{"id":2323,"date":"2014-11-19T00:16:41","date_gmt":"2014-11-19T00:16:41","guid":{"rendered":"http:\/\/www.lifeandnews.com\/articles\/?p=2323"},"modified":"2016-08-12T00:37:44","modified_gmt":"2016-08-12T00:37:44","slug":"can-a-hacker-stop-your-car-or-your-heart-security-and-the-internet-of-things","status":"publish","type":"post","link":"https:\/\/www.lifeandnews.com\/articles\/can-a-hacker-stop-your-car-or-your-heart-security-and-the-internet-of-things\/","title":{"rendered":"Can a hacker stop your car or your heart? Security and the Internet of Things"},"content":{"rendered":"<p>By <a href=\"http:\/\/theconversation.com\/profiles\/temitope-oluwafemi-141994\">Temitope Oluwafemi<\/a><em>, University of Washington<\/em><\/p>\n<p>An ever-increasing number of our consumer electronics is internet-connected. We\u2019re living at the dawn of the age of the Internet of Things. Appliances ranging from light switches and door locks, to cars and medical devices boast connectivity in addition to basic functionality.<\/p>\n<p>The convenience can\u2019t be beat. But what are the security and privacy implications? Is a patient implanted with a remotely-controllable pacemaker at risk for security compromise? Vice President Dick Cheney\u2019s doctors worried enough about an assassination attempt via implant that they <a href=\"http:\/\/www.cbsnews.com\/news\/dick-cheneys-heart\/\">disabled<\/a> his defibrillator\u2019s wireless capability. Should we expect capital crimes via hacked internet-enabled devices? Could hackers mount large-scale terrorist attacks? Our research suggests these scenarios are within reason.<\/p>\n<h2>Your car, out of your control<\/h2>\n<p>Modern cars are one of the most connected products consumers interact with today. Many of a vehicle\u2019s fundamental building blocks \u2013 including the engine and brake control modules \u2013 are now electronically controlled. Newer cars also support long-range wireless connections via cellular network and Wi-Fi. 
But hi-tech definitely doesn\u2019t mean highly secure.<\/p>\n<figure class=\"align-right zoomable\"><a href=\"https:\/\/62e528761d0685343e1c-f3d1b99a743ffa4142d9d7f1978d9686.ssl.cf2.rackcdn.com\/files\/64773\/area14mp\/vp9vn5f6-1416270442.jpg\"><img src=\"https:\/\/62e528761d0685343e1c-f3d1b99a743ffa4142d9d7f1978d9686.ssl.cf2.rackcdn.com\/files\/64773\/width237\/vp9vn5f6-1416270442.jpg\" alt=\"\" \/><\/a><\/figure>\n<p><span class=\"caption\">Displaying an arbitrary message and a false speedometer reading on a hacked car. Note it\u2019s in Park.<\/span><br \/>\n<span class=\"attribution\"><span class=\"source\">Karl Koscher<\/span>, <span class=\"license\">Author provided<\/span><\/span><\/p>\n<p>Our group of <a href=\"http:\/\/seclab.cs.washington.edu\">security researchers<\/a> at the University of Washington was able to <a href=\"http:\/\/static.usenix.org\/events\/sec11\/tech\/full_papers\/Checkoway.pdf\">remotely compromise and control <\/a>a highly-computerized vehicle. They <a href=\"http:\/\/www.autosec.org\/pubs\/cars-oakland2010.pdf\">invaded<\/a> the privacy of vehicle occupants by listening in on their conversations. Even more worrisome, they remotely disabled brake and lighting systems and brought the car to a complete stop on a simulated major highway. By exploiting vulnerabilities in critical modules, including the brake systems and engine control, as well as in radio and telematics components, our group completely overrode the driver\u2019s control of the vehicle. The safety implications are obvious.<\/p>\n<p>This attack raises important questions about how much manufacturers and consumers are willing to sacrifice security and privacy for increased functionality and convenience. Car companies are starting to take these threats seriously, appointing <a href=\"http:\/\/www.techtimes.com\/articles\/16367\/20140924\/gm-hires-first-ever-cybersecurity-chief-tech-drives-vehicle-features.htm\">cybersecurity executives<\/a>. 
