Pacemakers, Cars, Energy Grids: The Tech That Should Not Be Hackable, Is
7/31/2013 11:35:00 AM
The death of one 35-year-old white male in San Francisco's Nob
Hill neighborhood last Thursday would usually not be a news story,
especially since police said no foul play was involved.
SIM cards. Photo: Pixabay.
Nohl didn't elaborate on the vulnerability he discovered, to give mobile operators time to fix the issue. That said, he's expected to go into some details at the Black Hat security conference this week. He said that the problem was related to the implementation of DES (Data Encryption Standard) encryption, the standard that is now being surpassed by newer and stronger alternatives, but which is still widely used.
Smartphones are generally vulnerable not only to complex hacking threats, but to some malware as well. In addition, a number of up-to-date smartphones have remote control tools embedded into their mobile systems. The "Find My iPhone" tool from Apple Inc. (AAPL), for example, is susceptible to remote hacks. In a heavily publicized case last year a Wired reporter had his iPhone wiped after a hack via security flaws at Apple and Amazon (AMZN).
The electronics in your car (even if it is a decade old) exist not just in its navigation and entertainment systems -- your car may also use a computer to set a maximum speed lock or auto brake in case of danger.
While humans still have their fair share of control, computers are building up their presence in automobile control systems; they're meant to assist drivers and ultimately make driving safer and more enjoyable.
On the other hand, electronics are hackable, meaning that your car might soon become as vulnerable to malicious threats as your PC is. Security specialists from Twitter and IOActive recently demonstrated what can happen if somebody hacks into a car: Brakes can be disabled, steering control can be compromised, and a hack can even make a horn blast suddenly.
While the demonstration involved physically jacking the target car, remote attacks are also possible. Luckily, none have been reported so far.
Some speculate, though, that the recent death of a prominent investigative journalist, Michael Hastings, might have been connected to a cyber attack on his car. Yet, as in the case with Barnaby Jack, police said no foul play was suspected in Hastings's car accident on June 18, when the 2013 Mercedes C250 that Hastings was driving slammed into a tree and caught fire.
Ford (F) and Toyota (TM), makers of the models examined and apparently compromised by some hackers (they broke into a Ford Escape and a Toyota Prius), said that they take hackers seriously, but emphasized the robustness of their cars' protection against wireless attacks.
One type of car hack -- the immobilization of a theft-protection system -- is already common. Just recently, an academic paper that was to reveal the secret codes to start the engines of luxury rides like Bentleys or Lamborghinis was set to be published at the Usenix Security Symposium conference in August. But the paper was banned from publication by a British court as the result of a lawsuit instigated by European car-production powerhouse Volkswagen (OTCMKTS:VLKAY).
Google top management in a driverless car (Eric Schmidt, Larry Page, Sergey Brin). Photo courtesy of Google.
So when self-driving cars from Google Inc (GOOG) eventually hit the market, let's hope they have all possible safety and security flaws addressed.
Is it possible for hackers to cut the power feed to a city, region, or nation? Unfortunately, this may soon become a reality. In fact, the US electrical grid had already been penetrated by foreign spies, according to reports made public in 2009.
Fresher assessments are also far from optimistic.
"If they could gain access, hackers could manipulate SCADA (supervisory control and data acquisition) systems to disrupt the flow of electricity, transmit erroneous signals to operators, block the flow of vital information, or disable protective systems," says a joint report by US governmental bodies on the state of the US power networks, published in November 2012.
The report's authors point out that while cyber attacks might not be as devastating as physical interventions, cyber intrusions could magnify physical damage, causing longer outages.
Power Lines Tower. Photo: Pixabay.
The government appears to be well aware of the threats and possible implications in this field. In early 2012, the NSA commander, General Keith Alexander, reportedly warned that in a year or two the infamous hacking group Anonymous would be able to launch a cyber attack on the US power infrastructure, resulting in "limited outage."
The Congressional power grid safety survey published in May 2013 noted, "The electric grid is the target of numerous and daily cyber attacks," with a number of providers reporting numerous attempts to hack them. However, none confirmed damage to their equipment as the result of the attacks. That is why some critics called the report overblown, published only to rekindle the argument for big spending on cyber security.
Hackable systems are everywhere. Remember the public billboard hacked to display porn in 2010? The prison computer system hacked by a prisoner in 2011? Or the US emergency alert system in Montana that was taken over by hackers who warned citizens of a zombie attack in 2013?
Although we obviously wish that personal computers, websites, ATMs, and other financial service systems weren't hacked on a daily basis, unfortunately, they still are and will probably continue to be for the near future. National security interests aside, we have managed to live with hacks into our data and information systems. The government has even brought some perpetrators to justice.
Truth be told, the more serious hack attacks are probably not disclosed to the public because of the classified or sensitive nature of the breaches. If military drones can be hijacked the way that civilian models can be, you probably wouldn't want to know about it.
Fortunately for us, most attempts to hack life-critical systems remain lab experiments, single case studies, or proof-of-concept affairs. They are for our benefit, too; the more people are aware of potential threats, the more companies work on patching vulnerabilities, and the more money invested in making these critical systems secure by design, the better.