The death of one 35-year-old white male in San Francisco's Nob
Hill neighborhood last Thursday would usually not be a news story,
especially since police said no foul play was involved.
But the death in question was of Barnaby Jack,
a celebrated "white hat" hacker, who used his skills to expose
vulnerabilities in tech hardware and helped companies to address
them. Jack, who was known for hacking medical devices, was a week
away from disclosing his newest findings at a
conference on August 1.
While it might take about a month to determine the cause of Jack's
death, it's probably unwise to buy into wild theories, even though
speculation and rumors are all over the Web.
It goes without saying, however, that hacking of mission-critical
devices and systems is an incredibly sensitive subject; white hat
hackers provide a glimpse of what future stealth cyber warfare
could look like, and they can reveal weaknesses in products and
industries worth billions of dollars. They also demonstrate the
human costs of unprotected technology. While a virus on a local PC
could -- in the worst case -- compromise your private information
or business, custom-made malware may compromise, well,
your factory, or a nuclear power plant,
or even cost someone their life.
Here's the brief round-up of the devices and systems that really
should not be hackable... but they are.
Pacemakers and ICDs
Killing a person from 50 feet away, with a deadly electrical 830V
shock through a cardiac implant? It's not
; it's reality.
Barnaby Jack demonstrating his famous "money-spitting ATM" hack at
Black Hat 2010. Photo courtesy of Dan Tentler (via Flickr).
Last fall, Jack, speaking at the
Breakpoint conference in Melbourne,
showed a video demonstration of his remote attack against an
implantable cardioverter-defibrillator. The hack delivered a deadly
830V blow with a distinctive sound. He was planning to reveal more
details at Black Hat this year. Instead, the conference organizers
decided to leave Jack's talk slot empty
"to commemorate his life and work."
There are well over 3 million pacemakers and over 1.7 million
implantable cardioverter-defibrillators (ICDs) in use, Jack said in
the brief description
of the talk he was planning to give at the Black Hat USA hacker
conference this year.
Security firm IOActive, Jack's employer, earlier revealed that
other types of medical devices might be hacked, too -- think
, wirelessly programmed to deliver less or more insulin, leading to
So yes, it is serious. In June, the FDA sent makers of medical
to address the vulnerabilities "that could directly impact medical
devices or hospital network operations."
That said, if you are a user of the aforementioned devices, you
shouldn't be gravely concerned about the vulnerabilities at the
moment. But checking with the manufacturer of the medical device
about the safety and the wireless security of the device might save
you from some sleepless nights.
Jack's colleagues at IOActive are doing
at Black Hat this week, focusing on compromising industrial
facilities from 40 miles away and car hacks (see more on the latter
topic below). It is not known whether or not the company will be
disclosing any of Jack's findings on medical device security.
Air Traffic Control
The next-generation air traffic control system, called NextGen,
will include automatic dependent surveillance-broadcast (ADS-B)
technology, due to be installed on the majority of aircraft
operating within the US by 2020, and even earlier in the EU.
The technology, which will ultimately replace radars, will be
capable of broadcasting more accurate information about the
position, altitude, velocity, and other characteristics of each
aircraft, thus improving flight safety and streamlining air traffic
What's the issue with this wonderful new system, then?
to attack because ADS-B doesn't use encryption. Moreover, the
technology doesn't have authentication mechanisms, either, leaving
susceptible to fake plane injections
US Navy air traffic controllers. Photo: Wikipedia.
NextGen will be even more heavily dependent on the global
positioning system (GPS) signals than the current systems. But that
means the system could be easily jammed with consumer devices that
sell for under $100. GPS jammers, while illegal in the US, are
easy to obtain online and can disrupt the normal functioning of
certain cellular networks, pagers and a number of other systems.
There are even some documented disruptions by GPS jammers -- such
as cases at the Newark airport in 2009
and in the
San Diego harbor area in 2007.
Moreover, current air traffic control systems have been repeatedly
hacked in nationwide events already, as was revealed in
a report published in 2009.
The FAA report showed that despite the brief outage of several
ATC systems in Alaska in 2006, there were no plane crashes or any
Smartphones and SIM Cards
SIM cards, which are tiny computer smartcards we get from our cell
carriers, are used to identify customers on most cellular networks
worldwide. News about how seriously SIM cards are vulnerable to
attack hit the wires recently; up to 750 million devices around the
globe are potentially hackable, based on the findings of
code-breaker Karsten Nohl,
famous for his research in the field of GSM, or Global System for
Mobile Communications, telephony security.
GSM is the most popular cellular network standard in the world. (It
originally stood for Groupe Special Mobile.)
), for example, use GSM on their US networks.
Nohl, who earlier pointed out numerous flaws in the security of GSM
networks (think wiretapping), said he was able to hack into SIM
cards with a specially crafted text message and then impersonate
the owner of the phone, read texts, and even use mobile banking.