But for the most part, automakers appear to be playing catchup, dealing with security as an afterthought of the design process.<\/p>\n<figure class=\"align-center zoomable\"><a href=\"https:\/\/62e528761d0685343e1c-f3d1b99a743ffa4142d9d7f1978d9686.ssl.cf2.rackcdn.com\/files\/64620\/area14mp\/2kp3nqxy-1415997285.jpg\"><img src=\"https:\/\/62e528761d0685343e1c-f3d1b99a743ffa4142d9d7f1978d9686.ssl.cf2.rackcdn.com\/files\/64620\/width668\/2kp3nqxy-1415997285.jpg\" alt=\"\" \/><\/a><\/figure>\n<p><span class=\"caption\">Remotely-controlled appliances may mean your house is not remotely secure.<\/span><br \/>\n<span class=\"attribution\"><a class=\"source\" href=\"http:\/\/www.shutterstock.com\/pic-164194643\/photo-privacy-concept-pixelated-home-icon-on-digital-background-d-render.html?src=lb-29877982\" rel=\"nofollow\">Houses image via www.shutterstock.com<\/a><\/span><\/p>\n<h2>Home insecurity<\/h2>\n<p>An increasing number of devices around the home are automated and connected to the internet. Many rely on a proprietary wireless communications protocol called Z-Wave.<\/p>\n<p>Two UK researchers <a href=\"http:\/\/research.sensepost.com\/cms\/resources\/conferences\/2013\/bh_zwave\/Security%20Evaluation%20of%20Z-Wave_WP.pdf\">exploited security loopholes<\/a> in Z-Wave\u2019s cryptographic libraries &#8211; that\u2019s the software toolkit that authenticates any device being connected to the home network, among other functions, while providing communication security over the internet. The researchers were able to compromise home automation controllers and remotely-controlled appliances including door locks and alarm systems. 
Z-Wave\u2019s security relied solely on keeping the algorithm a secret from the public, but the researchers were able to reverse engineer the protocol to find weak spots.<\/p>\n<figure class=\"align-left\"><img src=\"https:\/\/62e528761d0685343e1c-f3d1b99a743ffa4142d9d7f1978d9686.ssl.cf2.rackcdn.com\/files\/64033\/width237\/w552fskz-1415551925.jpg\" alt=\"\" \/><figcaption><span class=\"caption\">Home automation panels allow residents \u2013 and hackers? \u2013 to control internet-enabled appliances.<\/span><br \/>\n<span class=\"attribution\"><a class=\"source\" href=\"http:\/\/commons.wikimedia.org\/wiki\/File:CITIB-AMX.jpg\" rel=\"nofollow\">Jan Prucha<\/a>, <a class=\"license\" href=\"http:\/\/creativecommons.org\/licenses\/by-sa\/4.0\/\" rel=\"nofollow\">CC BY-SA<\/a><\/span><\/figcaption><\/figure>\n<p>Our group was able to compromise Z-Wave controllers via another <a href=\"https:\/\/www.usenix.org\/system\/files\/2013-laser-oluwafemi.pdf\">vulnerability<\/a>: their web interfaces. Via the web, we could control all home appliances connected to the Z-Wave controller, showing that a hacker could, for instance, turn off the heat in wintertime or watch inhabitants via webcam feeds. We also demonstrated an inherent danger in connecting compact fluorescent lamps (CFL) to a Z-Wave dimmer. These bulbs were not designed with remote manipulations over the internet in mind. We found an attacker could send unique signals to CFLs that would burn them out, emitting sparks that could potentially result in house fires.<\/p>\n<p>Our group also pondered the possibility of a large-scale terrorist attack. The threat model assumes that home automation becomes so ubiquitous that it\u2019s a standard feature installed in homes by developers. An attacker could exploit a vulnerability in the automation controllers to turn on power-hungry devices &#8211; like HVAC systems &#8211; in an entire neighborhood at the same time. 
