Для чего предназначена функция lojack
Для чего предназначена кнопка Shift Lock на автоматических коробках передач
Современный автомобилист высоко ценит автоматическую коробку за простой принцип её применения. Здесь, в отличие от механических КПП, нет необходимости всякий раз выжимать сцепление, чтобы переключиться на другую передачу. Отсутствие педали сцепления и автоматических процесс перехода с одной скорости на другую, не считая заднюю передачу, существенно упрощает жизнь водителю.
Но функционал АКПП вовсе не такой ограниченный и скудный, как может показаться. Помимо основного рычага, на коробке присутствует ряд кнопок, каждая из которых отвечает за определённые функции или переход в тот или иной режим работы трансмиссии. И у всех кнопок есть своё собственное название и предназначение.
Разобраться в назначении кнопок не сложно. Порой достаточно посмотреть, что на ней нарисовано или написано. В случае с Shift Lock также присутствует подпись. Только вот когда водитель нажимает на неё, ничего не происходит. Отсюда и возникает закономерный вопрос касательно того, зачем эта кнопка нужна и что она делает.
Производительное решение для вашего бизнеса
Вашему предприятию требуются широкие возможности. Необходима скорость и производительность. Ноутбуки Vostro представляют собой полнофункциональное бизнес-решение — беспрецедентное сочетание мощности и портативности.
- Операционная система: Windows® 7 Professional
- Победа над конкурентами: бесперебойная многозадачность и молниеносная производительность благодаря памяти DDR3. Новый уровень деловых возможностей за счет объединения процессоров Intel ® Core™ следующего поколения с обновлением.
- Интеллектуальная графическая система: повышение производительности при работе с графикой с помощью переключаемой графической системы Vostro. Для выполнения задач, включающих в себя большое число графических операций, в ноутбуках Vostro 3750 используется высокопроизводительная видеоплата NVidia®. При снижении требований к мощности она автоматически переключается на интеллектуальную встроенную плату Intel HD, что позволяет увеличить время работы от аккумулятора.
- Интеллектуальная графическая система Vostro 3750: повышение производительности при работе с графикой с помощью переключаемой графической системы Vostro. Для выполнения задач, включающих в себя большое число графических операций, в ноутбуках Vostro 3750 используется высокопроизводительная видеоплата NVidia. При снижении требований к мощности она автоматически переключается на интеллектуальную встроенную плату Intel HD, что позволяет увеличить время работы от аккумулятора.
- Высокоскоростная передача данных: иногда ваш бизнес просто не может ждать — так почему должны ждать вы? Два порта USB 3.0 обеспечивают десятикратное повышение скорости передачи данных по сравнению с портами USB 2.0. Ноутбуки Vostro также оснащены модулями Bluetooth ® 3.0, которые передают данные со скоростью до 24 Мбит/с, что позволяет перемещать большие файлы за считанные секунды.
How to decode Lojack?
Or push your state to enhance the $ Insurance discount since it is a recovery device, not just a theft-deterant
The LoJack system was actually designed prior to the existence of GPS. It is based around use of the 422 Hz doppler shift carried on the tracking pulses to locate the vehicle as outlined in patent 4908629. Police cars equipped with LoJack typically have four antennas mounted in a square pattern atop the vehicle to properly decode the doppler shift technology used by the LoJack system.
Some of the LoJack commercials actually tout the fact that LoJack works where GPS cannot. Here is one such commercial: LoJack Commercial
There are many stolen vehicles being driven around the country which have LoJack installed that have not been recovered because no one knows where the vehicle is located. Some say this is outdated technology but it works. No other company can come anywhere close to the results that LoJack has achieved in stolen vehicle recoveries and with assisting police officers with safety by given them advanced warning of what they are up against before confronting the criminals. I was just reading where in 2013 alone LoJack assisted with the recovery of more than $121 million in stolen vehicles equipped with LoJack. Article Here. And, on the LoJack website it states, «The LoJack Stolen Vehicle Recovery System has been installed in over 9 million cars and light trucks worldwide and has helped law enforcement to recover over 300,000 vehicles to date globally.»
