We know emails can get hacked. But what about solar panels?
The computer security industry’s annual pilgrimage to Las Vegas this week for a trio of conferences will hash out the myriad, creepy ways criminals can breach our increasingly connected world.
Among this year’s talks: the possibility that drones perched high up on buildings could link into unsecured networks, the ease with which even a bored teenager could take over an Airbnb rental’s Wi-Fi, ransomware used to hijack connected cars, and how a hacked rooftop solar array could destabilize an entire power grid.
Black Hat is the largest of the three gatherings, counting over 11,000 in attendance last year, and the most prestigious. Of the two others, DefCon is more for hackers while BSides is more technical.
“The bad guys communicate really, really well. They have an entire ecosystem for sharing and monetizing techniques. Our corporate security community doesn’t have those tools, but we have Black Hat and DefCon and BSides,” said Gunter Ollmann, chief security officer at Vectra Networks, a security firm based in San Jose.
These are the hacking scenarios that have got the cybersleuths talking:
Wi-Fi dangers at vacation rentals
In the “so easy, and yet so dangerous” category comes a talk Thursday by security intelligence researcher Jeremy Galloway of cloud software company Atlassian in Austin, Texas.
When on a snowboarding trip in Colorado with some friends recently, he realized their Airbnb rental came equipped with Wi-Fi — and that the Wi-Fi router was sitting in plain sight.
All he had to do to get into the server was pick up the router, unbend a paperclip and use it to reset the router. At that point he could have put a snooping program in place that could watch the Wi-Fi network long after he had checked out, sending updates that could include other guests’ login credentials and passwords to multiple networks.
The danger is not limited to Airbnb rentals but applies to any home-based rental where the hosts are not tech or security savvy. He recommends that home property owners who have Wi-Fi in their rental space physically lock up the device, either in a closet or another secure area.
With connected cars coming up fast in the rear-view mirror, researchers at ESET, a security company, see ransomware aimed at cars as a likely future exploit.
The nightmarish scenario is that you get into your self-driving car, the doors lock and a message pops up on the screen saying, “Pay us ransom or we won’t let you out.” Or perhaps even threatens to take you somewhere you don’t want to go.
“Everything I see points to jackware as a logical development. It’s not inevitable, but it’s up to the people who make cars to prevent it from becoming a reality,” said Stephen Cobb, a senior researcher for the firm based in San Diego.
Installing solar panels can open homeowners up to hackers, according to a presentation scheduled for Friday by security researcher Frederic Bret-Mounet.
After installing solar panels on his home near San Francisco, he noted the array was connected to the cloud. It took him a single weekend to hack into his own system.
Once there, he realized that had he been malicious, he could have overridden the safety limits on the system, causing it to overheat and then be knocked offline. He could also have remotely set off the solar array’s emergency shutdown protocol.
He also realized he could have potentially compromised devices in thousands of homes. Not only that, but “I could have installed spying software that would have had visibility into their home networks, seeing their emails and everything they did online,” he said.
While having one or two solar power systems in a neighborhood go out might inconvenience a few people right now, California has set a goal of 50% of the state’s power coming from renewable sources by 2030.
Tomorrow, when solar arrays are ubiquitous, “these lightly-protected systems could then be all too easily infiltrated, possibly with catastrophic effects on the state’s power grid,” he said.
To Jeff Melrose, a strategist for cybersecurity at engineering services supplier Yokogawa US, drones are a terrifying threat to industrial installations, from power and chemical plants to factories.
“In the old days, a fence kept people out of your plant. Now a drone can just fly right over it,” he said.
A drone can almost silently creep in, perch and watch for days. It can also find its way to a hidden corner of a building and then serve as a connection to any open Bluetooth or Wi-Fi networks or even a wireless mouse or keyboard.
Drones are also close to risk-free to the attacker. “You can put up an untraceable drone and if it gets caught, it gets caught. It’s basically risk free,” said David Latimer, a security analyst at Bishop Fox, a security consulting firm in Tempe, Ariz.
Latimer sees a tidal wave of attacks coming. “This Christmas, almost every hacker wants a drone,” said Latimer.
Disclosure key to security
Talking about parts of our home and infrastructure vulnerable to attack might seem dangerous because it could give hackers ideas. But security workers say it’s crucial to staying one step ahead of the bad guys and necessary for a healthy security system.
Not that there aren’t criminal hackers in attendance, but “they are definitely outnumbered by those who participate to make our connected world a safer place,” said Grayson Milbourne, security intelligence director at computer security firm Webroot in Broomfield, Colo.