Nowhere to hide: 9 new hacks coming to get you
- 20 February, 2017 22:00
Securitywise, the internet of things is going as badly as most computer security experts predicted. In fact, most vendors don’t fully appreciate the potential threats IoT devices pose. Anything connected to the internet and running code can be taken over for malicious purposes. Given the accelerating proliferation of internet-connected devices, we could be hurtling toward catastrophe. Personal security cameras, for example, are being used to conduct the largest denial-of-service attacks the world has ever seen, not to mention allowing strangers to spy on the very people the cameras are supposed to protect.
Worse, with IoT devices, vulnerabilities can have consequences far beyond the digital realm. The coming wave of IoT attacks include those that could injure or kill people. This isn’t hypothetical. I’m talking about real attacks that are already possible today. And no one has done anything to make these attacks less likely to happen.
Following are nine next-wave hacks that could be coming for you soon.
Your heart monitor will get hacked
Hackers have long known they can disrupt nearly any medical device that has writeable software, works wirelessly, or connects to the internet. Computer scientists and hackers have exploited heart pacemakers, heart monitors, IV drip devices, medicine dispensers, and diagnostic machinery, all of which have the potential to kill the patient. These threats come to our attention frequently.
But it’s not as if medical technology vendors aren’t worried about vulnerabilities and hackers. New medical devices take up to 10 years to create, test, and be approved. U.S. medical device manufacturers must follow guidelines and laws from nearly a dozen overlapping regulatory bodies, including the FDA, the FCC, and the Department of Health and Human Services. Moreover, medical device manufacturers specifically avoid using the latest and greatest software. By slowing down the process and using older, more proven and stable software, manufacturers feel they can better root out potential issues before their devices are released to the general public.
Despite all this, medical devices aren’t even close to being hack-proof. There have been hundreds of recalls for medical devices in the past decade, a large percentage of which are due to cybersecurity issues.
Ironically, the slow vetting process and regulations surrounding medical devices may be their undoing. Software and code can’t be significantly updated once it is introduced to the review cycle and released to the public. As a result, medical devices are always using very old technology by the time they are in operation. None can take advantage of the latest advances in computer security defense; worse, they often contain commonly known exploits that were removed from general computers many years ago. When I get paid to perform penetration tests on medical devices, I always start with attacks that have long ago been patched on your average computer. I’ve never not had that strategy work. Something here has to give. When it comes to medical devices, too much is at stake to be this easy to hack.
Your car will careen out of control
These days automakers are as likely to advertise the cool new cyberfeatures they’ve put in their cars as they are the engine, performance, and styling of the vehicles themselves. Get caught with fewer features than your competitors and you’ll lose every millennial buyer—that seems to be the thinking.
The problem is that cars can now be opened remotely, have their engine killed, and be instructed to crash out of control. And only recently have car manufacturers begun concentrating on tightly securing those systems. Most experts involved tell me we are a long way from being able to say that cars are “unhackable.” As one car security expert told me, “We’ve not been able to secure computers after trying for over three decades, why do you think we’ll be successful with cars?”
Good question. Still, many within the auto industry say that completely securing a car’s entire system against hackers isn’t even the main goal. The more realistic goal is to make the life-critical systems, such as the engine and brakes, unhackable. “Who cares if they change your stereo channel and change your GPS’s voice personality? But we absolutely need to be able to stop bad people from doing anything that could threaten human life. And that I think we can do it,” one car security expert told me.
Your house will be broken into with the push of a button
Thieves are starting to pay attention to our connected homes. Any device in your home that can be controlled over a network or wirelessly can also be controlled by a hacker. Front door locks can now be opened remotely, alarm systems can be deactivated, garage doors can be opened, and thermostats can be manipulated. Even refrigerators have already been hacked to send out spam.
As connected homes become more popular, expect thieves to take advantage. Why break a window when you can press a button and unlock the front door or garage? Traditional criminals prove quite adept at adopting lower-risk methods, especially when you consider that houses that contain smart devices are more likely to have expensive things to steal. Personally, I think it’s a bit early for anyone to trust their home’s security to any of today’s electronic locks and openers, until I hear that manufacturers are doing a much better job on securing them than they currently are.
