As we approach the much ballyhooed era of the so-called ‘internet of things’, where pretty much all our devices will be connected to the internet and thus remotely accessible and controllable, on the surface this looks great. But the catch is that this also allows hackers to access them, and that can be problematic.
I doubt that hackers will bother to randomly turn on our toasters or change the thermostat settings in our houses or turn the lights on and off. Such things might provide an increase in beliefs about ghosts and poltergeists but provide little benefit to the hackers. But some things could be really dangerous. For example, as self-driving cars enter the market, we need to worry about the possibility that a third party can gain access to the car’s controls and take it where we don’t want it to go.
Even with current cars, it appears that because these cars’ computers do not have a firewall between the parts that run the car and the parts that run the communication and entertainment systems connected to the internet, hackers can use that gateway to take control of the car away from the driver. Wired reported on the frightening experiment it conducted with remote hijackers commandeering a car.
As another example, e-readers and online streaming of films enable providers to closely monitor usage. Consider the experiment by Kindle Unlimited to allow readers to download as many books as they want but charge people only for the number of pages they actually read, with part of the proceeds going to the authors of the works at $0.005 per page. So the more pages of an author’s work that are read, the more they get paid. This seems like a fair way of compensating writers. But enterprising hackers found that they could write software that produces fake 3,000-page books filled with nonsense, then jump to the last page so that every page appears to have been read, immediately generating $15 for the ‘author’.
This is why it is so hard to have nice things. You have to combat all those people who are trying to abuse and exploit the system, and putting countermeasures in place immediately makes those nice things harder to attain and drives the costs up.
doublereed says
Well, for the purposes of surveillance and tracking these little things could be useful. Or if you’re trying psychological warfare like the Stasi’s Zersetzung.
Also a hacker might be able to hack into one device and pivot to the rest of your devices. All the different openings increase the possibility of someone hacking into something more valuable (like your car).
Reginald Selkirk says
Leaving a toaster or toaster oven on for hours could start a fire. These appliances are designed for short use, and do not have as much insulation as full scale ovens.
moarscienceplz says
In the case of cars, we simply cannot accept the Microsoft model of lazy coding and testing, with the expectation that the manufacturers will push out a hundred fixes as the bugs reveal themselves over time. We need to insist that mission critical software can only be updated at the dealership with the use of some sort of physical key in addition to the usual security features to identify authorized technicians. Using only software to protect software has never been fully successful, and now that we are talking about millions of lives at stake, it cannot be business as usual.
Also, we need laws to guarantee that all vital software upgrades will be done at the factory’s expense for the lifetime of the car.
doublereed says
If the software can only be updated at the dealership, you’re asking car owners to rely on outdated, vulnerable software until they make their way to the dealership. If anything, patching should be as automatic as possible.
There’s no simple solution to the issue.
lanir says
When you introduce something as valuable as a car to the equation it actually gets easier. There are already reasons to let your dealership keep current contact information for you. If a remote update doesn’t go right you can always be contacted in those ways. The risk at that point is that someone gets your contact information… but generally they already could if they hack a dealership because otherwise you don’t know about recalls.
As doublereed mentioned at #1, clever hackers (like our wonderful friends at all the pretty little acronym groups both at home and abroad) will find ways of using any vulnerable device to infect the rest of your network. For the last few years it’s been done with printers for example.
The real issue is that the focus on too many of these things has been the usual corporate nonsense. It doesn’t matter if it’s a medical device implanted in your body, a vehicle, a kitchen appliance, a tv remote or just a light switch. The same security treatment seems to be pretty common: once it barely works, throw it out there and caveat emptor is the rule of the day. The math on that is pretty simple too so it’s easy to see why companies do it. Generally you only know about security issues with a product if you own it already. And most people wouldn’t understand the difference between an obvious and simple to exploit bug that shows an appalling disinterest in customer safety and a complex, difficult to exploit potential hole that is identified early by a security conscious company and likely to be patched long before there is any real world risk of an exploit.
And frankly, sometimes simple mistakes are made. But some of the products coming out of Internet of Things shops currently are too awful for that to be a plausible explanation for all of it.
Marcus Ranum says
Doublereed@#4:
If the software can only be updated at the dealership, you’re asking car owners to rely on outdated, vulnerable software until they make their way to the dealership. If anything, patching should be as automatic as possible.
Most high end cars get their software quietly updated whenever they go to a dealership. I used to know a coder at BMW (who worked on the system data-bus architecture) who said that it was pretty much pointless to debug a car unless you were running the latest codebase on it. Come to think of it, that was the year I bought a 1966 Land Rover. Which, by the way, was nowhere near as reliable as a BMW…
The whole “internet of things” idea is stupid marketing bullshit. It has been a reality since the first iPhone, really. That was where the software industry finally realized there were clouds on the horizon: complex important powerful computers running full operating systems with device-and-release-specific drivers were going to be everywhere and on everyone and all connected to something NAT’d to the internet. I was shocked that Google’s smart guys, having solved system administration for locked data centers, managed to come up with an update model for android that is so utterly terrible -- but it seems to me that “hey let’s make a cellphone” is the sound made by large tech companies jumping the shark. Nobody in their right mind should want the system administration problems inherent in that, unless they have first developed zero system administration software. System administration is the “hey let’s march on Moscow” thing that if you get it wrong, you’re doomed. Apple got it right. They’re about the only ones. The world is splitting into companies that know how to do system administration (Google, Apple, Amazon, ADP, Box, cloud services) and companies that pay them a hell of a lot of money for things they don’t understand and can no longer control. That crowd will panic and tell their employees “bring your own device” which is an incredibly stupid idea unless it’s very carefully managed. And companies that are going “internet of things” to avoid management costs aren’t going to manage IOT well, either.
As an information security consultant for the last almost 30 years, I guess I should be happy. But I’m not. I’m actually annoyed as fuck. Because I have garbage like lightbulbs that won’t work unless I punch a hole in my firewall that a moose could fit through. I have a drone that needs new software every month (and cthulhu only knows what is going on in there) and I don’t think any of this crap works very well. My house has something like 40 active IP addresses in it at any given time and most of them are service or entertainment related.
I ran into a guy at a security conference who decided to poke me about my negativity regarding a certain bluetooth toothbrush (now there is brilliant marketing!) that puts your brushing history on the web. He said that the toothbrush uses bluetooth so it’s OK. I replied, “Yeah. The problem is the charging base; it’s on your WiFi.” It wasn’t until a few hours later that I realized even a computer security practitioner can slip up and not understand the subtle connectivity that’s going on. And meanwhile, I know hackers who can turn your coffee machine into a network scanner and map your network and install backdoors from it. Yay. I don’t think they have sold that to the FBI yet. If you want to reality check how that game will play out take a look at the “pwnie plug.” It’s nicer than what the FBI currently use.
Hey, you want a cool new computer game? Figure out what happens when your lightbulb DHCPs the same address as your phone. Then figure out what the lightbulb should have done about it, or the phone should have done. There will be lots of opportunities for time-wasting brought to us by the internet of mediocre things.
Marcus Ranum says
Anyone who wants to know what the IOT is going to look like should read Charlie Perrow’s “Normal Accidents”
tl;dr version: when you have tightly coupled systems that depend on each other to function correctly, they must function correctly as a system, which they usually don’t because they fail separately. Then you wind up with infinitely complex failure modes and humans will just play whack-a-mole with the most common ones but will inevitably be surprised when a wheel falls off when you turn on your cell phone.
This is an example of the kind of utter stupidity people are doing. I can’t even imagine why anyone would want this particular feature but I can imagine it’d be as fun as back in the days when we used to want to call call-centers and yell “FORMAT C:/Y” and hope they have voice-activated command set up.
https://www.youtube.com/watch?v=VOlbOpwQD64
(Listen to the idiots applauding. It’s goofiness all the way down)
EnlightenmentLiberal says
Everything that Marcus Ranum said.
Also, going forward, I will have to apply the knowledge that I learned from roleplaying in the Shadowrun campaign setting. Specifically, no wireless anywhere, and never connect anything to the internet except for a throwaway device for receiving and sending email -- with the assumption that someone has hacked the device.
I will personally fight the internet of things in my own personal space for as long as I can.
doublereed says
I’ve only been a security consultant for a couple years now, and I think I’m almost as cynical as Marcus about it all. I hope that means I’ll go far!
Marcus Ranum says
doublereed@#9:
I think I’m almost as cynical as Marcus about it all
I was being optimistic.
You should see me when I get cynical.
John Morales says
Meh. Was a time not that long ago when it was bemoaned how an unprotected PC would last only a few minutes online before being compromised; yet here we are today, still (and even more!) on the internet.
Much like the “road toll”, it’s an acceptable side-effect of new tech, where the overall benefits outweigh the harm.
Marcus Ranum says
EL@#8:
I will personally fight the internet of things in my own personal space for as long as I can.
Been there, lost that battle.
A couple years ago I actually had a home network designed like a SCADA network.* My internet connected machines were on one network and my automation and sensors on another. I had 2 switches, 2 armored CAT5 copper pulled to each room, separate monitoring, the whole bit (I was still actively coding on system log analysis stuff so it was nice to have a sensor network). The green network could sniff the blue network’s traffic via a T-tap at the router to the internet, everything was NAT’d to private ranges so my log server could differentiate based on subnet, etc. I invested, oh, a few hours in getting that all right. And it all came apart over time. Some dimweed figured out how to make a device that was unable to update itself over a NAT’d connection, and would cease to function if its code got old, so… over time, the entire green network moved onto the blue network. Now, yeah, screw it: my lightbulbs are on the same DHCP zone as my gaming machine and my phone because Microsoft apparently requires some games to use uPnP to participate in Xbox’s network. That’s genius, right there. So when some gamer punk decided to DDOS my game box with a UDP packet spew at my published address, my lightbulbs and the home router from Verizon both wedged.
The internet of things is going to be like that only worse because that gamer kid will also accidentally DDOS your toilet so that the butt-cleaning attachment sprays water all over -- which will make the dog very happy -- but will do wonders for your downstairs ceiling. Oh Brave New World!
(* Like a SCADA network ought to be, not like how Iranian nuclear engineers do it, or how the US’ “smart grid” energy companies did it**)
(** Should I say “don’t get me started on smart grid”? Because it’s actually hard to describe how bad some of those systems are, without falling into a sort of Hunter Thompsonesque sputtering rage.)
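The two-zone design Marcus describes above (an internet-facing network and a separate automation network, with a log server telling them apart by subnet) can be checked mechanically. This is an added example, not code from the thread: a small flow-log checker that assigns each address to a zone and flags flows crossing a boundary the design forbids. The subnet ranges, the zone policy, the log line format and the sample lines are all constructed for illustration.

```python
import ipaddress
import re

# Constructed zone map (assumption, not Marcus's actual addressing).
ZONES = {
    "blue": ipaddress.ip_network("192.168.10.0/24"),   # internet-facing machines
    "green": ipaddress.ip_network("192.168.20.0/24"),  # automation and sensors
}

# (source zone, destination zone) pairs the design permits. "outside" is any
# address not in a known zone, i.e. whatever sits beyond the NAT.
# The green network may only talk to itself; everything else is a finding.
ALLOWED = {
    ("blue", "blue"), ("blue", "outside"), ("outside", "blue"),
    ("green", "green"),
}

# Constructed flow-log format: "<timestamp> src=A dst=B proto=P dport=N".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+"
    r"proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)


def zone_of(addr):
    """Map an IPv4 address to its zone name, or 'outside' if it is in none."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "outside"


def parse_flow(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["dport"] = int(flow["dport"])
    return flow


def check_flows(lines):
    """Return one finding per flow whose (src zone, dst zone) pair is not allowed."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # unparseable lines are skipped, not treated as violations
        pair = (zone_of(flow["src"]), zone_of(flow["dst"]))
        if pair not in ALLOWED:
            findings.append({
                "ts": flow["ts"], "src": flow["src"], "dst": flow["dst"],
                "dport": flow["dport"], "path": "%s->%s" % pair,
            })
    return findings


# Constructed sample log (not a real capture). 192.0.2.0/24 is the RFC 5737
# documentation range, standing in for arbitrary internet hosts.
SAMPLE_LOG = """
2015-07-24T21:04:11 src=192.168.10.5 dst=192.0.2.80 proto=tcp dport=443
2015-07-24T21:04:12 src=192.168.20.31 dst=192.168.20.2 proto=udp dport=514
2015-07-24T21:04:15 src=192.168.20.17 dst=192.0.2.44 proto=tcp dport=443
2015-07-24T21:04:16 src=192.0.2.9 dst=192.168.20.17 proto=tcp dport=8080
2015-07-24T21:04:20 src=192.168.10.5 dst=192.168.20.17 proto=tcp dport=80
garbage line that does not parse
""".strip().splitlines()

if __name__ == "__main__":
    # Expected: the green device phoning out, an outside host reaching into
    # green, and the blue gaming box talking to a green device.
    for f in check_flows(SAMPLE_LOG):
        print("%(ts)s %(path)s %(src)s -> %(dst)s:%(dport)d" % f)
```

A device that "cannot update itself over a NAT'd connection" shows up here as the green->outside finding; the checker reports it rather than silently letting the zone boundary dissolve.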
John Morales says
Marcus, not relevant to the topic, but… lexicon matters.
http://grammarist.com/usage/o-oh/
EnlightenmentLiberal says
With enough time and effort, one has a good chance at securing one device like a personal computer from not-Mossad threats.
Securing every piece that connects to the internet is a pain, and that’s when I actually have control over the code that is running on it. When it’s a closed black box, like a light bulb, or toaster, etc., then it becomes basically impossible for me to secure it short of taking out the wireless adapter. That’s difference one.
Second, my computer will still sometimes get viruses, and that’s why I have backups. Further, when my laptop gets viruses, my fridge and stove still work. It’s an inconvenience, but it’s not life threatening. If a hacker gets control of my toaster, that is life threatening. That could be a huge fire hazard. I already suffered third degree burns once from a house fire. Not again, thanks. That’s difference two.
Third, there is value in attaching my laptop computer to the internet. I find it hard to fathom any value that I would receive by attaching my toaster to the internet.
PS: I’m also a huge hater on wireless mice, wireless keyboards, wireless game controllers, etc. Finding wired mice et al nowadays can be a pain.
John Morales says
EnlightenmentLiberal,
So, connect to the internet via your secure device, so you only need worry about Mossad-level threats.
Do there really exist fridges and stoves that will not work unless they are online?
Then don’t do it. Your objection only has merit to the degree that you cannot avoid such online appliances.
doublereed says
@Marcus
Clearly I have so much to learn.
Trickster Goddess says
Remotely hacking people’s thermostats could cause deaths if it happens during a cold snap or a heat wave.
John Morales says
doublereed, beyond cynical is jaded.
EnlightenmentLiberal says
Apparently it’s not that easy. Please see the post by Marcus above. Thankfully, I haven’t had these problems yet.
John Morales says
EnlightenmentLiberal,
Yeah, it is. Conceptually, if not routinely.
That Marcus failed merely speaks to his abilities.
(And, the subtext is that he learnt a lesson, yet perseveres. I see no despair there)
EnlightenmentLiberal says
To John Morales
Marcus (seemingly) and I have a great deal of technical expertise in this area. This is what I am paid to do. May I ask, what is your technical level of competence in this area of computer security? Do you actually know what you’re talking about? Do you do this professionally? As an amateur?
John Morales says
I sneer at your appeal to authority, EnlightenmentLiberal.
(I do have IT background, but that is an irrelevance)
If you want to credibly dispute my contentious retort, you have to do better than that.
EnlightenmentLiberal says
I’m not going to a fallacy. I’m trying to gauge your level of competence, and whether I’m out of my league, or whether you are out of yours.
What do you say to Marcus’s experience of certain accessories, hardware, that will stop working if they do not update in X amount of time, and other hardware that cannot successfully update behind a NAT? How would you handle this?
I am also sensing a great deal of hostility, for seemingly no apparent reason. Are you just here to take metaphorical jabs at me for past disagreements?
John Morales says
FFS, EnlightenmentLiberal.
It’s you who cavils at the prospect of incendiary toasters due to net connectivity.
It’s not personal; it’s SIWOTI.
I would handle it as I have hitherto; I have no accessories or hardware that will stop working if they do not update in X amount of time.
(Privileged, am I!)
Marcus Ranum says
I have no accessories or hardware that will stop working if they do not update in X amount of time.
Ah, you’re certain? I remember one fun time when a DNS server misconfiguration brought down a production network that was believed not to need internet access. It turned out to have a license manager that made a difference between “no internet access” (ok) and “contacted license/update server and got an error N times and deauthorized myself”* (database service shuts down and everything dies). It’s a good example of the kind of subtle failures Perrow talks about.
As far as whether or not I failed to have a secure home network because I’m incompetent or because software has embedded the internet too much -- that’s a toughie. I suppose I could point to my resume, but I suppose you could dismiss that as an appeal to authority rather than a list of quite real accomplishments including personally (and single-handed) designing and coding the first productized internet firewall, and the third, and I think I can claim credit for 4 or 5 others that were just ripoffs of my design. Or perhaps it means something that DARPA trusted me, personally, to configure, implement, and manage** the first whitehouse.gov internet server, which collected email for president@whitehouse.gov, which went FEDEX to Washington on floppies from my office once a week. Or I could tell you I designed and taught the system security audit practices and pen testing*** for Arthur Andersen U for 4 years. And other stuff that is fairly noteworthy like that one of my products was the first NAT firewall**** and another the first to offer transparent VPN tunnelling. I did the NAT code, Wei Xu did the swipe port to BSDI so I only deserve partial credit. I don’t mention these things to blow my own horn but rather to explain why I was thoroughly surprised to find myself defeated by some lightbulbs. And, of course I am intelligent enough to know that I could have switched back to regular light bulbs and avoided the problem. That’s a viable strategy for a while. Eventually those who remain off the internet will be like the new amish.
It was 1999 or so, in the keynote for one of CSI/FBI’s conferences in Chicago that I predicted that systems would eventually auto-patch themselves from the vendors directly, and that this would utterly defeat configuration management. I was more right than I ever dreamt or I would have adjusted my stock selections a bit. When I made that prediction people went around saying I had lost it and they’d never just trust code to auto-install. Heh. We were naive then and I was not jaded yet.
Anyway, the internet of things is going to push people who want reliable systems into becoming the new amish. The last systems any of us had a chance to fully understand were mostly taken out of service in the late 90s. The new stuff fulfils Brian Kernighan’s dictum (paraphrased) “if you are building systems at the edge of your ability, you are building systems you cannot debug -- because it’s harder to debug something than it is to build it.” Perhaps that’s an appeal to authority, but I suspect Kernighan has more practical computing experience than the lot of us wadded together.
(* the update server dns lookup was returning a valid address of a wrong but reachable host, which was not accepting connections on port 80 -- connection refused error is an importantly different code from network unreachable)
(** for its first year of operation. Later, office of science and tech policy stood up http://www.whitehouse.gov, a different server at NASA. I was not involved with that monstrosity.)
(*** we didn’t call it that, then. I taught “design review and validation”)
(**** shoulda patented that one, damn it)
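The license-manager failure Marcus describes above (and the footnote's point that "connection refused" from a wrong-but-reachable host is not the same as "network unreachable") is easy to reproduce in miniature. This is an added example, not code from the thread or from any real license manager: a naive client that counts errors from a reachable host as authorization failures and eventually revokes itself, beside a fail-safe client that changes state only on an authoritative answer from the server. The `connect` callables, policy names and error counts are assumptions made up for the example; no network is touched.

```python
import errno

NAIVE, FAIL_SAFE = "naive", "fail-safe"


class LicenseClient:
    """Two ways a periodic license/update check can react to transport errors.

    NAIVE: an error from a host that was reachable (e.g. connection refused)
    counts as a failed authorization; after max_errors the client revokes its
    own license. Network-unreachable is treated as "offline, fine".
    FAIL_SAFE: only an authoritative 'revoked' answer from the server changes
    state; every transport error is logged, state is kept, and the check is
    simply retried next time.
    """

    def __init__(self, connect, policy=FAIL_SAFE, max_errors=3):
        self.connect = connect  # hypothetical: returns "ok"/"revoked" or raises OSError
        self.policy = policy
        self.max_errors = max_errors
        self.errors = 0
        self.authorized = True
        self.log = []

    def check(self):
        try:
            verdict = self.connect()
        except OSError as e:
            code = errno.errorcode.get(e.errno, "EUNKNOWN")
            if self.policy == NAIVE and e.errno != errno.ENETUNREACH:
                # Somebody answered, so the naive design assumes it was the
                # license server saying no. A DNS entry pointing at the wrong
                # but reachable host lands here and kills the service.
                self.errors += 1
                self.log.append("%s counted as auth failure %d/%d"
                                % (code, self.errors, self.max_errors))
                if self.errors >= self.max_errors:
                    self.authorized = False
                    self.log.append("deauthorized after %d errors" % self.errors)
            else:
                # No license server was reached, so there is no verdict.
                self.log.append("%s: no verdict, state unchanged" % code)
            return self.authorized
        self.errors = 0
        if verdict == "revoked":
            self.authorized = False
            self.log.append("deauthorized: server returned 'revoked'")
        return self.authorized


# Simulated transports, constructed for the example.
def refused():
    # The footnote's case: DNS returned a reachable host with nothing on port 80.
    raise ConnectionRefusedError(errno.ECONNREFUSED, "Connection refused")


def unreachable():
    # No route at all: the "no internet access" case.
    raise OSError(errno.ENETUNREACH, "Network is unreachable")


def server_says(verdict):
    # A license server that actually answers, with "ok" or "revoked".
    return lambda: verdict


def run_scenario(connect, policy, rounds=5):
    """Run `rounds` periodic checks; return (still licensed?, log lines)."""
    client = LicenseClient(connect, policy=policy)
    for _ in range(rounds):
        client.check()
    return client.authorized, client.log


if __name__ == "__main__":
    for name, transport in (("refused", refused), ("unreachable", unreachable)):
        for policy in (NAIVE, FAIL_SAFE):
            ok, log = run_scenario(transport, policy)
            print("%-11s %-9s licensed=%s  last: %s" % (name, policy, ok, log[-1]))
```

The naive client survives a dead network but not a misdirected DNS answer, which is exactly the inversion Marcus's production outage hinged on.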
Marcus Ranum says
One more observation on system comprehensibility and code integration: we are fucked. Web design (and everything uses http/https with some kind of scripting on both sides) embeds distributed, loosely-coupled, low-integrity processing into all kinds of things. But the worst part of THAT is that because of distributed asynchrony it’s not really possible to build a code debugger because your processing happens all over the place.*
It is not plausible to write robust code when “debugging” consists of hitting reload on a web page and farting with HTML until the layout works, which layout is controlled via the internet’s linguini franca spaghetti coding language, javascript.
I haven’t seen much I’d call “robust software” since 2004 or so and it just keeps getting worse. Computing’s answer to bad design is adding more layers of indirection -- managing complexity by layering on more complexity; a fail loop.
(* per Rob Pike: “distributed computing is when a system that you have never realized exists is able to take you offline for a reason you don’t understand” Bingo. Yet Pike helped inflict android and chrome on us all…)
John Morales says
Marcus,
Yeah, I am*. Even my PC and the wife’s laptop will keep working without connectivity, nevermind the TV/microwave/oven/fridge/toaster and whatnot.
Heh. Perhaps you haven’t.
FWIW, I don’t particularly worry about Van Eck phreaking, either.
—
* The appliances I possess need only power-point connection (AC 2400V 50Hz) to work. Wifi/ethernet is only for my computers.
John Morales says
PS “It is not plausible to write robust code when “debugging” consists of hitting reload on a web page and farting with HTML until the layout works, which layout is controlled via the internet’s linguini franca spaghetti coding language, javascript.”
Of course it is: virtual machines and sandboxes. Get serious.
Dunc says
Yep, this is a serious concern. For example, there’s a presentation by James Mickens on the issues with the IoT where he describes in detail how it’s possible to extract your WiFi password by snooping on the traffic exchanged by a certain type of internet-connected lightbulb.
If Marcus freaking Ranum is not competent to secure a home network, then we’re all completely screwed. Seriously, look him up. If he’s not competent, no one is.
It’s not that hard -- you simply have to resist the urge for shiny new toys. You can’t compromise any of my stuff because none of it is connected to anything. I don’t feel any need to be able to control any of it remotely, or even from my phone. When I want to switch the heating on, I get off my arse, open the cupboard that the boiler lives in, and prod a physical switch.
Dunc says
There’s a very good post on some of these issues from Jeff Atwood over on Coding Horror: Welcome to The Internet of Compromised Things. The key point: routers are increasingly a weak point, and once your router is compromised, you’re pretty much completely screwed.
John Morales says
Dunc:
Leaving aside that it is not yet the case that we must use potentially-incendiary internet appliances, I note given what Marcus wrote, we’re all completely screwed if you merely go by his authority.
“As far as whether or not I failed to have a secure home network because I’m incompetent or because software has embedded the internet too much – that’s a toughie. I suppose I could point to my resume, but I suppose you could dismiss that as an appeal to authority rather than a list of quite real accomplishments including personally (and single-handed) designing and coding the first productized internet firewall, and the third, and I think I can claim credit for 4 or 5 others that were just ripoffs of my design.”
(Do note he explicitly admitted he was bested by “Some dimweed”)
—
Routers aren’t magical boxes, they’re just computers.
Or, since you like authority, listen to EnlightenmentLiberal: “With enough time and effort, one has a good chance at securing one device like a personal computer from not-Mossad threats.”
sonofrojblake says
http://e.lvme.me/oozm79d.jpg
Dunc says
I’m not a fan of authority, but I do like expertise. Marcus Ranum is a well-known expert in the field of IT security.
No he didn’t. That is not what he said. He said that some dimweed had written some software which did not work properly on a secure network.
I believe everybody here has acknowledged that “just don’t use (x) then” is an effective solution to the problems of IT security, but it’s not a particularly ideal one.
Dunc says
Just for clarity: yes, we are all completely screwed. The proliferation of distributed code with effectively untraceable webs of dependencies is a fucking disaster, as is the idea that you should be able to control your lightbulbs over the freaking internet.
We are moving into a regime where your choices are going to be between living with massive, ongoing IT security issues, or simply not using any recent technology.
flex says
To comment on the Wired article. As an engineer working in the automotive industry, I can say that when that article came out it was taken very, very seriously by the OEMs. The vulnerability was identified very rapidly. The corrective actions may not yet be completely in place, so I won’t say more, but it was a stupid vulnerability which should never have been there in the first place. By which I mean that I recall discussing this possible vulnerability over a decade ago with Ford. It was not a particularly clever trick. Correcting it means taking up some more memory space for code, so there may be some vehicles which will not be easy to patch.
I will say that the need to integrate complex systems from multiple sources is something that the automotive companies already do. A single vehicle may have over a hundred different suppliers providing parts, and often a deep chain of sub-suppliers. Yes, these systems are mechanical and electrical rather than software, but it’s not quite the same as having an open system where anyone can easily add a new part. The hobbyists do so, but most people just drive the car.
I will also note that the Wired report explicitly told the driver to not touch the steering wheel, accelerator, or brakes. I know that currently the mechanical linkages for all those systems will override the electrical controls, and if the driver had tried to steer the car, or tapped the brakes, the driver would have regained control. So the picture isn’t quite as bleak as the article suggested.
All that being said, it is clear that technological advancement toward autonomous driving will create more points of potential vulnerability. And while my colleagues and I are doing what we can to identify and prevent vulnerabilities, it is inevitable that we will miss some. One strategy is to continue to have manual over-ride systems which cannot be disabled by the vehicle software. Another strategy is to put a manually-activated auto-stop button which will put the vehicle software into a ‘safe’ mode, pull the vehicle to the side of the road, and send out a distress signal. Maybe these are not the most elegant solutions, but occupant safety is more important than getting to the destination.
I think it’s also worth noting that at the present time the in-vehicle networks do attempt to keep themselves isolated from external communication. It doesn’t always work, but the automotive OEMs do not want un-vetted devices on their networks. Partially because it exposes them to vulnerabilities, but largely because the timing of network communication is so critical in a vehicle that adding untested devices to that network can seriously impact the vehicle’s performance. (Yes, the network hardware isn’t cutting-edge, and there are 2+ different network protocols used in any particular vehicle. CAN is not universal. Which causes other problems.) So the chance of adding a light-bulb to a vehicle network and creating a new vulnerability is low because the vehicle network wouldn’t recognize the light-bulb.
Although, knowing the engineers I work with, at some point the idea of customer-added network devices to vehicles will probably become reality. Engineers like their gadgets.
TL/DR version:
The automobile OEMs are taking this very seriously.
That being said, there will undoubtedly be an occasional exploit discovered.
Mano Singham says
flex,
Although you say that:
in the video, the driver tries to accelerate and steer but does not seem to regain control.
flex says
Mano,
I’ll look at the video again when I get home. I can’t view it here at work.
But if it’s the one I recall, I know that the mechanical linkages for steering are still present on that vehicle platform. There may be an accelerator override when a collision detection is active, but that means not just putting messages on the bus, but also spoofing a number of sensors (radar and vision) to trigger an override on the system, and the only thing the vehicle should do is slow down. Not impossible, but not easy. Generally the accelerator input from the operator trumps the accelerator inputs from other parts of the system. The presumption still is that the operator has a better idea of what they want the vehicle to do than the vehicle does.
left0ver1under says
Prediction: In the next ten years, massive numbers of people will have knee jerk reactions to this and pay exorbitant amounts to buy and refurbish used cars that don’t have computers in them. If you doubt it’s possible, recall how many people tried to buy old Geo Metros for ridiculous amounts after oil prices soared in 2008.
A lot of accusations of paranoia and being luddites have been and are made against naysayers. People who said car companies would use computers in the engine to monitor driving habits and refuse to fulfil warranties were deemed “crackpots” until it actually happened. The only car hackers I would worry about are those engaging in insurance fraud -- park a wreck on the side of the road, then when an expensive and controllable car comes along, steer it into the beater and make a claim.
I’m less worried about “big brother” than I am about the big bully trying to steal my lunch money. Every connection, every increased dependence on electronic networks means another service charge, another fee, another means of data mining and advertising. The extent of it makes it ever easier for corporations and banks to nickel and dime you out of nickels and dimes with more and more charges. It makes it easier for the wealthy to take working people’s wealth away.
I use cash instead of a debit card in stores, and alternately get called “behind the times” or “paranoid about the gubbinment”. But unlike those who say it, I’m not wasting money on surcharges for using a card, and my buying habits aren’t being monitored to target me with more junk advertising. And no, I’m not “missing out” on anything by going back to a bar phone and getting rid of my not-so-“smart” phone, or leaving it at home when I go out.
lorn says
Don’t underestimate how dangerous automated systems can be:
Turning off or drastically lowering the setting on a thermostat can cause a house to freeze up in winter. Busted pipes, flooding, dead animals, frost-bitten older folks are not unlikely outcomes.
Resetting passwords or entry codes could keep people who wish to leave in or rescuers out. Disabling lighting could easily cause problems. Particularly in the case of the young or very old. Even security systems with battery backup can be disabled if deprived of power long enough.
Turn the refrigerator/freezer off long enough for food to rot, then back on so that it all looks good, and you could easily cause food poisoning. That’s the worst case, but consider that many families buy their meat in bulk and keep it in a separate freezer. They may have several thousand dollars, and a huge slice of their food budget, invested in frozen meat.
A little jiggering and you might be able to get a house with a heat pump and backup heat strips to run the heat and AC at the same time. Something is going to break because neither is designed to run all the time. At the very least you end up with a huge power bill. I’ve seen this with a conventional AC system when a defective relay and control board happened to break in just the right way. The homeowner complained of $600 power bills. The constant uncoordinated running caused the feed to overheat and start to melt. A new relay, control board, feed and breaker solved the problem, but it could have easily caused a fire.
Way back when, a lot of businesses thought that open fax lines were safe. Then someone figured out that you could make a loop out of paper and send an endless fax. Endless insults were popular but, if you used enough black, reverse-color print worked well (insult in white on a black background): you could expend their supply of paper and ink while putting a lot of wear on their fax machine. The point is that automated systems are usually exploitable.
Keeping this in mind some power companies have disconnected automated controls on vital machinery. To screw with it you have to physically go to the site, get through the fence, get into the building, break into the control box, and tweak the settings with a screwdriver. There are costs associated with manual control but it tends to discourage hackers.
Automation and the ability to make changes on-the-fly and remotely is very convenient and can allow things to be done that otherwise can’t be done. But every capability is also a vulnerability. A library of digital books can be ‘burned’ in a millisecond. Anonymous sabotage from 12000 miles away can become a tempting and low-risk crime.
EnlightenmentLiberal says
Man, you’re being an asshole for no reason. Knock it off already.
Marcus Ranum says
John Morales:
Of course it is: virtual machines and sandboxes. Get serious
I don’t understand why you’re trying to engage in one of these “teach your grandma how to chew cheese” arguments; but whatever. Please remember: I’m not your enemy and I’m not trying to tell you what to do.
Simply saying “virtual machines and sandboxes” is inadequate. Unless you don’t understand that one of the most important parts about transactions is synchronizing them -- you can stick a web app under traces (what debugger do you use for server-side scripting?) and watch it -- but watching what it reports is a different matter entirely from watching what it does. If you’ve taken a car to a mechanic and had them plug in their data doodad and go “it says something’s wrong” you’ll understand what I mean: if there’s no alert being thrown out of a code checkpoint, then there’s no way to know what’s going on other than “no alert” and there’s a serious problem if you’re getting a crash that doesn’t trigger an alert. The same applies on the client side -- you’ve got, what, HTML in a variety of browsers with an impossible option-set of plugins that alter the HTML coming down. How do you regression test that? (hint: you don’t) How do you synchronize that with your web server (hint: “I clicked it here and watched it there” is about as good as that gets, enjoy your race conditions!) How do you tell whether the client is sending requests that are malformed, or if it’s a plugin in the client, or if it’s a load balancer in the pipe, or whatever? (hint: you assume) Lots of assume this and hope that and eyeball the other thing is not how you build reliable systems -- it’s how you build systems that appear to work.
Saying “Get serious” when I have been nothing but serious makes me think you’re the one who’s not putting any real thought into it, or you’re not familiar enough with the problem to really understand it. If you think that just throwing sandboxes and VMs at distributed development somehow magically results in good code -- well, you’ve been asleep the last couple decades. The sandboxes and VMs coding model is what brought uncomprehending programmers to develop huge critical applications full of injection attacks -- that’s a perfect example of what happens when you don’t understand where your data is going and what’s happening to it in the process. In the old days, you’d load your application into a debugger and step through the call-graph and watch what happened. Now, in the brave new world of coding, you can’t do that -- or, you can but it’s been made harder. That’s progress!
note given what Marcus wrote, we’re all completely screwed if you merely go by his authority.
I was careful to talk in terms of my experiences, not authority. If you choose to interpret that as authority, I think I see the problem: there’s a big difference between someone saying “trust me because of who I am…” and “I’ve done a whole bunch of this stuff and here’s some examples and they’re relevant to my knowledge and expertise.” Maybe you’ve got a vested interest in finding me wrong…? Knock yourself out, if you do. I don’t understand why I am pulling aggro from you, but it isn’t going to impress or annoy me much either way.
FWIW, I don’t particularly worry about Van Eck phreaking, either.
I haven’t mentioned it at all. I am, however, happy that you chose to be careful to announce that you’re not part of the tinfoil hat brigade. Good for you!!!!
(PS: someone who understands computer security will know when TEMPEST is an appropriate response and when it isn’t and won’t make blanket pronouncements about it without tying them to a risk model.)
he explicitly admitted he was bested by “Some dimweed)”
Do note that I made sure to mention it was my home network, and I set it up as a playground and it wasn’t one of my clients’ networks, and if I was ‘bested’ it was because of the dynamic between new shiny software and bad code.
Why so aggro? Maybe back off a bit? It doesn’t bother me but it’s puzzling. I feel like I’m talking about facts (as I understand things given my experiences and expertise) and I don’t want to bring personalities into it.
Marcus Ranum says
Oh, several comments referring to “mossad level” attacks.
NSA and Mossad (and CIA and FBI, too) are really weird combinations of skillful and highly technical at some things as well as utterly incompetent and stupid at others. So I generally resist people saying things that imply that those agencies are super skillful, or whatever. It’s not that simple.
If you want to understand what the NSA is like in cybersecurity-land, it’s kind of like Bobby Fischer. OK, now, if you’re playing chess against Bobby, you’re probably toast. But if what you’re playing is “The Price Is Right” … it’s up in the air. If the game you’re playing is “who’s not an asshole?” an obnoxious teenager could beat Bobby hands down any day. So you get things like the NSA doing some really witchy-cool clever things — or, more precisely: contractors that NSA paid doing witchy-cool clever things — and stumbling over its own pants on the next topic. Mossad’s the same way, ditto FBI and CIA -- they’re all stupid about different things in slightly different ways. The NSA is decidedly the Bobby Fischer of codes and keys and ciphers. The Mossad is the Bobby Fischer of gaining insider knowledge, and possibly was almost as good at it as the KGB on their best days. The CIA is the Bobby Fischer of spending huge amounts of money and killing you if that didn’t work, and the FBI is the Bobby Fischer of scarily threatening to arrest you and lock you up with legal procedurals to ruin your life. Those all work, but they’re all different threat vectors.
When someone says “Mossad level” security I automatically interpret that as meaning that I need to watch out for my housecleaner. When someone says “FBI level” security I automatically interpret that as meaning that I need to watch out for a load of armed goons showing up in suburbans. When someone says “CIA level” security I interpret that as meaning I might have a hellfire missile go in my window if I don’t cooperate. When someone says “NSA level” security I do, in fact, worry that my toaster has eyes on me when my back is turned.
None of those agencies are particularly good at anything outside of a narrow axis of expertise. The FBI’s data management is beyond incompetent. The NSA’s is so incompetent that: Edward Snowden. Especially: Edward Snowden right after what Chelsea Manning did to State over the GiG; they should have taken a few lessons from that. One of those lessons might have been: turn on your system logs on your servers. Which, by the way, was a lesson State didn’t learn from Aldrich Ames. Outside their areas of strength, the government agencies, in my experience, are massive sucking holes of weakness and fail. That’s just my experience. But it’s pretty substantial experience (that stuff is not on my resume, so if you want to get aggro about whether I speak authoritatively or from knowledge, be my guest).
Marcus Ranum says
PS: See your “mossad security” and raise you the fact that their operations are widely and easily attributed to them. That’s not a sign of great sophistication as much as it is a sign of sloppiness and reliance on naked power.
Marcus Ranum says
Lorn@#39:
Don’t underestimate how dangerous automated systems can be:
If you go into SHODAN and search for home X-10 controllers you’ll find all kinds of horrible nutso stuff. Ranging from things I’ve seen like the guy who had his fishtank heat/light on an X-10 system with default passwords, to the other guy who had an entry in his controller for “electric bong”. Maybe it was a security guy trolling to see if anyone would try turning it on, or not.
Home webcams: terrifying. Lots of people use older models with vulnerabilities like SSL fallback to RC4 modes, that you can pretty much just walk into. I always wanted to write a novel about someone who sees a murder committed via a webcam that they were hacking, and then things go horribly wrong from there… I know a hacker whose hobby is ‘found porn’ -- acquired through home webcams that weren’t configured right. The problem is: most of those are kid-cams and baby-cams.
Smart people don’t put dangerous stuff on home automation systems. When systems get more and more software-controlled, that’s when it gets interesting. Someone might be able to set your house on fire if your computer’s got overclocking modes and programmable fans and they can get into your home WiFi using a vulnerability in the base station of a bluetooth toothbrush.
I thought a lot of this stuff was BS until my buddy Aaron Turner at INL did the AURORA test -- and it worked. That was, in fact, what made me attribute (correctly, it turns out) STUXNET to the US -- the STUXNET attack on Bushehr’s generator system was basically AURORA. I’ve seen pictures of what that looked like -- the spindle of the dynamo went right through two cinder-block walls. Good thing the reactor didn’t need emergency power at that time, or it could have been like Fukushima except 11 miles upwind from a city of 200,000 people. BTW, the real giveaway on STUXNET was that the centrifuges at Natanz were Pakistani RP1s. The only supply of spare RP1s for testing is in Oak Ridge, TN -- the ones that Libya turned over to the US when they stood down their refinement program.*
(* I bet Ghaddafi was nonplussed: the US and its allies browbeat him into playing nice with the nukes then the CIA went and did a ‘regime change’ operation on him anyway, and he got killed to boot. Whups! Hint: don’t trust the CIA!)
Marcus Ranum says
I know I’m breaking the 3 comment rule but 2 seconds after I posted the preceding, the following (redacted) hit my in-box:
My car audio system is a ‘dumb’ bluetooth speaker that I stream my iPhone to. I don’t even have head units in my car.
flex says
Okay, I’ve watched the video again, and it is one I saw before.
There is no indication that the driver couldn’t override the steering if he tried. They say that they could access the steering below a certain speed, and only in reverse. That’s a feature that I wasn’t aware was active on the 2014 Jeep, but the intent of that feature is a parallel parking aid.
As for interrupting the accelerator, they manage that by tricking the body control module into thinking the car was put into park. You can see the dashboard PRNDL indicator flash into P for a second on the video. This triggers a fail-safe mode, because the engine, transmission, and other systems are telling the body control module that the vehicle is still in drive. So the fail-safe mode is to slowly bring the vehicle to a stop. This is designed as a safety feature. The solution to this mode is to cycle the ignition. That is, turn the car fully off and back on. On some of the newer systems it also requires taking the key completely out of the ignition (or on the keyless vehicles, the FOBik used to open the doors, etc., is queried to ensure an authenticated FOBik is still in the car).
What the video does not show is the hackers controlling the acceleration, although from my knowledge of the architecture, it should be possible to do so. The pedal input should still override any message input.
The systems like the locks should still be able to be unlocked from the front seat door controls, the rear locks can be disabled as a safety feature to keep children from unlocking and exiting the car when it would be unsafe for them to do so. The rear lock disable function has been in cars for over 20 years, so it is possible that these may be vulnerable.
The radio volume probably required the hackers to continually send the max-volume command at a fast enough rate to prevent the radio from registering the knob turns. If the radio gets a message every 100ms to put the speakers at max volume, it will respond faster than the knob telling the radio sound level to drop. You might be able to measure a drop in the radio volume between the messages as the knob turns, but the human ear wouldn’t be able to tell that there is any effect. The human ear does not respond that quickly to a change in sound levels.
The fan and wiper controls are similar, and are usually simple commands to turn them on or off, or set the level, without much in the way of authentication.
So, from the perspective of an automotive engineer who has worked on the stuff, the Wired video is important and shows some distinct vulnerabilities (and the Wired article shows a few more), but it doesn’t mean that you should throw away all new vehicles and shop for an older model car. The newer cars are vulnerable, but not any more unsafe than the vehicles without internal networks. I would argue that overall they are safer, but I recognize that what has been made safer may be seen as less important than the new safety issues that an in-vehicle network creates.
If you want to postulate scenarios where a stalker remotely hacks into a car and drives it, hijacking the occupants, this doesn’t seem to be possible. If nothing else, the brakes will still work, and the brakes will eventually stall the engine; they are designed to do so. Frankly, if a stalker was intent on kidnapping someone, there are a lot easier ways of doing so than trying to hack into their car. The old bag over the head, or threatening them with a gun, seems a lot more likely.
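The radio-volume mechanism flex describes above (a command repeated faster than the knob is sampled, so the bus state is reset before the user's input registers) is also what makes this class of message flooding detectable on the bus itself. The following is an added example, not code from the commenter, from the Wired researchers, or from any vehicle manufacturer: it runs a per-identifier rate detector over constructed bus traffic and, with a toy radio model, shows why the knob turns are imperceptible even though each one does briefly lower the volume. The arbitration IDs (0x2A0 for "set volume", 0x1C4 for an engine-speed frame), payload encodings, timings and the 100 ms repeat interval are all assumptions made up for the example, not real Chrysler/Jeep identifiers.

```python
"""
Rate-based flood detection for a vehicle bus, plus a toy radio model.
All frame IDs, payloads and timings are constructed for this example.
"""
from collections import defaultdict, deque

VOLUME_ID = 0x2A0   # hypothetical "set volume" frame, payload[0] = level 0..63
RPM_ID = 0x1C4      # hypothetical engine-speed frame, sent every 10 ms


def build_sample_traffic():
    """Constructed capture: (timestamp_ms, arbitration_id, payload).

    0-10 s: normal traffic (RPM every 10 ms, three user volume changes).
    10-15 s: the same, plus a max-volume command repeated every 100 ms.
    """
    frames = []
    for t in range(0, 15_000, 10):
        frames.append((t, RPM_ID, bytes([0x0B, 0xB8])))       # 3000 rpm
    for t in (1_200, 4_700, 8_300):
        frames.append((t, VOLUME_ID, bytes([0x0C])))          # user picks 12
    for t in range(10_000, 15_000, 100):
        frames.append((t, VOLUME_ID, bytes([0x3F])))          # 63 = max, flood
    frames.sort()
    return frames


def detect_floods(frames, window_ms=1_000, baseline_ms=5_000,
                  factor=5.0, min_count=5):
    """Return {arbitration_id: first_alert_time_ms} for IDs whose count in the
    trailing window exceeds max(min_count, factor * baseline rate).

    The baseline rate per ID is learned from the first baseline_ms of traffic;
    high-rate periodic frames (RPM) therefore get a high threshold, while a
    normally sporadic command frame (volume) gets a low one.
    """
    baseline_counts = defaultdict(int)
    for t, aid, _ in frames:
        if t < baseline_ms:
            baseline_counts[aid] += 1
    windows_in_baseline = baseline_ms / window_ms
    baseline_rate = {aid: c / windows_in_baseline
                     for aid, c in baseline_counts.items()}

    recent = defaultdict(deque)   # per-ID timestamps inside the trailing window
    alerts = {}
    for t, aid, _ in frames:
        if t < baseline_ms:
            continue              # learning period, not monitored
        q = recent[aid]
        q.append(t)
        while q and q[0] <= t - window_ms:
            q.popleft()
        threshold = max(min_count, factor * baseline_rate.get(aid, 0.0))
        if len(q) > threshold and aid not in alerts:
            alerts[aid] = t
    return alerts


def effective_volume(frames, knob_turns, start=12):
    """Toy radio: a bus 'set volume' frame applies immediately; each knob turn
    (timestamps in ms) lowers the level by one step. Returns
    (lowest level seen right after a knob turn, final level)."""
    events = [(t, 0, p[0]) for t, aid, p in frames if aid == VOLUME_ID]
    events += [(t, 1, None) for t in knob_turns]
    events.sort()
    level, lowest = start, None
    for _, kind, value in events:
        if kind == 0:
            level = value
        else:
            level = max(0, level - 1)
            lowest = level if lowest is None else min(lowest, level)
    return lowest, level


if __name__ == "__main__":
    traffic = build_sample_traffic()
    print("flood alerts:", {hex(k): v for k, v in detect_floods(traffic).items()})
    # Constructed: the driver turns the knob down every 100 ms during the flood.
    turns = list(range(10_050, 15_000, 100))
    print("lowest/final level with 50 knob turns:", effective_volume(traffic, turns))
```

With these constructed parameters the volume ID trips the detector at 10.5 s, six messages into the flood, while the engine-speed frame, which is legitimately sent 100 times per window, never does; the toy radio shows the level dipping to 62 after each knob turn and snapping back to 63 on the next frame, which is the measurable-but-inaudible drop flex refers to. A real bus has many periodic IDs and a tighter timing budget, so a production detector would learn per-ID periods rather than a single window count, but the principle is the same: the thing that makes the flood work (sustained repetition of a normally sporadic command) is also its signature.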
doublereed says
Yea, but the NSA can send the FBI after you, so it’s like a combination threat.
The CIA, I’ve never understood the CIA. From what I understand, all they do is undermine our diplomacy efforts and give weapons to our soon-to-be enemies. Have they ever done anything positive for America in the last 50 years?
Marcus Ranum says
Doublereed@#47:
You might enjoy reading Weiner’s “Legacy of Ashes”.
It is a fair summation of the horribleness that is CIA. And he’s generous. Then you can go on and read his book on the FBI…
The money shot on the CIA is “the US needed an agency to do strategic international intelligence, but instead Dulles built a ‘department of dirty tricks’.” And that’s it. CIA sucks at its purpose -- intelligence -- but if you need a democracy overthrown to install a dictator, they’re all about that. Unless it’s Castro. Because the exploding cigars failed.
Marcus Ranum says
PS -- NSA and FBI compete more than they cooperate. Ditto CIA and NSA. If NSA tried to send FBI after someone you’d be more likely to get an inter-agency pissing and sabotaging match than anything else. That is one thing those agencies are excellent at.
anat says
left0ver1under, my husband and I still drive a model 1999 with a stick shift (purchased in 2006). In a few years we will probably need to replace it, we wonder if we might still find another stick model. (Our previous car was indeed a Geo Metro.) We never buy new cars. (I think the newest we bought was 6 years old.)
Dunc says
Re: “mossad threats”… I can’t speak for anybody else, but my understanding of the term is to refer to the sort of people who don’t need to dick around trying to brute-force your password, because they’ve got a cosy arrangement with both the backbone carrier and whoever runs the service you’re accessing, and if needed can simply abduct you and apply rubber-hose cryptanalysis for anything they don’t already have backdoor access to. It’s basically about distinguishing between threats that can be mitigated by conventional means (i.e. strong passwords) and threats that can shoot you in the back of the head.