Pacemakers, Cars, Energy Grids: The Tech That Should Not Be Hackable, Is
The death of one 35-year-old white male in San Francisco's Nob
Hill neighborhood last Thursday would usually not be a news story,
especially since police said no foul play was involved.
But the death in question was of Barnaby Jack , a celebrated "white hat" hacker, who used his skills to expose vulnerabilities in tech hardware and helped companies to address them. Jack, who was known for hacking medical devices, was a week away from disclosing his newest findings at a top-tier hacker conference on August 1.
While it might take about a month to determine the cause of Jack's death, it's probably unwise to buy into wild theories, even though speculation and rumors are all over the Web.
It goes without saying, however, that hacking of mission-critical devices and systems is an incredibly sensitive subject; white hat hackers provide a glimpse of what future stealth cyber warfare could look like, and they can reveal weaknesses in products and industries worth billions of dollars. They also demonstrate the human costs of unprotected technology. While a virus on a local PC could -- in the worst case -- compromise your private information or business, custom-made malware may compromise, well, your factory, or a nuclear power plant , or even cost someone their life.
Here's the brief round-up of the devices and systems that really should not be hackable... but they are.
Pacemakers and ICDs
Killing a person from 50-feet away, with a deadly electrical 830V shock through a cardiac implant? It's not Homeland ; it's reality.
Barnaby Jack demonstrating his famous "money-spitting ATM" hack at Black Hat 2010. Photo courtesy of DanTentler (via Flickr) .
Last fall, Jack, speaking at the Breakpoint conference in Melbourne , showed a video demonstration of his remote attack against an implantable cardioverter-defibrillator. The hack delivered a deadly 830V blow with a distinctive sound. He was planning to reveal more details at Black Hat this year. Instead, the conference organizers decided to leave Jack's talk slot empty "to commemorate his life and work."
There are well over 3 million pacemakers and over 1.7 million implantable cardioverter-defibrillators (ICDs) in use, Jack said in the brief description of the talk he was planning to give at the Black Hat USA hacker conference this year.
Security firm IOActive,Jack 's employer, earlier revealed that other types of medical devices might be hacked, too -- think insulin pumps , wirelessly programmed to deliver less or more insulin, leading to fatal results.
So yes, it is serious. In June, the FDA sent makers of medical devices a recommendation to address the vulnerabilities "that could directly impact medical devices or hospital network operations."
That said, if you are a user of the aforementioned devices, you shouldn't be gravely concerned about the vulnerabilities at the moment. But checking with the manufacturer of the medical device about the safety and the wireless security of the device might save you from some sleepless nights.
Jack 's colleagues at IOActive are doing two presentations at Black Hat this week, focusing on compromising industrial facilities from 40 miles away and car hacks (see more on the latter topic below). It is not known whether or not the company will be disclosing any of Jack's findings on medical device security.
Air Traffic Control
The next-generation air traffic control system, called NextGen, will include automatic dependent surveillance-broadcast (ADS-B) technology, due to be installed on the majority of aircraft operating within the US by 2020, and even earlier in the EU.
The technology, which will ultimately replace radars, will be capable of broadcasting more accurate information about the position, altitude, velocity, and other characteristics of the each aircraft, thus improving flight safety and streamlining air traffic management.
What's the issue with this wonderful new system, then? It's vulnerable to attack because ADS-B doesn't use encryption. Moreover, the technology doesn't have authentication mechanisms, either, leaving it susceptible to fake plane injections .
US Navy air traffic controllers. Photo: Wikipedia.
NextGen will be even more heavily dependent on the global positioning system (GPS) signals than the current systems. But that means the system could be easily jammed with consumer devices that sells for under $100. GPS jammers, while illegal in the US, are easy to obtain online and can disrupt the normal functioning of certain cellular networks, pagers and the number of other systems.
There are even some documented disruptions by GPS jammers -- such as the cases at the Newark airport in 2009 and in the San Diego harbor area in 2007 .
Moreover, current air traffic control systems have been repeatedly hacked in nationwide events already, as was revealed in a report published in 2009 . The FAA report showed that despite the brief outage of several ATC systems in Alaska in 2006, there were no plane crashes or any significant incidents.
Smartphones and SIM Cards
SIM cards, which are tiny computer smartcards we get from our cell carriers, are used to identify customers on most cellular networks worldwide. News about how seriously SIM cards are vulnerable to attack hit the wires recently; up to 750 million devices around the globe are potentially hackable, based on the findings of German code-breaker Karsten Nohl , famous for his research in the field of GSM, or Global System for Mobile Communications, telephony security.
GSM is the most popular cellular network standard in the world. (It originally stood for Groupe Special Mobile.) AT&T Inc. ( T ) and T-Mobile US ( TMUS ), for example, use GSM on their US networks.
Nohl, who earlier pointed out numerous flaws in the security of GSM networks (think wiretapping), said he was able to hack into SIM cards with a specially crafted text message and then impersonate the owner of the phone, read texts, and even use mobile banking.
