The Internet of Things: 7 Scary Security Scenarios
The IoT can be frightening when viewed from the vantage point of information security.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blta42baa162961c078/64f0dc24f1110449801bf385/Homeland-pacemaker-hack.png?width=700&auto=webp&quality=80&disable=upscale)
Who could forget that chilling scene in Homeland when a terrorist hacked into a pacemaker and assassinated a fictional US vice president while an "inside" accomplice cold-bloodedly watched? Plausible? Probably not, at least not in such a dramatic, suspense-filled moment. More likely, the threat scenario surrounding medical devices would be a patching problem with an embedded device (like a pacemaker) or a malware infection on network-connected equipment such as pregnancy monitors, insulin pumps, or MRI picture storage. Though researchers have been raising security concerns about these devices for some time, the US Food and Drug Administration has only recently begun to address the problem.
Researchers are identifying holes in satellite ground terminal equipment that could be used to disrupt communications to ships, airplanes, and military operations. Ruben Santamarta, principal security consultant with IOActive, showed this year that an attacker could compromise the satellite systems, run malware, install malicious firmware, and even send a phony SMS text to trick a ship to follow a certain path or to rescue another ship. In the air, Santamarta said, an attacker could gain control over subsystem interfaces by taking advantage of the weak password reset feature, hard-coded credentials, or insecure protocols in cockpit communications. Though he conceded that it was unlikely that the vulnerabilities would cause a plane to crash, he said disruptions to the messaging systems still pose serious risks.
Security researchers Billy Rios and Terry McCorkle warn that a widely deployed TSA carry-on baggage scanner could be easily manipulated by a malicious insider or outside attacker to sneak weapons or other banned items past TSA airport checkpoints. Among the blatant security holes: storing user credentials in plaintext and a feature that could project phony images on the X-ray display. Rios has also flagged weaknesses in two TSA detection systems at San Francisco International Airport. One of the systems included 6,000 Kronos time clocks open on the public Internet, two of which also are deployed at other US airports. (The time clock system in San Francisco has since been taken offline.)
The smartphone is hardly a new "thing." But hackers are finding new ways to exploit it through apps, photos, videos, social media, and GPS. That selfie you took with your BFF? It doesn't need to include Barack Obama, or even Jennifer Lawrence, to become a target. The most recent example: Thousands of photos and videos from the Snapchat service were put online, apparently taken from sites such as Snapsaved.com, which, according to news reports, allowed people to log in using their Snapchat username and password to offer access to the site -- and also the chance to store photos meant to be deleted within seconds of being viewed. This year, owners of Mac and iOS devices found their iPhones and iPads held for ransom through a hack that targeted Find My iPhone and Find My Mac to trigger a remote lock of the device.
If you are in the market for the least hackable car this year, your best bet is the Audi A8, according to automobile vulnerability researchers Charlie Miller and Chris Valasek. But that doesn't give the connected car a free ride on the information highway. Miller and Valasek's latest study looked for ways a hacker could access the car's network by breaking into its wireless-enabled radio, for instance, and issuing commands to the automated steering, parking, braking, or driving mechanisms. The research is bad news for owners of a 2014 Jeep Cherokee, a 2014 Infiniti Q50, or a 2015 Escalade. Yes, your car has cool, state-of-the-art network technology. But it's also most likely to get attacked via Bluetooth, telematics, or the onboard phone app. Now the good news: Security researchers are pressuring the auto industry to improve car cyber security safety. Recent efforts include I Am The Cavalry's Five Star Automotive Cyber Safety Program and an information-sharing initiative between the Alliance of Automobile Manufacturers and the Association of Global Automakers.
Imagine this scenario, suggested by @Somedude8: You enter your house, and the thermostat is set to 120 degrees. An email arrives in poorly written English asking for $500 to return control of your home heating system. It's not all that far-fetched, as a trio of University of Central Florida researchers demonstrated at BlackHat 2014 by hacking into the Nest Learning Thermostat. In less than 15 seconds, they showed how an attacker can remove the Nest from its mount, plug in a micro USB cable, and backdoor the device, unbeknownst to the owner. The compromised Nest could be used to spy on the home, attack other devices on the network, or steal wireless network credentials.
It might be tempting to play Doom on your printer in the off-hours when you are not answering emails or writing reports from the comfort of a home office. But the fact is that the Internet of Things is making the convenience of home also a target for attackers. In September, at 44Con in London, researcher Mike Jordon showed off a hack of a Canon Pixma printer that let him modify the printer's firmware remotely so that its LED indicator screen could run the classic Doom video game. Jordan demoed how to update the printer with a Trojan for spying on printed documents or to install malicious software on a network. But the commonplace printer isn't the only home office device that is vulnerable. It took Kaspersky Lab researcher David Jacoby less than 20 minutes to hack into his home office DSL router and network attached storage devices, where he found 14 vulnerabilities.
What's not to like about the Internet of Things? You drive to work in your connected car while the GPS automatically navigates you away from a traffic jam that would have parked you on the expressway for two hours. At the same time, your onboard messaging app reads you an email from your boss telling you that you've earned a 10% raise for your big project.
The nightmare scenario might look like this. You take a taxi home after work because a hacker breaks into your car's WiFi, takes control of the steering wheel, and crashes you into a tree. When you arrive, you are greeted with a strangely worded email asking for a ransom in exchange for the return of an embarrassing photo of you at a recent party you thought was beyond reach and securely hidden in your camera roll in the cloud.
Love it or fear it, the Internet of Things is fast becoming a reality. By the year 2020, the analyst firm Gartner predicts, there will be more than 26 billion Internet-connected "things" -- not including PCs, tablets, or smartphones -- all of which are raising the challenges of cyber security to a whole new level. Recently, security researchers have offered a glimpse of potentially scary security scenarios that could unfold in the not too distant future. Here are seven that may be closer than you think.
What's not to like about the Internet of Things? You drive to work in your connected car while the GPS automatically navigates you away from a traffic jam that would have parked you on the expressway for two hours. At the same time, your onboard messaging app reads you an email from your boss telling you that you've earned a 10% raise for your big project.
The nightmare scenario might look like this. You take a taxi home after work because a hacker breaks into your car's WiFi, takes control of the steering wheel, and crashes you into a tree. When you arrive, you are greeted with a strangely worded email asking for a ransom in exchange for the return of an embarrassing photo of you at a recent party you thought was beyond reach and securely hidden in your camera roll in the cloud.
Love it or fear it, the Internet of Things is fast becoming a reality. By the year 2020, the analyst firm Gartner predicts, there will be more than 26 billion Internet-connected "things" -- not including PCs, tablets, or smartphones -- all of which are raising the challenges of cyber security to a whole new level. Recently, security researchers have offered a glimpse of potentially scary security scenarios that could unfold in the not too distant future. Here are seven that may be closer than you think.
Who could forget that chilling scene in Homeland when a terrorist hacked into a pacemaker and assassinated a fictional US vice president while an "inside" accomplice cold-bloodedly watched? Plausible? Probably not, at least not in such a dramatic, suspense-filled moment. More likely, the threat scenario surrounding medical devices would be a patching problem with an embedded device (like a pacemaker) or a malware infection on network-connected equipment such as pregnancy monitors, insulin pumps, or MRI picture storage. Though researchers have been raising security concerns about these devices for some time, the US Food and Drug Administration has only recently begun to address the problem.
Read more about:
Black Hat NewsAbout the Author(s)
You May Also Like
CISO Perspectives: How to make AI an Accelerator, Not a Blocker
August 20, 2024Securing Your Cloud Assets
August 27, 2024