If there was one common thread among the coolest hacks this year by security researchers, it was the chilling and graphic physical implications. Good hackers rooted out the security holes and wowed the industry with actual images of remotely sending a car rolling into a ditch, hijacking the target of a smart rifle, and disabling a state trooper cruiser.
The most creative and innovative hacks in 2015 were both entertaining and chilling. They elicited a little nervous laughter, and then raised the discourse over just what bad guys could execute if increasingly networked things on the Internet aren't secured or built with security in mind.
Here's a look at some of the coolest hacks of the year:
1. Car hacking accelerates -- from the couch
Famed car hackers Charlie Miller and Chris Valasek for nearly three years had been working toward the Holy Grail of their research, remotely hacking and controlling a vehicle, and when they finally succeeded, they demonstrated it with a live (and yes, Andy Greenberg is still alive) journalist behind the wheel of a 2014 Chrysler Jeep Cherokee on a highway at 70mph. They killed the ignition from 10 miles away from their laptops while sitting on Miller's couch, and Greenberg steered the car onto an exit ramp.
The controversial demo stirred debate among the security industry over whether the pair had gone too far to illustrate their research. Miller and Valasek have no regrets, and it resulted in the kind of response they had hoped for: Chrysler recalled 1.4 million vehicles possibly affected by the vulnerability the researchers found in the Jeep's UConnect infotainment system that allowed them to hijack its steering, braking, and accelerator, among other things.
The hole was embarrassingly simple, the researchers admit: a wide (and unnecessarily) open communications port in the Harman uConnect infotainment system's built-in cellular connection from Sprint, which gave them a connection to the car via their smartphones on the cellular network. They used a femtocell and found they could access the vehicle some 70 miles away via the cell connection.
That let them control the Jeep's steering, braking, high beams, turn signals, windshield wipers and fluid, and door locks, as well as reset the speedometer and tachometer, kill the engine, and disengage the transmission so the accelerator pedal failed.
The hack also elicited the attention of the feds: a pair of veteran senators proposed legislation for federal standards to secure cars from cyberattacks and to protect owners' privacy, and the National Highway Safety Administration launched its own investigation into the effectiveness of Fiat Chrysler's recall.
Miller and Valasek's "most hackable cars list" in 2014 foreshadowed their Jeep research. At the top of that list was the 2014 Jeep Cherokee, as well as the 2014 Infiniti Q50 and 2015 Escalade. based on their study of networking features of various vehicles.
"Only a handful of people really have the baseline experience to do this type of stuff. I'm not too worried about it," Valasek recently told Dark Reading.
2. Police cars -- relatively low-tech compared with the Jeep -- hackable, too
If you're one of those drivers (like me) reassured that your older-model vehicle with no Internet connectivity isn't hackable, think again. Researchers in Virginia this year were able to hack two Virginia State Police vehicle models, the 2012 Chevrolet Impala and the 2013 Ford Taurus.
No, the researchers in this project didn't drive state troopers into ditches or onto highway exit ramps. The public-private partnership led by the Virginia State Police, the University of Virginia, Mitre Corp., Mission Secure Inc. (MSi), and Kaprica Security, among others, conducted the experiment to explore just what law enforcement could someday face in the age of car hacking. Like Miller and Valasek's maiden car hacks of a 2010 Ford Escape and 2010 Toyota Prius, the hacks of the VSP cruisers require initial physical tampering of the vehicle. The researchers inserted rogue devices in the two police vehicles to basically reprogram some of the car's electronic operations, or to wage the attacks via mobile devices.
The project evolved out of concerns by security experts as well as police officials of the dangers of criminal or terror groups tampering with state police vehicles to sabotage investigations or assist in criminal acts.
Among the hacks were remotely disabling the gearshift and engine, starting the engine, opening the trunk, locking and unlocking doors, and running the windshield wipers and wiper fluid. Some of the attacks were waged via a mobile phone app connected via Bluetooth to a hacking device planted in the police car, thus making a non-networked car hackable.
And unlike most car-hacking research to date, the researchers built prototype solutions for blocking cyberattacks as well as data-gathering for forensics purposes.
What made this project even more eye-popping, of course, was that a state police department would agree to it. But Capt. Jerry L. Davis of the Virginia State Police's Bureau of Criminal Investigation, told Dark Reading law enforcement officials in the state didn't hesitate to give the car hacking project the green light. "Our executive staff was aware of the issue in the arena and some of the cascading effects that could occur if we didn't start to take a proactive" approach, he said.
Automakers traditionally have shied away from publicly discussing cybersecurity issues. But Ford and General Motors actually provided rare public statements on car cybersecurity to Dark Reading in its exclusive report on the project.
