by Marc Goodman
In addition to baby cams, home and office security camera systems are just as vulnerable, and researchers have found widespread flaws in more than twenty major brands, most of which are sold with remote Internet access enabled by default and weak security features. Nearly 70 percent of users never change the default user names, such as “user” and “admin,” nor do they reset the manufacturer’s preset password, such as “1111” or “1234.” As a consequence, tens of millions of Internet-connected cameras are wide open to interception by parties unknown, and hackers are delighted to share their voyeuristic discoveries. Without the consent or knowledge of those surveilled, thousands of these live feeds are available online for all to see: a Laundromat in Los Angeles, a man in Newark watching football on the couch, patrons at a bar in Virginia, a living room in Hong Kong, or an office in Moscow—take your pick. Given the opportunities, it wasn’t long before Crime, Inc. began exploring how to best use IoT-enabled cameras to its advantage.
Why not hack the bank’s cameras before the robbery to learn employee patterns of conduct, when cash deliveries arrive, and the times the guard is on his break? Of course knowing that most bank robberies only yield a paltry sum, with high risk, there are bigger fish to fry. That’s exactly what a team of criminals from Crime, Inc. did in March 2013 when they carried out an Ocean’s Eleven–style attack against the Crown Casino in Melbourne, Australia. Hackers took over the casino’s own security system and used the resort’s own security cameras to spy on the house, including its VIP gambling rooms. The prime suspect, described only as a foreigner, was known as a “whale,” a high roller who regularly bet large amounts of money. Except this time he had an edge. Because he and his accomplices had hacked the live video feeds, they were able to see all the cards held by the dealer and fellow players at his poker table. When the criminal whale sauntered up to play with other high rollers, his hidden hacker compatriots were feeding him betting instructions into a concealed wireless earpiece. Confident of his bets, the hacker was able to win more than U.S.$33 million in just eight hands of cards. Rather than tempt fate, he left a wealthy man and flew back home to his own country before authorities ever realized what had happened. As the exponential march toward the Internet of Things drives on, more people will discover that the trusted things they expected to protect them, whether security cameras or air bags, can be commandeered by others and used against them in surprising and even deadly ways.
From Carjacking to Car Hacking
Most people would rather have malicious software running on their laptop than inside their car’s braking system.
PROFESSOR CHRISTOF PAAR, EMBEDDED SECURITY RESEARCHER
Cars used to run on gasoline. Today they run on code. Sure, you still need gas or electricity for power, but without functioning computer code any modern car is dead in its tracks. Though your dad’s 1957 Chevy might have been a purely mechanical device, these days automobiles are little more than computers on wheels. A car rolling off the assembly line in 2015 has between seventy and a hundred onboard computers, known as electronic control units. Together they manage the auto’s engine, cruise control, ABS brakes, climate, transmission, entertainment, windshield wipers, power seats, locks, navigation, fuel efficiency, and air-bag deployment, to name but a few. Though automakers do a good job of making it all look relatively seamless, today’s cars are remarkably complex systems containing nearly 100 million lines of computer code (versus the relatively paltry 1.7 million lines of code running the avionics on the U.S. Air Force’s F-22 Raptor frontline jet fighter). All these embedded electronics account for 50 percent of a new vehicle’s cost on average (nearly 80 percent for hybrids). Together these microchips form the controller area network (CAN), the onboard computer network that is the lifeblood of any recent automobile and is responsible for improved safety, reduced emissions, and better mileage for our cars than at any time in history.
These embedded technologies are not just communicating internally with one another via the CAN but also increasingly sharing this information online with the outside world via a variety of radio and cellular networks built into the car itself. Doing so provides tremendous conveniences for drivers: BMW’s TeleServices network enables a vehicle’s internal sensors to continuously self-diagnose and report malfunctions to the local dealer. When a problem is spotted, owners receive a call telling them their car is sick and to come in for an appointment. GM’s OnStar will call for an ambulance automatically if its air-bag and motion sensors detect that a car has been in an accident.
While event-data-recording black boxes in cars can help crash investigators and reduce insurance premiums, they can also “narc” on your every move, generating hundreds of megabytes of data per second. These devices continuously track a horde of vehicular data, including your location, seat belt use, speed, and turn-signal operation. As Jim Farley, global vice president of marketing and sales for Ford Motors, admitted in early 2014, “[We know] everyone who breaks the law, we know when you’re doing it. We have GPS in your car, so we know what you’re doing.” It’s not just Ford of course. GM’s OnStar caused outrage when it unilaterally updated its terms of service to grant itself the lifelong right to monitor all its vehicles, including location and odometer reading, and to share this information with third parties even after the service had been canceled by the car’s owner. Oh, and that convenient built-in car microphone that allows you to ask OnStar for directions and listens in after a crash, it can also be turned on remotely without your knowledge and secretly listen in on your private conversations, as the FBI has been doing since at least 2003 in its mobrelated investigations.
