9/20/2011 12:19 PM ET
Hackers can control car, TV or home
In a widely wired world, vulnerability to cybercrime is increasing, and not just on your PC. Hacking targets now include Internet TVs, cars, medical devices and home security systems.
If anything in your home communicates data over a network or to an outside source, it can be hacked.
That's the harsh reality that online-security companies such as Symantec and Superior Solutions face, and one device-centric security firm -- Mocana -- is preparing for a post-PC world where everyone is wired and every device from a smartphone to the kitchen refrigerator is connected to a network. Even without hackers figuring out how to access every corner of a user's life, cybercrime is becoming a big industry.
A report released by Symantec earlier this month found that cybercrime cost victims $388 billion in time and money last year alone, hitting 431 million people in 24 countries. That number is rising steadily; the 54% of online adults who were victims of computer virus or malware attacks this year is up from 51% last year. Attacks against mobile devices are soaring as well, with Kaspersky Labs finding that 65% more smartphones, tablets and other devices were targeted for malware attacks last year, compared with 2009.
A Mocana survey, meanwhile, found that 64% of professionals at companies including Apple, AT&T, Intel, IBM and Microsoft had experienced an attack on a non-PC device that required the attention of their IT staff. An additional 54% said that attack disrupted the company's network, but 51% said their companies still didn't update security or create patches to protect information on devices.
Researchers at Germany's University of Ulm discovered that Google Android devices not updated to the latest version of their operating system put calendar data, phone numbers, home addresses and email addresses at risk each time they connect to a network, making personal smartphones and tablets prime hacking targets. The hacking of Sony's PlayStation Network back in April, the ensuing shutdown and the exposure of nearly 100 million users' information brought the hacking problem home, without involving a PC, a tablet or even a smartphone to get in.
"If you look at every sector of the economy, it's consumer electronics, it's smart-grid and smart-energy infrastructure, it's health care and medical devices, it's industrial control, it's aerospace and defense, it's retail and it's transportation logistics," says Adrian Turner, the chief executive of Mocana. "All of those markets have or will have connected devices."
We spoke with executives at Mocana and Superior Solutions and found that security flaws on the following items allow as much access for hackers as a lockless door would for a passing burglar:
There's some great, convenient, connected technology out there that makes life in the living room a lot easier. Those devices also make it a lot easier for hackers to get your information, passwords and even money as you use your HDTV to play around on the Internet.
"In the home, you have this whole other phenomenon, which is the explosion of phones, tablets and the next big wave, which is Internet-connected TVs," says Turner. "According to Moore's Law and the fact that we think in a linear way and don't realize how powerful these computers are getting -- or that $1 worth of computer power today will be worth 3 cents in five years -- we don't realize that these TVs are as powerful as the computers that were sitting on our desk 10 years ago."
Mocana bought several of the most popular Internet TVs just before the last holiday season and discovered that they were wide open to attacks. While most online TV functions are as benign as checking the weather with a Weather Channel app, getting scores through a Fox Sports app or cruising a Netflix queue, applications such as Amazon On-Demand pay-per-view -- which give hackers a financial incentive to access your network and steal passwords and other information -- prove problematic even when secured.
The holes in current Internet-TV security are just wide enough to allow hackers to present fake credit card forms and fool consumers into giving up their private information; intercept and redirect Internet traffic, which can trick consumers into thinking fake bank and shopping websites are legit; or steal TV manufacturers' digital "corporate credentials" to access a user's search engine or video-streaming and photo-sharing services.
The Sony hacks hit users through a network, but Internet televisions cut out the middleman entirely if they're not properly secured. That's upsetting now, but it could become much more troublesome by 2015, the year television market-research group DisplaySearch says 500 million Internet-connected TVs will be sold worldwide.
"There are issues with the majority of customers we work with, and a lot of the problem is implementation," Turner says. "You look at the Sony PS3 incident, and that was a well-thought-through, multilayered security model where they made some poor decisions when it came to implementation."
Home security systems
Sure, it's great that you can control your alarms, locks and remote notification through your smartphone and check your security cameras online. Just realize that means hackers can use those same commercial-friendly conveniences against you if they're able to access your home security system.
"People tend to think of these things as very different, but they're actually the same from a security perspective," says Turner, whose company also provides security software for video surveillance equipment, security systems and even Honeywell's building automation systems. "It's an Internet-connected device, it has a certain processor and operating system, and it's that combination of OS and CPU that people looking to break into a system or automated scripts to find devices are looking for."
But how would a hacker get in? If your home is protected through an X10 automation system, for example, the answer lies in the power lines. Last month, two security researchers went to a convention in Vegas and showed off tools they'd created that could tap into the power lines that home automation systems use to communicate. From there, hackers could monitor the house lights to see when occupants were away, jam alarm signals, block alerts to police and fire departments, disable motion sensors or even just overload the system with a flood of commands.
If all that seems far too complicated for a novice hacker, why not just sneak in through the automatic garage door? This was much easier years ago, when garage door locks used a PIN code set on the remote and garage door control. But even today's newer systems using what's called an IperCODE are fairly easy to get around, as evidenced by the sheer number of hacking products that come up under a simple search engine query for IperCODE.
"While it offers more protection, it too has been hacked," says Michael Gregg, the chief operating officer of Superior Solutions. "There are programs (not in the Apple Store) that can create rolling codes to attempt to pair with the garage door and obtain access."
Once you're in the garage, it gets much easier to access . . .
Slim jims, wire hangers, bashed windows? These are the methods cavemen use to break into and steal cars. Today, it's a lot less messy and labor-intensive.
