How to pull off the perfect cyber crime
He’s always been a bit arrogant my chief technology officer. But when he claimed our security set-up was impenetrable I knew he’d gone too far – even the FBI gets hacked these days. How could we be totally safe? He was talking nonsense.
Then I started reading about the internet of things (IoT). It’s a fabulous technology. Lightbulbs you can control with your phone and cars report engine faults direct to the maker.
My chief technology officer (CTO) loves this stuff. It’s also notoriously insecure. So I got an idea. I’d prank him. I called a techie mate of mine. We ran a covert survey of the CTO’s house. I’ll be honest – we never went through with our mad scheme. We just made a report. Then we showed it to my esteemed CTO. The look on his face was priceless. Here’s what we found.
DAY 1 Surveillance: Home CCTV is commonplace. And my CTO is a big fan. He’s got cameras inside and outside. And boy are these hackable. Cyber security firm Imperva Incapsula reported in October that CCTV cameras are being hijacked to launch DDoS (distributed denial-of-service) attacks across the internet. Incidents are up 240 per cent on 2014. Incredibly, many owners fail to change the default password. Researchers at Context Information Security recently hacked the Motorola Focus 73 outdoor security camera, tilting it, zooming it and redirecting the video feed. It even provided a way to gain access to a home wi-fi password. It was clear we could spy on my hapless CTO and watch his every move. Spooky.
DAY 2 Penetration: The key to hacking is the wi-fi router. Get into that and we would have access to every device in the IoT sphere. Is it hard? Turns out it is disturbingly easy. A 2015 report by HP found an average of 25 vulnerabilities per IoT device. Seventy per cent did not encrypt communications, 60 per cent had security glitches in their user interfaces and 80 per cent failed to require passwords of sufficient complexity. For example, Pen Test Partners demonstrated how to steal a user’s Gmail credentials by going through a Samsung smart fridge. It’s that easy.
DAY 3 Prank time: We wanted to give my CTO a bit of a scare. And when we looked at our options we were spoiled for choice. How about cranking the volume on his TV up to maximum? Or boiling his kettle non-stop (bit dangerous)? Context Information Security demonstrated a method of hacking into internet-connected lightbulbs to gain control of a Canon PIXMA printer and then ran a game of Doom on the printer display. Their estimation was 2,000 vulnerable printer models connected directly to the internet. We were sorely tempted to print out “We are watching you!” on a loop to make the point.
DAY 4 Now we got serious: We wanted to prove that IoT devices could offer a real threat to our corporate secrets. If we could hack into his home network then it would be easy to steal company data. Our chosen way in would be via his baby monitor. A report by security analytics firm Rapid7 showed how nine baby monitor models could be hacked. The holes were trivial to “exploit by a reasonably competent attacker” and can “quickly provide a patch to compromise the larger, nominally external, organisational network”. Translation – we could hack his system. QED.
In the future, intelligence services might use the loT for identification, surveillance, monitoring, location-tracking and targeting for recruitment, or to gain access to networks or user credentials
DAY 5 Out of the office: The IoT is everywhere. This means we have opportunities to cause trouble no matter where our target is located. In September WIRED magazine showed how hackers can take control of a Jeep Cherokee. The air-con starts spewing freezing air. The wipers turn on. Brakes and steering could be controlled. The hackers previously disabled the brakes on a Toyota Prius. We’ve seen traffic lights hacked. A survey by Unisys found 70 per cent of critical infrastructure managers reported at least one security breach in the past 12 months. There’s no escape.
DAY 6 We almost went too far: My techie mate pointed out that our target’s wife still used a Windows XP laptop and, being a bit old fashioned, didn’t apply updates. Huge mistake. An attack on the Windows Remote Access Tool or RAT would give us access to her webcam. A plethora of sleazy internet forums show how the RAT tool can be abused, with horrifying results. We could activate the webcam while she’s watching Netflix in bed. The very thought made us shudder.
DAY 7 Full-scale panic: The more we looked at ways to exploit the IoT, the more we panicked. Drone attacks? They are coming. Texas-based firm Praetorian flew a wi-fi-enabled drone over Austin, Texas and found almost 726 IoT devices in 18 minutes. It was looking for devices using the ZigBee communication protocol, which had been shown to be insecure. That is insecurity on a galactic level. We are not the only one’s thinking of this. James Clapper, US director of national intelligence, told a senate committee last month: “In the future, intelligence services might use the loT for identification, surveillance, monitoring, location-tracking and targeting for recruitment, or to gain access to networks or user credentials.”
We never went ahead with our attack. Hackers, maybe even the government, would not be so restrained.