SIM cards. Photo: Pixabay.
Nohl didn't elaborate on the vulnerability he discovered, to give
mobile operators time to fix the issue. That said, he's expected to
go into some details at the Black Hat security conference this
week. He said that the problem was related to the implementation of
DES (Data Encryption Standard) encryption, the standard that is now
being surpassed by newer and stronger alternatives, but which is
still widely used.
Smartphones are generally vulnerable not only to complex hacking
threats, but to
some malware as well.
In addition, a number of up-to-date smartphones have remote
control tools embedded into their mobile systems. The "Find My
iPhone" tool from
), for example, is susceptible to remote hacks. In a
heavily publicized case last year
reporter had his iPhone wiped after a hack via security flaws at
The electronics in your car (even if it is a decade old) exist not
just in its navigation and entertainment systems -- your car may
also use a computer to set a maximum speed lock or auto brake in
case of danger.
While humans still have their fair share of control, computers are
building up their presence in automobile control systems; they're
meant to assist drivers and ultimately make driving safer and more
On the other hand, electronics are hackable, meaning that your car
might soon become as vulnerable to malicious threats as your PC is.
Security specialists from Twitter and IOActive
what can happen if somebody hacks into a car: Brakes can be
disabled, steering control can be compromised, and a hack can even
make a horn blast suddenly.
While the demonstration involved physically jacking the target car,
remote attacks are also
. Luckily, none have been reported so far.
Some speculate, though, that the recent death of a prominent
investigative journalist, Michael Hastings,
might have been connected to a cyber attack on his
. Yet, as in the case with Barnaby Jack, police said no foul play
was suspected in Hastings's
car accident on June 18,
when the 2013 Mercedes C250 that Hastings was driving slammed
into a tree and caught fire.
(TM), makers of the models examined and apparently compromised by
some hackers (they broke into a Ford Escape and a Toyota Prius),
said that they take hackers seriously, but emphasized the
robustness of their cars' protection against wireless attacks.
One type of car hack -- the immobilization of a theft-protection
system -- is already common. Just recently, an academic paper that
was to reveal the secret codes to start the engines of luxury rides
like Bentleys or Lamborghinis was set to be published at the Usenix
Security Symposium conference in August. But the paper was
from publication by a British court as the result of a lawsuit
instigated by European car-production powerhouse
Google top management in a driverless car (Eric Schmidt, Larry
Page, Sergey Brin). Photo courtesy of Google.
So when self-driving cars from
(GOOG) eventually hit the market, let's hope they have all possible
safety and security flaws addressed.
Is it possible for hackers to cut the power feed to a city, region,
or nation? Unfortunately, this may soon become a reality. In fact,
the US electrical grid had already been penetrated by foreign
spies, according to
reports made public in 2009.
Fresher assessments are also far from optimistic.
"If they could gain access, hackers could manipulate SCADA
(supervisory control and data acquisition) systems to disrupt the
flow of electricity, transmit erroneous signals to operators, block
the flow of vital information, or disable protective systems," says
a joint report by US governmental bodies
on the state of the US power networks, published in November 2012.
The report's authors point out that while cyber attacks might not
be as devastating as physical interventions, cyber intrusions could
magnify physical damage, causing longer outages.
Power Lines Tower. Photo: Pixabay.
The government appears to be well aware of the threats and possible
implications in this field. In early 2012, the NSA commander,
General Keith Alexander,
that in a year or two the infamous hacking group Anonymous would be
able to launch a cyber attack on the US power infrastructure,
resulting in "limited outage."
A Congressional power grid safety survey
published in May 2013 noted, "The electric grid is the target of
numerous and daily cyber attacks," with a number of providers
reporting numerous attempts to hack them. However, none confirmed
damage to their equipment as the result of the attacks. That is why
some critics called the report overblown,
published only to rekindle the argument for big spending on cyber
Hackable systems are everywhere. Remember the
public billboard hacked to display porn
in 2010? The
prison computer system hacked by a prisoner
in 2011? Or the US emergency alert system in Montana that was taken
over by hackers who warned citizens of
a zombie attack?
Although we obviously wish that personal computers, websites, ATMs,
and other financial service systems weren't hacked on a daily
basis, unfortunately, they still are and will probably continue to
be for the near future. National security interests aside, we have
managed to live with hacks into our data and information systems.
The government has even
brought some perpetrators to justice
Truth be told, the more serious hack attacks are probably not
disclosed to the public because of the classified or sensitive
nature of the breaches. If military drones can be hijacked the way
can be, you probably wouldn't want to know about it.
Fortunately for us, most attempts to hack life-critical systems
remain lab experiments, single case studies, or proof-of-concept
affairs. They are for our benefit, too; the more people are aware
of potential threats, the more companies work on patching
vulnerabilities, and the more money is invested in making these
critical systems secure by design, the better.