The Nigerian Communications Commission (NCC) has alerted telecom consumers and public members on an ongoing cyber-vulnerability that allows a nearby hacker to unlock vehicles, start their engines wirelessly, and make away with them.

This is contained in the latest advisory released by the Computer Security Incident Response Team (CSIRT) established by the NCC and shared by the commission’s spokesperson, Ikechukwu Adinde.

“The fact that car remotes were categorised as short-range devices that use Radio Frequency (RF) to lock and unlock cars informed the need to alert Nigerians on this emergent danger.

“The vulnerability is a Man-in-the-Middle (MitM) attack or, more specifically, a replay attack in which an attacker intercepts the RF signals normally sent from a remote key fob to the car.

“It manipulates these signals and resends them later to unlock the car at will,” it stated.

The advisory stated that the latest cyber-attack gives room for easy manipulation of captured commands and re-transmitting them to achieve a different outcome altogether.

The commission’s spokesperson, however, said that the NCC-CSIRT, in the advisory, had offered some preventive measures or solutions that car owners could adopt to prevent falling victim.

According to the cyber-alert unit of the commission, when affected, the only mitigation is to reset your key fob at the dealership.

“Additionally, vulnerable car users should store their key fobs in signal-blocking ‘Faraday pouches’ when not in use.”

He advised car owners in these categories to choose Passive Keyless Entry (PKE) as opposed to Remote Keyless Entry (RKE), which would make it harder for an attacker to read the signal because criminals would need to be at close range to carry out their nefarious acts.

In a related advisory, he said that the NCC, based on another detection by CSIRT, wishes to inform the general public about the resurgence of Joker Trojan-Infected Android Apps on the Google Play Store.

“This arose due to the activities of criminals who intentionally download legitimate apps from the Play Store, modify them by embedding the Trojan malware and then upload the app back to the Play Store with a new name.

“The malicious payload is only activated once the apps go live on the Play Store, enabling the apps to scale through Google’s strict evaluation process.”

According to the advisory, the apps request for permissions and once granted, have access to critical functions.

“As a consequence, a compromised device will subscribe unwitting users to premium services, billing them for services that do not exist. A device like this can also be used to commit Short Messaging Service (SMS) fraud while the owner is unaware,” he said.

Mr Adinde said that the app could click on online ads automatically and even use SMS One-Time Password (OTPs) to approve payments without checking bank statements secretly.

The NCC also advised telecom consumers to ensure that apps installed from the Google Play Store are heavily scrutinised by reading reviews, assessing the developers, perusing the terms of use and only granting the necessary permissions.

(NAN)