There is a new global arms race afoot. In June of 2010, a computer virus emerged that proved to be vastly more sophisticated than any previously seen. It has been called a "cyber missile", an elaborate worm designed to attack and disrupt industrial programmable logic controllers, primarily impacting those in Iran, Indonesia and India. That worm, known as Stuxnet, was a highly sophisticated, organized attack with signs pointing to a jointly developed USA-Israel virus as an effort to degrade and destroy Iran's nuclear program in the absence of airstrikes. With the existence of Stuxnet, the bar had been raised. No longer the hobby of obsessive hackers, the creation and dispersal of viruses had now expanded to organized military affairs, designed and deployed as weapons toward political goals.
“Certainly the concern of hacking connected [incidents] is one that’s increasing rapidly,” Troy Hunt, a Microsoft MVP for developer security, tells Hopes&Fears. “It's probably worth noting that there’s enormous pressure to rush these into a very competitive marketplace and inevitably that exacerbates the security problem as shortcuts are taken. The other angle is that more connected things simply mean a larger attack surface so the raw number of breaches goes up accordingly (all else being equal, of course).” And with that pressure comes a new industry, and money to be made. Whereas the cost to develop viruses like Stuxnet had previously been estimated at around $100m, in recent years that cost has plummeted to just $10,000. The botnet known as GameOver Zeus was estimated by the FBI to have caused losses of up to $100m or more. A single organized group of Chinese hackers was estimated to have targeted industries as diverse and central as transport, financial services, navigation, food and agriculture, satellites, scientific research, construction, aerospace and mining. “Robbing one person at a time using a knife or gun doesn’t scale well. But now, one person can rob millions at the click of a button,” says Marc Goodman of the Future Crimes Institute. It is estimated that roughly 20% of North Korea's military budget goes to cyber warfare.
Where there’s money to be made, competition will be fierce, and that competition leads to increasingly innovative cracks and viruses being exposed and created. Although many say such fears are overblown, US intelligence officials place the cost of cyber crimes at $475 billion per year and growing quickly. But stealing money and disrupting nuclear centrifuges isn't enough for some hackers. Others see deeper challenges in cracking the system software of surgical robots, sewer systems and the electrical grid. Medical devices in hospitals are already "rampant" with viruses, having been thoroughly compromised.
Australian Microsoft Most Valuable Professional for Developer Security (not actually a Microsoft employee)
Hunt has been building web applications for various industries since the earliest days of the web in the mid '90s. An Australian based in Sydney, he also runs haveibeenpwned.com, an online resource for users to check if their accounts have been compromised ("pwned") in a mass data breach.
Was it or wasn't it?
The most recent high-profile hack may not have been a hack at all. On July 8th, the New York Stock Exchange mysteriously shut down due to what authorities reported as a "glitch." Very few people were willing to rule out a cyber attack, though, and almost immediately it was discovered that the Twitter account for Anonymous had posted a cryptic reference the previous day. "Wonder if tomorrow is going to be bad for Wall Street.... we can only hope," the tweet read. Almost simultaneously with the NYSE, the Wall Street Journal's website and other high-profile financial sites went down, which has further fueled speculation that a hack was to blame. A full investigation into the incident is ongoing.
Recently, even hacking firms are themselves subject to being hacked, rendering the valuable viruses they’ve concocted, sometimes for sale to repressive governments, effectively worthless. Ryan Dewhurst, of Dewhurst Security, urges us not to be afraid of hackers using their technical prowess to imminently endanger human life: “I think the most damage an electronic attack ('cyber attack') can cause today is financial and political. Just last week, Hacking Team, a company who sold viruses to repressive governments, police agencies and intelligence agencies for the purpose of spying on their own people were severely hacked. The very viruses they sold have now been released online for anyone to study, meaning the very core of their business, their Intellectual Property (IP) is now mostly worthless. Not only that, their internal files show who they have sold their malicious software to, who is using it and for what purposes; a political minefield. Cases like Hacking Team's are much more likely today. We have seen the same with the Sony Pictures Entertainment breach from last year and many other countless examples.”
