This blog was written by Bruce Snell.
Last week I went to one of the few places hotter than it is here in Texas: Las Vegas. Every year, the security industry gathers for a week of education, demonstration and socialization at Black Hat, DefCon and BSides. A lot of people in the industry use these conferences as a time to reveal research they have been working on. I saw a really interesting talk given by Dr. Zinaida Benenson on what gets people to click on malicious links. Cyberwarfare is an area of interest for me, and Kenneth Geers presented an excellent (and too short!) briefing on the ongoing conflict between Ukraine and Russia. However, a few topics made a big enough splash in the news that one of the flight attendants on my flight home asked me about them after finding out I was leaving the conference. Of course, while some of these hacks might sound frightening, you shouldn’t be too scared yet.
Ransomware for smart thermostats
Coming out of the “IoT Village” at DefCon, two researchers revealed that it was possible to load malware on a smart thermostat. As I mentioned before, it’s currently hot here in Texas. Imagine coming home looking to get out of the 101 degree weather only to find that ransomware has infected your thermostat and you now have to pay $100 or your thermostat will be stuck at 99!
Now don’t go ripping out your ecobee3 just yet. In order to get this to work, the malware had to be loaded directly onto the thermostat. The model used is basically a small Linux box with a touch screen. The manufacturer provided a memory card slot so that customers can upload their own photos. However, the device does not check that the files being loaded are actually photos. The researchers were able to load their malware simply by inserting an infected SD memory card into the device.
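The weak spot described above is that the device trusts whatever lands on the memory card. The following is an added, illustrative example of the defender-side check that was missing; it is not the thermostat vendor's firmware and not code from the researchers. It assumes the device copies photos from a mounted card into a slideshow folder, and it decides whether each file really is an image by looking at the file's leading and trailing bytes rather than its name.

```python
"""Added example: accept only real image files from removable media.

Illustrative defender-side code, not the thermostat vendor's firmware.
It assumes the device imports photos from an SD card and should refuse
anything that is not an image, regardless of the file name.
"""
from pathlib import Path

# Leading bytes ("magic numbers") of the image formats a photo slideshow
# would reasonably accept. The file name's extension is NOT trusted.
IMAGE_SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Trailing bytes each format ends with; a file that starts like an image
# but does not end like one is truncated or has something appended.
IMAGE_TRAILERS = {
    "jpeg": b"\xff\xd9",
    "png": b"IEND\xaeB`\x82",
    "gif": b"\x3b",
}

# Extensions allowed for each detected format.
EXPECTED_EXTENSIONS = {
    "jpeg": {"jpg", "jpeg"},
    "png": {"png"},
    "gif": {"gif"},
}

# Headers of things that should never be treated as a photo, whatever the
# file is called: Linux ELF binaries, Windows PE binaries and shell scripts.
EXECUTABLE_SIGNATURES = (b"\x7fELF", b"MZ", b"#!")

MAX_IMAGE_BYTES = 8 * 1024 * 1024  # assumed size budget for one slideshow photo


def sniff_image_type(data: bytes):
    """Return 'jpeg', 'png', 'gif' or None based on the leading bytes."""
    for kind, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def validate_photo_bytes(data: bytes, declared_name: str):
    """Decide whether `data` may be imported as a photo.

    Returns (accepted, reason): the detected format on success, the
    rejection cause on failure.
    """
    if not data:
        return False, "empty file"
    if len(data) > MAX_IMAGE_BYTES:
        return False, "file exceeds size limit"
    if any(data.startswith(sig) for sig in EXECUTABLE_SIGNATURES):
        return False, "executable content"
    kind = sniff_image_type(data)
    if kind is None:
        return False, "not a recognised image format"
    if not data.endswith(IMAGE_TRAILERS[kind]):
        return False, f"{kind} data is truncated or has trailing content"
    extension = Path(declared_name).suffix.lower().lstrip(".")
    if extension not in EXPECTED_EXTENSIONS[kind]:
        return False, f"extension '.{extension}' does not match {kind} content"
    return True, kind


def select_photos(card_root: Path):
    """Walk a mounted card; return (accepted, rejected) lists of (name, reason)."""
    accepted, rejected = [], []
    for path in sorted(p for p in card_root.rglob("*") if p.is_file()):
        ok, reason = validate_photo_bytes(path.read_bytes(), path.name)
        (accepted if ok else rejected).append((path.name, reason))
    return accepted, rejected


if __name__ == "__main__":
    import tempfile

    # Constructed sample files standing in for the contents of an SD card.
    samples = {
        "vacation.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9",
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32 + b"IEND\xaeB`\x82",
        "family.jpg": b"\x7fELF" + b"\x00" * 60,        # binary renamed to .jpg
        "update.gif": b"#!/bin/sh\necho hello\n",       # script renamed to .gif
        "cut.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,    # truncated JPEG
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, data in samples.items():
            (root / name).write_bytes(data)
        accepted, rejected = select_photos(root)
    print("accepted:", accepted)
    print("rejected:", rejected)
```

The order of the checks matters: executable headers are rejected before any image detection runs, so a renamed binary never reaches the format-specific logic, and the trailer check rejects files that merely begin with an image header. Magic bytes alone do not prove a file is a well-formed image, so the real fix is for the device to decode imported files with a proper image library in a low-privilege process and never execute anything read from the card.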
So while your thermostat most likely isn’t going to be hacked while you’re reading this, it does show the potential for bad guys to continue to attack our homes via devices most people don’t think twice about.
Jeep Hack Version 2
You might remember the big story last year when two researchers remotely hacked a Jeep from their couch while it was driving down the highway. This year, they unveiled a new batch of attacks that took control of braking, acceleration and steering at any speed. They were able to bypass a number of safety controls in the vehicle by plugging directly into the car’s CAN network and sending signals that took advantage of the cruise control and parking assist components of the car.
While this could certainly be disastrous for a distracted driver (the researchers said that the driver could easily override any of the commands), we have to keep in mind that this would require someone in the car to have a laptop plugged directly into the vehicle’s onboard diagnostic (OBD) port in order to execute any of these hacks. You’d probably notice someone sitting in your passenger seat trying to plug into the port under the driver-side dashboard. It’s something that people should think about, but not freak out over.
Automated Spear Phishing
While the previous two hacks weren’t necessarily something the average person has to be concerned about right away, a couple of projects were revealed that you should definitely be aware of. Two researchers developed a new tool that uses an automated bot to analyze information from a person’s Twitter and Facebook posts to create a phishing campaign with a much greater chance of tricking someone into clicking on a link. The bot, called SNAP_R, looks at what someone posts and when, and which topics they post about or respond to. It then creates a message that resembles something their target would read and click on.
What does this mean for you? We could very well see an increase in phishing campaigns happening across Twitter and Facebook. Unfortunately, even if you are extremely diligent about thinking before you click a link, that doesn’t mean all your friends are. Cybercriminals love using a compromised account to spread malware to others. If you get a weird instant message on Facebook from a friend, they may have had their account compromised. In their study, the researchers noted that up to 60% of the messages generated by their tool were clicked on. Keep an eye out for more phishing in the future!
Danger Drone
If you’re a fan of Top Gun or Archer, the song by Kenny Loggins probably popped into your head when you read “Danger Drone.” This project started because Fran Brown was watching the movie and thought “Danger Drone” would be a great name. This turned into a $500 Raspberry Pi / quadcopter combo that is effectively a flying hacking laptop. Many “smart home” devices suffer from security issues. A device may be hackable, but since it doesn’t directly connect to the internet the risk seems low. With something like a Danger Drone, that risk could increase dramatically.
Those of you at home might be asking, “why create something like this?” With most projects like this, the intention is not to make the bad guys’ lives easier. It’s actually to raise awareness of the issues and push manufacturers to pay closer attention to security. Many times a company will be alerted to a security vulnerability but won’t make any effort to fix the problem until it becomes public knowledge. In the case of the Danger Drone, the goal is to give security professionals better tools to assess the security of an organization and to raise awareness of the security issues around the Internet of Things (IoT).
So What Can I Do to Stay Safe?
The smart thermostat and Jeep hacks should not impact the average person at all since they both require physical access to the devices. Those are meant to raise awareness of the issues. While not something you have to deal with today, it’s definitely something you need to be aware of.
For the spear phishing bot and the Danger Drone (my new favorite term), you can use some basic security practices to help keep yourself safe.
- Update – For traditional laptops, tablets, smartphones and any smart device such as smart thermostats, connected light bulbs or smart TVs, it is extremely important that you are vigilant about keeping your devices up to date with the latest software patches and updates. This will help protect against viruses and ransomware, as well as against a Danger Drone flying overhead looking for security holes.
- Be Skeptical – Phishing is an extremely common way to spread malware and steal personal information. With the advent of tools like SNAP_R, we should expect to see phishing continue to increase. Always think twice before clicking on a link you were not expecting, even if it’s from someone you know.
- Use Security Software – Just in case you do accidentally click on a malicious link, having comprehensive security software installed on your device will help stop malware from infecting your system.
I always enjoy my yearly pilgrimage to these security conferences and it’s always my hope that the tools and techniques presented there can help make our digital world a safe place.