From skateboards and trucks to medical devices and rifles, these recent hacks show that every “thing” is at risk.
Musicians have the GRAMMYs. Actors have the Emmys. Athletes have the ESPYS. Hackers, well they have Black Hat. Every year, more than 10,000 security pros converge in Las Vegas to explore the latest network flaws, device vulnerabilities and cyber attacks of the past, present and future. While these demonstrations typically focused on how to take control of computers, given the rise of the Internet of Things, it seems like just about any “thing” can be susceptible to malicious intruders. As we gear up for what will surely be an insane amount of coverage across all media channels, here are a few hacks that’ll surely grab your attention.
Serial hacker Samy Kamkar has devised a tablet-sized box that could easily tap into and wirelessly take control of a GM car’s futuristic features. With connected car security a hot topic at this year’s conferences, the Los Angeles-based entrepreneur has created a device — dubbed OwnStar — that can locate, unlock and remotely start any vehicle with OnStar RemoteLink after intercepting communication between the RemoteLink mobile app and OnStar servers.
The system is driven by a Raspberry Pi and uses an ATmega328 to interface with an Adafruit FONA for cellular connection. After opening the OnStar RemoteLink app on a smartphone within Wi-Fi range of the hacking gadget, OwnStar works by intercepting the communication. Essentially, it impersonates the wireless network to fool the smartphone into silently connecting. It then sends specially crafted packets to the mobile device to acquire additional credentials and notifies the attacker over 2G about the new vehicle it indefinitely has access to, namely its location, make and model.
With the user’s login credentials, an attacker could do just about anything he or she wants, including tracking a car, unlocking its doors and stealing stuff nside (when carjacking meets car hacking), or starting the ignition from afar. Making matters worse, Kamkar says a remote control like this can give a malicious criminal the ability to drain the car’s gas, fill a garage with carbon monoxide or use its horn to drum up some mayhem on the street. The hacker can also access the user’s name, email, home address, and last four digits of a credit card and expiration date, all of which are accessible through an OnStar account.
Tesla Model S
Researchers said they took control of a Tesla Model S car and turned it off at low speed, one of six significant flaws they found that could provide hackers total access to vehicles, the Financial Times reported.
Kevin Mahaffey, CTO of Lookout, and Marc Rogers, principal security researcher at Cloudflare, claimed they decided to hack a Tesla car because the company has a reputation for understanding software than most automakers. The hackers had to physically gain entry into the vehicle, which made it more difficult than many other attacks. Once they were connected through an Ethernet cable, they were later able to access the systems remotely. These included the screens, speedometer, windows, electronic locks, and the ignition.
“We shut the car down when it was driving initially at a low speed of five miles per hour. All the screens go black, the music turns off and the handbrake comes on, lurching it to a stop,” Rogers describes.
Tesla has since issued a patch to fix the flaws.
After his own electric skateboard abruptly stopped working last year, unable to receive commands from its remote control, Richo Healey decided to delve a bit deeper into the incident. What he discovered was that, the volume of Bluetooth traffic in the surrounding the intersection interfered with his RC’s connection to the board.
Cognizant of this defect, Healy teamed up with fellow researcher Mike Ryan to examine the hackability of his and other e-skateboards on the market today. The result was an exploit they developed called FacePlant that can give them complete control of someone’s gadget.
The duo describes FacePlant as “basically a synthetic version of the same RF noise” that Healey experienced at the intersection in his hometown of Melbourne. The exploit ultimately allows them to gain total control of someone cruising down the street or sidewalk, which means they could easily cold stop a board or send it flying in reverse, tossing the rider.
They found at least one critical vulnerability in each board they examined, all of which hinge on the fact that the manufacturers of the boards failed to encrypt the communication between the remotes and the boards. The attack for controlling them is essentially identical across the board (no pun intended), but the mechanism for conducting it differs somewhat for each one. As a result, they’ve only completed an exploit for the Boosted board at this time.
Three former Boston University students have highlighted a vulnerability in the hardware of Square readers that would enable hackers to convert it into a credit card skimmer in less than 10 minutes. The rigged PoS device could then be used to steal personal information with a custom-recording app.
Computer engineering grads Alexandrea Mellen, John Moore and Artem Losev unearthed the flaw last year in a project for their cybersecurity class. They also found that Square Register software could be hacked to enable unauthorized transactions at a later date.
“The merchant could swipe the card an extra time at the point of sale. You think nothing of it, and a week later when you’re not around, I charge you $20, $30, $100, $200… You might not notice that charge. I get away with some extra money of yours,” Moore explains.
The group says there is no evidence that either of the vulnerabilities have been employed to scam credit card holders, but does warn that their findings raise red flags for the fast-emerging mobile commerce industry.
The U.S. Food and Drug Administration and Department of Homeland Security have both issued advisories warning hospitals not to use the Hospira infusion system Symbiq due to cybersecurity risks. While no known attack has occurred, hackers could theoretically tamper with the intravenous infusion pump by accessing a hospital’s network.
“This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies,” the FDA said in a statement.
