8. OnStar gets 0wned
In yet another illustration of how modern, networked vehicles can be hacked, a researcher was able to locate, lock, unlock, and remotely start any GM vehicle using OnStar's RemoteLink app.
Samy Kamkar built a device he calls "OwnStar" that sniffs communications between an OnStar mobile app and the OnStar cloud service. He was then able to grab the vehicle's location, make, and model, and remotely unlock and start various vehicle functions.
“Fortunately the problem lies with the mobile software and is not a problem with the vehicles themselves,” Kamkar said in his demonstration of the attack.
GM said it had fixed the flaw in some back-end systems, and updated the iOS version of the RemoteLink app as well.
9. Other cool stuff: Cracking chemical plants, fridges, Fitbits
Hacking for physical sabotage is an especially scary concept when it comes to a power or chemical plant, and that was the topic of Physical Hacking 101-type talks conducted by two researchers at the recent Black Hat USA and DEF CON conferences in Las Vegas.
Jason Larsen, principal security consultant at IOActive, and Marina Krotofil, senior security consultant at the European Network for Cyber Security, say hacking physical systems requires more than coding know-how: physics, chemistry, plumbing, and engineering knowledge also are required in many cases.
Larsen gave what he calls the "bread and butter" of where to first go for these types of attacks: items that are easiest to manipulate, such as valves. In an interview with Dark Reading prior to his talks, Larsen said kitchen sink valves aren't equipped to handle water pressure in the range of a ton, for example.
But as Krotofil explains, an exploit can take months or years to create once an attacker actually gains access to the plant environment. "The problem is, once you get access [to the environment], it is the end of the IT world, and you are now a control engineer," Krotofil said in an interview with Dark Reading. "Now it's become a completely different game. ... The difference is in complexity of knowledge, complexity of fields, and the interaction of those fields."
Finding a flaw in code isn't always enough in these environments: "There must [also] be vulnerability in the process," says Krotofil. If the physical processes can continue along even without the correct input from the computer, then the exploit doesn't work.
She published an open-source framework for cyber-physical attacks that includes two chemical plant models for testing purposes. "If we know what it takes to attack the processes," she says, "then we may know what it takes to defend them."
Meantime, DEF CON this year launched its first Internet of Things Hacking Village, and everything from Apple network storage and toys to blood pressure monitors, Fitbits, and fridges fell to white-hat hackers there. There was even a prototype Stuxnet model.