Deadly Device Hacks May Be Coming Soon
Last March, the online humor magazine Cracked listed computer hacks that seemed like they could have happened only in the movies — but actually did in real life.
Among them were hacking an ATM to spit out extra cash, causing traffic jams by messing up stoplights, stealing a car with a cellphone, hijacking a TV signal and hacking into the school computer to change student grades.
Unfortunately, the eye-opening revelations in the Cracked story are just the tip of the iceberg. We've reached a point where we need to face the reality that if something is connected to a network, hackers will find a way to manipulate it.
An ATM or a traffic signal might not be too much of a stretch for the imagination, but are you prepared for your refrigerator to be hacked? What about your pacemaker?
Brave new world
Every year, security experts predict the trends to watch out for in the coming 12 months.
Derek Manky, a senior threat researcher at FortiGuard Labs, a division of Fortinet in Sunnyvale, Calif., predicts that in 2013 we'll see machine-to-machine (M2M) communication attacks.
M2M communication refers to technologies that let both wireless and wired systems "talk" to other devices of the same ability.
The practical possibilities of M2M are inspiring, since it may remove human error from many situations, but there are questions about how to best secure it.
Manky predicts that this year we'll see an instance of M2M hacking that's not been exploited before, most likely in a way related to national security, such as at a weapons-development facility.
He said it will likely happen when an attacker poisons information streams that run along the M2M channels, making one machine mishandle the poisoned information, creating a vulnerability and thus allowing unauthorized access.
"Typically M2M does not exist in consumer environments," Manky said, "but rather in public services that, of course, affect citizens in daily lives. Think things like airports, power, oil and gas, traffic lights, etc.
"However, with technology like home automation moving forward in the future, we will start seeing M2M become embedded more and more in consumer environments."
If an attacker were able to poison an information stream between systems in one of these environments, Manky said, it certainly could have an impact on daily lives.
In a typical day, a person might drive his or her car or take mass transit, go through traffic control systems such as traffic lights or train switching, and then come back home to disable the security alarm.
But as M2M communications evolve and malicious hackers adapt their code to infiltrate these systems, the attackers could potentially remotely disable a vehicle's alarm and start the engine, remotely disable a household security system in a break-in attempt or take down a power station's control network in a denial-of-service attack.
Death by laptop
We are already seeing hints of potential M2M attacks. Researchers have been wirelessly hacking into pacemakers for years, and last fall Barnaby Jack of Seattle-based security vendor IOActive showed how he could deliver a deadly shock to someone's pacemaker from a nearby laptop.
Jack blamed poor software programming and a trend among medical-equipment makers to go wireless without taking security precautions, and pointed out that his lethal laptop code could just as easily be launched from a hospital computer or other electronic device.
Manky thinks that M2M attacks will happen slowly at first, but, he said, "It's been proven now that it can be done. And, code exists and has been analyzed that achieves this. So, it serves as a case and foundation to further attacks down the road."
Machines communicating with each other via the Internet are becoming more common, and that means security for these connections, particularly wireless connections, is going to have to be improved.
"It is a common pattern for us to see these machines that communicate with each other connected to the public Internet nowadays via an external interface," said Manky. "That means IP connectivity, and that they are open to probing and attack attempts by hackers.
"Vendors who develop the machines themselves that communicate need to take extra care in terms of secure development to make sure there is no low-hanging fruit attackers can go after," he added. "And, of course, critical M2M systems should be closed-circuit, as they were designed to be in the first place."