Most people know that their computers and smart phones are under the constant threat of attack from hackers. But your car? Your house? Your TV and other consumer electronics?
It seems like a take on Stephen King’s short story “Trucks” – where machines come to life and go on a murderous rampage (the movie version was “Maximum Overdrive”). In this case, hackers find security flaws in the computers running our vehicles, appliances and medical devices and wreak havoc.
The real threat is far less dramatic, of course. But just a couple years ago, few people were seriously talking about this as a danger that might someday come to pass. As we look to 2012, however, the potential seems a lot less ridiculous, since our electronics increasingly tend to be part of a home network with an IP address – one that can be controlled by a mobile device.
Some experts in information security believe 2012 will be a year when hackers focus more on those things.
Anup Ghosh, CEO of Invincea, says that, “in the search for more interesting devices to hack, the adversary is going to transition from traditional IT networks to embedded systems, which we normally think of as physical systems — your car, TVs, your house, your office building. Systems that are networked and run a lot of software will be fertile ground for hackers.”
Ghosh says the devices in the house simply become another node on the home network. “The devices will run an operating system kernel of some kind and accept network connections. Hackers will be able to exploit the network interface and software services running on these devices to gain privileged access to these devices. From there, they can launch attacks against other devices, store data, and exfiltrate data off the home network.”
Ghosh says researchers from the University of California at San Diego and the University of Washington have already demonstrated how to hack cars through the CD player and Bluetooth interface. He says that makes any number of subsystems in the car vulnerable to exploitation. Hackers could track a vehicle, kill the ignition switch and unlock the doors.
Jason Rouse, principal security consultant at Cigital, says these capabilities are not new.
“Frankly, we’ve been able to break into a car for a decade,” he says. “There is a worm hole attack that lets you unlock a car door just by walking past the driver. But in most cases that’s not that interesting to hackers. Their primary goal is to make money.”
But he does agree that there is increased danger to cars and appliances because of the convergence of controls for home or car systems with mobile devices.
Indeed, there are television ads showing mom turning the lights on and off in her house from her smart phone while she sits on an airplane waiting to leave the gate.
“You can turn on your car, you can lock or unlock it with your mobile device. That convergence comes with possible consequences,” Rouse says.
“You could imagine hackers getting control of a number of vehicles and then selling that list to criminals. They can say where the vehicles are, what their license plates are, and they could unlock them all at the same time.”
Luckily, hackers are lazy
Rouse says the best thing consumers have going for them is that hackers tend to be lazy. “Most of them don’t have the attention span to do something like that.”
The primary danger, experts agree, is not to the car or the home itself but to the personal data that lies behind it — things like passwords, credit card numbers and other information that can then be easily monetized.
When it comes to office buildings, Brandon Williams, global CTO of Marketing at RSA, The Security Division of EMC, says most companies do a good job of identifying physical assets to be secured.
“We even build security enclaves in the physical world like we might design in an electronic world. Data centers tend to be like vaults, networking closets are like locked file cabinets, and Wi-Fi is like a chain-link fence,” he says.
But, he says, the systems that control the locks may not be so secure. “Are they vaulted?” he asks, “or sitting in a locked closet somewhere in an area of the network that might be accessible remotely?”
Those systems should be in a vault as well, he says.
Ghosh says the responsibility for security of home and office systems “falls squarely on the shoulders of the device manufacturers. As these manufacturers network-enable these devices, they must also engineer them for resiliency against cyber attack.”
But Rouse says that may be a long time coming.
Home, auto and office systems that can be controlled remotely, “are very sexy,” he says. “They are sold by charm. Security is an afterthought.”