Lee H. Badman
September 01, 2011
Here’s a puzzle for you: what do a new Dodge Ram pickup truck, a digital road sign, a young English lady’s cell phone and a modern lighting control system have in common? They’re not all necessarily made in the same Third World country, if that’s what you’re thinking. But they are all exploitable by virtue of their network connectivity, and the implications can be quite worrisome.
I was in London a few weeks back, and the scandal involving the widespread hacking of mobile phones by the media was still fresh enough that my cab driver was more than happy to share the lurid details as Londoners saw it. The technical aspects are interesting enough, but my new friend Mick said something that stuck with me: "It just shouldn’t be that easy. I mean, everybody’s got a cell phone, and not all reporters are that smart, you know?"
Then, driving home from work this week, I caught a story on NPR that detailed how security firm iSEC Partners was able to demonstrate unlocking a vehicle and starting its engine through the same sort of IP-connected framework that makes the likes of OnStar tick. This was a nice follow-up to an earlier piece dealing with the same topic, but talking more about the use of texting as a command protocol of sorts and the security weaknesses that accompany the once-exotic notion of making seemingly stupid objects able to interconnect in cool and strange new ways.
And who hasn’t seen the images of digital highway signs hacked to display funny (in the eye of the prankster, obviously) messages? Instead of "Traffic Congestion Ahead," you probably saw either "Zombies Ahead" or "Poop Ahead," depending on what variant cycled through your email. Whether you subscribe to sophomoric humor or not, the fact that many such signs now get programmed remotely over cellular or satellite networks also raises the hairs on the backs of the necks of those of us who "do" security for a living.
Put simply, as the Internet of Things continues its aggressive growth and more IP-enabled consumer devices show up far and wide, the environment for those who enjoy network-based vandalism, and for those who seriously hack for a living, is also becoming proportionally more target-rich.
Attacks on modern devices can have a social engineering and a technical component. Josh Wright, of Will Hack For SUSHI fame, published a great article called "Verizon MiFi Pwned," which details his signature thorough approach to attacking a device through simple observation of product labels combined with easy-to-use cracking tools to maliciously master one of Verizon’s hottest mobile products.
The examples of devices to be concerned about from the perspective of network security go on and on: ATMs, medical equipment, lighting systems, appliances, smart grid components and network signaling devices on the road, in port and in the rail spaces. And there are plenty more potential targets as the world grows ever more connected by the amazing fruits of modern chipmakers’ labors.
In reality, not every device I’ve mentioned here has been hacked--yet. At the same time, common sense says it’s just a matter of time before each one of these device sets sees real trouble, whether it’s just somebody recreationally DoSing the devices or using the new distributed endpoints as ingress vectors to real high-value targets.
These are exciting times in networking, and getting more so every day. Let’s hope that all of the people putting new devices and protocols onto the wire and in the air remember to add a healthy dose of paranoia into their feature sets.