Some of the newer LoJack models, typically those which offer the early warning system, appear to allow external devices to be connected to the LoJack transponder via RF/Wifi. The early warning system will notify the owner immediately if someone drives the vehicle without a special key fob inside the vehicle. Some type of GPS technology may be used in the external device as I recall reading that the vehicle is only allowed to move so many feet without the key fob inside the vehicle before the owner is notified. However, the backbone of the LoJack system itself is doppler shift based.
The standard LoJack system is not encrypted. A stolen vehicle only transmits a five-character code useful only to the police to obtain additional information regarding the vehicle and details surrounding the theft. There is no private or location based information transmitted so no real requirement for encryption. There are other competitors that do transmit GPS coordinates of stolen vehicles however their success rate is not that great.
Anyway, it is a good system. If I could afford it I would purchase one and have it installed in my truck. On rare occasions I have seen where they have given one away free in a contest.
I checked with my insurance and they would waive the deductible if stolen as I already receive a discount for a theft deterrent. I thought possibly it would pay for itself but in my case such is not the case.
Off Topic : Insurance Discounts
Arizona (AZ): Save up to 25%
California (CA): Save up to 33%
Colorado (CO): Save up to 25%
Connecticut (CT): Save up to 25%
Delaware (DE): Save up to 25%
Washington DC (DC): Save up to 25%
Florida (FL): Save up to 25%
Georgia (GA): Save up to 25%
Illinois (IL): Save up to 25%
Louisiana (LA): Save up to 25%
Massachusetts (MA): Save up to 35%
Maryland (MD): Save up to 25%
Michigan (MI): Save up to 25%
New Jersey (NJ): Save up to 25%
Nevada (NV): Save up to 25%
New Hampshire (NH): Save up to 25%
New York (NY): Save up to 25%
Pennsylvania (PA): Save up to 25%
Rhode Island (RI): Save up to 35%
Texas (TX): Save up to 30%
Virginia (VA): Save up to 25%
Florida, Georgia, Massachusetts, New Jersey, New York, Rhode Island, and Texas have mandatory insurance discounts.
For more specific information on LoJack products, visit LoJack.com.
Even if your state is not listed, it does not mean you can’t get an insurance discount, so please check with your insurance company or agent and ask them specifically if you could get a discount for an installed LoJack.
I checked with my insurance and they would waive the deductible if stolen as I already receive a discount for a theft deterrent. I thought possibly it would pay for itself but in my case such is not the case.
During the tracking of this stolen vehicle this morning there was an unusual side ID which began this morning and ended just prior to the police announcing they had a suspect at gunpoint. If the unusual site IDs are actually the speed-up commands, then a stolen vehicle transponder should be noticed to slow down to a rate of one tracking pulse every 15 seconds about 30 minutes after the last unusual site ID was broadcast.
Denny, I was also thinking about the false reply codes which appear in SDRTrunk on average once a day or once every other day on my end which in the future may set off false alerts. I was wondering if it would be possible to implement something similar to the following to eliminate most of the false reply codes:
If the received function code is E and CRC does not correct the function code then it is a Function E with unknown purpose.
If the received function code is F and CRC does not correct the function code then it is a Function F with unknown purpose.
If the received function code is E and CRC does correct the function code to a Function F then it is a Function F stolen vehicle tracking pulse/reply code.
A second possibly better option may be to only have the program activate the reply code «alert» feature when two identical reply codes are seen to occur back to back (next to each other).
Just thinking of ways to eliminate false reply code «alerts».
Mystery LoJack System = Colorado LifeTrak System?
I discovered today that about ten miles North of my house I can receive (albeit very weak) one of the mystery system transmissions.
The following are the start and stop times (in minutes and seconds into my recording) when the mystery signals were noted to occur:
So from the above, it appears this mystery system transmits approximately once every 15 minutes and 2.75 seconds.
With additional evidence of a tower closer to home it may motivate me to do a little fox hunting tomorrow and possibly work toward solving this little mystery. Everything (especially the specific areas I have received transmissions from this mystery system) is pointing toward this being the Colorado LifeTrak system (which is located in at least three Colorado counties).
LoJack Full Circle of Events Captured (Function 8=Speed-Up!)
I was able to verify the full circle of events today for one LoJack transponder. It started this morning when Airborne 1 began to receive a LoJack hit before 9:00 AM in the Denver area (presumably around 8:45 AM).
