- Internet enabled cars – FBI warns of car hacking risks
- Your insulin pump could be the death of you
- Imagine hackers taking control of your Internet-enabled sex toy
- Your daughter’s seemingly innocent Hello Barbie is not so innocent after all
- Security should be a first priority – not an afterthought
The lines between cyberspace and the real world are becoming increasingly blurred. Up until a few years ago, we could simply unplug, leave the digital world behind and retreat to our reliable, analogue, physical world. With computers all over the place and more and more devices linked to the Internet of Things, the days of being able to disconnect from cyberspace are long gone. The IoT is everywhere. It’s in our toys, our appliances, our cars – even on and in our bodies. There is no way to escape from it and although it offers many benefits, the exponential developments also mean that all the dangers of the Internet can now easily cross over into our physical world as well.
The majority of our connected devices have minimal or no built in security and the ever growing complexity of networks could result in serious vulnerabilities in infrastructures all over the world. Big Brother – or actually, Big Google, Big Facebook, you name it – is watching us all; recording our every move. Our game consoles, routers, TVs, phones and even our fridges, toys and other devices can listen to, record and transmit our conversations. Some of these seemingly harmless devices can for instance also tell when we turn our lights on and off – and a host of other activities which we think take place behind closed doors, away from prying eyes. As you can imagine, all this personal information is also extremely valuable for cybercriminals and gives them untold power, when in possession of it.
The risk of hackable Internet enabled things is very real and can have far reaching consequences. If we don’t secure our IoT devices adequately, we could be in for serious crime waves. As illustration of this point, this article will cover various hacks that took place in recent months.
Internet enabled cars – FBI warns of car hacking risks
Today’s modern cars offer technologies that aim to offer improved safety features, better fuel economy and basically generally greater convenience. With this increased connectivity, however, come potential cyber security challenges as well. Last year, security researchers Chris Valasek and Charlie Miller managed to prove that it is possible to hack a car. They did this by remotely sabotaging the transmission of a 2014 Jeep Cherokee while it was driving down the highway. This hack resulted in Chrysler having to issue over 1 million vehicle recalls and sending software updates to the affected owners.
The FBI, in collaboration with the National Highway Traffic Administration and the Department of Transportation, has now confirmed that vehicular cybersabotage is real and issued a statement about the dangers of Internet of Things hacks on vehicles. In their announcement, the FBI lists a number of car hacks that took place last year and provides recommendations and tips on how to keep vehicles safe from cybersabotage and what to do when your car is hacked. They advise drivers to be careful and maintain awareness of who has access to the car. Furthermore, they urge owners to keep vehicle software up to date and to avoid connecting unsecure devices to the network of their car. The FBI encourages people to get in touch with them as soon as they suspect that their vehicle has been hacked.
Your insulin pump could be the death of you
While cars seem like the most likely devices to turn into killing machines after being hacked, medical devices can pose serious threats as well – some of which with fatal outcomes. Many sophisticated medical devices contain vulnerabilities in terms of their architecture and software, making it very easy for people with malicious intent to hack into this equipment in order to hijack or control it. Former US vice president Dick Cheney’s cardiologist, for instance, feared that cybercriminals could hack the vice president’s pacemaker and deliver a fatal shock. To prevent this, he disabled the Wi-Fi capability of the device during Cheney’s time in office. The fact that the cardiologist’s reason for concern was not unfounded was proven when medical students at the Alabama University managed to hack into the pacemaker of their robot patient. With this cybersabotage they actually managed to ‘kill’ the robot. The students were able to interfere with the ‘patient’s’ heart rate and could theoretically have administered shocks to a defibrillator, if the robotic patient had had one. Imagine the effect an attack like this could have in a real-life scenario.