There may be even greater concerns for the future of your car than privacy alone. The growing complexity of the modern automobile is leading to massive recalls because of system failures and tragic loss of life. In just the first six months of 2014, GM was forced to recall twenty-nine million cars, with millions more recalled from Nissan, Hyundai, Ford, Honda, and BMW. When the deeply complex electronics in a car control all of its major functions, system failures can have unintended consequences, such as the spate of problems at Toyota late in the first decade of the twenty-first century that resulted in the deaths of as many as thirty-seven drivers. A jury found that many of the crashes could have been caused by software deficiencies in Toyota’s electronic throttle control system, which caused the accelerator pedal to remain depressed and vehicle brakes to fail. Toyota was accused of covering up the defects and in 2014 agreed to a record $1.2 billion fine by the U.S. Department of Justice for putting profits ahead of safety. Of course accidental safety issues with vehicle electronics are just part of the problem. When cars become computers, they, like all other systems, can make attractive targets for malicious hackers.
The days of thieves using clothes hangers to break into cars are quickly becoming history. No need to stick a gun in somebody’s face to steal a car either; carjacking has joined the modern age, replaced by car hacking. In the United States, all cars manufactured since 1996 have been required to have standardized electronic onboard diagnostics ports, which provide direct physical access to a vehicle’s central computer systems, and a cluster of new IoT communications protocols such as RFID, Bluetooth, and mobile telephony provide such access at a distance. Newer vehicles even come with USB ports, and as always more connections mean more vulnerabilities. According to the London Metropolitan Police, nearly half the eighty-nine thousand vehicles stolen in London in 2013 were hacked, with criminals’ using a variety of electronic devices to open and start the cars. The gadgets crooks use in the attacks can be purchased on Crimeazon.com, mostly from suppliers in Bulgaria. The operation takes less than ten seconds to pull off, and of course there are videos on CrimeU explaining the whole process.
Using mobile-phone-sized gadgets originally designed for locksmiths to help individuals who had lost their electronic car keys, thieves can merely program a new blank electronic key to replace the original. This spoofing technique fools the car into thinking the o
wner’s original key fob is present and can be accomplished by either wirelessly intercepting the radio signal you use when opening or locking the car or by targeting the car’s onboard computer directly.
Using nothing more than a laptop and an SMS text message with the correct encoded instructions, thieves can unlock your doors, start the car, and drive off. Your musical tastes could put you at risk too, as several security researchers proved in 2011 when they added malicious computer code to an MP3 music file and burned a list of songs to a CD. When played through the car’s audio system, the infected song file warped the vehicle’s firmware, allowing hackers entry to all the car’s main control systems. In a situation like this, car theft might be the best of all possible outcomes, for once a vehicle’s onboard computer systems have been compromised, the possibilities are near limitless.
For just under $30, hackers can build a hardware device, such as the CAN Hacking Tool, which, when plugged into your car’s onboard computer network, allows them to remotely seize control of your vehicle’s lights, locks, and steering and brake systems. Because nearly every single element of your car is managed by a computer system, devices such as these mean it is now possible to reach out and touch any car on the road from halfway around the world by subverting mobile phone receivers embedded in the car itself. More closely, remote hacks are also possible via Bluetooth and Wi-Fi. Dozens of demonstrations by hackers and security researchers have proven it is entirely possible for criminals fifteen hundred miles away to seize control of your car when you are driving sixty-five miles per hour down the highway. What they do with your hacked vehicle is only limited by their imaginations. Change your odometer to zero and your speedometer to 160, even when your car is standing still? Easy. Honk your horn, blast the radio, tighten your seat belt, and turn on the windshield wipers? Simple. Turn off the engine or jerk the steering wheel sharply to the left so that you lose control of the car at high speed? Yes. Suddenly deploy your air bag so that you careen out of control with your kids in the backseat? Entirely possible. If a computer controls your car, it can be controlled by an attacker.
The challenge with these vulnerabilities is that they needn’t target any single car but instead could affect all cars or vehicles of a particular make, model, and year simultaneously. In the Texas Auto Center case, a rogue employee was able to remotely shut down a hundred cars. But companies such as OnStar have their technology installed in millions of vehicles, including the ability to remotely block an engine’s ignition from starting and actually disable a moving vehicle in case of theft. Couldn’t a rogue employee at OnStar thus turn off a hundred thousand or a million cars? Though GM would surely deny it, once the back door has been built into the car, protecting it from abuse becomes a profound challenge and creates the opportunity for widespread infrastructure attacks by both hackers and nation-states alike.
As ambient sensor networks proliferate and vehicle technology improves, human beings will be turning more control of their driving responsibilities over to machines. Renault Nissan’s CEO, Carlos Ghosn, has publicly stated his company will have a fully autonomous self-driving vehicle available for the mass market by 2020, and Volvo’s plan is to have such cars by 2017. The biggest proponent of such technologies has been Google, whose own self-driving test cars have logged over 700,000 miles without a single crash or accident. The point is an important one because, as it turns out, human beings are terrible drivers and more than thirty-three thousand Americans are killed in car accidents annually. A fully automated, well-functioning autonomous vehicle network could avoid thousands of needless deaths and save billions in associated economic costs. As the price of these technologies plunges, you can expect UPS drivers and taxis to be replaced by autonomous and cheaper non-union alternatives.
