This weekend we saw the DEF CON security conference in Los Angeles.
DEF CON is a hacker conference where hackers (good and bad kinds) come together to share security findings and clever hacks. Usually the result is some pretty scary news as well as a brief insight into the hacker culture.
DEF CON to FBI/NSA/CIA : “We need some time apart”
Even though DEF CON is all about hacking and security it is not only attended by hackers. Delegates from the FBI, NSA, CIA and the press also attend and often with the consent of the organisers. Last year there was even a keynote speech given by NSA Director Gen. Keith Alexander to the conference attendees.
This year however was different due to the revelations surrounding the PRISM surveillance program and the FBI’s initial denial of such a program existing when queried in an official government hearing last year. The feelings towards the US based intelligence and law agencies have soured very quickly as more evidence of the extent of the PRISM has surfaced. Organisers of this years event simply stated that it would be best for everyone if US intelligence agencies just kept away. The DEF CON culture only just tolerates the presence of government organisations and the press as long as they don’t try to pretend to be hackers or pull a fast one over the attendees. In previous events it was not unusual to see members of the press and government agencies singled out, heckled and ridiculed to the point where they simply left. It would be safe to say that this year would have seen much the same.
Cars hacked – industry put on notice.
The big news to come out of DEF CON this year is that most modern cars are vunerable to hacking and this has been proven with a report from CNET. Three computer security experts attending DEF CON gave a talks to packed rooms of over 1000 people. The hacks performed on two very popular cars in the US demonstrated the impact this could potentially have on road safety by messing with functions such as disabling the brakes, jerking the steering wheel, operating the horn and lights, accelerating, taking full control of the steering, firing pretensioning in the seatbelt and even showing a full tank when it was not.
It must be noted that the dashboard had to be removed and a laptop needed to be hooked up to a few of the EMS (electronic management system) that control almost every aspect of the vehicle but it does highlight the need for security and caution when incorporating wireless technology such as bluetooth, Wifi and Cellular connectivity.
The two models that were hacked were the Toyota 2010 Prius and the Ford 2010 Escape which no doubt left many people feeling very uneasy.
Hopefully the auto industry takes notice of this sooner rather than later.
Home Automation = Home Invasion 2.0
Another scary keynote from the weekend included security problems within our own homes. From the Smart TV to electronic door locks. This trend of having many things attached to your home network is expanding the digital playground for hackers. Demonstrations over the weekend included the bypassing of smart door locks to taking over a child’s toy containing a camera and even the Smart TV with built in cameras and access to apps can put your banking at risk if you bank on the TV and even watch you in your own home without you knowing. People have to very careful when putting together a home network and attaching these devices to the network.
Snapchat is not as secure as you thought.
Another scalp claimed at DEF CON is snapchat and facebook poke. Both revealed to not securely delete old pictures taken by two digital forensic investigators. By examining the phones internal storage, monitoring the data sent and pinging the servers used by the app, it is possible to obtain a copy of the messages, before during and after you send a picture to a friend.
GoPro hacked to become a spycam.
This is a feature you do not want. The old story that increased features also increase the chances for thing to go wrong was proven in this presentation from Todd Manning and Zach Lanier. With all the smarts built into these cameras, the avenues for mischief are many resulting in your shiny GoPro camera acting as an audio or video bug. Great that you get to share your rad mountain biking or surfing adventures live but not so cool when your private life is shared with people that might not have the best plans for you.
Power plants are not safe.
Even the humble control gear used to run industrial installations like power plants are vunerable to attack. Once again, adding connectivity without proper security in place has opened the door that can allow ne’er do wells to send radio signals to the control and sensor gear to trick the power plant to shutting down from up to 60km away.
The potential effects could range from a small fluctuation to actual damage to the installation depending on the kind of information sent to the power plant.
Not even medical technology is safe.
Pacemakers were also on this years agenda as they also have been given wireless capabilities without adequate security. Of the hundreds of thousands of pacemakers and internal defibrillators implanted over the last few years, many of them include wireless communications for the purpose of reprogramming and monitoring by medical professionals. Unfortunately this also allows scenarios where hackers can stop your heart from 10 meters away.
Even with all these scary stories coming out it is important to note that in most cases, the manufacturers responsible for the faults have been notified well in advance of DEF CON and hopefully are attending to these issues if they have not already been fixed. The whole purpose of this exercise is to help manufacturers find better ways to secure their products instead of hold an anarchist’s how to lecture.