IT NEWS

Security vulnerabilities in major car brands revealed

Your car potentially hasn’t “just” been a car for a long time. With multiple digital systems, vehicles are increasingly plugged into web applications and digital processes. These systems tie into everything from passwords and web chat systems for car company employees, to file repositories and other parts of business infrastructure which potentially feed back into the vehicles themselves.

Sounding horns, disabling start up, reporting a vehicle as stolen, even accessing built in cameras are all possible for rogue entities should they manage to break into a manufacturer’s network.

New research has been revealed in the world of car hacking, which builds and expands upon a way to reveal car owner details via VIN numbers which we covered last month. These latest revelations come from the same researcher, Sam Curry, and his collective of car technology explorers and investigators.

Viewing a problem in isolation

Last time around we saw how publicly available data that was visible on a car was being tied back to telematics, and how that data could reveal an awful lot of information about the car owner. It was also possible to send basic instructions to the VIN-associated vehicle, such as honking the horn or flashing the lights.

As it turns out, the exploration of how fast moving, incredibly heavy objects are tied to digital systems is a lot more comprehensive than first thought. In fact, many major brands have their digital systems tied to single sign-on (SSO) systems and badly configured endpoints which grant dizzying levels of access to those in the know.

The brands mentioned in the report include:

  • Kia
  • Honda
  • Infiniti
  • Nissan
  • Acura
  • Mercedes-Benz
  • Hyundai
  • Genesis
  • BMW
  • Rolls Royce
  • Ferrari
  • Spireon
  • Ford
  • Reviver
  • Porsche
  • Toyota
  • Jaguar
  • Land Rover
  • SiriusXM

        Where things go wrong is that many of these systems were found to be vulnerable to multiple forms of exploitation. While many of the digital systems in vehicles are isolated from one another, it all goes wrong quickly if an SSO outside of the car owner’s control allows for developer or administrator-level access.

        What access, data, and control was made available to researchers

        The complete list is way too long to republish here, but some of the most impressive results from a variety of manufacturers are mentioned below:

        • Full admin access to a company-wide admin panel, allowing for the sending of arbitrary commands to roughly 15.5 million vehicles (start engine, disable starter, unlock, read device location, flash and update firmware).
        • Update vehicle status to “stolen”, updating both license plate and notifying authorities
        • Authenticate into user account and perform actions against vehicles.

        These three alone have the potential for sheer chaos, especially in relation to notifying law enforcement. Nothing quite matches the audacity of killing a Jeep on the highway from way back in 2015, but these vulnerable SSO systems increasingly offer ways to mess with car owners in more and more convoluted ways.

        For sheer malicious troll value alone, what could match authorities flagging down your car? It’s entirely possible that an incredibly unlucky individual could end up in a vehicle-based swatting scenario, but with weapon-toting officers surrounding your car instead of your home. Elsewhere, instead of malicious individuals spying on your bedrooms with insecure security cameras, we have live views from inside a car.

        There is almost no level of privacy invasion, personal risk, or data leak exposure left unturned. I’m a big believer in not overhyping security risks and vulnerabilities but what Curry and team uncovered here is not fantastic by any stretch of the imagination. No matter what your angle of attack, whether your interest is in social engineering, pranking, system tampering, or data collection, there’s potentially something for everyone.

        Are these issues still a problem?

        Thankfully, no, as Curry mentions that “all vulnerabilities” were fixed within a week, with all of the manufacturers being very responsive to the vulnerability reports. If you own one of the brands listed in the report, you don’t need to do anything as everything mentioned has been addressed.

        Given the sheer scale of the finds from this small band of researchers, it may be more concerning should your model of car not be on the list. We simply don’t know what’s out there, and may not unless Sam or other researchers compile fresh lists of findings. For the time being, you may wish to dig into whether or not your non-listed model of car comes with any digital systems or services and if there happens to be any telematics running in the background.

        Many systems allow you to set security measures in place related to logins and data collection, but as with any potential situation involving unauthorised access behind the scenes, this may not help where someone has access to the admin account. For now, drive safely and we wish you a non-compromised journey.


        We don’t just report on threats—we remove them

        Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.


        A week in security (January 1 – 8)

        Last week on Malwarebytes Labs:

        Stay safe!



        Slack private code on GitHub stolen

        Online collaboration platform Slack reported on New Year’s Eve it had suffered a “security incident” where some of its code stored on GitHub was stolen. According to the post from the company’s security team, Slack’s private code repositories were accessed using swiped employee tokens. No customer data was contained in the repositories.

        “On 29 December 2022, we were notified of suspicious activity on our GitHub account. Upon investigation, we discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository. Our investigation also revealed that the threat actor downloaded private code repositories on 27 December. No downloaded repositories contained customer data, means to access customer data or Slack’s primary codebase.”

        Slack didn’t mention how the breach was discovered, nor how the tokens were stolen.

        If this story of code theft seems familiar, then you’re likely aware that something similar happened to Okta, whose access management software allows employees to log in to restricted company resources using single sign-on. Coincidentally, sometime between these two GitHub breach incidents, CircleCI, a popular DevOps company, had its systems compromised, potentially exposing all customer secrets—the term it uses for passwords or private keys.

        Ars Technica’s Dan Goodin entertained the possibility the Slack, CircleCI, and LastPass breaches were related.

        While the investigation is ongoing, Slack shared its current findings that the attacker did not access the company’s other environments, which include production and resource environments.

        “Based on currently available information, the unauthorized access did not result from a vulnerability inherent to Slack,” the notice said. The company has already taken steps to secure its GitHub account by invalidating the stolen tokens.

        Slack customers don’t need to take any action following the breach.



        Louisiana wants your ID if you’re looking at adult-only websites

        The state of Louisiana introduced a law on January 1, 2023, that holds sites that specialize in pornographic content accountable if they do not check their visitors’ ages.

        A website is obliged to check whether a visitor is of the legal age required to access pornographic content if a substantial portion of its content falls into that category—meaning more than thirty-three and one-third percent of total material on a website. So, for obvious reasons, we will refer to the affected parties as porn sites in the rest of this article.

        The law, known as Act 440, can result in adult sites getting sued if they do not implement age verification technology. It lists a lot of reasons why explicit content can be harmful for young visitors and while we understand those reasons, we envision a lot of issues.

        Identifying information

        Verifying somebody’s age will almost certainly require that users provide personally identifiable information (PII) such as a credit card, ID or driver’s license. So the first question is, what are the risks of trusting adult sites with this kind of PII? What happens if the stored information gets exfiltrated by a threat actor or a rogue insider? There’s money, headlines, and potentially leverage, in understanding people’s sexual preferences. And it’s not just politicians, sports stars and celebrities at risk: I can already envision the phishing mails that claim “Your ID was found on the servers of a porn site. Pay now or we will tell all your friends and family.”

        The legislators must have had the same thought. The law says the commercial entity or third-party service that does the age verification should not retain any identifying information of the individual after access has been granted to the material. And those that retain identifying information will be liable for damages.

        That’s reassuring but, unfortunately, computer systems are very bad at forgetting things. Data breaches can happen to those with the best intentions and they can have all kinds of consequences. Users have no way to know if their data is being stored or discarded, and the law won’t do anything to stop card skimmers—malware that’s injected into a site to collect information as it’s entered into forms.

        Location, location

        As in real estate, location matters a lot here. As long as Louisiana is the only state, or one of a few, with such a law, it is child’s play (pun intended) to circumvent the age verification. The IP address allocated to your computer can be used to discover with reasonable accuracy where you are in the world, to the nearest town or city. So, understanding where somebody is, and whether they should be asked their age, will probably be based on their IP address.

        Such IP geolocation is not a foolproof system. Some ranges of IP addresses may occur only partially in Louisiana while the rest are located in other states or even countries. Both false positives and false negatives are likely.

        There are also several methods to mask or change an IP address deliberately, such as using a VPN, which can make it appear that a visitor is in a different city, or even a different country, than the one they are actually in.

        Another location-related problem is sites hosted outside of Louisiana. Some countries are known to turn a blind eye to anything that doesn’t hurt their own population and brings in cash. They would do absolutely nothing about complaints hailing from Louisiana or any other state or country based on this or similar laws.

        UK

        The UK has had plans to implement a similar law since 2016 as part of the Digital Economy Act, which demands mandatory age verification to access online pornography but was subsequently not enforced by the government.

        And last year an even more far-reaching update was added to its draft Online Safety Bill. It hasn’t happened yet, and it has received plenty of criticism for the reasons we have pointed out: bad for privacy, easy to circumvent, and hard to achieve.

        Draft amendments have been made to smooth the path to getting the bill passed and the legislative process should take a couple of months, before we know how much gets implemented.



        New Twitter data dump is a cleaned up version of old Twitter dump

        News of data dumps is often scary as the possibilities of identity theft, account takeovers, user de-anonymization, and other online data-driven threats rear their ugly heads. Reading about the latest reports of a new Twitter dump, however, is like opening up an already-healed wound, as the dump turned out to be the same one from November 2022 that affected more than 400 million users. Security researchers from Privacy Affairs verified this to be true. Only this set is a lot cleaner, and the file containing it significantly smaller, because the number of affected users has been halved to 200 million after duplicates were removed.

        The person responsible, who claims not to have originally collected the user data, has now decided to make the data freely available, offering it up on the site they were earlier trying to profit from. How bad is this? Should Twitter users be concerned?

        From the forums to the public

        Privacy Affairs claims data in the set can be used in social engineering attacks and doxxing. If email addresses and phone numbers are included in the dump, it will be because users had enabled the option to be searched for by those details, which allowed those entries to be harvested through abuse of an API. Phone numbers, in particular, could leave someone open to identification or SIM swap attacks on their mobile network provider.

        Naturally, this would be the biggest concern for people with phone numbers or other identifying information in any leak. In this case, things may not be as bad as they sound. From the forum post:

        I combined the files, converted to CSV, added a header, changed invalid control characters to “*”, deduplicated (including the 23M that were the same except for different # of followers), made the dates smaller and computer-friendly, and removed spaces that appeared before some emails. I also used very high compression, so the compressed file is just over 4GB. I intentionally didn’t sort it, so the curious will have an easier job comparing it to the original.

        If you suspect you’ve been caught up in this leak, you can check on Haveibeenpwned, which has added the data to its system and is currently notifying anyone signed up for the notification service.

        A welcome relief?

        The forum poster goes on to say the following:

        NOTE: There are NO PASSWORDS, NO PHONES, NO PHYSICAL ADDRESSES in this file. The original scrape did not contain any of that data.

        While the data does include email addresses, the lack of passwords, phone numbers, and physical location is good. What’s left behind, other than email addresses, is publicly available information someone could gather up by various means. This includes name, screen name, follow count, account creation date, and others.

        Unless your threat model is very specific and hinges on the exposure of your email address, you probably have little to worry about on this occasion. While there could be some form of social engineering risk from this data going public, the majority of it is likely to be data that a casual attacker could harvest from publicly available information very quickly in any case.

        Stay safe out there!



        LA housing authority is latest LockBit ransomware victim

        The Housing Authority of the City of Los Angeles (HACLA), established in 1938 to provide affordable housing in Los Angeles, confirmed in a statement that it was a victim of a ransomware cyberattack. This is the second major attack against an agency in LA after the Los Angeles Unified School District (LAUSD) experienced a similar incident at the hands of Vice Society, a ransomware gang, in September last year.

        “The Housing Authority of the City of Los Angeles (HACLA) is experiencing a cyber event that resulted in disruption to our systems,” a spokesperson said. “We are working diligently with third-party specialists to investigate the source of this disruption, confirm its impact on our systems, and to restore full functionality securely to our environment as soon as possible. We remain committed to providing quality work as we continue to resolve this issue.”

        The notorious LockBit ransomware gang claimed responsibility for the attack against HACLA after they listed the agency on their leak site on New Year’s Eve. Based on screenshots taken from the dark web, HACLA’s page reveals that LockBit possesses more than 15TB of the agency’s files. It also has snapshots of these files and folders and the ransom payment deadline of January 12.

        The ransom demand was not disclosed.

        As of this writing, a red banner at the top of HACLA’s homepage says it’s still experiencing “technical difficulties.”

        “During this time, you may experience issues related to the services that HACLA provides. Thank you for your patience while we work through these issues,” the banner said.

        The timely attack on HACLA is an opportunistic one, as LockBit appeared to have taken advantage of the holiday season to make their move. As we’re well aware, cybercriminals favor attacking victims when they least expect it. And there’s no better time than the holidays and special events—even weekends—to attack, as, more often than not, there are fewer people paying attention, making the risk of detection lower.

        The September attack on LAUSD occurred during the Labor Day weekend.


        Read: How to stay secure from ransomware attacks during holidays and special events


        Following the LAUSD attack, Los Angeles Police Department (LAPD) Chief Michel Moore was quoted saying that ransomware attacks are “the No.1 threat to our safety.” 

        “This is a wake-up call, a reminder, because all of us are so dependent on our cyber universe, to check our systems, to recognize that personal, businesses, public and private sector, are constantly being probed and constantly under attack, and that is why it’s critical that you pay attention to your security system, that you pay attention to who your users are and that you’re constantly on vigilance,” Moore said.

        In an interview with LAist, Nick Merrill, a research fellow at the UC Berkeley Center for Long-Term Cybersecurity, thinks that HACLA, like LAUSD, is not likely to pay the ransom.

        “LockBit believes that this is going to be a low-cybersecurity resource organization,” Merrill said, adding that the successful attack could further erode trust in government agencies.

        “Now HACLA has lost credibility. Defense is more than people’s privacy issues. It’s about creating the effect of a predictable and reliable society with services we can depend on.”



        Malware targets 30 unpatched WordPress plugins

        If you make use of plugins on your WordPress site (and you probably do), it’s time to take a good look at what’s running under the hood. Ars Technica reports that unpatched vulnerabilities are being exploited across no fewer than 30 plugins.

        A long list of plugin problems

        If you own or operate a website there is a very good chance it uses WordPress. More than 40 percent of websites use a version of it, and it’s used on more websites than all other website Content Management Systems (CMS) combined. One of the reasons it’s so popular is that it can be easily extended by adding plugins, of which there are tens of thousands.

        Provided it is kept up to date and protected by two-factor authentication, WordPress itself is quite secure. Because of that, in recent years threat actors have focussed on exploiting it via vulnerabilities in plugins rather than attacking it directly.

        Plugins are created by third parties and vary widely in quality. Some are updated frequently while others are unsupported. Some are so popular that they are successful software products in their own right, with paid staff, secure development lifecycles, and millions of users, and others are made by lone hobbyists. And while WordPress will update itself with security fixes by default, automatic updating of plugins has to be enabled by each website operator.

        So, news of a malware campaign targeting plugins with unpatched vulnerabilities is no surprise. In fact, researchers suggest the malware used for these attacks may have been in circulation for three years. Ars Technica reports that once a vulnerable website is detected, the attack injects rogue scripts into the pages of the site. The scripts redirect website visitors to malicious websites when they click anywhere on an affected web page.

        According to research by Dr Web, attacks rely on unpatched versions of the following plugins or themes:

        • WP Live Chat Support Plugin
        • WordPress – Yuzo Related Posts
        • Yellow Pencil Visual Theme Customizer Plugin
        • Easysmtp
        • WP GDPR Compliance Plugin
        • Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
        • Thim Core
        • Google Code Inserter
        • Total Donations Plugin
        • Post Custom Templates Lite
        • WP Quick Booking Manager
        • Facebook Live Chat by Zotabox
        • Blog Designer WordPress Plugin
        • WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
        • WP-Matomo Integration (WP-Piwik)
        • WordPress ND Shortcodes For Visual Composer
        • WP Live Chat
        • Coming Soon Page and Maintenance Mode
        • Hybrid
        • Brizy WordPress Plugin
        • FV Flowplayer Video Player
        • WooCommerce
        • WordPress Coming Soon Page
        • WordPress theme OneTone
        • Simple Fields WordPress Plugin
        • WordPress Delucks SEO plugin
        • Poll, Survey, Form & Quiz Maker by OpinionStage
        • Social Metrics Tracker
        • WPeMatico RSS Feed Fetcher
        • Rich Reviews plugin

        Plugging the plugin gap

        Time and again, not updating a plugin comes back to haunt WordPress admins in the worst possible way. Cleanup is often not an easy task, and a tiny slice of preventative action can keep you far away from a massive repair operation further down the line.

        The following preventative maintenance could save you a lot of trouble:

        • Update existing plugins. If you use WordPress you can check if you have any plugins that need updating by logging in to your site and going to Dashboard > Updates. (The Themes and Plugins menu items will also have red circles next to them if any need updating.) Update everything.
        • Turn on automatic updates for plugins. By default, WordPress does not update plugins automatically. You can enable this on a per-plugin basis by going to the Plugins screen and clicking Enable auto-updates next to each plugin.
        • Remove unsupported plugins. Go to the Plugins screen and click View details for each plugin. This screen shows you the last version of WordPress the plugin was tested with, and when it was last updated. It will also display an alert if it thinks the plugin is no longer supported.
        • Remove unnecessary plugins. Check out how many plugins and themes you have installed on your site. Do you need them all? Can any of them be removed or replaced? Generally, fewer is better.
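The four checks above can be run from the command line as well as from the dashboard. The script below is an added example (not code from the article, WordPress, or Dr. Web): it reads the JSON printed by the real WP-CLI command `wp plugin list --format=json --fields=name,title,status,update,version,auto_update` (the field names and values such as "available" and "on" are assumed to match WP-CLI's output) and flags plugins that are outdated, inactive, not auto-updating, or named in the Dr. Web list above. The sample plugin list is constructed for the example; the same script works on `wp theme list` output.

```python
import json
import re
import sys

# Plugin and theme names from the Dr. Web list quoted in the article, trimmed to the
# product name so they can be matched against WP-CLI titles and slugs.
TARGETED = [
    "WP Live Chat Support", "Yuzo Related Posts", "Yellow Pencil Visual Theme Customizer",
    "Easysmtp", "WP GDPR Compliance", "Newspaper", "Thim Core", "Google Code Inserter",
    "Total Donations", "Post Custom Templates Lite", "WP Quick Booking Manager",
    "Facebook Live Chat by Zotabox", "Blog Designer", "Ultimate FAQ",
    "WP-Matomo Integration", "ND Shortcodes For Visual Composer", "WP Live Chat",
    "Coming Soon Page and Maintenance Mode", "Hybrid", "Brizy",
    "FV Flowplayer Video Player", "WooCommerce", "Coming Soon Page", "OneTone",
    "Simple Fields", "Delucks SEO", "Poll, Survey, Form & Quiz Maker by OpinionStage",
    "Social Metrics Tracker", "WPeMatico RSS Feed Fetcher", "Rich Reviews",
]

_NOISE = {"wordpress", "plugin", "theme"}
_RANK = {"low": 0, "medium": 1, "high": 2}


def _norm(text: str) -> str:
    """Lowercase, drop punctuation and filler words so titles and slugs compare alike."""
    words = re.sub(r"[^a-z0-9]+", " ", text.lower()).split()
    return " ".join(w for w in words if w not in _NOISE)


# Whole-word patterns so that e.g. "wp live chat" matches "wp live chat support".
_TARGET_PATTERNS = [re.compile(r"\b" + re.escape(_norm(t)) + r"\b") for t in TARGETED]


def matched_targets(plugin: dict) -> list:
    """Names from the Dr. Web list that match this plugin's title or slug."""
    hay = _norm(plugin.get("title", "")) + " | " + _norm(plugin.get("name", ""))
    return [t for t, pat in zip(TARGETED, _TARGET_PATTERNS) if pat.search(hay)]


def triage(plugin_list_json: str) -> dict:
    """Return {slug: {"severity": ..., "reasons": [...]}} for plugins needing attention."""
    findings = {}
    for p in json.loads(plugin_list_json):
        levels, reasons = [], []
        targets = matched_targets(p)
        outdated = p.get("update") == "available"   # WP-CLI prints "available" or "none"
        if outdated and targets:
            levels.append("high")
            reasons.append("outdated and named in the Dr. Web list (%s): update now"
                           % ", ".join(targets))
        elif outdated:
            levels.append("medium")
            reasons.append("update available: wp plugin update " + p["name"])
        elif targets:
            levels.append("low")
            reasons.append("named in the Dr. Web list but current; keep it that way")
        if p.get("status") == "inactive":
            levels.append("medium")
            reasons.append("inactive: remove it unless it is needed")
        if p.get("auto_update") != "on":                # WP-CLI prints "on" or "off"
            levels.append("low")
            reasons.append("auto-updates off: wp plugin auto-updates enable " + p["name"])
        if reasons:
            findings[p["name"]] = {"severity": max(levels, key=_RANK.get), "reasons": reasons}
    return findings


def report(plugin_list_json: str) -> str:
    """Human-readable report, most severe findings first."""
    lines = []
    ordered = sorted(triage(plugin_list_json).items(),
                     key=lambda kv: -_RANK[kv[1]["severity"]])
    for slug, f in ordered:
        lines.append("[%s] %s" % (f["severity"].upper(), slug))
        lines.extend("    - " + r for r in f["reasons"])
    return "\n".join(lines) or "nothing to do"


# Constructed sample of `wp plugin list --format=json` output; versions are made up.
SAMPLE = json.dumps([
    {"name": "wp-live-chat-support", "title": "WP Live Chat Support", "status": "active",
     "update": "available", "version": "8.0.0", "auto_update": "off"},
    {"name": "woocommerce", "title": "WooCommerce", "status": "active",
     "update": "none", "version": "7.2.0", "auto_update": "on"},
    {"name": "hello", "title": "Hello Dolly", "status": "inactive",
     "update": "none", "version": "1.7.2", "auto_update": "off"},
    {"name": "akismet", "title": "Akismet Anti-spam", "status": "active",
     "update": "none", "version": "5.0.0", "auto_update": "on"},
])

if __name__ == "__main__":
    # Usage: wp plugin list --format=json --fields=name,title,status,update,version,auto_update \
    #        | python3 wp_triage.py        (falls back to the sample when run interactively)
    print(report(SAMPLE if sys.stdin.isatty() else sys.stdin.read()))
```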

        If you can’t make enough time available to keep on top of themes and plugins, it might be a good time to accept that you don’t need the risk and hand the job to an agency or hosting company. The last thing you want is a stack of emails some rainy Monday morning telling you that visitors have been drafted into a botnet courtesy of your blog.

        Stay safe out there!



        Google patches 60 vulnerabilities in first Android update of 2023

        Google has published its first security bulletin of 2023 with details of security vulnerabilities affecting Android devices. Patch level 2023-01-01 includes 20 issues and patch level 2023-01-05 includes fixes for another 40 issues.

        The Android security patch level refers to a monthly manifest of security patches rolled out by Google in an effort to close up security holes and malicious code exploits in the Android OS. The more recent your patch level, the less vulnerable your device is to security exploits.

        The vulnerabilities that stand out the most in this round are three critical and one high-severity vulnerability in the Android kernel. But there are some other critical issues to keep an eye on.

        Mitigation

        If your Android phone is at patch level 2023-01-05 or later then the issues discussed below have been fixed. The updates have been made available for Android 10, 11, 12, 12L and 13. Android partners are notified of all issues at least a month before publication. However, this doesn’t always mean that the patches are available for devices from all vendors.

        You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for updates.

        For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

        Kernel

        Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Below are details for the three critical ones in the kernel.

        CVE-2022-42719: A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code.

        CVE-2022-42720: Various refcounting bugs in the multi-BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to trigger use-after-free conditions to potentially execute code.

        CVE-2022-42721: A list management bug in BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to corrupt a linked list and, in turn, potentially execute code.

        mac80211

        mac80211 is a framework which driver developers can use to write drivers for SoftMAC wireless devices. SoftMAC devices allow for a finer control of the hardware, allowing for 802.11 frame management to be done in software for them, for both parsing and generation of 802.11 wireless frames.

        The main purpose of a wireless LAN is to transport data. The 802.11 standard defines various frame types that stations use for communications, as well as managing and controlling the wireless link. 802.11 defines a data frame type that carries packets from higher layers, such as web pages, printer control data, etc., within the body of the frame.

        All three critical vulnerabilities in the kernel require a remote attacker to be on the local network and they need to be able to inject WLAN frames to successfully exploit the remote code execution (RCE) vulnerabilities.

        WLAN

        Another option for attackers that are able to inject WLAN frames is the also critical vulnerability listed as CVE-2022-41674 which is an issue in the Linux kernel before 5.19.16. Attackers could inject WLAN frames and cause a buffer overflow in the ieee80211_bss_info_update function in net/mac80211/scan.c.

        A buffer overflow is a type of software vulnerability that exists when a program writes more data into a fixed-size area of memory than it can hold, so the excess spills into an adjacent memory region.

        Qualcomm

        Another critical vulnerability lies in the Qualcomm Bluetooth component and is listed as CVE-2022-22088. The description of the vulnerability says it’s a memory corruption in Bluetooth HOST due to buffer overflow while parsing the command response received from remote. The vulnerability has a CVSS score of 9.8 (out of 10). The vulnerability only applies to devices with certain Qualcomm chipsets. A full list of those chipsets can be found in the Qualcomm January 2023 Security Bulletin by looking at the details for this CVE number.



        Fake Flipper Zero websites look to cause a big splash

        Security researchers are advised to be on the lookout for scammers targeting their interest in the latest hard to obtain security testing tools. Flipper Zero, a slick looking portable multi-tool which frequently makes its way into the news, is one of the hottest pieces of kit around for security folks and fans of hardware generally.

        It’s also had some issues with regard to production, leading to a perfect storm of “I want this” butting heads with “This is a great opportunity for a bit of scamming”. Indeed, the device is currently listed as being sold out on the official portal. If you do have one to sell, you’re going to be very popular and this is something scammers can most definitely work with.

        A world of fake Flippers

        Security researcher Dominic Alvieri warns of fake Flipper Zero websites claiming to offer the product for sale.

        The sites, promoted by imitation Twitter accounts, look very much like the real thing. Two of the accounts have deleted all of their Tweets and one account itself is now deleted. However, Bleeping Computer notes that the accounts had previously been responding to queries regarding availability.

        A nice payday?

        At least one known site is still online and “selling” non-existent Flipper devices. As the standard price for a Flipper Zero is $169, and the bogus site in the Bleeping Computer screenshot is $199, that could mean a very tidy profit for someone up to no good.

        The payment process asks for a variety of personal information, with an eventual request for payment in various forms of cryptocurrency.

        While the sites are being grouped under the banner of a phish, it could be that collection of security researcher data (or anyone else’s, for that matter) in this case is secondary to the desire to simply make some quick cash. This isn’t to say someone isn’t interested in the data; it could be revisited once the payments run their course (assuming anyone actually pays up, which hasn’t happened yet).

        Phishing for authenticity

        At time of writing, Bleeping Computer mentions that no payments have yet been made to whoever is setting up these fake websites. Meanwhile, Flipper Zero has multiple problems across other social media sites like Instagram where a lack of verification for the Flipper account means there’s no way to report the (many) imitations.

        Unfortunately, it’s a case of our fishy friend experiencing a phishy time of things for the immediate future. If you’re on the lookout for new hardware, whether Flipper related or otherwise, always take steps to verify the legitimacy of links which come your way. Ironically, recent changes to Twitter’s verified profile status mean that it’s not easy to do this anymore. In this case, doubly so, as the official Flipper Zero account’s blue checkmark is a paid Twitter Blue account. This means that in theory anyone could have set it up if the Flipper Zero folks hadn’t been fast enough. The good news is that the official Twitter account is linked from the official Flipper Zero website, so it’s likely to be the real thing.

        Plenty more phish in the sea? Let’s hope not.


        We don’t just report on threats—we remove them

        Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

        Software provider denied insurance payout after ransomware attack

        The Supreme Court of Ohio issued a ruling days before the New Year that a software and service provider shouldn’t be covered by insurance against a ransomware attack, because the attack didn’t cause direct physical harm to tangible components, which software doesn’t have.

        “When insurance policy covers ‘physical damage’, there must be direct physical loss or physical damage of the covered media containing the computer software in order for the software to be covered under the policy,” the opinion document noted.

        This decision overturned a lower court ruling involving EMOI Services, an Ohio-based company selling software for scheduling appointments, medical billing, and record keeping. In 2019, attackers gained access to EMOI’s computer systems, planting ransomware and demanding a ransom of three Bitcoins, which amounted to $35,000 at the time. After hiring a third-party vendor to fix the systems, EMOI Services’ owners realized it would cost them less if they paid the ransom, so they did.

        After the company paid the ransom, the attackers handed over the decryption key to restore data. However, some systems and files remained encrypted, such as EMOI’s telephone system and a trove of its non-critical files.

        When EMOI Services filed an insurance claim for losses from the ransomware attack—the ransom payment and costs associated with investigating the attack, remediating from it, and upgrading its security systems—Owners Insurance Co., its insurer, denied the claim. The insurer contended that the attack caused no “direct physical loss to media”, which is what the policy covers. EMOI Services then sued Owners Insurance Co., alleging breach of contract.

        The Court of Common Pleas in Montgomery County ruled in favour of the insurer, agreeing that EMOI’s policy only covers direct physical loss or damage. The Second District Court of Appeals, however, reversed this, saying coverage would be possible if EMOI could prove the ransomware attack against it caused actual damage to its software.

        The opinion of the Supreme Court of Ohio finally set it all straight: EMOI’s insurance policy is “clear and unambiguous in its requirement”. “Since software is an intangible item that cannot experience direct physical loss or direct physical damage, the endorsement does not apply in this case,” the ruling said. This was despite the policy defining computer software as a form of “media”.

        “EMOI contends that the policy covers that damage even when there has been no damage to hardware. We are not persuaded by this argument. The most natural reading of the phrase ‘direct physical loss of or damage to’ is that EMOI is insured for direct physical loss of its media and insured for direct physical damage to its media,” the court elaborated on its ruling. Note that the stresses in these statements were reproduced from the court document.

        “Similarly, although the term ‘computer software’ is included within the definition of ‘media,’ it is included only insofar as the software is ‘contained on covered media.’ We hold that ‘covered media’ means media that has a physical existence.”

        In an email interview with Insurance Journal, policyholder attorney K. James Sullivan said the Ohio Supreme Court looked at the issue of direct physical loss with a “20th Century lens.”

        “I suspect we’re going to see an increasing number of losses to policyholders driven by twenty-first century fact patterns, such as pandemics, harm to computer systems, harm to air quality, etc., so it will be interesting to watch how the Ohio Supreme Court, insurers, and policyholders adapt going forward,” Sullivan said. “Based on the underpinnings of these most recent opinions, it seems that insurance policy language needs to catch up to the evolving and emerging risks faced by modern-day Ohio policyholders.”