Around noon, I did notice a few tracking pulses however they were extremely faint and off in the distance. At about 1:30 PM, the tracking pulses suddenly became strong in the area of a shopping center. I stopped in a busy store parking lot and monitored the signals for about an hour capturing both slow-down and speed-up events while catching up on a little reading.
In all four of the separate instances in which I noticed the tracking pulses either speed-up or slow down, the data for a specific unusual site ID corresponded precisely in time to all these transitions. When first activated, it appears the transponder is in the slow mode (sending out pulses once every 15 seconds). When the unit begins to be tracked, a Function 8 frame is sent containing a specific address to that transponder which transitions it from the slow mode to the fast mode (pulses sent once every few seconds) for a period of 30 minutes after which time the transponder automatically transitions back to the slow mode. I even captured on recording one outstanding example of a slow tracking pulse which immediately transitioned to a fast tracking pulse at the end of the tower transmission which contained the required unusual site ID to speed up the transponder. The unusual site IDs are definitely the speed-up/tracking command. Unusual site IDs in our data reveal that a vehicle in range of the tower is actively being tracked.
What do I mean by unusual site IDs? In my area there are three towers I receive each minute. The first tower is FA-40 and then 8 seconds later FA-81 and then 8 seconds later FA-80. 64 seconds after FA-40 was last received the process repeats. FA-40, FA-81 and FA-80 are the normal site IDs in my local area. Other site IDs other than FA-40, FA-81 and FA-80 which are seen to occur frequently (not just a single occurrence) are what I am referring to as unusual site IDs. In the normal site IDs the first 3 characters change and the last 4 remain the same in each transmission. However, in the unusual site IDs the entire address remains the same in each transmission.
A side note of interest, I noticed that a speed-up command issued while the transponder is in the fast mode does not add an additional 30 minutes to the fast mode. The speed-up commands appear to only be valid when the transponder is in the slow mode.
During the cycle of events today, I captured in the tower data the time the tower first issued the activation command, a recording of the reply code, four separate verifiable occurrences of speed-ups or slow-downs that corresponded to a specific unusual site ID and the time the tower sent the deactivation command (which occurred precisely at the time I noted when the transmissions ceased). (There were no Function 3 or Function 6 frames during the entire time period.) (The activate commands were falling into both the 7th and 8th frames. The unusual site IDs were falling into the 6th, 7th and 8th frames.)
So what does this mean?
1.) Function 8 frames are the speed-up commands for most if not all LoJack units. Function 8 can be re-labeled in SDRTrunk to «Speed-Up/Site-ID» or similar.
2.) The set rate command may not be used at all or used infrequently as the transponder will automatically transition into the slow mode after 30 minutes.
3.) In SDRTrunk we currently have Function 3 labeled as the «speed-up» and Function 6 labeled as the «set rate». We may consider changing these back to «unknown» until their purpose is understood? Or, possibly they are labeled correctly however only apply to certain older LoJack transponder models?
4.) By comparing unusual site IDs across the country is it possible to verify the approximate block of addresses (presumably just the last four of the address) which are set aside to only be used as tower IDs?
One thing which occurred to me today, which applies to all types of digital radio signals, is that it is possible to audibly hear digital signals on a scanner even before they are capable of being properly decoded. This may potentially mean that a scanner has a couple of advantages: 1.) The ability to know weak signals are present, and 2.) Due to #1, the ability to locate the general area of a signal sooner.
The police did find the exact location of the vehicle. On the scanner it was reported as unoccupied and they were preparing to tow it off the last I heard.
Beware this malware: it can even survive operating systems being reinstalled
Fancy Bear (also known as APT18, Pawn Storm, Sofacy Group, Sednit and STRONTIUM) is a Russian cyber espionage group specialized in cyberattacks that are classified as Advanced Persistent Threats (APTs). As we explained in a previous post, APTs are characterized by their sophistication, for how they tend to target certain select companies or organizations, and for their capacity to outwit traditional defense mechanisms.
And Fancy Bear’s most recent development fits in perfectly with this level of sophistication: it is called LoJax, and it is a piece of malware that is able to survive an operating system being reinstalled. This makes it especially dangerous for companies and institutions that are lacking protection against this kind of attack.
How does LoJax work?
LoJax acts like a rootkit, that is, a program or set of tools that provides access to a computer or network’s administrative levels whilst staying hidden. But what makes LoJax so special is that it is the first rootkit to be detected that directly attacks the Unified Extensible Firmware Interface (UEFI).
