The security hacks into our computers have turned out to be the tip of the iceberg; a constant stream of new vulnerabilities is teaching us that developers and manufacturers have not given security the attention that it requires, even as technology spreads to our cars, our phones, and the devices in our homes.
You’ve seen headlines about some of these recent disclosures. There’s nothing you can do about them except shiver, feel paranoid, and follow the Rules For Computer Safety.
Hacking Android phones
Two weeks ago a security researcher revealed an Android vulnerability called “Stagefright” that affects virtually every Android phone, 950 million of them worldwide. A hacker can send a phony MMS message and immediately gain control of certain parts of the phone, without any need for the phone owner to do anything at all. It is the worst phone vulnerability of all time by a large margin.
The vulnerability was discovered by mobile security firm Zimperium. It’s simple: an attacker sends an MMS message with a video that carries an infected payload. Depending on the settings on your phone, the attacker may be able to gain access to your phone immediately; you don’t even have to open the message to be infected. In the worst case, the attacker will have root access to the phone: complete, unlimited control.
The Android ecosystem was designed on purpose to be open and customizable. Google does not have control over Android phones and cannot singlehandedly deliver security updates to them. There is a strong likelihood that there will not be a fix for most Android phones.
Although a patch was developed by the researcher who found the vulnerability and provided to Google immediately, almost no Android phones have been patched yet, and many older models are out of support and will never get any patch. Google is trying to change the way updates are distributed for Android phones to bypass the carriers and manufacturers, or at least partner with them, but those companies are very interested in maintaining control of your experience so they can deliver advertising and sell you new devices – even if that means compromising your security. Ron Amadeo of Ars Technica says:
“In a perfect world, the inability to update billions of potentially pwnable Android handsets would be enough to get Google, the OEMs, and the carriers to all sit down, set aside their branding guidelines and marketing department-enforced differences, and say, ‘We need to fix this.’ But we don’t live in a perfect world. . . . There’s too much disregard for the customer in the Android ecosystem to expect any of this get fixed proactively. Carriers and OEMs don’t want to be relegated to the user space, and right now there are no repercussions for their self-centered actions.”
Google’s partnership with Samsung and LG to distribute a patch will protect 2.6% of active Android devices, if it is successful. Google says that the attack is difficult to accomplish on most newer Android phones and only 10% of Android phones are really vulnerable. Great news! Only 95 million devices can be taken over by bad guys remotely without notice, by Google’s own estimate. Sigh.
There’s information here and here about how to find out if you’re vulnerable, and what settings to change to keep the attack from working. Personally, I’ve given up hope and I’m not doing anything different with my phone.
Hacking Fiat Chrysler Cars
Security researchers demonstrated last week that they could remotely take over a Fiat Chrysler car driving down the highway and manipulate its brakes, steering, and acceleration, using a hack that operates over the air through the car’s entertainment system. From the Wired article by Andy Greenberg, who agreed to be a test subject on a real highway:
“As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission. Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. . . . The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch.”
This particular hack was disclosed to Fiat Chrysler before it was discussed in public and the car maker promptly took steps to prevent it from being used by bad guys. You’re not at risk of having your Jeep drive into a ditch. Fiat Chrysler subsequently decided to recall 1.5 million cars to apply a patch.
Car makers are notoriously slow at implementing new technology in automobiles. In the last decade cars have turned into very complex, specialized computers, but the manufacturers have not made security their top priority – and they will be slow to deal with these new threats from sophisticated hackers. Expect them to be reacting to news stories like this for the next few years, instead of staying ahead of the bad guys.
Hacking GM cars
Another researcher/hacker showed off a device at last week’s Black Hat conference that allowed him to remotely locate, unlock and start any GM vehicle equipped with the OnStar system – basically the same functions as the RemoteLink phone app that connects OnStar with a smartphone.
In this case the hack requires that the hacker have physical access to the car for at least a short while, making it slightly less scary. GM rushed to fix the back end servers to prevent some of the vulnerability exposed by this exploit, and is working on a fix for the RemoteLink app.
There will be many more automobile hacks before this is brought under control. Car makers are new to the field of Internet security and have built in controls for cars that can be reached through wi-fi and cell systems without going through the hardening process that computers have dealt with for the last decade.
Macs turn out to be vulnerable to an attack that also works against Windows computers – and it’s a doozy. Attackers can rewrite the firmware that controls the chips used to run the computer before an operating system is launched. Firmware hacks can be made completely undetectable to the operating system. The hack survives even if the hard drive is completely wiped and reformatted. According to one of the researchers who worked on the Thunderstrike 2 worm, “The worm is really hard to detect, it’s really hard to get rid of, and it’s really hard to protect against something that’s running inside the firmware. For most users, that’s really a throw-your-machine-away kind of situation.”
Despite Apple’s reputation for being more secure than Windows PCs, the researchers found that this hack would work against Macs as readily as it does against PCs. They discovered a way to launch it remotely instead of requiring physical access to a Mac, and are working on ways to turn it into a worm that will spread from one system to another using devices attached with Thunderbolt. A hard drive plugged into an infected system could infect the next machine it was plugged into, even if the second device wasn’t online or connected to the same network.
A client looked up a phone number for HP support on Google and called the first number listed. The helpful tech on the other end of the line set up a remote session and led her through a number of diagnostic tests, then let her know that there were signs of a virus on her computer.
It took her a while to realize that she was talking to a bad guy, not anyone from HP.
When you let someone connect remotely to your computer, they have complete control and can compromise it without your knowledge. You can never be sure that your computer belongs to you after the bad guys have access to it.
In this case, it appeared that my client disconnected before the bad guy had a chance to install any malware; we did a thorough job of searching nooks and crannies and disinfecting things before she went back to work. Fortunately she was logged into an account that did not have local admin privileges, which may have kept the bad guy from doing more damage.
It’s a variation on the phone scam where a caller claims to be calling from Microsoft about a problem with your computer. I’ve heard a lot of stories about those calls in the last few months. Remember, Microsoft does not call to help you fix your computer.
For now, remember another one of the Rules For Computer Safety: Just because something is listed in a Google search doesn’t mean it is safe.
“The federal government is warning hospitals and other health care facilities to stop using a leading infusion pump because it has a vulnerability that leaves it open to hackers. . . . The existing vulnerability gives hackers the ability to access the pump remotely through a hospital’s network, which means an unauthorized user could take control of the device and change the dosage of a medicine that the pump delivers, according to the FDA.”
Hacking baby monitors
Baby monitors are now wireless and have webcams built in. There have been several reports of hacking into wireless baby monitors. From ComputerWorld: “One family heard voices as the camera followed them about the room; the second mom was freaked out and scared as a hacker remotely controlled the camera to follow her movements.” The first family heard a man’s voice saying on the monitor, “Wake up, little boy, daddy’s coming for you.”
Planes are going to start falling from the sky. This is going to get worse before it gets better.