Aggregator
CVE-2024-57162 | Campcodes Cybercafe Management System 1.0 view-user-detail.php sql injection
CVE-2024-57611 | 07FLY FLYCMS 1.3.9 shopId cross-site request forgery
The silence of the Universe does not trouble scientists: 97% believe in extraterrestrial life
A Threat Actor is Selling a Cookies Stealing Google Extension
Simplifying Compliance in the Complex U.S. FinServ Regulatory Landscape
andrew.gertz@t…
Thu, 01/16/2025 - 16:30
Thales | Cloud Protection & Licensing Solutions
If you work in compliance for a financial services organization, chances are you have been focused on the March 31st deadline for implementing version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS 4.0). However, as important as PCI may be, United States financial services organizations operate in one of the world’s most stringent and complex compliance landscapes. Financial institutions must navigate a maze of requirements on the road to compliance, and it is important to understand how to simplify and streamline compliance efforts across multiple regulations to achieve a faster time to compliance.
Understanding the US FinServ Compliance Landscape
The US financial services industry is subject to a vast number of laws and regulations. Some of the most important are the Gramm-Leach-Bliley Act (GLBA), the National Association of Insurance Commissioners (NAIC) Data Security Model Law, the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, and the National Credit Union Administration (NCUA) cybersecurity guidance. Here is a quick summary of the most relevant regulations:
Gramm-Leach-Bliley Act (GLBA)
The GLBA mandates that a broad range of financial institutions based or operating in the United States, from banks and brokerage firms to payday lenders and tax preparers, protect consumers’ personal financial information. It emphasizes the need for encryption, data governance, and secure information-sharing practices to prevent and mitigate cyber threats.
The most important components of the GLBA include the Federal Trade Commission (FTC) Safeguards Rule, which requires the development of a written information security plan, and the Financial Privacy Rule, which governs how financial data is collected and shared.
Compliance with the GLBA requires prioritizing data encryption and robust access controls to protect sensitive consumer information throughout its lifecycle.
NAIC Data Security Model Law
Designed to secure non-public information (NPI) within the insurance industry, the NAIC Data Security Model Law’s requirements closely resemble the GLBA requirements. It includes expectations for implementing comprehensive security programs, including risk assessments, incident response plans, periodic reporting, and controls like governance frameworks and application security protocols.
The NAIC model law, which applies to all insurance providers in the United States, is a perfect example of the value a unified approach to compliance can provide because its requirements overlap significantly with broader, well-established cybersecurity best practices, such as those found in the NIST Cybersecurity Framework.
NYDFS Cybersecurity Regulation
The NYDFS Cybersecurity Regulation (23 NYCRR 500) is arduous. While it is a state regulation, because it applies to any financial organization that operates in the state of New York, it ends up applying to most organizations in the United States. The regulation is incredibly stringent and sets an unusually—albeit necessarily—high bar for cybersecurity practices. More than any other FinServ regulation, it includes unique components, such as the requirement for a Chief Information Security Officer (CISO) and an annual compliance certification.
That said, many of the requirements – establishing a risk-based cybersecurity program, maintaining secure access controls, and conducting regular penetration testing, for example – are either strongly recommended or mandated by the other regulations. Moreover, other compliance requirements included in the NYDFS regulation, such as encryption, cloud security, and governance, are ubiquitous across US FinServ frameworks.
National Credit Union Administration (NCUA) Guidance
The NCUA guidance applies to credit unions and focuses heavily on data protection, vendor risk management, and incident response planning. Like other regulations, the NCUA calls for encryption to safeguard member data, governance policies to ensure accountability, and application security measures to protect against cyber threats. Access to resources can be a genuine concern for credit unions. As such, implementing a simplified, consolidated compliance strategy that addresses multiple frameworks at once is especially important.
Bringing it All Together
Now that you have a broad understanding of the US financial services regulatory landscape, you might notice that many of these regulations have significant overlaps. Every single one of the US financial services regulations mandates that organizations implement:
- Risk Assessment: Identifying data and systems at risk.
- Encryption: Protecting data at rest and in transit.
- Governance: Establishing accountability and enforcing policies.
- Cloud Security: Securing cloud environments against vulnerabilities.
- Access Control: Limiting access based on roles and responsibilities.
- Multi-Factor Authentication: Asserting the identity of people or systems.
- Application Security: Ensuring software is resilient to cyber threats.
Therefore, most requirements can be addressed with the same core technologies, without the need to duplicate efforts and dramatically reducing the time, effort, and resources necessary to achieve compliance. Differences between regulations can be addressed on a case-by-case basis.
Thales: Forging a Simplified Path to Compliance
As a leader in data security and cloud protection, Thales offers a comprehensive suite of solutions tailored to address financial institutions’ unique challenges. Partnering with Thales will help address the vast majority of requirements included in PCI DSS 4.0, GLBA, NAIC, NYDFS, and NCUA regulations – including risk assessment, encryption, governance, cloud security, access controls, and application security – and simplify the path to compliance so you can focus on the essentials: innovation, growth, and offering the best possible service to your customers.
I hope you will take the opportunity to review our new eBook to learn more about how Thales helps Financial Institutions operating in the United States to meet compliance requirements. It contains a detailed mapping of our cyber security capabilities to specific regulation requirements in the United States.
Author: Tom Fusco, Thales Group. Published January 16, 2025. Original post: https://cpl.thalesgroup.com/blog/data-security/simplifying-compliance-us-finserv-regulations
The post Simplifying Compliance in the Complex U.S. FinServ Regulatory Landscape appeared first on Security Boulevard.
Wolf Haldenstein law firm says 3.5 million impacted by data breach
Essential PowerShell Commands: A Cheat Sheet for Beginners
Introduction to PowerShell: What Is PowerShell? PowerShell is a powerful command-line shell that supports scripting languages and provides tools for managing computer resources locally and remotely. Benefits of PowerShell for Windows Administration: Windows PowerShell commands enable automation of repetitive tasks such as managing users, services, files, or scripts. PowerShell can also be used for managing … Continued
Biden Tightens Software Supply Chain Security Requirements Ahead of Trump Takeover
Introduction to PowerShell Invoke-Command
The Invoke-Command cmdlet in PowerShell enables IT admins to execute commands and scripts on remote machines, and even to redirect the output of those remote scripts to their own console. As a result, they can manage multiple machines from a central location. Key use cases include: Invoke-Command offers all of the following valuable capabilities: Benefits … Continued
FTC orders GoDaddy to fix poor web hosting security practices
FTC sues GoDaddy for years of poor hosting security practices
Argus: The Ultimate Information Gathering Toolkit
How a Large Healthcare Company Slashed Their Secrets Incidents by Half
Learn how one of Europe's largest healthcare tech leaders transformed their Secrets Security with GitGuardian, cutting incidents by half without compromising developer productivity.
The post How a Large Healthcare Company Slashed Their Secrets Incidents by Half appeared first on Security Boulevard.
Reviewing the Attack Surface of the Autel MaxiCharger: Part Two
Previously, we covered the internals of the Autel MaxiCharger where we highlighted each of the main components. In this post, we aim to outline the attack surface of the MaxiCharger in the hopes of providing inspiration for vulnerability research.
All information has been obtained through reverse engineering, experimenting, and combing through the Autel MaxiCharger manual (PDF).
At the time of writing the following software versions were applicable:
· Autel Charge app v3.0.7
· Autel Config app v2.1.0
· Autel MaxiCharger modules:
· Charge Control v1.36.00
· Power Control v1.21.00
· LCD Control v0.99.31
· LCD Information v0.99.08
· LCD Resources v0.99.08
· LCD Languages v0.04.04
Mobile Applications
Autel has published two mobile applications for both Android and iOS. The main app is called Autel Charge and contains functionality intended for end users. Some of the features include:
· Defining charging schedules
· Load balancing
· Providing Wi-Fi credentials for the charger to use
· Forcing firmware updates
· OCPP server selection (including custom servers)
· Current limiting
· Finding other chargers on a map
· Checking charger version information
Upon loading the app on a rooted Android device a superuser request can be seen. This was unexpected and points towards the app employing anti-reversing measures. Denying the request loads the app normally.
Figure 1: Autel Charge superuser request
After denying the superuser request a new Autel account can be created using an email address.
The second app is named Autel Config and allows installers / technicians to configure chargers and manage tickets. Unlike the Autel Charge app, there is no option to register for an account and providing Autel Charge account credentials doesn't work. This suggests that installers / technicians have some other way of obtaining valid credentials.
Further research into these apps could be valuable to better understand how the apps and charger communicate.
Network Traffic Analysis
Using the Autel Charge app, the MaxiCharger was configured to connect to a researcher-controlled Wi-Fi network in order to monitor the network traffic. The app and charger were then left idling whilst the traffic was captured.
A few DNS requests were sent out from the charger (192.168.200.66) for Autel related infrastructure.
Figure 2: Charger DNS queries
The first query was for gateway-eneprodus.autel.com which is an alias of eneprodus-alb-internet-2014464356.us-west-2.elb.amazonaws.com. This resolved to the following IP addresses (shown in the order received):
• 54.185.127.160
• 52.36.153.97
• 44.240.206.177
• 34.215.58.124
Straight after the first DNS query response a TLS session was set up and encrypted data was sent by the charger on port 443 to 54.185.127.160. Data was sent back and forth between the charger and server a few times before another DNS query was sent. The charger issued another query for gateway-eneprodus.autel.com which, as before, is an alias and returned the same IP addresses but in a different order presumably due to load balancing. This time the DNS query returned the IP addresses:
• 34.215.58.124
• 44.240.206.177
• 54.185.127.160
• 52.36.153.97
As before, the charger used the first IP address that was returned, but this time no TLS session was set up. Plain HTTP was used.
Figure 3: HTTP traffic
Looking a bit closer showed the charger periodically sending log data to the Autel server. The server always responded with JSON containing a null data value, a code value of 200, and a message value of OK.
Figure 4: HTTP POST traffic
After a while the charger made another DNS request for gateway-eneprodus.autel.com; this time the 44.240.206.177 IP address was returned first. The charger then sent an HTTP POST to /api/app-version-manager/version/upgrade/ota with device-related details such as the serial number and current firmware version. The server responded with JSON containing firmware update information, including a URL to download the latest version.
Figure 5: HTTP firmware related traffic
The charger then proceeded to send a DNS request for s3.us-west-2.amazonaws.com and directly downloaded the firmware update over HTTP.
The same pattern was observed multiple times as the device downloaded firmware updates for each of its modules. A list of these modules and their versions can be viewed in the Autel Charge app by navigating to the Charger Info page.
Figure 6: MaxiCharger module versions
After the firmware was updated and the charger rebooted no further HTTP traffic was observed to the logging or firmware update endpoint, instead only HTTPS was used.
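The traffic pattern described above (a TLS session, then plaintext log uploads, plaintext OTA metadata, and a plaintext firmware download from S3) is the kind of thing worth flagging automatically when reviewing a capture. The following is an added example, not code from the original post: a small analyser over constructed flow records that reports every cleartext HTTP request the charger made and checks, per DNS response, whether the device connected to the first answer it received. Only the charger IP, the gateway host name, the OTA path and the S3 host name come from the post; the record layout, the log-upload path, the S3 object path and the S3 IP address are assumptions.

```python
"""Flag cleartext telemetry and firmware-update traffic in flow records.

Added example, not code from the original post: a small analyser over
constructed flow records shaped like the charger traffic described above.
Only the charger IP, the gateway host name, the OTA path and the S3 host
come from the post; the record layout, the log-upload path, the S3 object
path and the S3 address are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float                      # seconds since capture start
    src: str
    dst: str
    dport: int
    proto: str                     # "dns", "tls" or "http"
    host: Optional[str] = None     # DNS qname, TLS SNI or HTTP Host header
    method: Optional[str] = None   # HTTP method, if any
    path: Optional[str] = None     # HTTP request path, if any
    answers: Tuple[str, ...] = ()  # DNS answers in the order received


CHARGER_IP = "192.168.200.66"                               # from the post
GATEWAY = "gateway-eneprodus.autel.com"                     # from the post
OTA_PATH = "/api/app-version-manager/version/upgrade/ota"   # from the post

# Constructed sample following the sequence the post describes.
SAMPLE: List[Flow] = [
    Flow(0.0, CHARGER_IP, "192.168.200.1", 53, "dns", host=GATEWAY,
         answers=("54.185.127.160", "52.36.153.97", "44.240.206.177", "34.215.58.124")),
    Flow(0.1, CHARGER_IP, "54.185.127.160", 443, "tls", host=GATEWAY),
    Flow(30.0, CHARGER_IP, "192.168.200.1", 53, "dns", host=GATEWAY,
         answers=("34.215.58.124", "44.240.206.177", "54.185.127.160", "52.36.153.97")),
    Flow(30.1, CHARGER_IP, "34.215.58.124", 80, "http", host=GATEWAY,
         method="POST", path="/api/log/upload"),              # path is an assumption
    Flow(89.9, CHARGER_IP, "192.168.200.1", 53, "dns", host=GATEWAY,
         answers=("44.240.206.177", "34.215.58.124", "52.36.153.97", "54.185.127.160")),
    Flow(90.0, CHARGER_IP, "44.240.206.177", 80, "http", host=GATEWAY,
         method="POST", path=OTA_PATH),
    Flow(91.0, CHARGER_IP, "203.0.113.10", 80, "http", host="s3.us-west-2.amazonaws.com",
         method="GET", path="/example-bucket/charge_control.bin"),  # address and object assumed
]


def cleartext_findings(flows: List[Flow], device_ip: str) -> List[Dict[str, object]]:
    """Return one finding per plaintext HTTP request the device made.

    Firmware metadata and images fetched without TLS can be read by anyone on
    the path and, unless the device verifies a signature, tampered with; logs
    sent in the clear leak device details such as serial numbers.
    """
    findings: List[Dict[str, object]] = []
    for f in sorted(flows, key=lambda x: x.ts):
        if f.src != device_ip or f.proto != "http":
            continue
        if f.path == OTA_PATH:
            kind = "ota-metadata-over-http"
        elif f.method == "GET" and f.path and f.path.endswith(".bin"):
            kind = "firmware-download-over-http"
        else:
            kind = "telemetry-over-http"
        findings.append({"ts": f.ts, "kind": kind, "host": f.host, "dst": f.dst, "path": f.path})
    return findings


def connects_to_first_answer(flows: List[Flow], device_ip: str) -> List[Tuple[str, str, bool]]:
    """For each DNS response, record whether the device's next connection went to the first answer."""
    results: List[Tuple[str, str, bool]] = []
    pending: Optional[Flow] = None
    for f in sorted(flows, key=lambda x: x.ts):
        if f.src != device_ip:
            continue
        if f.proto == "dns" and f.answers:
            pending = f
        elif pending is not None and f.proto in ("tls", "http"):
            results.append((str(pending.host), f.dst, f.dst == pending.answers[0]))
            pending = None
    return results


def answer_orders(flows: List[Flow]) -> Dict[str, List[Tuple[str, ...]]]:
    """Collect the answer order of every DNS response per name, exposing the rotation."""
    seen: Dict[str, List[Tuple[str, ...]]] = {}
    for f in sorted(flows, key=lambda x: x.ts):
        if f.proto == "dns" and f.answers:
            seen.setdefault(str(f.host), []).append(f.answers)
    return seen


if __name__ == "__main__":
    for finding in cleartext_findings(SAMPLE, CHARGER_IP):
        print(f"{finding['ts']:7.1f}s  {finding['kind']:28s} {finding['host']} {finding['path']}")
    for name, dst, first in connects_to_first_answer(SAMPLE, CHARGER_IP):
        print(f"{name} -> {dst} (first answer used: {first})")
```

On the sample the analyser reports three cleartext requests (telemetry, OTA metadata, firmware image) and confirms that after each DNS response the charger connected to the first address returned. The useful check for a defender is the first function: after a firmware update the post observes only HTTPS, so the same analyser run on a post-update capture should return no findings.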
Port scanning the charger over Wi-Fi showed no open TCP or UDP ports; however, UDP ports 6000 and 6666 appear to be listening on the Ethernet interface. The Ethernet interface is a valid target for the competition, so these two listening services may be worth researching further.
Bluetooth Low Energy
By default the MaxiCharger uses the device serial number as the device name when advertising over Bluetooth. Once connected, there are four available services that offer a total of 14 characteristics. Autel Charge uses these endpoints to communicate with the charger. A dump of each service and associated characteristics is shown below.
Further research into Autel Charge and Autel Config will likely assist in understanding the Bluetooth services better.
Firmware
As mentioned in the previous blog, the main microcontroller has readout protection enabled; however, this can be bypassed using techniques covered in Jonathan Andersson's and Thanos Kaliyanakis' Black Hat EU talk. Keep an eye out for future blog posts that will cover these techniques, one of which doesn't require glitching!
The main firmware can also be acquired by sniffing the charger update process (as described in the Network Traffic Analysis section) or by reversing the app to figure out the download URLs.
The firmware of the ESP32-WROOM-32D module can be dumped using the standard esptool.py from Espressif. During research it was noted that esptool.py would sometimes fail to dump the full firmware image. To mitigate this, the firmware can be dumped in smaller chunks and then stitched back together into a single blob.
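Stitching chunked dumps back together is where a silently short read turns into a corrupt image, so the join should refuse gaps, overlaps and a final size that does not match the part. The script below is an added example, not code from the original post or from Espressif's esptool: it assumes each chunk was written by esptool.py's read_flash command with a file name carrying its start offset (for example `esptool.py --port /dev/ttyUSB0 read_flash 0x100000 0x100000 chunk_0x00100000.bin` for the second 1 MiB of a 4 MiB part), rebuilds the image, and runs a cheap plausibility check on the result. The file-naming scheme, the serial port and the 4 MiB size are assumptions; the bootloader offset and image magic are the standard ESP32 values.

```python
"""Stitch chunked esptool.py flash dumps back into one image and sanity-check it.

Added example, not code from the original post or from Espressif's esptool.
Assumed chunk naming: chunk_0x<8 hex digits of start offset>.bin, as produced
by e.g.  esptool.py --port /dev/ttyUSB0 read_flash 0x100000 0x100000 chunk_0x00100000.bin
(port and naming are assumptions; 4 MiB is a common ESP32-WROOM-32D flash size).
"""
import hashlib
import re
from pathlib import Path
from typing import List, Tuple

CHUNK_RE = re.compile(r"chunk_0x([0-9a-fA-F]{8})\.bin$")
ESP32_BOOTLOADER_OFFSET = 0x1000   # second-stage bootloader lives here on the ESP32
ESP_IMAGE_MAGIC = 0xE9             # first byte of every ESP image header


def parse_offset(name: str) -> int:
    """Recover the flash offset encoded in an (assumed) chunk file name."""
    m = CHUNK_RE.search(name)
    if not m:
        raise ValueError(f"not a chunk file name: {name}")
    return int(m.group(1), 16)


def stitch(chunks: List[Tuple[int, bytes]], flash_size: int) -> bytes:
    """Join (offset, data) chunks in address order, refusing gaps, overlaps and short reads.

    A chunk that esptool.py cut short shows up either as a gap before the next
    chunk or as a final image shorter than the flash; both are rejected rather
    than silently producing a blob with holes in it.
    """
    out = bytearray()
    expected = 0
    for off, data in sorted(chunks, key=lambda c: c[0]):
        if off < expected:
            raise ValueError(f"overlap: chunk at 0x{off:08x} starts before 0x{expected:08x}")
        if off > expected:
            raise ValueError(f"gap: expected data at 0x{expected:08x}, next chunk starts at 0x{off:08x}")
        if not data:
            raise ValueError(f"empty chunk at 0x{off:08x}")
        out += data
        expected = off + len(data)
    if expected != flash_size:
        raise ValueError(f"image is 0x{expected:x} bytes, expected 0x{flash_size:x}")
    return bytes(out)


def stitch_directory(directory: Path, flash_size: int) -> bytes:
    """Stitch every chunk_0x*.bin file found in a directory into one image."""
    chunks = [(parse_offset(p.name), p.read_bytes()) for p in directory.glob("chunk_0x*.bin")]
    if not chunks:
        raise ValueError(f"no chunk files in {directory}")
    return stitch(chunks, flash_size)


def looks_like_esp32_image(blob: bytes) -> bool:
    """Cheap plausibility check: an ESP image header should sit at the bootloader offset."""
    return len(blob) > ESP32_BOOTLOADER_OFFSET and blob[ESP32_BOOTLOADER_OFFSET] == ESP_IMAGE_MAGIC


def demo() -> Tuple[str, bool]:
    """Rebuild a constructed 16 KiB 'flash' from four 4 KiB chunks; return its SHA-256 and the header check."""
    flash_size = 0x4000
    image = bytearray(b"\xff" * flash_size)            # erased flash reads back as 0xFF
    image[ESP32_BOOTLOADER_OFFSET] = ESP_IMAGE_MAGIC    # constructed header byte, not real firmware
    chunk = 0x1000
    chunks = [(off, bytes(image[off:off + chunk])) for off in range(0, flash_size, chunk)]
    blob = stitch(chunks, flash_size)
    assert blob == bytes(image)
    return hashlib.sha256(blob).hexdigest(), looks_like_esp32_image(blob)


if __name__ == "__main__":
    digest, plausible = demo()
    print(f"sha256={digest} esp32_header_present={plausible}")
```

In practice, call `stitch_directory(Path("dumps"), 0x400000)` on the chunk files and record the SHA-256 of the result alongside the module versions listed above, so a later dump of the same firmware can be compared byte for byte.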
Other Potential Attack Surfaces
There are a few other attack surfaces that are considered in scope and are worth mentioning. One of these is the undocumented USB-C port that can be found behind a small panel on the side of the unit. There is no publicly available information about what this USB port is used for.
Also, next to the USB port is the SIM card tray. Attacks that utilize a SIM card are also considered to be in scope.
And finally, there is the RFID (NFC) reader.
Summary
Hopefully this blog post provides enough information to kickstart vulnerability research against the Autel MaxiCharger.
We are looking forward to Pwn2Own Automotive again in Tokyo in January 2025 at Automotive World, and we will see if IVI vendors have improved their product security. Don’t wait until the last minute to ask questions and register! We hope to see you there.
You can find me on Twitter at @ByteInsight, and follow the team on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.
DEF CON 32 – Small Satellite Modeling and Defender Software
Author/Presenter: Kyle Murbach
Our sincere appreciation to DEF CON, and the Authors/Presenters, for publishing their erudite DEF CON 32 content, originating from the conference’s events at the Las Vegas Convention Center and published via the organization’s YouTube channel.
The post DEF CON 32 – Small Satellite Modeling and Defender Software appeared first on Security Boulevard.
SecWiki News 2025-01-16 Review
Silver Fox (银狐) winos 4.0 source code analysis: the client generation process by ourren
Exploring the dilemmas and ways forward in the criminal-justice disposal of virtual currency by ourren
Beating big with small: analysis of the UniLend hack by ourren
For more of the latest articles, visit SecWiki
Smart Spatial and Hyperview Unite to Take Data Centers to the Next Level
This strategic partnership combines Smart Spatial's innovative digital twin platform with Hyperview's expertise in data center optimization, enabling businesses to achieve sustainability, operational efficiency, and proactive management Vancouver, British Columbia – January 16, 2025: Smart Spatial is excited to announce its partnership with Hyperview, the leading cloud-based DCIM platform. This collaboration represents a major ...
The post Smart Spatial and Hyperview Unite to Take Data Centers to the Next Level appeared first on Hyperview.
The post Smart Spatial and Hyperview Unite to Take Data Centers to the Next Level appeared first on Security Boulevard.