: Circuit de Barcelona-Catalunya, 18 May 2021

Best result so far for Copper Horse Racing, as David Rogers gains 12 places during the race to finish P20.

Under pressure: Car 59 had the competition on its tail for the first phase of the race

Dried off and ready for a slightly longer race 3, car 59 was lapping well in practice around Circuit de Barcelona-Catalunya, but stringing together a clean lap during qualification proved difficult. A familiar track to Formula 1 fans, the Barcelona circuit is quick to punish mistakes with lost time. In the twisty final sector, misjudging slow corners such as the 180 degree bend starting at ‘La Caixa’ (turn 10) will soon undo any gains made earlier in the lap. And getting a clean exit out of
the final chicane is crucial to cutting the timing beam at top speed.

At the end of qualifying, Copper Horse’s 2015 Lamborghini Huracan was lined up in 32nd position, 2.874 secs off the fastest Tier 10 lap time of 01m:45s.243 set by Italian driver Gianluca Cappellini in a Porsche 991. In Tier 1, Maciej Malinowski – also driving a Porsche – travelled the same distance in an unfathomable 01m:42s.684.

But the race is won after 90 mins not over a single lap, and a lot can happen in that time – especially when you have a 1047m long start/finish straight terminating in a sharp right-hand turn! Plus, there’s a refuelling stop to calculate – get it right and you’ll fly home with fumes in the tank, get in wrong and it’ll cost you valuable lap time.

Crunch time: Copper Horse’s white Lamborghini skirts around the carnage at turn one.
Pitstop action: refuelling added to the complexity of the 90 minute race.

Following last week’s rain-soaked race at Donington Park, competitors were happy to see a change in the weather at the Barcelona circuit. For race 3, sim-racing league organisers Apex Online Racing had dialed in dazzling sunshine, catching drivers in the eyes coming into sector 3 and driving out of sector 1.

Sunshine and clear skies: no need for windscreen wipers at race 3.

Blinding the Technology
Linking this scenario to our threat modelling work for automotive, it’s worth mentioning that it’s not only the driver that gets blinded by the sun. Bright light can trouble advanced driver assistance systems (ADAS) too. There are examples on YouTube showing how Tesla’s lane change feature can fail when sun glare prevents the vehicle’s forward-facing cameras from distinguishing the white lines on the road. Similarly, Comma.ai’s ‘Openpilot’ – a lower cost alternative for non-Tesla owners, which is based on a smartphone that looks out through the vehicle’s windscreen – has also been observed to lose tracking under sunny conditions.

Other products besides ADAS can also be vulnerable. If you have a robot vacuum cleaner, you might want to close the curtains before letting it loose, as Terence Eden (@edent) and many other customers have found that streaks of sunlight can stop such gadgets in their tracks.

Close racing: Lamborghini and McLaren drivers battling for position

Back in Barcelona, it was hard to blame the sun for a tap on the side that nudged car 59 off the track as close racing was pushed to its limit. But even with a couple of lost places, Copper Horse Racing’s driver David Rogers was still well up on qualifying, finishing P20 and bringing momentum into race 4. It wasn’t as comfortable a drive as it appeared though, as a mischosen set of brake pads struggled to last the full 90 minutes with the car suffering from brake fade in the second half of the race.

Podium Positions and Driver of the Day
At the top of the table, Canada’s Justin Dawson took the #1 spot for the second time in a row, while P1 qualifier Gianluca Cappellini slid back one position in the race to come second. Completing the podium, for the third time in three races, Dave Bramhall finished P3.

Driver of the day – a stat based on the number of positions gained during the race – goes to Marc André Stoltenberg of Germany in car 24 who gained 18 places to finish P16.

Driver of the day: Marc André Stoltenberg in the black Audi takes the inside line.

Next week, the driving conditions will change again as competitors experience the league’s only night race of the season at Laguna Seca Raceway – a scenario that will make track knowledge more important than ever and the track’s infamous corkscrew even more perilous.

Tune in next week for more updates on car 59’s progress in Apex Online Racing’s Assetto Corsa Competizione GT3 League Season 7.

About the author
James Tyrrell is a Threat Modelling Analyst at Copper Horse.

Automotive threat modelling: off-the-shelf solutions

Copper Horse’s automotive cybersecurity posts, including Automotive threat modelling: off-the-shelf solutions, can now be found on the Secure-CAV microsite.

Secure-CAV is an ambitious collaborative project that aims to improve the safety and security of tomorrow’s connected and autonomous vehicles through a combination of cybersecurity monitoring, hardware solutions, machine learning and functional demonstrators.

About the author

James Tyrrell is a Threat Modelling Analyst at Copper Horse.

Threat modelling connected and autonomous vehicle cybersecurity: an overview of available tools

Copper Horse’s automotive cybersecurity posts, including Threat modelling connected and autonomous vehicle cybersecurity: an overview of available tools, can now be found on the Secure-CAV microsite.

Secure-CAV is an ambitious collaborative project that aims to improve the safety and security of tomorrow’s connected and autonomous vehicles through a combination of cybersecurity monitoring, hardware solutions, machine learning and functional demonstrators.

About the author

James Tyrrell is a Threat Modelling Analyst at Copper Horse.

What is SIM swap?

Over the past couple of years, there has been a lot of awareness raising in the press about the issue of ‘SIM swap’. David Rogers explores the problem.

Customer chips: subscriber identity modules (SIMs) for use in mobile devices. Image credit – James Tyrrell

An unauthorised individual gets a victim’s SIM reassigned to them in order to gain access to the victim’s mobile phone account. In the past this would have been practiced by fraudsters who might want to run up calls against the victim’s account, perhaps in a more organised fashion combined with other types of fraud and criminality.