Jack Daniel, a well-known infosec blogger, analyzes the risk as such: “If I tell my local coffee shop all of the threats they face for using a crappy point-of-sale credit card processing system they’ll simply shut down and ignore me. If I tell them the Internet is cool, but can be scary, and they should really hound their service providers about not using any common or default passwords, they’ll be safer and my credit card will be safer. Not safe, but safer.” Jack stresses, however, that we keep things in perspective: “The thing to remember is that the entire Internet, as well as most networks and computer systems, is completely broken. Yet they continue to drive the global economy in ways previously unimaginable.”
The following, however, is a list of just some of the ways hackers will be able to kill, hurt or rob you from anywhere with an internet connection. If you're not scared now, you will be.
Has reported vulnerabilities to such companies as Facebook, PayPal, Apple Inc and Mozilla. A native Englishman now living in France, Ryan shares his thoughts and insights on security via his blog. As a student he developed Damn Vulnerable Web App (DVWA), a widely popular tool for teachers and students to teach app security in a classroom environment.
Amateur blacksmith, curmudgeon, blogger, and infosec expert
Jack hosts a weekly security podcast (every Thursday night at 6:00pm!), and is the co-founder of Security BSides, a series of meetings for those in the infosec community in an environment that invites collaboration.
See additional sources at the bottom of this page.
Remotely disabling a car's brake system, or jerking the steering wheel at will, with a simple laptop is not just on the horizon; it's here. As early as 2013, hackers were able to remotely gain access to cars and control them, including their brakes and lock systems. More recently, a $60 DIY device has been released which makes car hacking easier than ever. And this is what's going down before driverless cars hit the road.
Opening all the doors at maximum security prisons
A pair of hackers, with only two hours and $2,000, were able to access and control prison lock systems. "Why are these locks even connected to the internet?" you may be asking. "Where there exists a computer, there's still a chance of breaking that computer," said Teague Newman, one of the two hackers who pulled off the demonstration.
Crashing a US government drone into you isn't just an arrow in the government's quiver. For only $1,000, researchers at an Austin, Texas college were able to control a drone via GPS spoofing. Even the infamous, militarized Reaper drones are vulnerable. And the information necessary to hack such drones is accessible via a simple Google search. While the security and protections of government drones will surely improve, there's always the increase of civilian drones on the horizon as well as Amazon's planned delivery service. What will happen when a hacker commandeers that delivery of Infinite Jest? Destruction, that's what.
The company that operates South Korea's 23 nuclear reactors was hacked in March and threatened with “destruction” by a hacking group bearing the hallmarks of North Korean hackers. Sensitive technical data was also leaked. It all started with nearly 6,000 phishing emails being sent to employees of the company, in an attempt to gain access to the system. Likewise, the previously mentioned Stuxnet virus destroyed roughly a fifth of Iran's nuclear centrifuges by causing them to spin out of control.
Scrambling air traffic control
The FAA’s infosec plans have not been updated since 2010, rendering them incredibly vulnerable. Polish hackers grounded 10 flights for nearly five hours just last month. Obviously, the fear is that someone with malicious intent and some top-notch skill might want to turn the skies into a demolition derby.
Shutting down the electrical
Shutting down the entire electrical grid of a city, possibly killing hundreds. Last year alone, there were 79 attacks on the energy grid. As we shift to greener energy, we are also adding more points of access for hackers. Smart meters, a new innovation, are an incredible boon to hackers, who may use them to gain control over the entire grid.
Hacking into city streetlight systems to cause slowdowns and accidents. In 2006, two LA engineers were able to infiltrate the traffic light system, despite being locked out, and increase red light times at key intersections across the city, deliberately clogging key intersections. More recently, researchers found that hacking into these traffic systems is incredibly easy, as many have open wireless and use the default passwords. RedYellowGreen is probably up there with 1234 as far as secure passwords go.