SIM cards. Photo: Pixabay.
Nohl didn't elaborate on the vulnerability he discovered, to give mobile operators time to fix the issue. That said, he's expected to go into some details at the Black Hat security conference this week. He said that the problem was related to the implementation of DES (Data Encryption Standard) encryption, the standard that is now being surpassed by newer and stronger alternatives, but which is still widely used.
Smartphones are generally vulnerable not only to complex hacking threats, but to some malware as well . In addition, a number of up-to-date smartphones have remote control tools embedded into their mobile systems. The "Find My iPhone" tool from Apple Inc. ( AAPL ), for example, is susceptible to remote hacks. In a heavily publicized case last year a Wired reporter had his iPhone wiped after a hack via security flaws at Apple and Amazon ( AMZN ).
The electronics in your car (even if it is a decade old) exist not just in its navigation and entertainment systems -- your car may also use a computer to set a maximum speed lock or auto brake in case of danger.
While humans still have their fair share of control, computers are building up their presence in automobile control systems; they're meant to assist drivers and ultimately make driving safer and more enjoyable.
On theother hand , electronics are hackable, meaning that your car might soon become as vulnerable to malicious threats as your PC is. Security specialists from Twitter andIOActive recently demonstrated what can happen if somebody hacks into a car: Brakes can be disabled,steering control can be compromised, and a hack can even make a horn blast suddenly.
While the demonstration involved physically jacking the target car, remote attacks are also possible . Luckily, nonehave been reported so far.
Some speculate, though, that the recent death of a prominent investigative journalist, Michael Hastings, might have been connected to a cyber attack on his car . Yet, as in the case with Barnaby Jack, police said no foul play was suspected inHasting 's car accident on June 18 , when the 2013 Mercedes C250 that Hastings was driving slammed into a tree and caught fire.
Ford ( F ) and Toyota (TM), makers of the models examined and apparently compromised by some hackers (they broke into a Ford Escape and a Toyota Prius), said that they take hackers seriously, but emphasized the robustness of their cars' protection against wireless attacks.
One type of car hack -- the immobilization of a theft-protection system -- is already common. Just recently, an academic paper that was to reveal the secret codes to start the engines of luxury rides like Bentleys or Lamborghinis was set to be published at the Usenix Security Symposium conference in August. But the paper was banned from publication by a British court as the result of a lawsuit instigated by European car-production powerhouse Volkswagen (OTCMKTS:VLKAY ).
Google top management in a driverless car (Eric Schmidt, Larry Page, Sergey Brin. Photo courtesy of Google.
So when self-driving cars from Google Inc (GOOG) eventually hit the market, let's hope they have all possible safety and security flaws addressed.
Is it possible for hackers to cut the power feed to a city, region, or nation? Unfortunately, this may soon become a reality. In fact, the US electrical grid had been already penetrated by foreign spies, according to reports made public in 2009 .
Fresher assessments are also far from optimistic.
"If they could gain access, hackers could manipulate SCADA (supervisory control and data acquisition) systems to disrupt the flow of electricity, transmit erroneous signals to operators, block the flow of vital information, or disable protective systems," says a joint report by US governmental bodies on the state of the US power networks, published in November 2012.
The report's authors point out that while cyber attacks might not be as devastating as physical interventions, cyber intrusions could magnify physical damage, causing longer outages.
Power Lines Tower. Photo: Pixabay.
The government appears to be well aware of the threats and possible implications in this field. In early 2012, the NSA commander, General Keith Alexander, reportedly warned that in a year or two the infamous hacking group Anonymous would be able to launch a cyber attack on the US power infrastructure, resulting in "limited outage."
The Congressional power grid safety survey published in May 2013 noted, "The electric grid is the target of numerous and daily cyber attacks," with a number of providers reporting numerous attempts to hack them. However, none confirmed damage to their equipment as the result of the attacks. That is why some critics called the report overblown , published only to rekindle the argument for big spending on cyber security.
Hackable systems are everywhere. Remember the public billboard hacked to display porn in 2010? The prison computer system hacked by a prisoner in 2011? Or the US emergency alert system in Montana that was taken over by hackers who warned citizens of a zombie attack in 2013?
Although we obviously wish that personal computers, websites, ATMs, and other financial service systems weren't hacked on a daily basis, unfortunately, they still are and will probably continue to be for the near future. National security interests aside, we have managed to live with hacks into our data and information systems. The government has even brought some perpetrators to justice .
Truth be told, the more serious hack attacks are probably not disclosed to the public because of the classified or sensitive nature of the breaches. If military drones can be hijacked the way that civilian models can be, you probably wouldn't want to know about it.
Fortunately for us, most attempts to hack life-critical systems remain lab experiments, single case studies, or proof-of-concept affairs. They are for our benefit, too; the more people are aware of potential threats, the more companies work on patching vulnerabilities, and the more money invested in making these critical systems secure by design, the better.