New incentive

Steadily this began to change. In sub-Saharan Africa, SIM swaps started to occur against users of mobile money services; a new incentive to make money using this method. There was a rise in password compromises in online accounts, led by large-scale data breaches, leading to credential stuffing — the automated injection of breached username/password pairs — based on the leaked information as well as weak implementations of access control. This meant that there was an increasing need to have ‘out-of-band’ methods of validating users that would be acceptable as a ‘second factor’ to passwords, increasing security. The most common and straightforward to implement solution to this was to use the mobile phone and SMS – it was the thing that most people carry and there was commonality in the means by which users could receive the message, almost instantaneously. The user could then, with relative ease, get access to their account. The company providing the service – be it a bank or social media app, could also have reasonable confidence that the user was genuine, raising the bar significantly against attacks on users, their passwords and individual transactions protected by the second factor.

Targeting two-factor authentication

Nothing in security remains static and it should be no surprise to anyone that criminals looked to target the two-factor authentication (2FA) mechanisms being used to protect accounts. The first serious attempt on SMS-based 2FA was against banks in Europe that used mTANs (codes for banking transactions) in late 2010 as part of the ZeuS banking trojan. The attack was relatively sophisticated and used a combination of social engineering and already compromised desktop machines to manipulate users into installing malware on Android devices which would intercept the SMSs and divert them to criminals. The attackers struggled with some of the security controls on the handsets, such as digital signing and the attack was not wholly successful, however it clearly demonstrated their intent.

By the late 2000s and following the Edward Snowden revelations, attackers were beginning to look at the network side. The legacy Signalling System No.7 network (SS7), originally designed in the 1970s, was an integral part of how mobile phones communicate to each other on both 2G and 3G networks. As networks became more open to the internet and the knowledge of how SS7 worked became more widely known, fraudsters and other criminals began to take advantage. Simply ripping out legacy networks is not an option in the mobile world, given the huge scale and reliance on mobile telephony services. Mobile network operators worked together with the security research community to build in monitoring and filtering mechanisms, together with signalling firewalls in order to prevent, detect and deter this vector.

Engineering account takeovers

Finally, social engineering of call centres has been a problem. This is an issue for all organisations that are required to service users directly. Indeed this form of “account takeover” is seen in many different sectors. With the prevalence of information available on the internet for most people, building up a legitimate picture of a user can be done with relative ease or with some initial social engineering against the user themselves. Whilst network operators need to ensure their call centre staff are trained to detect social engineering attempts, this is a tall order given that the whole aim of the social engineer is to convince the person at the other end of the phone that they’re legitimate. Phasing out legacy methods of authentication such as usage of secret information like mother’s maiden name and usage of user-selected passwords that need to be spoken is just part of the solution. Some network operators are now providing APIs (technical interfaces) for services such as banks to be able to connect to in order to establish whether a SIM swap has occurred recently.

This is the real heart of the issue for SIM swap – the target is now not really the network operator’s services, it is something else entirely. It’s a service that uses 2FA SMSs for which the only mechanism to compromise is to arrange for the SIM to be swapped. And there are lots of them – banks, messaging applications, social media apps, email accounts, bitcoin wallets – the list is ever-increasing. An increasing number of people are seeing ‘whole life takeovers’ – starting with a SIM swap, the user’s email account is compromised, followed by a succession of accounts for everything they interact with, from airlines to ride-sharing to shops leaving the user without money or even the ability to communicate. This is often a method of punishing someone or ‘taking them out’, a risk for people in the public domain such as journalists.

Rising rewards

The value of success is increasing too. In some cases millions of dollars of bitcoins have been swiped from wallets because the SIM was swapped. The motivation is high and the cost of attack is relatively low, but the gains are potentially life-changing for attackers. Recent attacks have seen technical attempts combined with social engineering to install remote desktop access so that criminals can initiate the SIM swaps themselves. Mobile network operators around the world need to ensure they’re on top of all aspects of the problem, implementing best practice and doing as much as they can to raise the bar of defence against such attacks. There is no boundary between human, telecoms and cyber security – it is all one big attack surface now.

Further reading

About the author

David Rogers is the founder and CEO of Copper Horse.

Computers on wheels and networks in the fast lane

Copper Horse’s automotive cybersecurity posts, including Computers on wheels and networks in the fast lane, can now be found on the Secure-CAV microsite.

Secure-CAV is an ambitious collaborative project that aims to improve the safety and security of tomorrow’s connected and autonomous vehicles through a combination of cybersecurity monitoring, hardware solutions, machine learning and functional demonstrators.

About the author

James Tyrrell is a Threat Modelling Analyst at Copper Horse.

Copper Horse and Arm launch white paper on IoT security by design

“If you’re looking to deploy IoT, you need to do it right from the start and you need to think about what happens with that product throughout its lifetime, until you sunset it,” David Rogers MBE – founder of Copper Horse and author of the UK’s Code of Practice for Consumer IoT Security – told listeners at yesterday’s launch webinar (available to watch on-demand). “That means working with suppliers and partners who you can trust will take the right approach to security and platforms.”

Arm commissioned Copper Horse to offer an impartial guide to IoT security by design, and the 19 page white paper guides readers on how to appropriately and securely manage solutions at scale.

“If you’re deploying IoT in any kind of environment – for example, consumer, automotive, agricultural, industrial or medical, you need to consider security from the beginning,” David reiterates. “Regulation is coming so it can’t be ignored.”

Topics covered in the briefing include: the threat landscape; future regulation; software updates and device management; public key infrastructure (PKI); end-of-life and decommissioning; and a reminder on identifying and eliminating bad practices.

Full details can be found at – https://learn.arm.com/securingiotbydesign.html.