Can You Hack It?
Everything electronic you own—iPhone to subway card to power strip—can be hacked. So how to defend yourself?
Wherever you’re sitting right now,
take a moment to note the connected devices around you. In your pocket
or handbag, you probably have an electronic key fob and perhaps a
rechargeable subway card embedded with RFID. You likely have a
smartphone, which is connected to a Wi-Fi network and also has
voice-mail service. You might be wearing a Nike FuelBand, or a Fitbit,
or possibly even a new pair of Google Glass. Maybe you can spot a
traffic light or an orange highway sign out of your window. A power
strip is likely not too far away.
All of these devices share one thing in common: They can be hacked.
As we herald the coming Internet of Things, it’s easy to forget that
our ever expanding tech playground is mostly unsupervised. There is no
playground teacher to blow a whistle when another kid takes control of
your Bluetooth headset. There is no Norton antivirus software for your
garage door opener.
If you can plug it in or connect it to a network, your device—no
matter what it is—can be harnessed by someone else. And that someone
doesn’t have to be a Chinese superhacker to do some serious damage with
it, either on purpose or by accident. It can be your Uncle Roger, who
doesn’t have his new iPhone figured out and is cluelessly turning your
lights on and off via your Belkin WeMo.
I’m a hobbyist. Because I study emerging technology and the future of
media, I’m often tinkering, breaking things, and putting them back
together. Once, I wanted to see if I could break into the protected
Wi-Fi network we set up for my daughter at home. Less than an hour
later, I’d failed to penetrate her network but managed to shut down the
main network for our house. Which I knew, because of my husband’s sudden
yelling upstairs: “Why is the IRS website redirecting to Sesame
Street?!”
Part of what makes new technology so exciting is that, unlike the old
days, it works right out of the box. You no longer need to know how to
build a computer, connect a modem, run a terminal emulator, and install
bulletin board system, or BBS, software in order to send a racy message
to a co-worker. Now any tech idiot can download Snapchat and
accidentally send a racy photo to his sister-in-law. The tech playground
is more accessible and, as a result, increasingly problematic.
Just after the annual Black Hat
Internet security convention a few months ago in Las Vegas, I asked a
group of my friends—a Navy engineer, a professional hacker, and a
hobbyist—to help me come up with a quick list of devices that will be
vulnerable during the next few years as the Internet of Things becomes
widespread. Here’s our (incomplete) list. (Entries with a * are those
we’ve tried hacking at home, for fun.):
Obvious
smartwatches*
smartphones*
computers*
tablets and phablets*
home computer locks*
the cloud (services, storage, software)
ATMs at banks
printers
GPS devices*
Wi-Fi routers*
webcams*
thumb and portable USB drives
hotel and gym safes (they tend to use a single default passcode)
cable box or DVR
voice mail (especially those with a global call-in number that doesn’t lock out after successive failed attempts—we saw this with the News of the World scandal)
Less Obvious
power strips (can be infected with malware)
power cords for your devices (code can be implanted)
luggage trackers (such as the Trakdot)
connected glasses (Google Glass, Oculus Rift. As of now, Google’s QR barcodes for Wi-Fi store the full access point name and password as plain text)
gaming consoles: PS3, Kinect, Nintendo*
refrigerators (such as Samsung)
cars with computer operating systems
smart pens (like the Livescribe)
gesture control devices (such as the Leap)*
SD cards
cameras
smart alarm clocks*
coffee makers
key fobs
light switches*
moisture sensors*
kitchen and pantry trackers (such as Egg Minder)
insurance driving monitors, such as Progressive’s Snapshot device
traffic lights (MIRT transmitters can change lights to green in two to three seconds)
highway signs that spell out text
And we didn’t even get into medical devices, which are frighteningly exposed to mischief.
The proliferation of all this technology creates a constant need to
keep devices updated and secure. Perhaps the most vulnerable object in
any American house is the cable box, because it is so rarely updated.
If what I’m saying makes you uneasy, you’re not alone. There are
plenty of new products exploiting the fears of techno-theft, promising
to keep you locked down and safe, such as this neck security wallet
from REI, which says it’ll block criminals from scanning the RFID chip
in your passport. I travel to a lot of different countries every year
for work. I’ve had zero attacks on my passport. On the other hand, I’ve
had two laptops and an iPhone compromised.
So how should we think about our constant vulnerability? I make a
daily assumption that everything I do is hackable, but almost nothing I
do is worth hacking. I have an awareness of potential vulnerabilities,
and I’m trying to develop an evolving set of street smarts. You should,
too.
For example, since I do a lot of work on the road while I travel, I
now carry my own Wi-Fi hotspot. I can use a secure virtual private
network to send and receive email and to access content that I have
stored in the cloud. (To be sure, that network can be hacked, too, but
at least I can watch the logs of what’s coming and going and attempt to
fight off intruders.)
I also keep this network cloaked, meaning that I haven’t named it
“Amy Webb’s Hotspot.” I routinely look at networks, just for fun, and
I’m astonished at how many people use their own names or the names of
their companies. Instead, I’ve changed the names of all of my devices to
my mobile phone number. That way, if my laptop is lost or stolen,
someone will see a phone number rather than my name, which I hope means
there will be less of an incentive to poke around my machine to see
what’s there.
My passwords are easy to remember but difficult to crack. According
to my hacker friend, you’re best off with a long phrase that also
includes numbers and at least one capital letter. Something like
“Iwant99pizzasand12beersfordinnertonight” is actually more secure than
“Gx1U2y,” because the algorithms that are used to crack passwords have
to process many more computations the longer a password is, and as of
now they’re mostly not using natural language processing. Speaking of
passwords, I change them weekly. It should go without saying that each
one of your networks and devices should have a different password. When
was the last time you changed yours? Because I know you’re wondering:
There is no workaround for this and no way to game the management of
your own passwords.
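An added worked example (not from the original article) of the length argument above: it estimates the search space for the two passwords quoted in the text, first for a character-by-character search and then for a word-aware guesser, the case the article says crackers mostly do not yet cover. The word list, dictionary size and guessing rate are constructed assumptions.

```python
import math
import re

# Constructed demo values (assumptions, not from the article):
WORDS = {"i", "want", "pizzas", "and", "beers", "for", "dinner", "tonight"}
WORDLIST_SIZE = 20_000       # assumed size of a cracking dictionary
GUESSES_PER_SECOND = 1e10    # assumed offline guessing rate

CLASSES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33)]

def pool_size(pw):
    """Character pool implied by the classes present in pw."""
    return sum(size for pattern, size in CLASSES if re.search(pattern, pw))

def brute_force_bits(pw):
    """log2 of the keyspace for a character-by-character search."""
    return len(pw) * math.log2(pool_size(pw)) if pw else 0.0

def segment(pw):
    """Greedy, case-insensitive split into known words and digit runs; None if it fails."""
    s, tokens, i = pw.lower(), [], 0
    while i < len(s):
        digits = re.match(r"\d+", s[i:])
        if digits:
            tokens.append(digits.group())
            i += digits.end()
            continue
        for j in range(len(s), i, -1):      # longest dictionary word first
            if s[i:j] in WORDS:
                tokens.append(s[i:j])
                i = j
                break
        else:
            return None
    return tokens

def word_model_bits(pw):
    """Bits if the attacker guesses whole words and digits instead of characters."""
    tokens = segment(pw)
    if tokens is None:
        return None
    return sum(len(t) * math.log2(10) if t.isdigit() else math.log2(WORDLIST_SIZE)
               for t in tokens)

def estimate_bits(pw):
    """Most pessimistic (lowest) estimate across both attacker models."""
    word_bits, brute = word_model_bits(pw), brute_force_bits(pw)
    return brute if word_bits is None else min(brute, word_bits)

def seconds_to_exhaust(bits):
    return 2 ** bits / GUESSES_PER_SECOND
```

The word-model figure treats each word as chosen independently from the dictionary, so it is an upper bound: a grammatical sentence is more predictable than that.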
Another good rule is to turn off your peripherals when they’re not in
use. Don’t leave your nanny cam on all day long. Same goes for
nonessentials on your network, such as additional computers, game
consoles, and the like. The more things you have plugged in, the more
opportunities there are for penetration. Be cognizant of who’s plugging
what into your network and connected devices. An innocent-looking thumb
drive can destroy your computer within seconds. I’m not preaching
abstinence here, but I am saying that computer viruses can be as
menacing as sexually transmitted diseases: invisible to the naked eye,
but most of the time totally preventable with the right precautions
taken in advance.
More importantly, I’d argue that all this hacking isn’t necessarily a
bad thing. A lack of rules is actually helpful for our burgeoning
Internet of Things. I’d much rather that we all come to a good
understanding of how our machines work than to start imposing
regulations and restricting access. Sometimes, a collaborative hacking
effort yields beneficial results for all. For example, the city of
Philadelphia launched a contest and invited hackers to create apps and
widgets to help citizens receive updates on emergencies and city news
and to contact city administration. During Superstorm Sandy, Philly311 was the 33rd most-downloaded app in the country. The city since partnered with Random Hacks of Kindness and Code for America to bring local hackers together with residents, share knowledge, and build more resources.
The tech playground is open to all, offering a fantastic opportunity
to teach kids how to use and control the many devices that are
inextricably tied to their futures. The more they break, the more
they’ll learn how to collaborate, fix, and innovate. Organizations like SparkFun Electronics are using next-generation open-source code to show everyone how to build and hack our Internet of Things.
Open networks are vital to innovation, even if they aren’t totally
secure. Personally, I’m looking forward to 50 years from now when I
think the wrong sequence while looking at the light fixture in my
grandchild’s house and accidentally cause a blackout.