And what is the UEFI? UEFI is the successor of BIOS, the key to any computer, since both are firmware stored in a separate memory found on the motherboard, and both contain the instructions that control the operations on the computer’s circuits, all of which means that it does not rely on operating systems.
Accordingly, LoJax takes advantage of a vulnerability in Computrace LoJack, a piece of software that comes preinstalled on many computers’ UEFI. This software sends information about the location of the computer, as well as allowing files to be deleted or blocked in case of theft. As it is an anti-theft mechanism, LoJack was designed to remain on a computer even if the operating system is reinstalled or replaced on the hard drive, since these are both elements that thieves usually alter after stealing a laptop.
The way that LoJax accesses both the UEFI and LoJack is by using binary files that, from the operating system, compile information about its hardware. From there, they patch the UEFI, hide the malicious code, and write on it again, all from Windows. This way, the cyberattacker can take total control of the UEFI.
How to avoid attacks like LoJax
LoJax isn’t dangerous simply because of the infection of the UEFI itself, but also due to the fact that many cybersecurity solutions, including corporate cybersecurity solutions that are present in many companies, completely overlook Computrace LoJack and the UEFI software, as the classify it to be safe. For this reason, LoJax throws into sharp relief the fact that organizations must take cybersecurity measures that go beyond those aimed at protecting operating systems. Below, we’ve detailed some of our recommendations:
1.- Secure Boot Mode: the good news is that Fancy Bear’s rootkit is not properly signed, i.e., securely registered like the rest of the common hardware installed and detected on the UEFI. The first security measure, therefore, is to activate the UEFI’s Secure Boot Mode on the company’s computers. When this mode is activated, all the components of the firmware must be properly signed, and it does not allow those that show any anomalies, as would be the case of LoJax.
2.- Modernization of computers’ chipsets. The vulnerabilities discovered in Computrace LoJack that allow the LoJax attack only work with old UEFI settings. The series 5 Intel chipsets, first introduced in 2008, have platform controller hubs, which have been proven to be immune to LoJax.
3.- 360º security solutions. In any case, to provide general protection from malware, it is advisable to have 360º security solutions that go beyond detecting vulnerabilities in entrypoints, and also take into account security on the endpoint. It is vital to have solutions that automatize the prevention, detection, containment and response to any advanced threat, like APTs. Our advanced cybersecurity suite, Panda Adaptive Defense, is capable of totally monitoring all possible cyberattacks and unwanted accesses. What’s more, it has a complementary module that takes care of an aspect that is often overlooked: the installation of patches and updates. Our 360º solution combines detailed visibility of the activity on the endpoints, control of all running processes and reduction of the attack surface, to keep companies from falling victim to attacks, no matter how sophisticated they are.
Panda Security specializes in the development of endpoint security products and is part of the WatchGuard portfolio of IT security solutions. Initially focused on the development of antivirus software, the company has since expanded its line of business to advanced cyber-security services with technology for preventing cyber-crime.
The line of ESPION Powered by LoJack products includes:
• ESPION, which is designed for every type of vehicle owner, combines proven theft prevention and deterrence capabilities along with multiple recovery devices
• ESPION Alert offers the same capabilities as the Espion system, as well as an added notification system that electronically warns a vehicle owner by e-mail, automated phone call or text message if their vehicle moves without authorization
• ESPION Alert Plus features the core components of the Espion system, plus additional recovery devices and personalized notification by Boomerang Security Central to a vehicle owner if the vehicle moves without authorization
In the event that an ESPION Powered by LoJack-equipped vehicle is stolen, it now can be tracked by local police departments as well as by Boomerang’s Security recovery teams. The first department to work directly with Boomerang is the Richelieu-Saint-Laurent Intermunicipal Police Board in the Richelieu Valley (Régie intermunicipale de police Richelieu/Saint-Laurent), an agency that encompasses 17 municipalities in the Montérégie region of Quebec. Boomerang Tracking is in the process of rolling out its advanced tracking computers, training and support to other law enforcement agencies in Quebec – all at no cost to the agencies.
