Posts Tagged ‘IoT’


Advances in medical technology are making people’s lives better every day and the future looks even brighter … and darker, if we don’t get the security right. Here’s a link to a piece I wrote on the subject for the IBM SecurityIntelligence.com blog, which I hope you find useful.

https://securityintelligence.com/hacking-your-health/


I recently wrote about a vehicle hacking demonstration which exposed serious vulnerabilities in a 2014 Chrysler Jeep Cherokee in “Hack my ride.” As expected, the threat extended well beyond that specific make and model and resulted in the recall of 1.4 million vehicles that were affected by the vulnerability.

Don’t feel smug just because you don’t drive one of those models, because the hits keep coming…

Here’s one that affects GM’s OnStar system, specifically the mobile app that allows for remote access to vehicle functions. As you can see in the video below, it is possible to create a good deal of havoc with little more than about $100 worth of equipment.

According to Wired.com:

When the driver comes within Wi-Fi range of Kamkar’s $100 contraption, which he’s named “OwnStar” in a reference for the hacker jargon to “own” or control a system, it impersonates a familiar Wi-Fi network to trick the user’s phone into silently connecting.

The consequences?

a hacker could patiently track a car, retrieve his or her hacking device, and unlock the car’s doors to steal anything inside. From across the Internet, they can start the vehicle’s ignition, or use its horn and alarm to create mayhem. The hacker can also access the user’s name, email, home address, and last four digits of a credit card and expiration date, all of which are accessible through an OnStar account.

The good news? This one should be fixable with a patch to the mobile app.

The bad news? Expect to see more of these sorts of car hacks to come.

You are driving down the road minding your own business on a brisk winter day when suddenly the stereo starts blaring unrecognizable music, the air conditioner begins blasting cold air, the onboard navigation system changes course, the headlights start flashing, and the engine turns off, killing the power steering and braking systems and making a controlled stop difficult, if not impossible. Oh, and the same thing just happened to every other car on the road around you at the very same time.

Got your attention?

That scenario, though implausible today, is not impossible in the not too distant future. The Internet of Things (IoT) movement to turn everything we use into computers has already taken hold in the automotive industry. Cool new features that let you remotely lock, unlock and start your car are becoming more common. That’s great news both for the good folks who enjoy this infusion of technology into more and more parts of their lives and for the bad guys who would like to exploit the darker side of these advancements.

The point is that if you can control all these systems on your car wirelessly, the potential exists for a hacker to do the same.

While the doomsday scenario outlined previously is still a bit far-fetched, it may not be as unlikely as you might think, as we are already starting to see proof of concept attacks and other vulnerabilities emerge. Here are a few examples:

  • Reuters reported that BMW recently patched a bug that left over 2 million Rolls-Royce, Mini and BMW cars open to having their doors unlocked by attackers. According to the article, the vulnerable software allowed drivers to:

    activate door locking mechanisms, as well as a range of other services including real-time traffic information, online entertainment and air conditioning.

    Apparently the communications between the car and the controller weren’t encrypted, so an attacker could trick the car into listening to unauthorized commands. The problem is supposed to be fixed now, but one has to wonder why it only now occurred to the powers that be that authenticating the source of the commands might be an important feature.

  • The Register reported that:

    Zhejiang University students have hacked the Tesla Model S with an attack that enabled them to open its doors and sun roof, switch on the headlights and sound the horn – all while the car was driving along.

  • And there’s this from Ars Technica:

    papers published in 2010 and 2011, on-board components such as CD players, Bluetooth for hands-free calls, and “telematics” units for OnStar and similar road-side services make it possible for an attacker to remotely execute malicious code.
    The research is still in its infancy, but its implications are unsettling. Trick a driver into loading the wrong CD or connecting the Bluetooth to the wrong handset, and it’s theoretically possible to install malicious code on one of the ECUs. Since the ECUs communicate with one another using little or no authentication, there’s no telling how far the hack could extend.

  • And if you’d like to see a proof of concept take a look at this video which shows a car’s horn, steering and brakes being controlled by a backseat driver.
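
As an added illustration (not code from the original post, and not how any manufacturer implemented its fix), this is what "authenticating the source of the commands" from the BMW item, and the missing authentication between ECUs in the Ars Technica item, can look like on the receiving side: a command is accepted only if it carries a valid HMAC-SHA256 tag bound to this vehicle and a counter newer than any seen before. The frame layout, the shared-key provisioning, and the names `sign_command` and `CommandVerifier` are assumptions made for this example.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size


def _mac(key, vehicle_id, header, command):
    # Length-prefix the vehicle id so field boundaries are unambiguous.
    msg = struct.pack(">H", len(vehicle_id)) + vehicle_id + header + command
    return hmac.new(key, msg, hashlib.sha256).digest()


def sign_command(key, vehicle_id, counter, command):
    """Backend side: frame = counter (8 bytes) || command || tag."""
    header = struct.pack(">Q", counter)
    return header + command + _mac(key, vehicle_id, header, command)


class CommandVerifier:
    """Vehicle side: accept a frame only if it is authentic and fresh."""

    def __init__(self, key, vehicle_id):
        self._key, self._vehicle_id = key, vehicle_id
        self._last_counter = 0  # highest counter accepted so far

    def accept(self, frame):
        """Return the command bytes, or None if the frame is rejected."""
        if len(frame) < 8 + TAG_LEN:
            return None
        header, command, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
        expected = _mac(self._key, self._vehicle_id, header, command)
        if not hmac.compare_digest(tag, expected):
            return None  # wrong key, altered command, or signed for another vehicle
        (counter,) = struct.unpack(">Q", header)
        if counter <= self._last_counter:
            return None  # replay of a previously captured frame
        self._last_counter = counter
        return command


def demo():
    key = b"constructed-demo-key"  # constructed sample value, not a real secret
    car = CommandVerifier(key, b"VIN-DEMO-0001")
    good = sign_command(key, b"VIN-DEMO-0001", 1, b"UNLOCK_DOORS")
    unkeyed = sign_command(b"not-the-shared-key", b"VIN-DEMO-0001", 2, b"UNLOCK_DOORS")
    altered = good[:8] + b"START_ENGINE" + good[-TAG_LEN:]
    return {"genuine": car.accept(good), "replayed": car.accept(good),
            "unkeyed": car.accept(unkeyed), "altered": car.accept(altered)}
```

Only the first frame in `demo()` is accepted; the replayed copy, the frame signed without the shared key, and the frame whose command was swapped after signing are all rejected.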

Before you throw away your keys and go horse shopping, bear in mind that most cars on the road lack these sorts of remote control capabilities in the first place, but that is changing. The hope here is that the auto makers will learn from these early mistakes and make safer vehicles in the future. The likelihood is that we will hear about a lot more of these types of vulnerabilities before they do.

Now, who wants a self-driving car?

Just when you think you’ve got all the windows closed and doors locked on your IT security, a new and unexpected hole is revealed to get you started on that next ulcer — or at least that’s how it seems at times. Here are a couple of interesting hacks that take advantage of weaknesses you may have never thought of but hackers have …

WireLurker: Most iPhone and iPad users never give a second thought to malware on their devices. After all, Apple scrubs all the apps that go into their app store, right? And, if you’ve been good and haven’t jailbroken your device, that “walled garden” of security should protect you since there’s no way to install apps, malicious or otherwise, from other sources, right? Not exactly. What if you download an infected program to your Mac that then passes malware to your iPhone when you connect it via USB? Meet WireLurker. Here’s a description from MacRumors.com:

Once installed, WireLurker can collect information from iOS devices like contacts and iMessages, and it’s able to request updates from attackers. It’s said to be under “active development” with an unclear “ultimate goal.”

Didn’t see that one coming? Try this one on for size…

Gyrophone: I’ve posted here before about the possibility of malware surreptitiously turning on the microphone (or camera, yikes!) on a mobile phone, turning your trusty sidekick into an always-on surveillance device. One of the protections against this sort of attack is that apps, even bad ones, typically need to ask for your permission in order to access the mic (or camera). Of course, if the malware is disguised as a benign program you might be willing to grant access, but it turns out that you may not have to. Researchers at Stanford found that the gyroscopes in modern phones, which help them know how the device is oriented in your hand so that the screen can rotate accordingly, are so sensitive that they can pick up the vibrations of ambient sound. In other words, you talk, your phone vibrates, the built-in gyro registers the movement (ever so slight as it may be) and then a program could pick up on this and transmit what you are saying without your knowledge. But wouldn’t you have to grant access to the gyroscope to the malicious program? No, because designers apparently never anticipated this sort of use (abuse?) of that feature. Read more about it and watch a video here.

Hacked Hotel: I’ll leave you with one more bit of grist for the mill from an article in the South China Morning Post:

A San Francisco-based cybersecurity expert claims he has hacked and taken control of hundreds of highly automated rooms at a five-star Shenzhen hotel.

Jesus Molina was staying at the St Regis Shenzhen, which provides guests with an iPad and digital “butler” app to control features of the room including the thermostat, lights, and television.

Realising how vulnerable the system was, Molina wrote a piece of code spoofing the guest iPad so he could control the room from his laptop.

After some investigation, and three room changes, he discovered that the network addresses of each room and the devices within them were sequential, allowing him to write a script to potentially control every one of the hotel’s more than 250 rooms.

“Hotels are particularly bad when it comes to security,” Molina said. “[They’re] using all this new technology, which I think is great, but the problem is that the security architecture and security problems are way different than for residential buildings”.

This sort of Internet of Things technology is great. Unfortunately, so are the opportunities for abuse. Clearly, we in the IT Security industry have some work to do. In the meantime, break out the tin foil hats… 🙂

So, you thought IoT stood for “Internet of Things,” right? A reference to the instrumentation of all sorts of previously stand-alone devices like refrigerators, washers, dryers, thermostats, implantable medical devices, cars, etc., in such a way as to make them accessible via the Internet. Cool stuff … when it works. When it doesn’t? Not so much …

How about a high tech toilet that lets you use your Bluetooth enabled phone as a remote control to:

  • raise and lower the seat
  • flush
  • turn on the bidet feature (for the uninitiated, this means a stream of water is sprayed at your private parts)
  • and who knows what else?

I guess it could be interesting if you really get bored in the bathroom but, even as someone who loves technology, I’m just not sure that this sort of confluence of water, electricity and sensitive body parts should be brought that close together, if you know what I mean.

What if said toilet had a security flaw that allowed essentially anyone within Bluetooth range (which is supposed to be about 10 meters but can be extended substantially if you know what you’re doing) to control all these functions remotely without your permission?

And what if robo-potty also kept records of all your, let’s say, “activity” for reasons I’m not sure I even want to know?

Well, that’s the case with the My SATIS “luxury” toilet, where it turns out that the Bluetooth code for all the devices is hardcoded as “0000” and can’t be changed, according to a report from the BBC. That means that anyone with an Android phone can download the app, connect to your porcelain convenience and have a grand ole time at your expense.

Take it all one step further and make it part of a “connected home” ecosystem, which, thankfully, hasn’t been done yet, and you could imagine the range for these attacks going global.

Brave new world? I certainly hope not …