9 Coolest Hacks Of 2015
Cars, guns, gas stations, and satellites all got 0wned by good hackers this year in some of the most creative yet unnerving hacks.
If there was one common thread among the coolest hacks this year by security researchers, it was the chilling and graphic physical implications. Good hackers rooted out the security holes and wowed the industry with actual images of remotely sending a car rolling into a ditch, hijacking the target of a smart rifle, and disabling a state trooper cruiser.
The most creative and innovative hacks in 2015 were both entertaining and chilling. They elicited a little nervous laughter, and then raised the discourse over just what bad guys could execute if increasingly networked things on the Internet aren't secured or built with security in mind.
Here's a look at some of the coolest hacks of the year:
1. Car hacking accelerates -- from the couch
Famed car hackers Charlie Miller and Chris Valasek had been working for nearly three years toward the Holy Grail of their research, remotely hacking and controlling a vehicle, and when they finally succeeded, they demonstrated it with a live (and yes, Andy Greenberg is still alive) journalist behind the wheel of a 2014 Chrysler Jeep Cherokee on a highway at 70mph. They killed the ignition from 10 miles away, working from their laptops while sitting on Miller's couch, and Greenberg steered the car onto an exit ramp.
The controversial demo stirred debate in the security industry over whether the pair had gone too far to illustrate their research. Miller and Valasek have no regrets, and the demo produced the kind of response they had hoped for: Chrysler recalled 1.4 million vehicles possibly affected by the vulnerability the researchers found in the Jeep's Uconnect infotainment system, which allowed them to hijack its steering, braking, and accelerator, among other things.
The hole was embarrassingly simple, the researchers admit: a wide open (and unnecessary) communications port in the Harman Uconnect infotainment system's built-in cellular connection from Sprint, which gave them a path to the car from their smartphones on the cellular network. Using a femtocell, they found they could reach the vehicle some 70 miles away over the cell connection.
That let them control the Jeep's steering, braking, high beams, turn signals, windshield wipers and fluid, and door locks, as well as reset the speedometer and tachometer, kill the engine, and disengage the transmission so the accelerator pedal no longer responded.
The hack also drew the attention of the feds: a pair of veteran senators proposed legislation for federal standards to secure cars from cyberattacks and to protect owners' privacy, and the National Highway Traffic Safety Administration launched its own investigation into the effectiveness of Fiat Chrysler's recall.
Miller and Valasek's 2014 list of the most hackable cars, based on their study of the networking features of various vehicles, foreshadowed their Jeep research. At the top of that list were the 2014 Jeep Cherokee, the 2014 Infiniti Q50, and the 2015 Escalade.
"Only a handful of people really have the baseline experience to do this type of stuff. I'm not too worried about it," Valasek recently told Dark Reading.
2. Police cars -- relatively low-tech compared with the Jeep -- hackable, too
If you're one of those drivers (like me) reassured that your older-model vehicle with no Internet connectivity isn't hackable, think again.
Researchers in Virginia this year were able to hack two Virginia State Police vehicle models, the 2012 Chevrolet Impala and the 2013 Ford Taurus.
No, the researchers in this project didn't drive state troopers into ditches or onto highway exit ramps. The public-private partnership led by the Virginia State Police, the University of Virginia, Mitre Corp., Mission Secure Inc. (MSi), and Kaprica Security, among others, conducted the experiment to explore just what law enforcement could someday face in the age of car hacking. Like Miller and Valasek's maiden car hacks of a 2010 Ford Escape and 2010 Toyota Prius, the hacks of the VSP cruisers required initial physical tampering with the vehicle. The researchers inserted rogue devices in the two police vehicles to reprogram some of the cars' electronic functions, or to wage the attacks from mobile devices.
The project evolved out of concerns among security experts and police officials about the dangers of criminal or terror groups tampering with state police vehicles to sabotage investigations or assist in criminal acts.
Among the hacks were remotely disabling the gearshift and engine, starting the engine, opening the trunk, locking and unlocking doors, and running the windshield wipers and wiper fluid. Some of the attacks were waged via a mobile phone app connected over Bluetooth to a hacking device planted in the police car, which is what made a non-networked car hackable.
And unlike most car-hacking research to date, the researchers built prototype solutions for blocking cyberattacks as well as data-gathering for forensics purposes.
What made this project even more eye-popping, of course, was that a state police department would agree to it. But Capt. Jerry L. Davis of the Virginia State Police's Bureau of Criminal Investigation told Dark Reading that law enforcement officials in the state didn't hesitate to give the car hacking project the green light. "Our executive staff was aware of the issue in the arena and some of the cascading effects that could occur if we didn't start to take a proactive approach," he said.
Automakers traditionally have shied away from publicly discussing cybersecurity issues. But Ford and General Motors actually provided rare public statements on car cybersecurity to Dark Reading for its exclusive report on the project.
3. When a bad guy hacks a good guy with a gun
Just when you thought hacking couldn't get any scarier than 0wning a car's functions, a husband and wife team in August at Black Hat USA demonstrated how they were able to hack a long-range, precision-guided rifle manufactured by TrackingPoint. Runa Sandvik, a privacy and security researcher, and security expert Michael Auger reverse-engineered the rifle's firmware, scope, and some of TrackingPoint's mobile apps for the gun.
The smart rifle has a Linux-based scope as well as a connected trigger mechanism, and comes with its own mobile apps for downloading videos, and for providing information to the firearm such as weather information.
"The worst-case scenario is someone could make permanent, persistent changes in how your rifle behaves," Sandvik told Dark Reading in an interview prior to Black Hat. "It could miss every single shot you take and there's not going to be any indication on the [scope] screen why this is happening."
The good news, though, was that there was no way for an attacker to fire the gun remotely.
Even so, an attacker with wireless access could wreak some havoc on the smart rifle, the researchers found. They discovered an easily guessed and unchangeable password in the rifle's wireless feature. "Anyone who knows it can connect to your rifle," Sandvik said.
Among other things, they could change the weather and wind settings the smart rifle employs. The researchers got root access to the Linux software on the rifle and were able to push custom software updates over the WiFi connection that could alter the behavior of the weapon.
Another major flaw was that the rifle's software exposed administrative access to the device over that connection. Wired filmed a video demonstration of the hack.
4. Hackin' at the car wash, yeah
Sitting in the drive-through car wash now comes with a hacking risk. Security researcher Billy Rios found that a Web interface in a popular car wash brand contains weak and easily guessed default passwords and other weaknesses that could allow an attacker to hijack the functions of the car wash to wreak physical damage or score a free wash for his or her ride.
Rios, who is best known for his research into security flaws in TSA systems and medical equipment, began to wonder about car washes after a friend, an executive at a gas station chain that includes car washes, told him how technicians had remotely misconfigured one car wash location, causing the rotary arm to smash into a minivan mid-wash, spraying water into the vehicle and at the family inside.
"If [a hacker] shuts off a heater, it's not so bad. But if there are moving parts, they're totally going to hurt [someone] and do damage," Rios, founder of Laconicly, told Dark Reading when he revealed his research earlier this year.
He found a couple of hundred PDQ LaserWash brand car washes exposed on the Net, but he estimates there are thousands of others online as well. The car wash uses an HTTP server interface for remote administration and control of the system. If an attacker were able to glean the default password for the car wash owner or technician and telnet in, he or she could take over the car wash controls from afar and open or close the bay doors, or disable the sensors or other machinery.
An attacker could also sabotage the sales side of the business. "You can log into it and get a shell and get a free car wash with an HTTP GET request," Rios explained.
5. Heat jumps the air gap
Air-gapping, or physically separating sensitive systems and keeping them off the network, is the simple, typical go-to for critical infrastructure plants and similar systems. Turns out there's a way to breach that air gap simply by using heat.
Researchers at the Cyber Security Research Center at Israel's Ben-Gurion University (BGU) discovered a way to employ heat and thermal sensors to set up a communications channel between two air-gapped systems. The so-called BitWhisper hack, which is part of ongoing air-gap security research at the university, broke new ground with a two-way, bidirectional communications channel that needs no special hardware, Dudu Mimran, chief technology officer of BGU's Cyber Security Research Center, told Dark Reading.
"What we wanted to prove was that even though there might be an air gap between systems, they can be breached," he said.
There are a few catches, though. The air-gapped machines have to be physically close: the researchers placed them 15 inches apart. And the data transfer rate is slow, 8 bits per hour, not exactly ideal for siphoning large amounts of data. Mimran said it's a way to break the air gap and steal passwords and secret keys, for example.
The researchers installed specialized malware on both machines that could read the systems' thermal sensors and raise the computers' heat in a controlled way. Just how you could distinguish between normal heat in a system and a heat-based air-gap breach is unclear, he said.
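The channel works like any covert channel: the sender modulates something the receiver can measure, here CPU heat, and the receiver polls its own thermal sensor and decides bit by bit against an agreed time slot. The simulation below is an added example written for this page, not the BGU team's code. The thermal model (a first-order lag toward an ambient temperature), the frame length, the decision threshold and the sensor noise level are assumptions chosen to show the principle; with one sensor sample every 7.5 seconds the assumed 60-sample frame works out to the same 8 bits per hour the researchers reported.

```python
"""Simulated heat-based covert channel in the spirit of BitWhisper.

Added illustration, not the BGU researchers' code. The thermal model,
frame length, threshold and noise level are assumptions.
"""
import random
from dataclasses import dataclass
from typing import List

AMBIENT_C = 45.0      # receiver's idle CPU temperature (assumed)
HEAT_RISE_C = 3.0     # extra heat reaching the receiver when the sender loads its CPU (assumed)
FRAME_STEPS = 60      # sensor samples per bit; long because heat moves slowly (assumed)
THRESHOLD_C = 1.0     # rise above baseline that the receiver reads as a 1 (assumed)
SETTLE = 20           # only the last samples of a frame are trusted: heat lags the sender


@dataclass
class ThermalLink:
    """First-order thermal coupling between the two air-gapped machines:
    the receiver's sensor drifts toward the sender's heat output."""
    temp_c: float = AMBIENT_C
    coupling: float = 0.05

    def step(self, heater_on: bool) -> float:
        target = AMBIENT_C + (HEAT_RISE_C if heater_on else 0.0)
        self.temp_c += self.coupling * (target - self.temp_c)
        return self.temp_c


def transmit(bits: str, noise_sigma: float = 0.15, seed: int = 1) -> List[float]:
    """Sender: a leading idle frame gives the receiver a baseline, then each bit
    is one frame of either heavy CPU load (1) or idling (0). Returns the samples
    the receiver's thermal sensor would record, with Gaussian sensor noise."""
    rng = random.Random(seed)
    link = ThermalLink()
    samples: List[float] = []
    for b in "0" + bits:
        for _ in range(FRAME_STEPS):
            samples.append(link.step(b == "1") + rng.gauss(0.0, noise_sigma))
    return samples


def frame_level(frame: List[float]) -> float:
    """Average of the settled tail of a frame."""
    tail = frame[-SETTLE:]
    return sum(tail) / len(tail)


def decode(samples: List[float]) -> str:
    """Receiver: malware polling the local thermal sensor. It has no other link
    to the sender, so framing is by agreed time slots, and the first frame is
    used only to learn the baseline temperature."""
    frames = [samples[i:i + FRAME_STEPS] for i in range(0, len(samples), FRAME_STEPS)]
    baseline = frame_level(frames[0])
    return "".join("1" if frame_level(f) - baseline > THRESHOLD_C else "0" for f in frames[1:])


def bits_per_hour(seconds_per_sample: float) -> float:
    """Channel rate for a given sensor polling interval."""
    return 3600.0 / (FRAME_STEPS * seconds_per_sample)


if __name__ == "__main__":
    message = "10110010"
    recovered = decode(transmit(message))
    print("sent", message, "received", recovered)
    print("at one sample every 7.5 s:", bits_per_hour(7.5), "bits/hour")
```

The receiver only trusts the tail of each frame because the temperature needs most of the slot to settle after the sender changes state; shortening the frame raises the bit rate but shrinks the margin between a 1 and a 0 until noise starts flipping bits.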
6. Gas gauge security running on empty
Renowned security researcher HD Moore earlier this year found thousands of gas tank monitoring systems at US gas stations exposed and wide open on the Internet without password protection. The implication: the gas stations were vulnerable to attacks on their monitors that could simulate a gas leak or disrupt fuel tank operations.
Moore's groundbreaking research inspired Trend Micro researchers to explore the problem, too, and they found similar issues with another gas tank monitoring system made by the same manufacturer, Veeder-Root. Trend Micro's Kyle Wilhoit and Stephen Hilt then released a homegrown tool called GasPot, which allows researchers as well as gas tank operators to set up their own virtual monitoring systems to track attack attempts and threats.
Wilhoit and Hilt had set up a series of honeypots mimicking the monitoring system and witnessed multiple attack attempts.
In February, they reported finding one such Internet-facing tank monitoring system at a gas station in Holden, Maine, with a tank renamed from Diesel to We_Are_Legion, suggesting either the handiwork of Anonymous hacktivists or another attacker using the group's slogan.
The vulnerable systems Moore found were located at independent, small gas station dealer sites. Large chains affiliated with big-name petroleum companies generally aren't vulnerable to the public-facing Net attacks because their systems sit behind corporate networks.
Moore told Dark Reading earlier this year that the exposure of the fuel systems came down to a basic lack of default security, namely any requirement for authentication or for a VPN gateway in front of the devices.
7. Star Wars: satellite edition
With equipment costing a little less than $1,000, a security researcher was able to hack the Globalstar Simplex satellite data service used for personal locator devices, tracking shipping containers, and monitoring SCADA systems in oil and gas drilling operations.
Colby Moore, information security officer at Synack, demonstrated his research findings of vulnerabilities in the service this summer at Black Hat USA, but his work was shot down by Globalstar.
Moore said an attacker could intercept, spoof, or interfere with communications between tracking devices, satellites, or ground stations because the Globalstar network for its satellites doesn't use encryption between devices, nor does it digitally sign or authenticate the data packets. He says it's possible to decode and spoof the satellite data transmitted, so an attacker could spoof a shipping container's contents, or spy on an oil drilling operation.
"The real vulnerability is that it's [the data] in plain text and not encrypted," he said. And satellite networks are aging and not built with security in mind, he said.
But the day after Moore presented his research at Black Hat, Globalstar issued a press statement saying it had studied Moore's research and the claims were either incorrect or implausible in practice.
Globalstar maintained that "many … Globalstar devices have encryption implemented by our integrators, especially where the requirements dictate such because a customer is tracking a high-value asset." "Synack was also incorrect when it stated, 'the protocol for the communication would have to be re-architected' when in fact, no such re-architecture is required," Globalstar claimed.
The company says its network is not aging: "[The] … network is the newest second-generation constellation, having recently been completed in August 2013. Many claims by Synack are simply incorrect, self-serving or misinterpret key information."
Interestingly, Moore had contacted Globalstar several months before his presentation to alert them to his findings. "They were pretty friendly, and seemed pretty concerned," he told Dark Reading. Moore and Synack stand by their research.
8. OnStar gets 0wned
In yet another illustration of how modern, networked vehicles can be hacked, a researcher was able to locate, lock, unlock, and remotely start any GM vehicle using OnStar's RemoteLink app.
Samy Kamkar built a device he calls OwnStar that sniffs communications between the OnStar mobile app and the OnStar cloud service. He was then able to grab the vehicle's location, make, and model, and to remotely unlock it and start various vehicle functions.
“Fortunately the problem lies with the mobile software and is not a problem with the vehicles themselves,” Kamkar said in his demonstration of the attack.
GM said it had fixed the flaw in some back-end systems, and updated the iOS version of the RemoteLink app as well.
9. Other cool stuff: Cracking chemical plants, fridges, Fitbits
Hacking for physical sabotage is an especially scary concept when it comes to a power or chemical plant, and that was the topic of Physical Hacking 101-type talks conducted by two researchers at the recent Black Hat USA and DEF CON conferences in Las Vegas.
Jason Larsen, principal security consultant at IOActive, and Marina Krotofil, senior security consultant at the European Network for Cyber Security, say hacking physical systems requires more than coding know-how: physics, chemistry, plumbing, and engineering knowledge also are required in many cases.
Larsen described what he calls the "bread and butter" targets to go after first in these attacks: the items that are easiest to manipulate, such as valves.
In an interview with Dark Reading prior to his talks, Larsen said kitchen sink valves, for example, aren't built to handle water pressure in the range of a ton.
But as Krotofil explains, an exploit can take months or years to create once an attacker actually gains access to the plant environment. "The problem is, once you get access [to the environment], it is the end of the IT world, and you are now a control engineer," Krotofil said in an interview with Dark Reading. "Now it's become a completely different game. ... The difference is in complexity of knowledge, complexity of fields, and the interaction of those fields."
Finding a flaw in code isn't always enough in these environments: "There must [also] be vulnerability in the process," says Krotofil. If the physical process can continue along even without the correct input from the computer, then the exploit doesn't work.
She published an open-source framework for cyber-physical attacks that includes two chemical plant models for testing purposes. If we know what it takes to attack the processes, she says, then we may know what it takes to defend them.
Meantime, DEF CON this year launched its first Internet of Things Hacking Village, where everything from Apple network storage to toys, blood pressure monitors, Fitbits, and fridges fell to white-hat hackers. There was even a prototype Stuxnet model.