“The technology that Boomerang Tracking offers for law enforcement is a great help in the fight against vehicle theft. The tracking computers that have been installed in our police vehicles are not only simple to use and efficient, but will also help us effectively recover stolen vehicles and dismantle criminal networks,” said François Bigras, director of the Richelieu/Saint-Laurent Intermunicipal Police Board. “Thanks to this technology, vehicle owners living in and visiting Richelieu-Saint-Laurent will feel safer.”
The original ESPION system is a proven theft solution with a better than 50 percent reduction in instance of theft and has a 90+ percent recovery rate in Quebec. Now with Radio Frequency technology, direct integration with law enforcement in Canada and the U.S., and electronic automatic theft notification features, the new ESPION product line provides even more unparalleled vehicle protection.
Lojack’d: Pwning Smart vehicle trackers
This research is by @evstykas with help from @Yekki_1 and @TheKenMunroShow.
Many car insurers insist that smart trackers are fitted to high end vehicles. In the event of theft, the car can be tracked and recovered.
Probably the most well-known is LoJack, also known as Tracker in Europe. We also looked at TrackStar as it is approved by several car manufacturers for fitting by the dealer themselves.
Finally, we looked at SmarTrack. All three trackers were also accredited by the UK’s Thatcham Research vehicle safety & security research organisation. This was set up by many insurers to help drive vehicle safety and security. All three trackers were accredited to the ‘S5’ security standard.
We spent several thousand pounds having the trackers fitted to our own vehicles, so that we could carry out independent security research.
We had fun working with Scott Helme on this project, as he had a TrackStar device fitted to his car.
All three tracker app APIs had authorisation vulnerabilities, which would allow a hacker or thief to take over the account, track individual cars in real time, suppress theft alerts and extract personal data.
Theft alerts could also be deleted, so if a car alerted as stolen, the thief could prevent further action
One tracking device could be remotely triggered to immobilise the vehicle, stopping it from being driven. Any car with this tracking device fitted could be immobilised, remotely, unauthenticated.
Conclusion: it would be trivial for a smart vehicle thief to prevent the trackers alerting the user that the car had been stolen. It may also be possible to prevent the vehicle being recovered.
The Thatcham accreditation appears to be ONLY about device functionality, not whether it’s effective, secure or introduces worrying vehicle safety issues. Thatcham appeared to be unconcerned about this when we reported it to them
The Tracker Touch mobile app allows one to locate the car in real time, also setting up a geo-fence. If the vehicle is moved, an SMS and phone alert is triggered.
If the owner confirms that the movement wasn’t intentional, then the police are alerted who go out to track and recover the car. That’s how LoJack get such a high stolen vehicle recovery rate.
The mobile app API allows users to update their email address. The request to do this contains a numeric field – the ‘ClientId’ – that identifiers the user account. It’s possible to change this ClientId and change the email address for any account. The attacker can then trigger a password reset, receive an email to their own account, and then take full control. Only the thief will get the theft alert!
Track any vehicle
Now that the account has been compromised, one can track any vehicle in real time!
The vulnerability is an insecure direct object reference, one of several:
Delete ‘geo-fence’ alerts
If the car is moved outside of a defined area (e.g. your street) then that triggers a potential theft alert.
There’s a similar insecure direct object reference on the POST request for ‘UnsubscribeIndividualAlert’ allowing any theft alerts to be deleted as they’re issued. The case is closed and the police aren’t alerted.
Or you can do it from the web app, given the account is already compromised:
TrackStar account takeover
TrackStar doesn’t have as much functionality as Tracker. We only found one vulnerability on TrackStar, but that was enough. This request didn’t check that the user was authorised:
‘Subscriber_rno’ is an incremental number that gives you access to login, telephone number of all users, and allows you to remove all devices that are associated with the device.
Also, you can add your own device, which gives you the password for the mobile app (which never changes) and full mobile app access to all cars.
Then you can add & remove geofences, locate car, track the user in real time etc, just like Tracker.
Here’s my car at our office:
Like TrackStar, the SmarTrack mobile app doesn’t have that much functionality, but still provides tracking and geo-fencing of your vehicle.
That’s one of our cars at our office.
Here’s a similar insecure direct object reference, so one can simply delete the geo-fence and a theft isn’t triggered.
Authorisation checks aren’t applied to this request, so the geo-fence email alerts are switched off. Car stolen? No alert.
Yes, that’s an HTTP request too.