3. When a bad guy hacks a good guy with a gun
Just when you thought hacking couldn't get any scarier than 0wning a car's functions, a husband and wife team in August at Black Hat USA demonstrated how they were able to hack a long-range, precision-guided rifle manufactured by TrackingPoint. Runa Sandvik, a privacy and security researcher, and security expert Michael Auger, reverse-engineered the rifle's firmware, scope, and some of TrackingPoint's mobile apps for the gun.
The smart rifle has a Linux-based scope as well as a connected trigger mechanism, and comes with its own mobile apps for downloading videos, and for providing information to the firearm such as weather information.
"The worst-case scenario is someone could make permanent, persistent changes in how your rifle behaves," Sandvik told Dark Reading in an interview prior to Black Hat. "It could miss every single shot you take and there's not going to be any indication on the [scope] screen why this is happening."
The good news, though, was that there was no way for an attacker to fire the gun remotely.
Even so, an attacker with wireless access could wreak some havoc on the smart rifle, the researchers found. They discovered an easily guessed and unchangeable password in the rifle's wireless feature. "Anyone who knows it can connect to your rifle," Sandvik said.
Among other things, they could change the weather and wind settings the smart rifle employs. The researchers got root access to the Linux software on the rifle and to create custom software updates via the WiFi connection that could alter the behavior of the weapon.
Another major flaw was that the rifle's software allows administrative access to the device. To view a video demonstration of the hack filmed by Wired, see this.
4. Hackin' at the car wash, yeah
Sitting in the drive-through car wash now comes with a hacking risk. Security researcher Billy Rios found that a Web interface in a popular car wash brand contains weak and easily guessed default passwords and other weaknesses that could allow an attacker to hijack the functions of the car wash to wreak physical damage or score a free wash for his or her ride.
Rios, who is best known for his research into security flaws in TSA systems and medical equipment, began to wonder about car washes after a friend who's an executive for a gas station chain that includes car washes, told him a story about how technicians had misconfigured one car wash location remotely, causing the rotary arm in the car wash to smash into a minivan mid-wash, spraying water into the vehicle and at the family inside.
"If [a hacker] shuts off a heater, it's not so bad. But if there are moving parts, they're totally going to hurt [someone] and do damage," Rios, founder of Laconicly, told Dark Reading when he revealed his research earlier this year.
He found "a couple of hundred" PDQ LaserWash brand car washes online and exposed on the Net, but he estimates there are thousands or others online as well. The car wash uses an HTTP server interface for remote administration and control of the system. If an attacker were able to glean the default password for the car wash owner or technician and telnet in, he or she could take over the car wash controls from afar and open or close the bay doors, or disable the sensors or other machinery.
An attacker also could also sabotage the sales side of the business. "You can log into it and get a shell and get a free car wash" with an HTTP GET request, Rios explained.
5. Heat jumps the air gap
Air-gapping, or physically separating and keeping sensitive systems off the network, is the simple, typical go-to for critical infrastructure plants or other similar systems. Turns out there's a way to breach that air gap simply by using heat.
Researchers at the Cyber Security Research Center at Israel’s Ben-Gurion University (BGU) discovered a way to employ heat and thermal sensors to set up a communications channel between two air-gapped systems. The so-called BitWhisper hack, which is part of ongoing air-gap security research at the university, broke new ground with a two-way, bidirectional communications channel, and no special hardware is needed, Dudu Mimran, chief technology officer at BGU, told Dark Reading.
“What we wanted to prove was that even though there might be an air gap between systems, they can be breached," he said.
There are a few catches, though. The air-gapped machines have to be physically close: The researchers placed them 15 inches apart. And it's a slow data transfer rate of 8 bits per hour, not exactly ideal for siphoning large amounts of data. Mimran said it's a way to break the air gap, steal passwords, and secret keys, for example.
The researchers installed specialized malware on the machines that could connect to the thermal sensors on the systems, and up the heat on the computers in a controlled way. Just how you could distinguish between normal heat in a system and an heat-based air gap breach is unclear, he said.
6. Gas gauge security running on empty
Renowned security researcher HD Moore earlier this year found thousands of gas tank monitoring systems at US gas stations exposed and wide open on the Internet without password protection. The implication: the gas stations were vulnerable to attacks on their monitors that could simulate a gas leak or disrupt the fuel tank operations.
Moore's groundbreaking research inspired Trend Micro researchers to explore the problem, too, and they found similar issues with another gas tank monitoring system made by the same manufacturer, Vedeer-Root. Trend Micro's Kyle Wilhoit and Stephen Hilt then released a homegrown tool called Gaspot, which allows researchers as well as gas tank operators to set up their own virtual monitoring systems to track attack attempts and threats.