Your vacation will be stolen (or fraudulent)
Bob and Leona Williams showed up at their vacation rental in Key West, tired after a day-long drive. They had signed a rental agreement, and the keys to the house had been mailed to them overnight, shortly before they wired the money. But when they arrived, the key didn’t work. They knocked on the door.
A short while later, a sleepy-eyed Amanda Ternoff opened the door. She knew from the car stacked with luggage behind her new guests what had happened. Someone had “fake rented” her house again. This time she was able to tell the scammed tourists what had happened and gave them the phone number for the Monroe County Sheriff’s department. This outcome was better than the last time, when Amanda had come home after taking a vacation of her own and found a Cuban family partying in her backyard pool sanctuary.
It happens hundreds of times a day. A fun-seeking family on vacation shows up at their dream vacation home, only to find it wasn’t a rental and they are out the money. Sometimes these fake vacation scammers have entire websites dedicated to the scheme and reply with official-looking rental agreements and procedures. Other couples have shown up for their vacation of a lifetime, then discover that another couple had appeared a week earlier and used every tour package and amenity they had paid for. The burgeoning appearance of personal do-it-yourself rental sites like Airbnb, combined with traditional Craigslist-type sites, make it easier to pull off.
Experts say stick to trusted companies and dedicated websites that have safeguards to prevent fake rental scams, and be especially aware of anyone who wants you to wire money instead of using a credit card. Other antiscammer sites recommend trying to confirm the vacation rental property in person before paying, although some scammers actually work for legitimate rental companies and trade on those credentials.
Your TV will be bricked for ransom
Our televisions are getting smarter. I can now watch cable, Netflix, Amazon, Hulu, and YouTube, as well as browse the internet, all using my TV’s remote control. But as our smart TVs become big-screen computers, they bring with them the inherent risk of malware and hackers. In fact, at least one TV has already been bricked. “Brick” is a term to indicate that a computing device’s state is so maligned that it will not operate without at least a new firmware write, and firmware writes can be difficult to impossible for someone outside of the vendor’s manufacturing plant to accomplish.
Longtime antimalware vendor TrendMicro warned last year about ransomware that can brick TVs. Ransomware is a malware program that encrypts your data and asks for money to unlock it. In a little more than a month TrendMicro detected 7,000-plus variants of the single ransomware program they found. Luckily, this particular malware program can only infect a specific type of older, now discontinued, smart TV. But no doubt this is only the first wave. Malware writers will code more television-specific attacks. I might not be willing to pay $500 to unlock my company’s laptop, but take away my home entertainment system and I might be willing to pony up the money quicker.
Your mobile phone will be doxed
If you think ransomware is terrible, malware writers have gone one better with doxware. Named after the hacker activity known as doxing, doxware will lock your computer or mobile phone and threaten to release your confidential documents or chats to the world. Think that love affair is a secret? Watch out for doxware. Don’t want your company’s top secret intellectual property to be revealed to your competitors? Better pay up.
Hackers have learned that regular offline backups can defeat the sting of ransomware, but threatening to expose embarrassing or valuable information, to steal a phrase from a popular credit card commercial, is priceless.
Your devices will attack other people
Hackers are aggregating hundreds of thousands to millions of user devices into rogue botnets to accomplish their malicious missions. Security cameras and IoT devices are being used to send spam, to conduct massive denial-of-service attacks, and to steal digital currency. Hackers accomplish this using specially designed bots that look for and compromise predefined IoT devices. Here, the poster child is Mirai, a Linux-based bot that showed up in early 2016. Its source code was released in October 2016 and was immediately reused by many other criminal gangs.
Mirai attempts to log on to vulnerable IoT devices using Telnet (TCP port 23) and a prefined list of very weak passwords (“admin,” “12345,” “password”). If successful, it tries to disable other remote admin log-on methods (SSH, HTTP, and so on), then attempts to connect to its command-and-control servers to get its next instructions and targets. Researchers have found millions of potentially vulnerable devices. People don’t know that their wireless routers, internet cameras, and refrigerators are being used to attack other people. All the average user might notice is some sluggishness or slowness in their own device, and who would blame that on an IoT bot when lagginess is normal in the computer world.