Possible SQL injection
One path on the telematic API endpoint server (https://svr.gtp03.com/1) appeared to host a backup file that was not correctly processed. The code seemed a little naïve in terms of security: raw database requests were passed with no filtering to the underlying database
Whilst this is probably a backup to the main site, we’re confident that it would be possible to bypass authentication, but haven’t proved it as we don’t want to go exploiting SQLi without permission
Global fleet immobilise?
This path was a little concerning:
It’s supposed to be the call centre that triggers vehicle immobilising at the request of the police or owner. Based on what we’ve seen already, it should be possible to immobilise EVERY vehicle with this tracker fitted.
To prove the point, we sent the command to immobilise our own vehicle.
And then our car wouldn’t start. It took less than a second for the immobiliser to be triggered. The only way to resolve this would be to have the tracking device physically uninstalled.
And that’s @Yekki_1 ‘s car remotely immobilised, unauthenticated. I was in Greece when we did this and the car was in north Bucks, UK. Next time @thekenmunroshow asks if we can fit a immobiliser to your car for research, just say no!
This could be a real safety issue for cars with engine stop/start – the immobiliser is activated, the driver pulls up to traffic lights, the engine automatically stops & now won’t start again.
That is crazy – why on earth is this function on a public server?
LoJack were a little slow to respond. We had contacts at the US HQ via our work on the Viper alarm, but we had no response. Then we got hold of the UK operation, who did get back to us.
Viper is owned by Directed inc, who implemented an API from Calamp in the Viper alarm. Calamp own LoJack and also Tracker.
As far as we could make out, the API vulnerabilities were present only in the European implementation of Tracker, probably a legacy issue. The offending API endpoint for LoJack was hosted at calamp-ts.com, which you may remember from our smart alarm work. However, the European environment was hosted separately.
As a result, the LoJack flaw was unintentionally (?) fixed when we reported the Viper flaw back in February, but wasn’t fixed in LoJack/Tracker’s EU environment
Tracker UK took action and fixed the bug in Tracker just prior to public disclosure.
TrackStar is owned by Teletrac Navman, part of Fortive, an S&P500 conglomerate
We sent them an email but had no reply initially. After a little poke on Twitter and one of their execs in the US stepping in, we had a constructive call with the UK operation. The vulnerability was mitigated within 30 minutes.
SmarTrack is owned by Global Telemetrics, a UK firm.
We contacted Global Telemetrics by email asking for a response. We then called customer services, who explained that the relevant department would get back to us ‘if they were interested’
We had another reply a couple of days later stating that they had engaged a 3 rd party cyber security company to review their security. That’s fine, but it doesn’t address the pressing security issues.
We needled them on Twitter too, which had an unexpected result: we had contact from another security professional who it transpired had just been engaged to review their security.
Once we had contact with him, everything changed: With some serious hard work on their part, all the bugs we reported were fixed in 48 hours.
Independent accreditation by Thatcham Research
The UK insurance industry relies on safety and security ratings given to vehicles. This information issued to set insurance premiums.
This includes crash-worthiness, resistance to theft and even rates cyber security of vehicles.
Hence, Thatcham is seen as an independent body, helping to drive forward safety and security. Much of their work has been of great value, undoubtedly saving lives.
However Thatcham also accredits car trackers, in the case of these to their ‘Category5: Stolen Vehicle Recovery’ standard:
“Thatcham Security Certification is a robust verification programme for the assessment and recognition of automotive security products. The certification concentrates on verifying functionality, design and performance of a product.”
We have serious concerns that these products have been certified by an independent expert body. They do not perform the functions intended in a secure manner.
Thatcham gave this statement to us:
The security flaws were only identified through our intervention. We have only looked at a subset of the accredited tracking devices and have only carried out a limited range of testing.
We are very concerned that Thatcham have issued cyber security ratings for vehicles and question what value these have, in light of the glaring omissions seen above.
We also noticed that Thatcham are now publishing security ratings for cars, e.g.
How can anyone have any faith in Thatcham security ratings given the scope of the immobiliser certification process?
We haven’t looked at the firmware on the devices themselves, mostly because we didn’t want to accidentally immobilise one of our own cars and get stuck at work, unable to drive home!!
However, now that we’ve completed the API testing, we will likely remove the devices and see what else there is to find.
There are interfaces with the vehicle CAN for example to facilitate remote immobilising of the car.