An Unlocked Backdoor in the Cloud
The increasing use of smaller, dedicated ‘computers’ is transforming what we can expect from our cars and homes in terms of usability, entertainment, efficiency, etc. A variety of groups are proactively highlighting an inherent trade-off for these gains, which is the ability for outside agents to “hack” these systems to potentially create all sorts of . Stomping on the brakes of a 3,500-pound Ford Escape that refuses to stop — or even slow down —produces a unique feeling of anxiety. In this case it also produces a deep groaning sound, like an angry water buffalo bellowing somewhere under the SUV’s chassis. The more I pound the pedal, the louder the groan gets —along with the delighted cackling of the two hackers sitting behind me in the backseat… “Okay, now your brakes work again,” Miller says, tapping on a beat-up MacBook connected by a cable to an inconspicuous data port near the parking brake. I reverse out of the weeds and warily bring the car to a stop. “When you lose faith that a car will do what you tell it to do,” he adds after we jump out of the SUV, “it really changes your whole view of how the thing works.”
This fact, that a car is not a simple of glass and steel but a hackable network of computers, is what Miller and Valasek have spent the last year trying to demonstrate. Miller, a 40-year-old security engineer at Twitter, and Valasek, the 31-year-old director of security intelligence at the Seattle consultancy IOActive, received an $80,000-plus grant last fall from the mad-scientist research arm of the Pentagon known as the Defense Advanced Research Projects Agency to root out security vulnerabilities in automobiles. The duo plans to release their findings and the attack software they developed at the hacker conference Defcon in Las Vegas next month — the better, they say, to help other researchers find and fix the auto industry’s security problems before malicious hackers get under the hoods of unsuspecting drivers. The need for scrutiny is growing as cars are increasingly automated and connected to the Internet, and the problem goes well beyond Toyota and Ford. Practically every American carmaker now offers a cellular service or Wi-Fi network like General Motors’ OnStar, Toyota’s Safety Connect and Ford’s SYNC. Mobile-industry trade group the GSMA estimates revenue from wireless devices in cars at $2.5 billion today and projects that number will grow tenfold by 2025. Without better security it’s all potentially vulnerable, and automakers are remaining mum or downplaying the issue.
“I can see all of the devices in your home and I think I can control them,” I said to Thomas Hatley, a complete stranger in Oregon who I had rudely awoken with an early phone call on a Thursday morning. He and his wife were still in bed. Expressing surprise, he asked me to try to turn the master bedroom lights on and off. Sitting in my living room in San Francisco, I flipped the light switch with a click, and resisted the Poltergeist-like temptation to turn the television on as well. “They just came on and now they’re off,” he said. “I’ll be darned.”
The home automation market was worth $1.5 billion in 2012 according to Reuters; there’s been an explosion in products that promise to make our homes “smarter.” The best known is Nest, a thermostat that monitors inhabitants’ activity, learns their schedules and temperature preferences and heats or cools the house as it deems appropriate. Many of these products have smartphone apps and Web portals that let users operate devices, cameras, and locks from afar. Getting to live the Jetsons’ lifestyle has downsides though; as we bring the things in our homes onto the Internet, we run into the same kind of security concerns we have for any connected device: they could get hacked.
Googling a very simple phrase led me to a list of “smart homes” that had done something rather stupid. The homes all have an automation system from Insteon that allows remote control of their lights, hot tubs, fans, televisions, water pumps, garage doors, cameras, and other devices, so that their owners can turn these things on and off with a smartphone app or via the Web. The dumb thing? Their systems had been made crawl-able by search engines — meaning they show up in search results — and due to Insteon not requiring user names and passwords by default in a now-discontinued product, I was able to click on the links, giving me the ability to turn these people’s homes into haunted houses, energy-consumption nightmares, or even robbery targets. Opening a garage door could make a house ripe for actual physical intrusion.