Wilhoit and Hilt had set up a series of honeypots mimicking the monitoring system and witnessed multiple attack attempts. In February, they reported finding one such Internet-facing tank monitoring system at a gas station in Holden, Maine, renamed "We_Are_Legion" from "Diesel," suggesting either the handiwork of Anonymous hacktivists or another attacker using the group's slogan.
The vulnerable systems Moore found were located at independent, small gas station dealer sites. Large chains affiliated with big-name petroleum companies generally aren't vulnerable to the public-facing Net attacks because they're secured via corporate networks.
Moore told Dark Reading earlier this year that the exposure of the fuel systems was due to a basic lack of default security, namely a VPN gateway-based connection to the devices, and authentication.
7. Star Wars: satellite edition
With equipment costing a little less than $1,000, a security researcher was able to hack the Globalstar Simplex satellite data service used for personal locator devices, tracking shipping containers, and monitoring SCADA systems such as oil and gas drilling.
Colby Moore, information security officer at Synack, demonstrated his research findings of vulnerabilities in the service this summer at Black Hat USA, but his work was shot down by Globalstar.
Moore said an attacker could intercept, spoof, or interfere with communications between tracking devices, satellites, or ground stations because the Globalstar network for its satellites doesn't use encryption between devices, nor does it digitally sign or authenticate the data packets. He says it's possible to decode and spoof the satellite data transmitted, so an attacker could spoof a shipping container's contents, or spy on an oil drilling operation.
"The real vulnerability is that it's [the data] in plain text and not encrypted," he said. And satellite networks are aging and not built with security in mind, he said.
But the day after Moore presented his research at Black Hat, Globalstar issued a press statement saying it studied Moore's research and the "claims were either incorrect or implausible in practice."
Globalstar maintained that "many … Globalstar devices have encryption implemented by our integrators, especially where the requirements dictate such because a customer is tracking a high-value asset. Synack was also incorrect when it stated, “the protocol for the communication would have to be re-architected” when in fact, no such re-architecture is required," Globalstar claimed.
The company says its network is not "aging": "[The] … network is the newest second-generation constellation, having recently been completed in August 2013. Many claims by Synack are simply incorrect, self-serving or misinterpret key information."
Interestingly, Moore had contacted Globalstar several months before his presentation to alert them of his findings. "They were pretty friendly, and seemed pretty concerned," he told Dark Reading. Moore and Synack stand by their research.
NEXT PAGE: OnStar, chemical plants, fridges and Fitbit get hit
8. OnStar gets 0wned
In yet another illustration of how modern, networked vehicles can be hacked, a researcher was able to locate, lock, unlock, and remotely start, any GM vehicle using OnStar's RemoteLink app.
Samy Kamkar built a device he calls "OwnStar" that sniffs communications between an OnStar mobile app and the OnStar cloud service. He then was able to grab the vehicle's location, make, and model, and remotely unlock and start various vehicle functions.
“Fortunately the problem lies with the mobile software and is not a problem with the vehicles themselves,” Kamkar said in his demonstration of the attack.
GM said it had fixed the flaw in some back-end systems, and updated the iOS version of the RemoteLink app as well.
9. Other cool stuff: Cracking chemical plants, fridges, Fitbits
Hacking for physical sabotage is an especially scary concept when it comes to a power or chemical plant, and that was the topic of Physical Hacking 101-type talks conducted by two researchers at the recent Black Hat USA and DEF CON conferences in Las Vegas.
Jason Larsen, principal security consultant at IOActive, and Marina Krotofil, senior security consultant at the European Network for Cyber Security, say hacking physical systems requires more than coding know-how: physics, chemistry, plumbing, and engineering knowledge also are required in many cases.
Larsen gave what he calls the "bread and butter" of where to first go for these types of attacks: items that are easiest to manipulate, such as valves. In an interview with Dark Reading prior to his talks, Larsen said kitchen sink valves aren't equipped to handle water pressure in the range of a ton, for example.
But as Krotofil explains, an exploit can take months or years to create once an attacker actually gains access to the plant environment. "The problem is, once you get access [to the environment], it is the end of the IT world, and you are now a control engineer," Krotofil said in an interview with Dark Reading. "Now it's become a completely different game. ... The difference is in complexity of knowledge, complexity of fields, and the interaction of those fields."
Finding a flaw in code isn't always enough in these environments: "There must [also] be vulnerability in the process," says Krotofil. If the physical processes can continue along even without the correct input from the computer, then the exploit doesn't work.
She published an open-source framework for cyber-physical attacks that includes two chemical plant models for testing purposes. "If we know what it takes to attack the processes," she says, "then we may know what it takes to defend them."
Meantime, DEF CON this year launched its first Internet of Things Hacking Village, and everything from Apple network storage, toys, blood pressure monitors, Fitbits, and fridges fell to white-hat hackers there. There was even a prototype Stuxnet model.Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio