by Marc Goodman
Needless to say, in the networked world of the IoT, physical access to copiers is not even required, as many of these documents can just be pulled from office photocopiers remotely. Hackers have been able to gain access to networked photocopiers (the vast majority of which are online in any modern office) and watch what was being copied in real time. Moreover, office printers, such as the HP LaserJet Pro, have been remotely hacked to gain unauthorized access to your Wi-Fi network and its administrator passwords, which the device stores in plain, unencrypted text. An embedded firmware attack discovered in 2011 demonstrated that millions of HP printers could remotely receive update instructions from hackers that sent the devices into overdrive, resulting in their catching fire. By exploiting a vulnerability in the machine’s fuser element, the hackers were able to get the printer to overheat, burn the paper passing through the device, and ultimately burst into flames. Thanks to the IoT, it is now possible to commit arson from thousands of miles away, and I wouldn’t count on your IoT-enabled smoke detector to save you, because any hacker motivated enough to burn your office or home will likely turn off any safety systems to detect the fire as well.
Other common office equipment can be hacked, including the videoconferencing equipment commonly found in most offices and boardrooms, where some of the most closely guarded corporate secrets are discussed. Just as the cameras in your home can give a hacker a bird’s-eye view into your activities, so too can the digital eyes in the workplace. Videoconferencing systems, such as those from Polycom and Cisco, widely used in most offices today, have proven easily vulnerable to attacks. To prove the point, one hacker wrote a script to detect as many insecure videoconference systems as he could find and in short order had uncovered more than “five thousand in conference rooms at law firms, pharmaceutical companies, oil refineries, and medical centers.” Among the live video feeds he was able to tap into were a meeting between a jailhouse lawyer and a prison inmate, “an operating room at a university medical center, a venture capital pitch where a company’s confidential financials were being projected onto a screen,” and even the Goldman Sachs boardroom. The experiment proves that in the office too, when everything is connected, everyone is vulnerable. Because many of the Polycom and other videoconferencing systems are sold, installed, and maintained without any serious security protocols in place and with auto-answer enabled by default, hackers can just remotely dial in and boot up the cameras and speakerphones to spy on you and your company.
Meanwhile, around the world construction crews are busy creating new “smart” buildings—skyscrapers, warehouses, and factories—and retrofitting those already in existence. Putting a building online offers profound potential savings for property owners, who can leverage complex automation systems to save on water, electricity, and gas costs in buildings that sense our presence and learn to turn themselves off appropriately as people come and go. Modern heating, ventilation, and air-conditioning (HVAC) systems are all going online and are being integrated with a variety of alarms, sensors, security card readers, cameras, and even physical objects, such as vending machines, water pipes, parking gates, and elevators, all centrally controlled via building management operating systems. Evidence of these “improvements” is everywhere, and in many large office buildings, such as those in Manhattan, elevators do not even have individual numbered buttons for you to select your desired floor anymore. Instead, the data encoded in your RFID badge or the controls at a central security station predetermine to what floors the elevator will take you.
Just like your home automation hub, commercial building management systems can be hacked, and when they are, the results can be surprising. In April 2012, students at MIT hacked the twenty-one-story Green Building, home to the university’s Department of Earth, Atmospheric, and Planetary Sciences, and used its compromised electrical systems to create a giant, playable, and multicolor Tetris game. A wireless gaming console connected to the building allowed “players” to move, rotate, and drop blocks that corresponded to the lights in various offices. From across the street and throughout Cambridge, the windows in the building’s offices lit up and moved as if the hackers were playing the famous Russian puzzle video game. While some building hacks can be fun, others can be much more costly.
Systems that had historically operated as stand-alone entities are now being unified, and the far-reaching interconnections of the IoT can prove extremely difficult to foresee, map, and protect. To deal with these challenges, many organizations are turning to centralized management for their building systems, choosing to hire, for example, an outside security contractor to remotely monitor all the security feeds for a particular company across numerous sites. When everything is connected, other services, including HVAC, can also be centrally managed, and one such company to do so is the retailer Target, which had outsourced its heating and cooling responsibilities to a vendor known as Fazio Mechanical Services of Pennsylvania. From their headquarters, Fazio technicians directly interfaced with Target’s supplier and contract management system, a pathway to the mother lode Crime, Inc. found too tempting to resist.
When an employee of Fazio Mechanical inadvertently opened up a phishing e-mail with a malware-infected attachment (a variant of the Zeus banking Trojan produced by Crime, Inc.), he infected himself and the rest of his company. But because Fazio was tied into Target’s network, the Trojan also made it possible for hackers to peer into the network of their ultimate quarry: the giant retailer, Target Corporation. The result was the attack against Target mentioned earlier and the massive breach of personal information and payment card details for 110 million American consumers. Once hackers had compromised Fazio Mechanical and stolen an employee’s log-in credentials there, they were able to use them to fish around Target’s network until they struck gold.
There they found information on Target’s suppliers’ portal and data from Target Facilities Management. Ultimately, hackers learned that these systems were not segmented off from other major IT systems used by the retailer, including, shockingly, its payment and financial systems. Armed with all the details they needed, the hackers burrowed like rats through a multitude of interconnected networks until they arrived at the company’s internal server responsible for controlling the tens of thousands of individual point-of-sale terminals where customers swipe their credit cards at the register. Once there, attackers installed malware known as Trojan.POSRAM, which copied all the card swipes taking place throughout Target stores nationwide and secretly exfiltrated the data to Russia, a breathtaking fraud that continued until the story was broken by the security researcher Brian Krebs. No doubt the Target attack is the highest-profile penetration of an HVAC system to date, but it is not the only one.
We might like to believe that the government could do a better job in protecting its buildings from remote attacks, but evidence does not seem to suggest that is the case, even at those facilities one might expect to be among the most secure. In 2011, researchers were able to successfully hack the Federal Bureau of Prisons’ industrial control system network and remotely take over the facilities. Hackers could unlock individual cell doors or an entire cell block at will, even though the computer screens at the central guards’ stations indicated they were still locked. The prison’s communications network could also be turned off so that individual guards could not call for help in case of emergency. Worse, it was possible to electronically “destroy the doors” by overloading the electrical system controlling them, thereby leaving them permanently open for the entire prison. Using these techniques, Crime, Inc. could potentially free compatriots to put other prisoners at risk by opening their cell doors for retaliation attacks. These threats are not just theoretical.
In mid-2013, an unknown computer “glitch” at the Turner Guilford Knight Correctional Center in Miami, Florida, caused all doors in the maximum-security wing to suddenly and simultaneously open, setting prisoners free, causing a riot, and allowing gang members to seek revenge on rivals. According to surveillance video
at the prison, one inmate in particular seemed prepared for the incident that stunned guards and other prisoners alike. At the moment the doors unexpectedly opened, the prisoner calmly walked down the passageway to the cell of a long-standing enemy and “shanked” him with a homemade prison knife before returning to his own lockup pod. The cause of the “glitch” was still under investigation in late 2014, and the incident suggests that not every building in our society need be connected to the Internet.
Our growing threat surface area brought about by the Internet of Things creates opportunities not just for Crime, Inc. but for nation-states as well, as the U.S. Chamber of Commerce has discovered. As the leading business group lobbying on behalf of America’s corporate interests, the chamber often took stances on international affairs and foreign trade issues, positions that were frequently critical of China, in support of its three million business members. While the chamber had successfully blocked cyber attacks against its main network emanating from the People’s Republic in the past, its luck ran out in late 2011 when it discovered a recently installed Internet-enabled thermostat at one of its offices on Capitol Hill had inadvertently created a back door to its internal corporate network. Chamber officials made the discovery when they found the energy-saving device had been secretly communicating with an Internet address in China.
While attackers might have been clever in their use of the thermostat as a means of breaking into the chamber’s primary network, they were less skilled at routing their own print jobs. Their carelessness caused a printer used by chamber executives to spontaneously start printing pages of information with Chinese characters on them, something officials at the FBI viewed as a useful clue of something amiss. Once inside the chamber’s network, attackers searched for financial and budgetary information, compromised e-mail systems, and focused on employees working on trade policy matters in Asia. Make no mistake, there are deep geopolitical implications to the Internet of Things, and those nations capable of leveraging these technologies to their fullest will have access to unparalleled intelligence and strategic advantage. As the Chinese premier, Wen Jiabao, noted in a speech in August 2009 in the city of Wuxi, “Internet + Internet of Things = Wisdom of the Earth.”
The Smart City Operating System
Those skilled in war are able to subdue the enemy’s army without battle. They capture his cities without assaulting them and overthrow the state without protracted operations.
SUN TZU
In 1964, Marshall McLuhan presciently predicted that by “means of electric media … all previous technologies … including cities …[would] be translated into information systems.” It might have taken fifty years, but his forecast was spot-on. The Internet of Things has the full potential to transform cities into living, breathing ecosystems of ambient intelligence and connected sensors, vastly improving the quality of life for their inhabitants. In the utopian vision of smart cities, trash cans with embedded sensors will notify the rubbish collectors when they are full, immediately dispatching the closest GPS-equipped garbage truck to whisk them away. The growing numbers of “municipal sensor networks” can measure the pollution produced by individual buildings, the air quality on a particular block, or the number of pedestrians walking on a given street, creating the first-ever “Fitbit for the city.” Better sensors in our streetlights will mean municipalities will be able to provide just the right level of lighting, appropriately adjusted for time of day, season, and weather conditions, reducing energy costs by up to 30 percent. That is of course if things go well.
The less sanguine perspective on a citywide operating system would be a municipal network of IoT-enabled devices, always on and subject to attack from hackers anywhere in the world. Using a wireless traffic-detection system commonly deployed in cities throughout the world, an Argentinean hacker, Cesar Cerrudo, was able to control traffic lights in Manhattan by hacking the underlying sensors embedded in the roadways, a technique that enabled him to reroute traffic and cause traffic jams at will. Hacking buildings and a city’s operating system can compromise physical safety as well as allow attackers to gain control of elevators, air ducts, door locks, lighting, bridges, tunnels, water treatment facilities, and other vital systems. If smart meters can be hacked, so too can smart grids, and the ability of a hacktivist collective, organized crime group, or rogue nation to shut off power to the masses now becomes a reality. In July 2014, a security researcher was able to seize control of the power supply to Ettlingen, a town of forty thousand people in southern Germany. A hacker using the same exploit could have switched off all municipal utilities, including power, water, and gas.
Creating the Internet of Things holds the possibility for immense improvements in both our quality of life and the global economy, particularly as objects become “smart” and learn to automatically interact with one another for our benefit. Putting aside major privacy concerns for the moment, with billions of cars, coffee machines, buildings, mobile phones, elevators, dishwashers, and toys talking to each other and taking commands from the Internet at large, we have provided attackers innumerable points of contact to reach into our lives and affect them for the worse.
We can’t even protect the relatively few things we have online today, yet day in and day out we bring new smart objects into our homes and into our lives without ever bothering to stop and ask what the potential risks and pitfalls might be. As a result, much like practitioners of the ancient martial art of judo, attackers can now use the weight and strength of our own overgrown connections to defeat us. In effect, we’ve wired the world but failed to secure it—a decision we may well come to regret, especially as we begin connecting the human body itself to the Internet.
CHAPTER 14
Hacking You
The Internet of Things, sometimes referred to as the Internet of Objects, will change everything—including ourselves.
DAVE EVANS, FORMER CHIEF FUTURIST AT CISCO
Steve Austin, astronaut, a man barely alive. Gentlemen, we can rebuild him, we have the technology. We have the capability to make the world’s first bionic man. Steve Austin will be that man. Better than he was before. Better. Stronger. Faster.” Those were the lines spoken in the opening credits of the hit 1970s television show The Six Million Dollar Man. Like a lot of boys growing up at the time, I was amazed by the tremendous superhuman strength the starring bionic superhero possessed and longed for the ability to run that fast, jump that high, and see that far. As cool as the bionic man was, adults assured me it was all just made up, pure fantasy from the wildest annals of science fiction. But as I later learned, science fiction can rapidly become science fact.
I first met Bertolt Meyer in mid-2012 when he was filming a television documentary for Channel 4 in the U.K. titled How to Build a Bionic Man. Meyer, a thirty-three-year-old social psychologist from the University of Zurich, was exploring both the possibilities and the ethical implications of the latest bionic technologies. His interests in the topic were motivated not just by scientific curiosity but also by personal destiny: Meyer was born without his lower left arm. As a child, he was fitted with a variety of primitive prosthetics, all of which made him feel different and self-conscious, not to mention had extremely limited functionality. Meyer aspired to have the same anatomical functionality others had and wanted to move beyond the non-opening hands and metal hooks with which he had been fitted as a child. In 2009, that dream became a reality when he was outfitted with one of the most advanced prosthetic devices in existence: the Touch Bionics i-limb hand.
Meyer had in fact become a real-world bionic man. He was thrilled with his new physical abilities, including for the first time the capacity to clap his hands and to hold a fork and carry a heavy shopping bag with his left hand. The new bionic hand included an advanced aluminum chassis for “improved durability, increased grip strength and a more anatomically correct” design than any of his previous prostheses. Meyer controlled the device by sending myoelectric pulses from the human flesh of his arm just above the prosth
etic limb to electrode sensors attached to his skin, enabling the hand to open, close, rotate, and pick up objects. It was a true breakthrough for Meyer personally and led to a profound interest in the world of bionics, the subject of his documentary, in which I was interviewed.
As the bionic man cum filmmaker and I discussed the ethical implications of these technologies, the conversation turned to the matter of digital security, a topic Meyer had yet to consider. As it turned out, myoelectric impulses from Meyer’s own body were not the only way his bionic hand could be operated. His bionic hand was also Bluetooth enabled and could be controlled, adjusted, and reprogrammed by a mobile app that he had downloaded from the manufacturer to his iPhone. I discussed with Meyer the inherent well-known insecurities of the Bluetooth protocol and how many times it had been subverted by hackers in the past. Suddenly, in an instant, Meyer understood the implications of his vulnerability and turned ashen gray, jaw agape at the vulnerabilities that nobody had previously disclosed to him.
I asked Meyer if I could see his mobile phone and the app he used to control his bionic appendage. He dutifully complied, passing the device to me. As I examined the Bluetooth app, I saw it offered a variety of grip positions and reprogramming options. If I pushed one button, his hand would open, another it would close; individual fingers could be positioned and his thumb and wrist manipulated. I was now in control of the bionic man and his body. Through my mere possession of his iPhone, Meyer’s body would now do my bidding. Of course, I needn’t have physical access to his phone, given its use of the insecure Bluetooth protocol. I could just hack it and remotely take control. Though Meyer hadn’t realized it, his hand had joined the Internet of Things, and when it did, its usage no longer belonged solely to its rightful owner. After Meyer overcame the initial shock, we continued our discussions and eventually became friends. We also learned an important lesson together. Now, for the first time ever in the history of humanity, the human body itself was subject to cyber attacks.
