At the outset of last week’s Black Hat cybersecurity conference, founder Jeff Moss spoke enthusiastically about how the information security industry was full of enormous potential, while at the same time it was becoming exhausting, nonstop work. “On one hand, I’m really excited, but on the other hand I just want to sleep sometime,” said Moss. After two packed days of briefings covering the latest hacks and effective (or not so effective) ways to prevent them, sleep may be in short supply for anyone associated with the security world. That’s because the breaches we’ve seen so far may be just a tune-up for a really big show to come.
There was a good deal of buzz in advance of this year’s major cybersecurity gathering in Las Vegas, starting with the news weeks before that researchers Charlie Miller and Chris Valasek had been able to remotely take control of a Jeep Cherokee, a hack that led to the recall of 1.4 million vehicles last month.
Car hacking has apparently become a cottage industry. The Def Con Show in Las Vegas on Friday (following Black Hat) featured a “Car Hacking Village” where attendees could learn more about how to hack into the connected systems of most automobiles. “I really think that car companies should spend more money to secure their cars,” said Miller in a press conference following his presentation.
But there were plenty of other devices that could be hacked besides the cars we drive. The payments industry got a jolt last week when two security researchers revealed that the Square mobile payments reader, which is used by millions of small merchants to process credit transactions, can collect unscrambled information, which could later be sold on the black market or used for fraudulent charges.
Security researchers Alexandrea Mellen and John Moore said they made their findings available to Square but have not received word that the problems will be fixed. Although the two said that the vulnerabilities extend to the latest models of the Square reader, the payment technology company recently issued a statement that said, “We’ve also recently migrated the small percentage of remaining sellers who use an out-of-date, unencrypted card reader to new hardware.”
Even rifles have now joined the list of hackable items. Security researchers Michael Auger and Runa Sandvik tested the TrackingPoint TP750 computer-aided, self-aiming sniper rifle, which uses WiFi connectivity and a default network password. In research presented at Black Hat last week, the pair found they could make the rifle miss its target and prevent the gun from firing. Wired has posted a video of their hack, and TrackingPoint has since posted a notice to customers on its website saying that the company is working with the two researchers “to verify their assessment and will provide you with a software update if necessary.”
This is just a small sampling of the various devices and technology on hackable display last week, but there is a larger, more significant context to the messages coming out of the annual Black Hat gathering. A continued lack of attention to security is leading to vulnerabilities that could have far greater impact on our lives than a misfiring rifle or an erratically driving car.
Colby Moore, a researcher who works for Synack, presented work showing that the satellite system of Globalstar (which has more than four dozen satellites in space) was vulnerable to intrusion because the company’s devices, which use satellites to track shipments, are sending unencrypted data. Although Moore carefully explained that it was illegal to hack satellites, he built his own transceiver that could intercept data from the satellite tracking system. He could do so because he was able to reverse-engineer the code, which, according to Moore, is the same for all devices.
“The real problem here is these are aging satellite networks,” said Moore. “I sincerely hope they are serious about addressing these issues.”
Moore said he gave his research to Globalstar six months ago, but the company has not taken action. In response to an inquiry from Fortune, Globalstar provided a brief statement that said, “Our engineers would know quickly if any person or entity was hacking our system in a material way, and this type of situation has never been an issue to date.”
Chemical plants apparently have vulnerabilities as well. Security consultant Marina Krotofil of the Hamburg Institute of Technology presented a case study of how a chemical plant could be breached by remote hackers. Cyberattacks on the process networks that control an industrial chemical plant could result in temperature or pressure changes with catastrophic results.
An even more extreme version of the cyber apocalypse could be found in work presented on the hacking of cities. There has already been plenty of research on the hacking of urban traffic control systems, electronic road signs, city surveillance cameras, and airport security. This is the planners’ vision of the “smart city,” but hackers are already adept at being able to access smart devices.
Security researchers Greg Conti (West Point), David Raymond (West Point), and Tom Cross (Drawbridge Networks) presented a hypothetical case that cities are becoming increasingly vulnerable as they become hyper-connected. And the challenge of securing a system that large is daunting.
“There’s a big delta between securing a company and securing a city,” said Conti.
The potential for urban hacking on a mass scale has the security community worried enough that a group of them have started a Securing Smart Cities nonprofit with the express goal of finding a better way to protect large connected areas from disaster before it’s too late.
At the start of Black Hat last week, Philippe Courtot, CEO of Qualys, called 2015 “the year of the megabreach.” As we all look toward 2016 and beyond, even that label may seem small in comparison.