Posts Tagged ‘hacking’


Advances in medical technology are making people’s lives better every day and the future looks even brighter … and darker, if we don’t get the security right. Here’s a link to a piece I wrote for the IBM SecurityIntelligence.com blog on the subject I hope you find useful.

https://securityintelligence.com/hacking-your-health/

You are driving down the road, minding your own business on a brisk winter day, when suddenly the stereo starts blaring unrecognizable music, the air conditioner begins blasting cold air, the onboard navigation system changes course, the headlights start flashing, and the engine turns off, killing the power steering and braking systems and making a controlled stop difficult, if not impossible. Oh, and the same thing just happened to every other car on the road around you at the very same time.

Got your attention?

That scenario, though implausible today, is not impossible in the not-too-distant future. The Internet of Things (IoT) movement to turn everything we use into a computer has already taken hold in the automotive industry. Cool new features that let you remotely lock, unlock and start your car are becoming more common. That’s great news for the good folks who enjoy this infusion of technology into more and more parts of their lives, and it’s great news for the bad guys who would like to exploit the darker side of these advancements.

The point is that if you can control all these systems on your car wirelessly, the potential exists for a hacker to do the same.

While the doomsday scenario outlined above is still a bit far-fetched, it may not be as unlikely as you might think: we are already starting to see proof-of-concept attacks and other vulnerabilities emerge. Here are a few examples:

  • Reuters reported that BMW recently patched a bug that left over 2 million Rolls-Royce, Mini and BMW cars open to having their doors unlocked by attackers. According to the article, the vulnerable software allowed drivers to:

    activate door locking mechanisms, as well as a range of other services including real-time traffic information, online entertainment and air conditioning.

    Apparently the communications between the car and the controller weren’t encrypted, so an attacker could trick the car into accepting unauthorized commands. The problem is supposed to be fixed now, but one has to wonder why it only now occurred to the powers that be that authenticating the source of the commands might be an important feature.

  • The Register reported that:

    Zhejiang University students have hacked the Tesla Model S with an attack that enabled them to open its doors and sun roof, switch on the headlights and sound the horn – all while the car was driving along.

  • And there’s this from ARS Technica:

    papers published in 2010 and 2011, on-board components such as CD players, Bluetooth for hands-free calls, and “telematics” units for OnStar and similar road-side services make it possible for an attacker to remotely execute malicious code.

    The research is still in its infancy, but its implications are unsettling. Trick a driver into loading the wrong CD or connecting the Bluetooth to the wrong handset, and it’s theoretically possible to install malicious code on one of the ECUs. Since the ECUs communicate with one another using little or no authentication, there’s no telling how far the hack could extend.

  • And if you’d like to see a proof of concept take a look at this video which shows a car’s horn, steering and brakes being controlled by a backseat driver.
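The BMW item (unencrypted, unauthenticated commands from the controller) and the Ars Technica item (ECUs talking to each other with little or no authentication) come down to the same missing check. As an added illustration, not code from any of the reports above or from any vehicle maker, here is a minimal command channel in Python in which the car accepts a frame only if an HMAC tag under a shared key verifies and a message counter is fresh, so a tampered frame and a replayed one are both rejected. The key, the command set and the frame layout are constructed for this example.

```python
import hashlib
import hmac
import struct

# Constructed example key, assumed to be provisioned into both the owner's
# controller (sender) and the car's telematics unit (receiver).
KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# Hypothetical command set: name -> one-byte command id.
COMMANDS = {"LOCK": 1, "UNLOCK": 2, "START": 3}
TAG_LEN = 32  # HMAC-SHA256 output length


def build_command(key: bytes, counter: int, command: str) -> bytes:
    """Sender side: frame = counter (4 bytes) || command id (1 byte) || HMAC tag."""
    body = struct.pack(">IB", counter, COMMANDS[command])
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class Receiver:
    """Car side: execute a command only if its tag verifies and its counter is new."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1  # highest counter accepted so far (replay guard)

    def accept(self, frame: bytes):
        """Return the command name if the frame is genuine and fresh, else None."""
        if len(frame) != 5 + TAG_LEN:
            return None
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None  # body was altered or came from someone without the key
        counter, cmd_id = struct.unpack(">IB", body)
        if counter <= self.last_counter:
            return None  # a replayed (or reordered) frame
        self.last_counter = counter
        return {v: k for k, v in COMMANDS.items()}.get(cmd_id)


def demo():
    """Genuine, tampered, replayed and next-genuine frames, in that order."""
    car = Receiver(KEY)
    genuine = build_command(KEY, 1, "LOCK")
    # Same counter and tag, but the command byte changed to UNLOCK.
    tampered = genuine[:4] + bytes([COMMANDS["UNLOCK"]]) + genuine[5:]
    return [car.accept(genuine), car.accept(tampered),
            car.accept(genuine), car.accept(build_command(KEY, 2, "UNLOCK"))]
```

Without the tag check the tampered frame would unlock the car, and without the counter the captured LOCK frame could be replayed at will; `demo()` returns `['LOCK', None, None, 'UNLOCK']`.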

Before you throw away your keys and go horse shopping, bear in mind that most cars on the road lack this sort of remote control capability in the first place, but that is changing. The hope is that the auto makers will learn from these early mistakes and build safer vehicles in the future. The likelihood is that we will hear about a lot more of these types of vulnerabilities before they do.

Now, who wants a self driving car?

My previous posting dealt with a technical attack involving malware being distributed through social media. Here’s a story on how social media sites can be used for social engineering to entice users into being attacked.

http://money.cnn.com/2012/03/12/technology/linkedin-hackers/index.htm

The article points to how information gleaned from LinkedIn profiles can be used to target users with more plausible attack scenarios — a.k.a. spear phishing. It describes how one person was able to get added as a connection to more than 60 people at a company where he posed online as a worker and then proceeded to get himself added to a private LinkedIn discussion forum.

  • “Now I had an audience of 1,000 company employees,” O’Horo said. “I posted a link to the group wall that purported to be a beta test sign-up page for a new project. In two days, I got 87 hits — 40% from inside the corporate network.”

Of course, the risk here is that the fake page could have been infected and used to distribute malware as previously described. But is this really a problem with LinkedIn? Should we avoid social networking sites as a result?

I would say “no” and “no.” The real issue here was that people were trusting things they shouldn’t trust. If someone had bothered to find out who this guy was before adding him to the private discussion forum, it wouldn’t have been an issue. Also, if users had been more discerning as to which links they clicked on, it wouldn’t have been an issue.

The point really is what and whom should you trust? LinkedIn, like any social networking site, is only as good as the information in it and only as trustworthy as the people posting to it. It seems that every time we develop a new communications forum, whether it be snail mail, telephone, email, SMS, or social networking sites, we have to re-educate ourselves as users as to what is and is not reasonable and responsible behavior within this new context.

Hackers know this, and it’s how they are able to exploit these windows of opportunity with each new turn of the technological crank. The onus is on the good guys to maintain a healthy skepticism when moving into new forums, or risk being the next victim.