Another example of a hackable medical device is the drug infusion pump such as the ones used for administering antibiotics, chemotherapy, insulin, morphine and other medication. Billy Rios, security researcher at a startup focused on embedded device security, took a special interest in these after he had been hospitalised for an emergency surgical procedure. Taking a close look at the infusion pumps there, he discovered vulnerabilities in the devices that would enable malicious hackers to remotely change the firmware on the pumps, giving them the ability to change drug dosages. A malicious hacker could first raise the dosage above the maximum limit and then deliver a deadly dose without the pump issuing an alarm. The hacker could even alter the display screen of the pump so that it indicated that the patient received a safe dosage of the medication. Also, he wouldn’t need actual access to the device as its communication modules are connected to the hospital networks and the Internet. Hospira, maker of the LifeCare pumps, has denied that there was a problem with the pumps. They did not believe that it was possible to hack them. Rios is now working on a proof of concept attack to demonstrate that it is indeed possible.
The FDA has taken note of the potential disastrous consequences if these types of devices are not fitted with security and has taken steps to remedy the problems. Unfortunately, medical devices such as these drug infusion pumps and pacemakers can’t just be ‘fixed’ that easily; a software update may not necessarily do the trick. May of these devices will need to be re-architected, which could take years.
Imagine hackers taking control of your Internet-enabled sex toy
As if the above examples weren’t creepy enough, research teams at various tech companies have proven that even Internet connected smart sex toys are hackable. At this year’s CeBIT Technology Fair in Germany, security firm Trend Micro demonstrated how they were able to activate a large pink vibrator by merely entering a few lines of code onto their laptop. While this was great entertainment for the audience, the fact that this is possible poses serious risks. Sex toy manufacturers are increasingly leveraging the Internet of Things to produce products and devices that use Wi-Fi and Bluetooth to connect to smartphones and computers. This not only enables the toys’ users to control the devices, but allows them to download software updates as well as communicate with each other. These connections can however also enable hackers to intercept the devices. One can only imagine what could potentially result – besides the obvious embarrassment – when footage is recorded and used for blackmail and ransom purposes.
Your daughter’s seemingly innocent Hello Barbie is not so innocent after all
Over the last two years or so, many consumer products have had Wi-Fi connectivity added to them and with the increase of this Internet connectivity obviously come increased security threats. A Samsung smart fridge, for instance, designed to use Wi-Fi to sync with the Google Calendar of the owner of the appliance, somehow omitted to validate SSL certificates. This left the owner’s particulars out in the open and ready for the taking. Security firm Rapid7 tested nine baby monitors and found that all of them were easy to hack – despite the obvious, worrying risk of paedophiles spying on children. Mattel’s Hello Barbie was also recently kitted out with Wi-Fi connectivity and speech recognition technology to enable real time, artificially intelligent conversations. The recorded audio is transmitted to third parties for processing and is then returned with natural language responses. Security researcher Matt Jakubowski discovered that Hello Barbie was easily hackable, enabling access to the microphone, stored audio files as well as account and system information. Cybercriminals could easily replace the servers and make the doll say whatever they want it to say. What was most concerning was the ease with which Hello Barbie could be compromised; the information stored in the doll also enabled hackers to gain access to other IoT devices and steal personal data – without people’s knowledge.
Security should be a first priority – not an afterthought
During the past two years, many consumer products were updated with Wi-Fi connectivity but there are very few manufacturers that actually give the security aspect of this any serious consideration. When producing smart devices, companies often treat security as an afterthought, while it should be first priority. One of the reasons for this is because ensuring a good standard of protection costs a considerable amount of money. When looking into the future of the security of the Internet of Things, lots of parties are diving deep into it. It is destined to be a huge market; not only for security researchers but for cyber criminals as well.
Before being able to tackle IoT security, we need to however study potential threats, especially since not every device poses the same threat level. Also, there are various factors that need to be taken into consideration. For instance, would a criminal rather hack your daughter’s Hello Barbie or another, to the hacker more useful - device? We can do our bit by reducing data risk – by keeping our personal data away from IoT devices as much as possible and securing necessary data transfers.