As more devices go online, hackers hunt for vulnerabilities
November 3, 2015
The hack was simple. Terry Dunlap tapped out a few commands on his laptop and within seconds a message popped on the screen: “Done!” With a few more keystrokes, he could see what the security camera could see and swivel it at will.
The demonstration by Columbia-based Tactical Network Solutions illustrates an increasingly widespread problem: A growing number of devices, from security cameras to cars to weapons systems, are designed to connect to computer networks — the so-called Internet of Things.
But as researchers find ways to compromise the machines, regulators, lawmakers and military leaders are scrambling to safeguard them from hacking. Dunlap’s company specializes in providing “offensive cyber capabilities.”
Billions of devices can connect to the Internet, affording cyberattackers a wide range of opportunity, said Chris Inglis, a former deputy director of the National Security Agency.
Now a teacher at the Naval Academy, Inglis said the military is preparing the next generation of leaders to be ready. All midshipmen are required to take cybersecurity classes, and some have explored how to defend against hacking of machines.
“We believe that everyone, no matter what they do, is going to have a dependence on network systems,” he said.
The headline-grabbing hacks of 2014 and 2015 — the raids on Sony Pictures Entertainment, the federal government’s personnel office and several big retailers — involved attackers cracking into databases. While such assaults are serious problems for the targets, the fallout for individual victims is mostly handled by their employers, financial firms or credit-monitoring agencies.
But attacks on connected devices could bring the issue of cybersecurity into America’s homes and cars.
In a dramatic display this year, two hackers were able to commandeer a Jeep, wirelessly taking control of the steering, transmission and brakes. That hack into Chrysler’s Uconnect dashboard system prompted the company to recall 1.4 million vehicles, the first recall to deal with a computer security problem.
Other researchers have shown that some popular baby monitors contain security flaws that could allow hackers access to the video stream.
“A compromise of a connected device is much more visceral to the average consumer because it’s in some sense tangible,” said Ted Harrington, a partner at the Baltimore consulting firm Independent Security Evaluators. “If someone is compromising the video stream of their baby monitor, that feels much more catastrophic.”
In some cases, the weaknesses have prompted lawmakers to propose legislation. A House Energy and Commerce subcommittee held a hearing in October on a proposed car safety bill that would impose hefty penalties against anyone who hacks into a vehicle’s systems.
Regulators also have issued security guidance to companies that make Internet-connected devices.
“Companies should test products before they launch them, as opposed to launching the products first and seeing about problems later,” Federal Trade Commission official Maneesha Mithal told lawmakers at the hearing.
“It’s something we call ‘security by design.’”
While cyberattacks on intelligence and defense agencies might not be revealed to the public, Pentagon officials acknowledge they are exploring the implications of hacking into machines and controlling them.
The military is in the midst of evaluating its weapons systems — some of them developed before anyone contemplated the risks of connecting to the Internet — while also exploring new kinds of attacks it can launch.
Earlier this year, tests conducted by the Defense Department identified cybersecurity vulnerabilities in Apache helicopters, drones, Army radios and Navy ships.
Officials have declined to describe how they would undertake cyberattacks on machines.
“It is a big problem,” Deputy Defense Secretary Robert O. Work told a congressional panel in September. “Many of the weapons systems that we have now were not built to withstand a concerted cyber threat.”
In the Tactical Network Solutions demo, Dunlap and his team analyzed the code that controls the camera and wrote their own code to launch an attack to retrieve the password. Dunlap, managing partner at the company, estimated it took his team about five hours.
He said a search on a website that seeks out devices connected to the Internet revealed thousands of cameras around the globe that likely had similar vulnerabilities.
The security camera that Dunlap attacked was an older model made by TRENDnet. The company said the camera has been discontinued and that it has updated code for existing cameras to improve security.
“Our security team tests all our products for possible vulnerabilities before they reach the market,” Sonny Su, the company’s technical director, said in a statement. “We use TRENDnet products in our own homes, so we especially understand the importance of providing secure products to our customers.”
Harrington and his colleagues have long been interested in security weaknesses in devices connected to the Internet. Frustrated by what they saw as a lack of attention to the problem, they gathered people from across the country this summer at Defcon, one of the nation’s top hacker conventions, to demonstrate how dire things had become.
In all, the hackers identified 66 security vulnerabilities at the four-day event. The weaknesses were an especially potent kind known as zero-days, so called because the devices’ manufacturers are unaware of the problem and therefore have no time to devise a fix. Security cameras, drones, door locks and a home automation system were found to have vulnerabilities.
Harrington’s conclusion: “Security issues in connected devices are systemic.”