Jeff Moss founded Black Hat and DefCon, two of the most well-known conferences on hacking and the security industry.
NEW YORK TIMES
NEW YORK — Imagine driving on the freeway at 60 mph and your car suddenly screeches to a halt, causing a pileup that injures dozens of people. Now imagine you had absolutely nothing to do with the accident because your car was taken over by hackers.
Charlie Miller, a security researcher at Twitter, and Chris Valasek, director of security intelligence at IOActive, a security research company, recently demonstrated car hacks at the Black Hat and DefCon computer security conferences in Las Vegas. The researchers completely disabled a driver’s ability to control a vehicle. No brakes. Distorted steering. All with a click of a button. While the demos were with hybrid cars, researchers warn that dozens of modern vehicles could be susceptible.
Hackers and security researchers are moving away from simply trying to break into — or protect — people’s email accounts, stealing credit cards and other dirty digital deeds. Now they’re exploring vulnerabilities to break through the high-tech security of homes, cause car accidents or, in some extreme cases, kill people who use implanted medical devices.
“Once any single computer in a car is compromised, safety of the vehicle goes out the window,” Mr. Miller said in an email interview. Modern cars typically have 10 to 40 little computers in them.
“Right now, there aren’t a lot of ways for hackers to remotely attack cars: Bluetooth, wireless tire sensors, telematics units,” he added. “But as cars get Internet connections, things will get easier for the attacker.”
Carmakers and the government are aware that our vehicles are vulnerable. In fact, Mr. Miller and Mr. Valasek received a grant from the Defense Advanced Research Projects Agency, or DARPA, to research ways carmakers can thwart attacks. The biggest fear is the future: As cars become more computerized — or become fully automated, computers on wheels that drive for you — they’ll become more inviting targets.
But the demonstrations by security experts and hackers weren’t a peek at what’s to come. The researchers hacked a Toyota Prius and Ford Escape, two hybrid cars that are on the road.
Certainly, hackable cars are a troubling development for people who don’t even like to use cruise control.
Now to add to your paranoia: security researchers warned that our homes are more vulnerable than our cars to attackers. That is, if burglars trade in their lockpicks and crowbars for laptops and Wi-Fi scanners.
Devices such as the Lockitron, a Wi-Fi-enabled front door lock that can be used with a smartphone, could open a way for tech-savvy thieves to break into your home. That’s not to pick on Lockitron. They just happen to be on the cutting edge of wireless home security.
“We’ve built Lockitron from the ground up with security in mind,” the company said in a statement, while acknowledging that “anyone claiming their system is ‘unhackable’ is wrong.” At the conferences, security experts lauded the company for the protection it has built into the Lockitron.
Hackers could also turn our televisions and webcams against us, monitoring everything we’re saying and doing. Next-generation light bulbs that are connected to the Web could be tampered with. Digital refrigerators could be turned off, spoiling food without your knowledge.
Some hacks could be mere practical jokes, albeit messy ones. Researchers have warned that the Bluetooth-enabled INAX Satis model toilets, which can be controlled via a smartphone app, could easily be hacked to spray water up instead of down. In response to warnings that its toilets could be hacked, INAX said it issued a security update for its toilets this month.
Yes, in the future, you will need to download security updates for your toilet.
And then there are the usual smartphone fears. At Black Hat, Kevin McNamee, the director of Kindsight Security Labs, showed how to take over an Android smartphone by injecting code through the game “Angry Birds.” Once he had control of the phone, he removed photos and personal data from the device without the owner having any clue.
Other researchers took over an iPhone by hacking a power adapter to suck passwords and emails from a device that ran operating systems earlier than iOS 7.
But some of the most advanced, and scariest, security researchers are thinking about hacks of implanted medical devices.
Barnaby Jack, perhaps best known for a hack that made an ATM spit out cash, was supposed to demonstrate at Black Hat how implantable medical devices, including a pacemaker, can be hacked to kill someone. But he died unexpectedly, shortly before he was to make his presentation. He was often referred to as an “ethical hacker” and hoped to show the pacemaker exploit as a warning to device makers.
So should we dig holes in our yards, bury our computers and smart phones, and never drive our cars again? Some researchers said many of these demonstrations were certainly provocative, but they were more theoretical than any sort of real risk we had to worry about today.
“Sometimes there is a gap between the researcher community and the real world. Researchers bridge this gap often, but it’s not uncommon to see conference talks on exotic technologies that don’t really impact our everyday lives just yet,” said Chris Rohlf, founder of Leaf Security Research, a security consulting firm, in an interview. “As technology embeds itself into these everyday devices and other parts of our lives, you will see an increased focus on their security. Anywhere you find technology you’ll inevitably find hackers.
“But when these technologies do arrive, I would not count on the companies that are installing computers in our cars, homes, and bodies to be able to stop rogue hackers,” Mr. Rohlf said.
“We haven’t figured out how to stop attacks against Web browsers in personal computers ... for the last 10 years, so there isn’t any reason to think that we can stop attacks against cars or other devices in the near future,” he said. “We should be concerned and start taking action now before something bad happens.”
Black Hat and DefCon, founded by Jeff Moss, are security conferences held together in Las Vegas.