Hacking into weather satellites to disrupt crucial warnings. Last year (noticing a trend?), Chinese hackers breached a National Oceanic and Atmospheric Administration web server, possibly skewing near- and long-term weather predictions. Not only that, but despite the hack occurring in September, agency officials didn’t come forward about the hack until October 20th.
Hitting you on your health
Changing the values in hospital infusion pump software to remotely kill patients via overdose isn't just likely, it's real. Hackers don’t even need physical access to these pumps because they are connected to the hospital networks, which are then connected to the internet. There are about 400,000 of these drug infusion pumps in the world, and, according to security researchers, they are so trivially easy to hack that a single typo can render them inoperable.
Altering the glucose regulation of an artificial pancreas to kill diabetics in their sleep. Bionic pancreases have already been hacked to add functionality for benevolent, white hat purposes. However, as the information they transmit is unencrypted, and they increasingly become connected to cloud services, they become more and more vulnerable.
Flying a missile into you
Accessing and controlling missiles and missile defense systems, either to use them directly or steal their designs to subvert their efficiency. Or to blow them up. Just this year, Germany’s Patriot missile defense system was infiltrated by hackers, making it carry out “unexplained” orders. Even our nuclear missile arsenal isn’t safe. While the White House is just finishing up the historic negotiations over Iran's nuclear weapons, they may find their own weapons to be a massive blind spot.
Disabling home security and smoke/fire alarms. A few minutes is all it takes for most home security systems to be compromised. Almost anything with a wireless connection is a gateway for hackers into your smart home, but smart cameras are especially egregious. A security research firm recently tested 16 home camera systems and found them all extremely vulnerable. It took an average time of 20 minutes to break into cameras, leaving those who thought they were secure in the position of being surveilled by anyone who wants it bad enough.
This machine will self-destruct in 5 seconds
Turning your Apple laptop into a firebomb. As the chips that regulate batteries ship with default passwords, they can be easily hacked, and made to heat up, or yes, even (possibly) explode. Even regular old cell phones can (possibly) be remotely triggered to explode by malicious hackers. Charlie Miller, the hacker that first demonstrated this technique, says, "I’d just wrapped a presentation on iPhone hacking and wanted to work on something more flashy ... Like, could I set my sister’s laptop on fire?"
Railroad crossings get all crossed up
Switching railroad signals up so that trains crash. A newly implemented digital, smart, connected system to increase efficiencies and safety opens up a whole new galaxy of possibilities for hackers. Thankfully, this is one of the only areas on this list wherein there is no proof-of-concept. But it’s 'only a matter of time.'
ILLUSTRATIONS: Rhett Jones COVER: Serge Rodionov ADDITIONAL SOURCES: New York Times, The Economist, Wired, Washington Post, The Hindu, Reuters, Troy Hunt, Microsoft, International Business Times, FBI, The Economist, Future Crimes, The Independent, ZD Net, Gigaom, PC World, Cyberlympics, 82 Apps, Pico CTF, Wired, Bloomberg, Technology Review, NPR, Technology Review, CSO Online, RSF, Venture Beat, Twitter, Dewhurst Security, RSF, Twitter, Uncommon Sense, Forbes, Computer World, Wired, CNN, Popular Science, RT, Defense One, GA-ASI, CCD COE, Zero Hedge, Wall Street Journal, Ars Technica, Reuters, Business Insider, CNN, CNBC, CNET, Yale, CNN, Bloomberg, IE Explore, Nick Hunn, Los Angeles Times, Los Angeles Times, Ars Technica, CNN, Business Insider, Washington Post, CNN, Wired, BBC, Security Affairs, CNN, IEEE, Wired, Washington Post, New York Times, Defense World, The Local, Time, Consumerist, Gigaom, Info World, Forbes, Ars Technica, TED, Huffington Post, BBC, Microsoft, Have I Been Pwned, BGR, WND, Coin Telegraph, Newsweek, Dewhurst Security, Hackers Use This, Ethical H3cker, Damn Vulnerable Web App, Uncommon Sense, Security Weekly, Security B-Sides