Nick Bilton, a New York Times tech columnist, had his 2013
Toyota Prius broken into three times, and others in his neighborhood also
experienced break-ins. All the cars in question used a remote keyless unlocking
system. The system works in this way: when the car detects a wireless key fob
carried by the driver, it unlocks its doors. The car’s range for this detection
is just a few feet. Unfortunately, the security flaw used in this case allows
anyone with a power amplifier (not a very expensive device) to walk up to the
car and amplify its key-searching signal, which allows the car to detect the
keys when they’re much farther away than a few feet. When the car detects the
keys, it unlocks. The car’s signal is amplified enough so that if the car were
in a driveway (or on the street if close enough), and the keys were in the
house, the key fob would be detected and the car unlocked. In the case of Nick
Bilton, the keys were “sitting about 50 feet away, on the kitchen counter.”
This type of attack is described in detail in this paper.
This is just one instance of security issues in automobiles,
and it’s not the first time cars have been subject to security flaws. Back in
2013, security researchers presented their findings at Defcon 21 regarding
hacks they found against cars. In a much more sophisticated attack than the
power amplifying device, these researchers connected to the car’s electric control
units (ECUs) and were able to inject “rogue signals into it included disabling
the breaks while the car was in motion, jerking the steering wheel,
accelerating, killing the engine, yanking the seat belt, displaying bogus
speedometer and fuel gauge readings, turning on and off the car's lights, and
blasting the horn.” While all of this happened while the researchers were
physically connected to the ECUs, they were able to “achieve persistent attacks
by modifying the ECU firmware to send rogue signals even when they were no
longer physically connected to the control units.” As vehicles become
increasingly computerized, there will no doubt be many more issues.
Similarly, other devices that are becoming computerized are
also at risk. Medical devices with wireless communication functionality have
been shown to be vulnerable to attacks. In a proof of concept, Barnaby Jack demonstrated
how he was able to instruct insulin pumps, worn by diabetics, to release their
contents into the wearer’s body. This could be done from quite far away, as he
was able to “scan a public space from up to 300 feet away, find vulnerable
pumps made by Minneapolis-based Medtronic Inc., and force them to dispense
fatal insulin doses.” Other medical devices are also vulnerable to attack, such
as a “popular pacemaker-defibrillator,” which could be “remotely reprogrammed
to deliver deadly shocks.”
These cases highlight how important it is for manufacturers
to focus on security. In some cases, such as the automatically unlocking car
door, perhaps the security risks outweigh the convenience. In any case, in an increasingly
computerized and connected world, taking security serious is a necessity.
No comments:
Post a Comment