"Beyond the TV, we think the car is the next connected platform," Mocana's Turner says. "It is security services, diagnostic services and entertainment services, and there's a lot of promise for these systems to communicate with each other."
Five years ago, cybercriminals stole two of soccer superstar David Beckham's BMW X5s by using a laptop and transmitter to unlock them and activate the ignition. A jammer is placed close to the car and prevents the owner from being able to remotely lock or unlock it, while a scanner rolls through all possible codes looking for a match. As there are about 3 billion codes, the 10- to 15-minute process still isn't the most effective way for hackers to break into an automobile.
Given the other, potentially deadlier options, car owners should feel lucky if only their locks and starter are hacked. Car dealerships are more commonly using remote vehicle-immobilization systems to cut the ignition or repeatedly honk the horns of cars whose owners aren't paying in a timely fashion. A recently laid-off worker at an Austin, Texas-area dealership hacked into his former employer's records, began tampering with payment information and disabled 100 cars before the dealership reset all employee passwords and police traced the employee's IP address.
Even that seems like a prank compared with what scientists from the University of California and the University of Washington were able to do with cars last year: hack a car's computer through wireless connections similar to General Motors' OnStar system, control the car while it was in motion, apply the brakes, selectively brake each wheel to steer, and shut down the engine completely. They were also able to shut down the brake and accelerator completely so the driver would have no control whatsoever -- then removed malware once the vehicle had crashed.
"To date, automotive systems have not been widely targeted, primarily because attackers like to go where there is access to money or sensitive data," Superior Solutions' Gregg says. "There's no big monetary prize in attacking such devices. However, many of these products are relying on security by obscurity."
Basically, automakers are just hoping hackers won't spend the time or effort to figure out that cars can be hacked through tire pressure monitors, as researchers from Rutgers University and the University of South Carolina discovered last year, or through Bluetooth connections and music files, as the same University of Washington and University of California researchers found earlier this year.
"There's a lot of discussion about the car systems and entertainment systems being on separate buses within the car, so if someone breaks through via a browser-based or entertainment-based system, they won't be able to set off the airbags or muck with the brakes," Mocana's Turner says.
But even hacking your car, cutting the brakes and setting up a potentially fatal crash seems less direct than remotely pulling the plug on . . .
Yeah, that pacemaker that keeps your heart going, or that defibrillator that gives Grandpa a jolt if his heart stops, or that insulin pump that keeps your diabetic sibling stable -- it's all completely hackable.
"These devices also send data to the outside world by means of radio frequency communication, which could allow someone to send rogue instructions to an implanted device by intercepting the device's wireless signal and then broadcasting a different signal," Superior Solutions' Gregg says. "When a computer fails, you reboot it, but when a pacemaker fails, someone could die."
He's not kidding, and researchers, lawmakers and the Federal Drug Administration aren't laughing. In June, the FDA stopped treating medical device software updates as accessories that required weeks or months of premarket approval processes and started treating them as patches critical to the safety of patients that need to be released immediately. Just last month, researchers at the Massachusetts Institute of Technology and the University of Massachusetts Amherst proposed a method for jamming foreign signals that could shut down defibrillators and prompted members of the House Energy and Commerce Committee to call for hearings on the safety of these devices.
"What's different about this era of computing is that a lot of these devices are going into critical context, and then this data that's moving across them is becoming more valuable, whether you're talking about a handset with enterprise data or a medical device that's in the field," Mocana's Turner says. "Unfortunately, these systems are so porous today that bad things will happen, and there will be physical consequences because of the nature of the devices."
At the very least, Turner insists that vulnerability will lead to lawsuits that will push insurance companies to enact a universal, manufacturer-neutral set of guidelines for securing these devices before they can be covered. In the worst-case scenario, however, a hacker's keyboard becomes a deadly weapon.
"While this may seem far-fetched, attackers will always think outside the box," Gregg says. "Such attacks could be of interest to terrorists or others looking to target government officials or military leaders."
This article was reported by Jason Notte for the Street.
Hacking is a problem because of all the holes and backdoors Microsoft leaves in its OS. Holes that are mandated by the government. The government doesn't want our systems to be hack proof. Because they are the biggest hackers of them all.
You make a hack proof OS, and I guarantee the government would outlaw it.
Makes me kind of glad I drive a car that pre-dates computerization altogether.
No one's thoughts are private.
Have your door locks changed once by a locksmith and someone can be taking a peek inside your home within a week. The locksmiths have had their brains pick-able for the last decade too.
Everyone and their brother knows your SS#, DOB, full name, mother's maiden, account numbers and past addresses.
Oh yeah, the govt knows. Some politicians must be getting huge kickbacks from the pharmaceutical industry. Their greed is going to ruin Social Security by bothering so many people with the voices. The victims just want to work, enjoy a few luxuries and be left alone but they are tortured instead.
Now the shrinks say anyone is capable of hearing the voices at any time, so you bet someone can take a look at anyone, anytime and anywhere. Your bank deposit and even your bedroom are not private.
Psychiatry is a sleazy profession, just like politics.
Just maybe we should have left things the way they were, no computers(control circuit boards) in washers, refrigerators, TVs, cars, and other appliances. This technology is too easily hacked.
Hopefully, my TV won't order a good movie, or sports pay per view when I'm not home and my refrigerator order a twelve pack of beer to drink while watching the TV event... They can at least wait till I'm home.....
The other day a hacker "hacked" my dog and made him take a dump on my wife's favorite rug. When will the govt. finally start doing something!
Oh you mean the music that was originally STARTED by black people? Let me know if you would like another cup of owned, sir.
Says the guy that posted this using a computer networking system... Unless you live in the boonies and/or like a Mormon in Va, your post holds no weight. Even using electricity is using technology.