The cyber security convention DefCon and its corporate counterpart, Black Hat, that are held annually in Las Vegas present a unique tableau where the traditional (and traditionally overstated) conflict between underground hacking culture and corporate and government security professionals is suspended with the goal of openness and education. If you enjoy and own technology and gadgets of any kind, the conferences highlight a looming security crossroads that affects every layperson. Gizmag takes a look at some of the more important hacks from this year.
Though DefCon is in its 21st year, it's only in recent years that the convention has drawn much mainstream media notice beyond hyping the intimidating nature of its admittedly counterculture aura and attendees. Shrugging aside the mohawks and crazy t-shirts as immaterial, the inherent themes of government surveillance, information security, digital ethics, flaws in common household products or corporate software offhandedly assumed to be impenetrable are of interest to anyone and arguably always have been.
Web of Things = Web of Hackable Things
Where most of us might assume that anything offered for sale has been fully vetted as safe and secure, DefCon and Black Hat exist to dispel this myth. Operating on the mantra that the first step toward making a better product is first to break it, presenters showed us how our devices may be turned against us, unlocking smart doors and turning on devices' cameras.
Attacking a Samsung Smart TV, two researchers turned on the TV's camera remotely by exploiting apps on the TV (like Facebook) that are vulnerable to traditionally unsophisticated coding exploits. It's important to note that as is relatively common security practice, they alerted Samsung to the exploit in advance of DefCon to give the company time to patch their software before the exploit became common knowledge.
A team from Trustwave's Spider Labs selected a range of common “smart” home devices and found that nearly every one had security risks, and of those, most were easy to exploit. Several of the devices were control hubs meant to easily network devices such as lights, doors, and household appliances. Their packages of associated smart phone apps, networks, and web portals provide several gateways for abuse. The team found that these devices initially ship without even basic authentication or the ability to turn off remote access, and one company specifically has even refused to acknowledge or respond to bugs in its software.
The LIXIL Satis Smart Toilet is (obviously) less a security risk, but just as illustrative of the shortcuts manufacturers are taking in getting their trendy smart gadgets to market. It ships with a hard-coded Bluetooth password (0000), thus ensuring your Google-smart friends can easily prank you by downloading the free app and triggering the self-cleaning function when you'd rather they not.
At-risk: Autonomous vehicles and vehicle sub-systems
Robotics expert Zoz presented the many ways that autonomous systems on current and future vehicles are at risk of hacking, generally through their lower level operations, like collision avoidance or control loops, and through their sensors. Not all the hacks are sophisticated: LIDAR sensors rely on reflectance, and can be confused with an application of literal smoke and mirrors. Attacking the vehicle's ability to discern true obstacles, for example, by creating obstacle swarms or fake stop lights, would create a situation that a human could not perceive and the system could not ignore, and thus would jam its higher operations.
Fully autonomous cars may still be some years away from our roads, but the electronic sub-systems in any modern car are also hackable to an alarming degree. Research has already been conducted stating that it was possible to hack automotive systems directly, or even remotely over Bluetooth, but no concrete evidence was given, nor was it even stated what car model was studied.
However, Charlie Miller and Chris Valasek with DARPA funding not only humorously demonstrated the takeover of vehicles using a laptop, but released tools and code with the goal of making it easier for researchers to develop monitoring and control applications to circumvent harmful attacks. They chose a 2010 Toyota Prius and 2010 Ford Escape for their parking assist feature that assigns some automated control over steering in addition to the usual braking and display controls. They can be seen driving the Prius using an old-school Nintendo controller in the following video.
Infrastructure Weaknesses
Two teams of presenters at Black Hat demonstrated new ways our world's infrastructure could be one step closer to a chaotic scene from a sci-fi movie. After creating a demonstration oil pump, engineers used a series of attacks starting from susceptible internet-facing servers and finally “pivoting” towards the programmable logic controllers (PLCs), hardware that actually controls oil pump function. The industrial protocols used were developed in the 1970's and are not only unencrypted but often too weak to even support encryption. In fact, the team, who in their day jobs install and support these oil pump systems, argued that it wouldn't take a government to cause an environmental catastrophe, but “script kiddies.”
In a second demonstration, IOActive, the same company that presented the Prius and Escape hack above, showed that the wireless devices distributed by the top three developers of industrial network solutions were all subject to the same vulnerabilities. Not only did the team prove that false data could be injected into these systems with radio frequency transceivers, but that the companies involved had only the slightest concerns about security. Combined, this puts many oil, natural gas, nuclear, and petroleum companies at risk for catastrophic failures.
If you're interested in the detailed innards of another hack from this past weekend of security conferences, Gizmag has coverage of the CreepyDOL system.