Democratizing the creep factor: Anyone can play NSA, “Ocean’s 11” and cyberstalker

I spent four days last week at Black Hat and DEF CON watching presentations on how quite literally everything with a connection — and some things without one — can be hacked. We’re not talking about just letting someone into your hard drive, either, but into your home. Alarms, door locks, TVs, surveillance cameras, medical devices, toys, cars, keys, toilets — they all can be manipulated in the name of stealing stuff or perhaps just good, old-fashioned invasion of privacy.
Corporations, government agencies and people of great import should be scared. Average citizens? Well, we should be a little freaked out, too.

Scary news first: public spaces are not your friends

Some of the Black Hat and DEF CON presentations were truly off-putting, particularly those about placing devices in public places to harvest network traffic or personal data about everyone connected to a network. I didn’t see the talk about using femtocells to steal packets from CDMA phones, but the session description did the trick. Here’s the first paragraph:

“I have a box on my desk that your CDMA cell phone will automatically connect to while you send and receive phone calls, text messages, emails, and browse the Internet. I own this box. I watch all the traffic that crosses it and you don’t even know you’re connected to me. Welcome to the New World, where I, not them, own the towers. Oh, and thanks for giving me the box… for free.”

Same with CreepyDOL, a small Raspberry Pi-powered device and software package that grabs all the personal data computers automatically give away when they connect to a WiFi network. It comes complete with visualization software to make mining the data easier. (It got a little press elsewhere, including from the New York Times.)

Just plug in and start harvesting data, for about $50. Source: Brendan O'Connor

And those are just the new, shiny exploits. It’s already common knowledge that you shouldn’t walk around a place like DEF CON with your Bluetooth turned on. Two years ago at Black Hat, Carnegie Mellon researcher Alessandro Acquisti explained how much personal information someone could glean from snapping a smartphone photo and having a good idea where you live.

Smart TVs probably aren’t, either

“In some ways,” Adam Grattafiori of iSEC Partners said during a Black Hat talk, “[a smart TV is] really just a smartphone with a 50-inch screen.” Then he and partner Josh Yavor proceeded to show just exactly how they’re different — including how easy it is to get access to that built-in webcam that often has a wide view of an entire room.
First, they exploited holes in the TV’s firmware (they focused on Samsung) but that’s not too useful unless someone can actually access the TV. Thankfully for hackers, smart TVs are full of apps that are full of holes.
“Social media applications really are just remote content injection,” Yavor said. He and Grattafiori wanted to turn them into “remote command injection” so they could run malicious code. They showed how they did this in Skype by injecting malicious JavaScript into a Mood Message, which actually runs as code. Whenever that message displayed on someone else’s TV, the code would execute.
Grattafiori and Yavor also demonstrated how they were able to attack the TV’s browser and inject code via an alert message. Once they have credentials and access to an app’s permissions and files, it’s easy enough to start digging around for personal information or perhaps getting creepy with the video camera. I can almost sense the sextortionists out there drooling over what they might catch on video.
It’s probably not of any consolation to know this was one of at least three talks at the two conferences about hacking smart TVs. A Korean researcher, SeungJin “Beist” Lee, gave a seemingly thorough talk about how to remotely breach any model of smart TV via the web (his slides are available here), and a team of researchers gave a DEF CON talk with the reassuring title of “Google TV: Or how I learned to stop worrying and exploit secure boot.”

Source: SeungJin "Beist" Lee

Controlling your car, 3-D printing your housekey and going “Ocean’s 11” on your surveillance camera

For some reason, though, hacking that affects our physical firewalls and not just our digital ones seems uniquely disturbing — and Black Hat and DEF CON provided plenty of examples of how that might work.
Keys, like for your front door
Two MIT students demonstrated how to fabricate the supposedly irreplicable Schlage Primus key for just a few dollars using a 1,200-dpi scanned image, some CAD software and a 3-D printing service. If you can’t get your hands on the necessary key, no problem. They suspect a good photo (using a telephoto lens) of a key dangling from the guard’s keychain could do the trick, too.
It works for normal keys from 200 feet away.

Source: University of California, San Diego

And to make things worse, they suggested an internet key-sharing ecosystem might crop up, like BitTorrent or Pirate Bay, but for CAD models of keys that can then be printed. Maybe they could start with the master keys to New York City.
Your car’s electronic system, which controls everything
In 2011, a team of researchers published a paper explaining how someone could breach cars’ electronic control units (ECUs) using their cellular networks (e.g., OnStar), their Bluetooth connections and even Bluetooth-connected smartphones inside a car. At DEF CON, security experts Charlie Miller and Chris Valasek of IOActive Labs showed what’s possible when cars are breached by actually showing video of them doing it. (You can get their paper and all their code here.)
“If you guys need any work done,” Miller joked to the crowd, “we’re mechanics now.”
Someone who can figure out which packets sent across the central message bus relate to which commands — very hard work, and different for nearly every make and model — can do a lot. Send vehicle data back to a server, control the brakes, gas pedal, steering wheel, horn and locks. It’s not so crazy to think high-tech car thieves or even kidnappers would hang out in parking lots targeting fancy cars or VIPs, or that a ring of mechanics with direct access via diagnostic tools could compromise cars for later thievery.
Source: Miller and Valasek

Just about everything else
Smart-home systems (including door locks)? Check. Kids’ toys with WiFi connections? Toilets? SONOS system? Check, check and check.
Network-connected surveillance cameras that are used to secure premises are terribly insecure and can be hacked to send the systems administrators watching the feed whatever the hacker wants them to see. Security researcher Craig Heffner of Tactical Network Solutions demonstrated how he could replace the video feed of an area with a still shot of that same area (e.g., an empty hallway) or even access other stuff on the network.
“I’m in your network, I can see you, and I’m root,” he warned.
Source: Craig Heffner

What about driverless cars and other autonomous vehicles, you ask? Not only is their software vulnerable, but their sensors are often dumber than you might think. Dr. Andrew “Zoz” Brooks — a robotics expert and co-host of a 2008 Discovery Channel series called “Prototype This” — explained how things like GPS, laser range finders and millimeter wave radar can be fooled by everything from jamming signals to painting the road lines black.

Time to go Luddite?

Do we need to leave the city for a cabin in the mountains? Probably not just yet. The good news is that many of the specific companies whose products were hacked — including Samsung, Z-Wave and MiCasaVerde — have been gracious about the discovery of these flaws and are working to improve them. I have to assume wireless device manufacturers and carriers are working to improve the security of their products, too.
The other good news is that some of this stuff is still really hard to do. That guy who smashed your car window and took your iPod isn’t hacking your car anytime soon. And some stuff, like infiltrating smart-home networks, requires being close enough to intercept radio frequency signals between the various devices.
But should we trade in our Priuses for ’84 Ford Escorts nonetheless? Maybe. Toyota hasn’t been so quick to embrace what Miller and Valasek found out about the Prius, as Miller pointed out in this tweet:

They removed the dashboard to learn the ins and outs, but someone with knowledge of the firmware exploits and a remote attack vector wouldn’t have to.