With the A\/C roaring in every single house, shared power transformers would be overloaded and whole neighborhoods could be knocked off the power grid.<\/p>\n<figure class=\"align-center\"><img src=\"https:\/\/62e528761d0685343e1c-f3d1b99a743ffa4142d9d7f1978d9686.ssl.cf2.rackcdn.com\/files\/64034\/width668\/jzspwhdv-1415552380.jpg\" alt=\"\" \/><figcaption><span class=\"caption\">Better to have the white hats find vulnerabilities than the black hats.<\/span><br \/>\n<span class=\"attribution\"><a class=\"source\" href=\"http:\/\/www.shutterstock.com\/pic-126682421\/stock-photo-rear-high-angle-view-of-a-male-hacker-sitting-at-a-desk-surrounded-by-computer-monitors-streaming.html?src=VKt5AocNrbBj7Elr6swK2w-1-81\" rel=\"nofollow\">Man image via www.shutterstock.com.<\/a><\/span><\/figcaption><\/figure>\n<h2>Harnessing hackers&#8217; knowledge<\/h2>\n<p>One of the best practices of designing elegant security solutions is to enlist the help of the security community to find and report weak spots otherwise undetected by the manufacturer. If the internal cryptographic libraries these devices use to obfuscate and recover data, amongst other tasks, are open-source, they can be vetted by the security community. Once issues are found, updates can be pushed to resolve them. Crypto libraries implemented from scratch may be riddled with bugs that the security community would likely find and fix \u2013 hopefully before the bad guys find and exploit them. Unfortunately, this sound principle has not been strictly adhered to in the world of the Internet of Things.<\/p>\n<p>Third party vendors designed the web interfaces and home appliances with Z-Wave support that our group exploited. We found that, even if a manufacturer has done a very good job and released a secure product, retailers who repackage it with added functionality &#8211; like third party software &#8211; could introduce vulnerabilities. The end-user can also compromise security by failing to operate the product properly. 
That\u2019s why robust multi-layered security solutions are vital \u2013 so a breach can be limited to just a single component, rather than a successful hack into one component compromising the whole system.<\/p>\n<h2>Level of risk<\/h2>\n<p>There is one Internet of Things security loophole that law enforcement has taken notice of: thieves&#8217; use of scanner boxes that mimic the signals sent out by remote key fobs to <a href=\"http:\/\/www.usatoday.com\/story\/money\/cars\/2014\/08\/06\/nicb-keyless-entry-break-ins\/13658989\/\">break into cars<\/a>. The other attacks I\u2019ve described are feasible, but haven\u2019t made any headlines yet. Risks today remain low for a variety of reasons. Home automation system attacks at this point appear to be very targeted in nature. Perpetrating them on a neighborhood-wide scale could be a very expensive task for the hacker, thereby decreasing the likelihood of it occurring.<\/p>\n<p>There needs to be a concerted effort to improve security of future devices. Researchers, manufacturers and end users need to be aware that privacy, health and safety can be compromised by increased connectivity. Benefits in convenience must be balanced with security and privacy costs as the Internet of Things continues to infiltrate our personal spaces.<\/p>\n<p><em>Temitope Oluwafemi is a 5th year PhD student at the University of Washington. 
He receives funding from Intel&#8217;s ISTC initiative.<\/em><\/p>\n<p>This article was originally published on <a href=\"http:\/\/theconversation.com\">The Conversation<\/a>.<br \/>\nRead the <a href=\"http:\/\/theconversation.com\/can-a-hacker-stop-your-car-or-your-heart-security-and-the-internet-of-things-33273\">original article<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>By Temitope Oluwafemi, University of Washington An ever-increasing number of our consumer electronics is internet-connected. We\u2019re living at the dawn of the age of the Internet of Things. Appliances ranging from light switches and door locks, to cars and medical devices boast connectivity in addition to basic functionality. The convenience can\u2019t be beat. But what [&hellip;]<\/p>\n","protected":false},"author":39,"featured_media":5588,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[28,8],"tags":[],"_links":{"self":[{"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/posts\/2323"}],"collection":[{"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/users\/39"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/comments?post=2323"}],"version-history":[{"count":2,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/posts\/2323\/revisions"}],"predecessor-version":[{"id":5589,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/posts\/2323\/revisions\/5589"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/media\/5588"}],"wp:attachment":[{"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/media?parent=2323"}],"wp:term":[{"taxonomy":"category","emb
eddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/categories?post=2323"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/tags?post=2323"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}