October 6, 2015
If you’re like me you’ll probably be getting desensitized by now to the ever-lengthening list of data breach headlines which have saturated the news for the past 24 months or more. Targeted attacks, Advanced Persistent Threats and the like usually end up in the capture of sensitive IP, customer information or trade secrets. The result? Economic damage, board level sackings and a heap of bad publicity for the breached organization. But that’s usually where it ends.
Let’s face it, data breaches are a dime a dozen today. There’s a much more dangerous and far-reaching threat that we should all be aware of: vulnerabilities in Internet of Things and connected devices. When these are exploited, we’re not just talking about CEOs losing their jobs – in a worst case scenario these flaws could result in human fatalities.
From cars to drug pumps
Let’s look at perhaps the most widely reported such flaw first. Security researchers Charlie Miller and Chris Valasek recently demonstrated an audacious hack of a 2014 Jeep Cherokee at Black Hat 2015. The research is too lengthy to go into in any great detail here. However, in short, they ran a scan of the car’s proprietary Uconnect entertainment system, which is wirelessly connected to the Sprint network by default, and found port 6667 to be open. On the Jeep it’s used for D-Bus – a system enabling “inter-process communications” – and it required no authentication. From this they pivoted to a chip in the Uconnect head unit and were able to rewrite its firmware in a way which allowed them to send commands through the car’s controller area network (CAN) message bus. This forms the heart of the vehicle’s on-board computer and enabled them to remotely adjust steering, brakes and other key parts of the automobile.
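The exposure described above, a D-Bus listener reachable over the network without authentication, is something a device maker can check for in its own firmware images. The following is an added example, not code from the researchers or from this post: it audits a dbus-daemon configuration for TCP listeners bound to non-loopback addresses and for anonymous authentication. The sample configuration, the function names and the finding labels are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample configuration (not taken from any real product).
EXPOSED = """<busconfig>
  <listen>unix:path=/run/dbus/system_bus_socket</listen>
  <listen>tcp:host=0.0.0.0,port=6667</listen>
  <auth>ANONYMOUS</auth>
  <allow_anonymous/>
</busconfig>"""

def parse_address(addr):
    """Split 'tcp:host=0.0.0.0,port=6667' into ('tcp', {'host': ..., 'port': ...})."""
    transport, _, rest = addr.strip().partition(":")
    params = dict(kv.split("=", 1) for kv in rest.split(",") if "=" in kv)
    return transport, params

def is_loopback(host):
    """True only for addresses that cannot be reached from another machine."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # '*' or an unresolved name: treat as exposed

def audit_bus_config(xml_text):
    """Return findings for one dbus-daemon configuration document."""
    root = ET.fromstring(xml_text)
    findings = []
    for listen in root.iter("listen"):
        for addr in (listen.text or "").split(";"):
            transport, params = parse_address(addr)
            if transport != "tcp":
                continue
            # 'bind' selects the listening interface; assumed to fall back to 'host'.
            host = params.get("bind") or params.get("host") or "localhost"
            if not is_loopback(host):
                findings.append(f"tcp-exposed:{host}:{params.get('port', '?')}")
    mechanisms = {(a.text or "").strip().upper() for a in root.iter("auth")}
    if "ANONYMOUS" in mechanisms:
        findings.append("auth-anonymous")
    if root.find("allow_anonymous") is not None:
        findings.append("allow-anonymous")
    return findings

if __name__ == "__main__":
    for finding in audit_bus_config(EXPOSED):
        print(finding)
```

Running the same check in a firmware build pipeline turns a network-reachable, unauthenticated bus into a build failure rather than a field recall.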
Now Fiat Chrysler Automobiles (FCA) is recalling 1.4 million vehicles to patch them, and Sprint has blocked access to port 6667, so a serious remote hack as detailed by the researchers is no longer possible. It’s also true that they spent over a year developing this research including painstaking reverse engineering. But the repercussions of this vulnerability are extraordinarily serious. If hackers can remotely hijack and control cars, they could force them to crash, assassinating targets; or collide with police cars chasing them; or even lock victims in the vehicle until other gang members can arrive. Kidnap, murder, car theft – and all under the anonymizing cloak of the internet.
It’s not just in the automobile industry where vulnerabilities in connected devices could cause serious physical harm to victims. The US Food and Drug Administration (FDA) last month warned hospitals against using a popular internet-connected drug infusion pump after research revealed it could be remotely hacked.
It explained: “This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies.”
It doesn’t take much to imagine what hackers could do if they had found the flaws in the Hospira Symbiq Infusion System (v3.13 and earlier), the Plum A+ Infusion System (v13.4 and earlier), and the Plum A+ 3 Infusion System (v13.6 and earlier). Assassins could engineer a way for targets to be laid up in hospital and then hack into the smart drug pump systems keeping them alive: quick, easy, and almost untraceable. Hospitals relying on such systems could even be blackmailed.
Rifles and planes
The danger doesn’t end there. Yet another major news story this summer revealed that security researchers Runa Sandvik and Michael Auger have found a way to hack the ShotView targeting system on TrackingPoint’s fancy Linux-powered rifles. By compromising the rifle via its Wi-Fi connection and then exploiting software vulnerabilities, they could prevent the gun from firing or, even worse, cause it to hit another target as per the hacker’s instructions. If Secret Service operatives are ever given such devices to guard the president, he’d better be wearing a bulletproof vest.
Think you’re safe in the sky? Think again. Now even airplanes are being controlled by complex interconnected systems comprising onboard electronics and network connectivity. One security researcher, Chris Roberts, was detained by the FBI and accused of hacking in-flight entertainment systems on a jet. He was apparently able to overwrite code on the airplane’s Thrust Management Computer while aboard a flight, causing a plane to move laterally in the air. Roberts himself denies having done this during a real flight and Boeing has claimed IFE systems are isolated from flight and navigation systems, but the threat is too real to ignore.
From 9/11 to Malaysian Airlines flight MH17 downed over the Ukraine, it has been proven time and again that aircraft are a high profile target for terrorists and rogue states. We need to be alive to the vulnerabilities which could allow determined hackers through.
Now the cases I’ve listed above are only vulnerabilities at the moment. There’s no evidence of them having been exploited maliciously in the wild. But how long before hackers begin to put their own considerable resources into researching new zero days like these? The pay-off could be huge for them, while the repercussions for ordinary users could be nothing short of catastrophic. Devices and systems like the ones above are patently vulnerable, and it’s no surprise given the complexity of the code used to run them. It doesn’t help that those firms making these IoT systems are not experts in information security, and few of these devices can even be patched effectively.
In my next two posts I’ll explore the patterns linking all of these cases, before suggesting ways to address these potentially tragic but preventable vulnerabilities.
* * *