As more devices go online, hackers hunt for vulnerabilities
By IAN DUNCAN | The Baltimore Sun | Published: November 2, 2015
BALTIMORE (Tribune News Service) — The hack was simple. Terry Dunlap tapped out a few commands on his laptop and within seconds a message popped on the screen: “Done!” With a few more keystrokes, he could see what the security camera could see and swivel it at will.
The demonstration by Columbia-based Tactical Network Solutions illustrates an increasingly widespread problem: A growing number of devices, from security cameras to cars to weapons systems, are designed to connect to computer networks — the so-called Internet of Things.
But as researchers find ways to compromise the machines, regulators, lawmakers and military leaders are scrambling to safeguard them from hacking. Dunlap’s company specializes in providing “offensive cyber capabilities.”
Billions of devices can connect to the Internet, affording cyberattackers a wide range of opportunity, said Chris Inglis, a former deputy director of the National Security Agency.
Now a teacher at the Naval Academy, Inglis said the military is preparing the next generation of leaders to be ready. All midshipmen are required to take cybersecurity classes, and some have explored how to defend against hacking of machines.
“We believe that everyone, no matter what they do, is going to have a dependence on network systems,” he said.
The headline-grabbing hacks of 2014 and 2015 — the raids on Sony Pictures Entertainment, the federal government’s personnel office and several big retailers — involved attackers cracking into databases. While such assaults are serious problems for the targets, the fallout for individual victims is mostly handled by their employers, financial firms or credit-monitoring agencies.
But attacks on connected devices could bring the issue of cybersecurity into America’s homes and cars.
In a dramatic display this year, two hackers were able to commandeer a Jeep, wirelessly taking control of the steering, transmission and brakes. That hack into Chrysler’s Uconnect dashboard system prompted the company to recall 1.4 million vehicles, the first recall to deal with a computer security problem.
Other researchers have shown that some popular baby monitors contain security flaws that could allow hackers access to the video stream.
“A compromise of a connected device is much more visceral to the average consumer because it’s in some sense tangible,” said Ted Harrington, a partner at the Baltimore consulting firm Independent Security Evaluators. “If someone is compromising the video stream of their baby monitor, that feels much more catastrophic.”
In some cases, the weaknesses have prompted lawmakers to propose legislation. A House Energy and Commerce subcommittee held a hearing in October on a proposed car safety bill that would impose hefty penalties against anyone who hacks into a vehicle’s systems.
Regulators also have issued security guidance to companies that make Internet-connected devices.
“Companies should test products before they launch them, as opposed to launching the products first and seeing about problems later,” Federal Trade Commission official Maneesha Mithal told lawmakers at the hearing.
“It’s something we call ‘security by design.’”
While cyberattacks on intelligence and defense agencies might not be revealed to the public, Pentagon officials acknowledge they are exploring the implications of hacking into machines and controlling them.
The military is in the midst of evaluating its weapons systems — some of them developed before anyone contemplated the risks of connecting to the Internet — while also exploring new kinds of attacks it can launch.
Earlier this year, tests conducted by the Defense Department identified cybersecurity vulnerabilities in Apache helicopters, drones, Army radios and Navy ships.
Officials have declined to describe how they would undertake cyberattacks on machines.
“It is a big problem,” Deputy Defense Secretary Robert O. Work told a congressional panel in September. “Many of the weapons systems that we have now were not built to withstand a concerted cyber threat.”
In the Tactical Network Solutions demo, Dunlap and his team analyzed the code that controls the camera and wrote their own code to launch an attack to retrieve the password. Dunlap, managing partner at the company, estimated it took his team about five hours.
He said a search on a website that seeks out devices connected to the Internet revealed thousands of cameras around the globe that likely had similar vulnerabilities.
The security camera that Dunlap attacked was an older model made by TRENDnet. The company said the camera has been discontinued and that it has updated code for existing cameras to improve security.
“Our security team tests all our products for possible vulnerabilities before they reach the market,” Sonny Su, the company’s technical director, said in a statement. “We use TRENDnet products in our own homes, so we especially understand the importance of providing secure products to our customers.”
Harrington and his colleagues have long been interested in security weaknesses in devices connected to the Internet. Frustrated by what they saw as a lack of attention to the problem, they gathered people from across the country this summer at Defcon, one of the nation’s top hacker conventions, to demonstrate how dire things had become.
In all, the hackers identified 66 security vulnerabilities at the four-day event. The weaknesses were an especially potent kind known as zero-days, so called because the devices’ manufacturers are unaware of the problem and therefore have no time to devise a fix. Security cameras, drones, door locks and a home automation system were found to have vulnerabilities.
Harrington’s conclusion: “Security issues in connected devices are systemic.”
The researchers’ findings show what’s possible, said Richard Bejtlich, a Washington-based analyst at security firm FireEye. Consumers, however, don’t have much reason to worry. He doesn’t foresee an attack on millions of devices in people’s homes, he said, because most hackers are after bigger-impact targets.
The more likely targets are computers that control factory machinery and water or electric plants, he said.
“There has been intense interest by the U.S. military in industrial control systems of foreign countries for at least 10 years,” said Bejtlich, a former Air Force intelligence officer.
Attacks on computers that control enemy aircraft, defenses or other systems offer the military opportunities. A small team at West Point is trying to show Army commanders what can be achieved with just a few hundred dollars and a weekend of tinkering.
Their showpiece? A cyber rifle.
Capt. Brent Chapman said the idea is to show soldiers at all levels the potential of cyber weapons. His team chose a rifle as the starting point because every soldier is familiar with it.
“You don’t need a secret computer in a secret room somewhere to do these things,” he said.
The rifle has four key components: a long antenna, a radio, a small computer called a Raspberry Pi, and the frame itself. The parts cost about $150, and the rifle capable of hacking was assembled in about 10 hours.
At the Association of the U.S. Army convention in Washington in October, Chapman and his colleagues showed how the rifle could be used to knock down a small drone flying in front of them in the convention hall.
The drone, made by a company called Parrot, has a widely known flaw that allows others to gain control of its systems. With a tap on the Raspberry Pi’s touchscreen, the rifle executes code that turns the drone’s power off, sending it tumbling to the ground. Chapman called the attack almost “cheesy” because it’s so simple.
Parrot did not respond to a request for comment about the security weakness.
Chapman used similar technology in the hills around West Point and was able to connect to a wireless network he set up almost a mile away — farther than he could see. In another demonstration, Chapman has used the rifle to open a computer-controlled door on a model of a bunker. In the future, he imagines infantry units calling up teams that can develop cyberattacks.
“It’s less about the technology, and much more about enabling our own forces to create on-the-fly solutions by allowing them room to experiment,” Chapman said.
©2015 The Baltimore Sun
Visit The Baltimore Sun at www.baltimoresun.com
Distributed by Tribune Content Agency, LLC.