But modern cars, whether driven by people, artificial intelligence, big data, or sensor networks, are still just computers on wheels, powered by insecure data systems, communicating via entirely hackable transmission protocols. As such, things might not turn out quite as rosy as proponents of autonomous vehicles suggest. When the majority of vehicles join the IoT, it won’t be long before some rogue attacker seizes control of a car and turns it into a multi-ton weapon of metal, glass, and explosive fuel. In the same way both Crime, Inc. and crazed exes are targeting computers and mobile phones, it’s only logical that they will go after cars in the future too, bringing scenes like those in Stephen King’s 1983 horror thriller about a possessed car named Christine many steps closer to reality. Law enforcement officials clearly see the threat, and in July 2014 the FBI warned in an internal report that driverless cars could be used as “lethal weapons, with terrorists potentially packing explosives into a self-driving car aimed at a specific destination.” Autonomous vehicles could also potentially be turned off en masse, bringing traffic to a complete standstill in a city or country.
To be certain, some of these vehicular attacks require a high degree of computer savvy to pull off, but as we have seen with other exploits, soon there will be point-and-click crimeware options for car hacking as well. Automakers are starting to take notice, particularly as “most hackable car” lists come out. Just as vehicles were rated for their crash safety in the past, now security researchers are ranking which cars are most hackable (the answer is Jeep Cherokee, Cadillac Escalade, Infiniti Q50, and Toyota Prius). In a nod to these growing concerns, Tesla, creator of some of the most technologically advanced vehicles on the road today, hired a high-profile security guru away from Apple to make the point. But what new threats will be enabled by these technologies in the future when Crime, Inc. remotely seizes control of your self-driving car, locks the doors, and speeds you off toward an abandoned warehouse on the wrong side of town? Though you might futilely attempt escape, the last thing witnesses reported seeing was you screaming in horror and banging your fists against the vehicle’s interior windows, impotent to respond to the next generation of kidnapping. Of course, assuming you make it home alive in your potentially hacker-possessed car, you may find more troubles waiting, as while you were out, your house joined the Internet of Things as well.
Home Hacked Home
Since the days of the Jetsons, we’ve been promised a space-age home filled with robotic contraptions and whimsical electronics meant to guarantee the good life, all at the touch of a button. While we don’t yet have our flying cars, the Hanna-Barbera cartoon from the early 1960s was prophetic in predicting flat-panel TVs, video chats, and automatic sliding doors. In theory, the modern networked home sounds great. Security systems and video cameras will protect us from burglars and call police if a window is smashed. Digital thermostats will interface with weather reports for your home’s specific GPS coordinates and intelligently adjust heating and air-conditioning to ensure maximal efficiency, comfort, and cost savings. Smart sensors in the basement will detect the water on the ground after a pipe bursts and automatically turn off the flow to the affected area. Your smart phone will lock your front door’s dead bolt over the Internet so you won’t ever have to worry again about whether or not you remembered to do so while en route to the airport. Smart refrigerators will warn us when our milk is about to spoil, and the mere act of dropping an empty Cheerios box in the garbage pail will automatically use your stored credit card details to order more cereal without your lifting a finger. But do you really want your garbage pail to have your credit card number?
The home automation market in the United States is “expected to reach $16.4 billion by 2019,” and all the major technology firms are vying for a piece of the pie. Elements of your home might have already joined the IoT, with an increasing number of utilities installing smart meters to measure and regulate water, electricity, and gas usage. But perhaps some of the largest opportunities are in the consumer products space where Google, Apple, Samsung, and Microsoft, to name but a few, are fighting it out to become the central hub and operating system for your house, allowing you to remotely monitor and manipulate your humble abode using your home automation gateway while
on the go.
Apple’s recently unveiled HomeKit, included with iOS 8, brings the Cupertino giant’s design flair to home automation, enabling users to lock their doors, dim their lights, and play their stereos by merely tapping their iPhones or by voicing a request to the company’s AI voice agent, Siri. By your merely speaking the words “going to bed,” HomeKit will know to automatically carry out a series of actions, such as drawing the curtains, lowering the temperature, and turning off the lights, although given the experience some have had with Siri’s voice recognition, hilarity may ensue when the TV suddenly blares, your car starts, and your front door unlocks. Eventually, though, the kinks will be ironed out and centralized digital hubs in our homes managed by our smart phones will become reality in the very near future. So what could possibly go wrong?
Well, for one, you’ve never had to upgrade the firmware in your washing machine, reinstall the OS for your house, and reboot your home in order to get the front door to work. While connecting lightbulbs, toasters, washing machines, DVRs, game consoles, refrigerators, set-top boxes, ovens, dishwashers, televisions, door locks, security systems, baby cameras, thermostats, toilets, lamps, and bathtubs to the Internet of Things may offer Jetsonian convenience, joining all of these objects to the IoT will of course bring its own set of privacy and security risks. Many such systems use no authentication or encryption when communicating between an appliance, your mobile device, and the home system. As a result, they can easily be spoofed, hacked, intercepted, and subverted. A July 2014 study by HP found that 70 percent of the devices connected to the Internet of Things were vulnerable to attack, with each object on average containing twenty-five unique security flaws.