Hospira has since discontinued the manufacture and distribution of the Symbiq Infusion System, because of unrelated issues, and is working with customers to transition to alternative systems. However, amid the latest string of security woes, the FDA strongly encourages healthcare facilities to begin transitioning to other infusion systems as soon as possible.
This isn’t the first time vulnerabilities in medical devices have been in the spotlight. Back in 2014, Scott Erven and his team found that drug infusion pumps could be remotely manipulated to change the dosage doled out to patients. On top of that, a WIRED article noted that “Bluetooth-enabled defibrillators could be hacked to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring, X-rays that can be accessed by outsiders lurking on a hospital’s network; temperature settings on refrigerators storing blood and drugs that can be reset, causing spoilage; and digital medical records that can be altered to cause physicians to misdiagnose, prescribe the wrong drugs or administer unwarranted care.”
Asset-tracking systems made by Globalstar and its subsidiaries were discovered to have flaws that would enable a hijacker to track valuable and sensitive cargo and then disable the location-tracking device used to monitor it. From here, criminals could potentially fake the coordinates to make it appear as if the shipment was still traveling its intended route. Or, as WIRED points out, a hacker who simply wanted to cause chaos could add false coordinates to companies and militaries monitoring their assets and shipments to make it appear as if they’d been taken over.
These findings were brought to light by Colby Moore, a researcher with the security firm Synack. The same vulnerable technology isn’t only employed for tracking cargo, it’s used in people-tracking systems for search-and-rescue missions and in SCADA environments as well.
As Moore tells the magazine, the Simplex data network that Globalstar uses for its satellites doesn’t encrypt communication between the tracking devices, orbiting satellites and ground stations, nor does it require the communication be authenticated so that only legitimate data gets sent. Subsequently, a hacker could intercept the communication, spoof it or jam it.
“Each device has a unique ID that’s printed on its outer casing. The devices also transmit their unique ID when communicating with satellites, so an attacker targeting a specific shipment could intercept and spoof the communication. Often the unique IDs on devices are sequential, so if a commercial or military customer owns numerous devices for tracking assets, an attacker would be able to determine other device IDs, and assets, that belong to the same company or military based on similar ID numbers.”
Security researchers Runa Sandvik and Michael Auger have hacked a pair of $13,000 TrackingPoint self-aiming rifles. The duo has developed a set of techniques that could let an attacker compromise the gun via its Wi-Fi connection and exploit vulnerabilities in its software. According to WIRED, the tactics can change variables in the scope’s calculations that make the rifle inexplicably miss its target, permanently disable the scope’s computer, or even prevent the gun from firing.
“The first of these has to do with the Wi-Fi, which is off by default, but can be enabled so you can do things like stream a video of your shot to a laptop or iPad. When the Wi-Fi is on, the gun’s network has a default password that allows anyone within Wi-Fi range to connect to it. From there, a hacker can treat the gun as a server and access APIs to alter key variables in its targeting application.”
Additionally, the researchers shared that a hacker could alter the rifle in a way that would persist long after that Wi-Fi connection is broken. It’s even possible, they tell WIRED, to implant the gun with malware that would only take effect at a certain time or location-based on querying a user’s connected phone.
Hijacking data as sound waves
Reuters has reported that a team of researchers led by Ang Cui have demonstrated the ability to hijack standard equipment inside computers, printers and millions of other electronic devices to send information through sound waves.
The project, called Funtenna, refers to a software payload that intentionally causes its host hardware to act as an improvised RF transmitter using existing hardware, which is typically not designed for electromagnetic emnation.
The program works by taking control of the physical prongs on general-purpose input/output circuits and vibrates them at a frequency of the researchers’ choosing, which can be audible or not. The vibrations can be picked up with an AM radio antenna a short distance away.
The new transmitting antenna adds another potential channel that would be hard to detect because no traffic logs would catch data leaving the premises. Cui tells Reuters that hackers would need an antenna close to the targeted building to pick up the sound waves, as well as find some way to get inside a targeted machine and convert the desired data to the format for transmission.
Tobias Zillner and Sebastian Strobl of Cognosec uncovered flaws in the Zigbee standard, which is widely used by countless IoT appliances. Specifically, the researchers shed light on the fact that the protocol’s reliance on an insecure key link with smart gadgets opens the door for hackers to spoof them and potentially gain control of your connected home. According to Cognosec, the items that have been tested and proven to be susceptible include ight bulbs, motion sensors, temperature sensors and door locks.
“If a manufacturer wants a device to be compatible to other certified devices from other manufacturers, it has to implement the standard interfaces and practices of this profile. However, the use of a default link key introduces a high risk to the secrecy of the network key,” the team states in its recent paper. “Since the security of ZigBee is highly reliant on the secrecy of the key material and therefore on the secure initialisation and transport of the encryption keys, this default fallback mechanism has to be considered as a critical risk. If an attacker is able to sniff a device and join using the default link key, the active network key is compromised and the confidentiality of the whole network communication can be considered as compromised.”
[Images: Samy Kamkar, Tesla, Colby Moore, Square, WIRED, Ang Cui]