IoT bots are becoming the hottest new malware type, like ransomware was before, and email viruses were before that. The problem is becoming so bad so fast that many governmental agencies around the world are launching investigations. Expect new IoT manufacturing laws and regulations to follow in 2017. Unfortunately, literally hundreds of millions of IoT devices out there were coded before we knew about IoT botnets, and they’re waiting to be exploited.
Your biometric identity will be up for sale
Passwords are quickly becoming persona non grata, rapidly replaced by two-factor and biometric authentication. Many people think that biometric identities are the best solution; after all, who can fake your retinal scan? Plenty of people, it turns out. Most users don’t realize that their biometric identity is stored as a digital file. Sometimes that biometric identity is stored exactly as it is (that is, your fingerprint impressions are stored looking exactly like your fingerprints). More often, your biometric identity is stored as an intermediate-represented form. For example, most digital fingerprints are stored looking something like a star constellation, with lines mapped between each ridge and value.
Either way, because your biometric identity is stored so that it can be accessed for future authentication, hackers can steal it as easily as they can your password. And they can recycle your biometric identity on any system that used it in the first place. The only difference is that if your password is compromised, you can change your password. You can’t change your retina print (yet). When your biometric identity gets stolen, essentially your identity is stolen for the rest of your existence.
This becomes a big problem especially when large biometric databases are stolen, like the 2015 U.S. Office of Personal Management heist in which more then 5 million fingerprints were stolen. I know people who had their fingerprints taken back in the 1990s who received a government letter letting them know their fingerprints had been stolen.
The world’s largest publicly known fingerprint database, the FBI’s Integrated Automated Fingerprint Identification System (IAFIS), contains at least 70 million fingerprints. Tens of thousands of sites and hundreds of thousands of computers have access to those files. What are the odds that no unauthorized entity hasn’t gained access to IAFIS and copied the whole thing? I would say about the same odds as every IoT device being perfectly secure. Since the future of authentication is two-factor, with biometric playing a huge role, it is likely that your biometric marker will be sold exactly as your credit card information is sold today—often and cheaply.
For this reason, most computer security experts think all biometric authentication schemes should require at least one other authentication factor, so your biometric marker alone can’t be used to access sensitive information. The hacker may have your retina scan, but hopefully they don’t have the PIN number stored in your head.
Your (chipped) kid will be stolen
This has not happened yet. No one is putting GPS-tracking devices into their kid—yet. We are, however, already chipping our pets, and certainly one day the world will accept chipping our kids as a necessary evil. In fact, some very smart people are already asking whether it might already be time to do it.
But being able to track your kid with a GPS chip has the unwanted consequence of allowing others to follow them to. I’m sure government officials and chip manufacturers will tell us how safe and secure these chips will be, as medical patients have been told the same thing for decades about medical devices. Nope, when chipping a kid becomes the default, thieves will use those same technologies to take kids. And like the average criminal today knows to throw away their victim’s cellphone to avoid police tracking, so too will the internet-savvy criminal of tomorrow cut out that pesky GPS tracking chip. It’s simply a matter of time.
Then again, perhaps we can prevent this dystopian future by refusing to enter it willfully in the first place.
Either way, it’s clear that our world is becoming more connected, and the vendors supplying digital devices aren’t doing nearly enough to secure them. Like now, where in the face of criminal APT attacks and ransomware, computer security experts are longing for the old days of script kiddies and music-playing macro viruses, we may soon be longing for the days when computers where the only objects being exploited.
- 11 signs you’ve been hacked—and how to fight back
- Essential certifications for smart security pros
- 11 signs your kid is hacking—and what to do about it
- Effective IT security habits of highly secure companies
- 17 essential tools to protect your online identity, privacy
- Be paranoid: 10 terrifying extreme hacks
- 10 reasons why phishing attacks are nastier than ever
- 6 hard truths security pros must live with
- 10 security blunders that will get you fired
- 10 dumb security mistakes sys admins make