Hackers aren’t confined to cyberspace anymore

Written by Joe A.J. Beaumont 29/03/2019

You know what they say about assumptions...

Like many things in life, hackers are victims (and I use the word loosely) of stereotyping. You won’t find much stock imagery depicting hackers that doesn’t involve a hoodie, a dimly-lit room and several monitors full of scrolling binary text. And whilst that’s definitely sometimes true, it also makes several assumptions about hackers in general, which is at best misleading and at worst leaves you wide open to attack.

The main assumption with this stereotype is that hackers are stuck behind keyboards, which limits how far they can reach into the physical world. How much damage can someone do like this? Sure, they could engage in a phishing campaign and compromise my email address, but I can change my password easily enough. The more enterprising hacker might hack into your company’s servers for a spot of cryptomining or a dabble in ransomware, but you’ve (hopefully) got basic security monitoring and, of course, backups. Now, before I go any further in this scenario, I need to acknowledge that an alarming number of companies DON’T have these essential security features, but we’re assuming a broadly ideal world here, so indulge me for this moment.

From cyberspace to the real world

Now, let’s hit pause on the hacker and instead turn our attention to the insane and often hilarious world of the Internet of Things, or IoT. The world of IoT is growing at quite the pace, with manufacturers keen to stuff a web server into the most mundane of devices or connect the most vital equipment to an app or the internet. The benefits of this range from the downright handy to the absurdly questionable. The downside, however, is that we’re opening more and more of our physical lives to hackers. The problem is compounded as it’s not just that more IoT devices exist, but also that manufacturers refuse to take their security seriously – especially the cheaper non-branded devices (the so-called Shenzhen generics).

Returning to the hacker, these IoT devices and their generally woeful security give them the ability to step out of the cyber world and into the physical world. Cyber criminals use these devices as their remote hands. Hackers are no longer behind a keyboard: they’re in your house, your office, and maybe even more intimate places. IoT devices can do things like control your oven and adjust your heating – in fact, they can turn on anything connected to a ‘smart’ plug socket – meaning it only takes one little security flaw and you’ve given control to that hoodie-wearing figure.

Though IoT devices are certainly a major risk, it’s worth noting that they’re also not the only thing that we need to worry about. Let’s take a look at some real-life examples.


Let’s get physical, physical

Let’s start with the tale of Yale’s security fail that happened to their ‘smart’ home system late last year. Their server went for a little lie down for a couple of days, leaving people locked out of their homes and offices, or at the mercy of their alarm system. Whilst the root cause this time was down to vendor error rather than a hack, do you really think hackers don’t know how to (D)DoS an online service? Plus, when – and it is when – these kinds of services get hacked (I’m not targeting Yale directly here), hackers will be able to open your front door and walk right in.

On exactly that note, January of this year saw researchers blow open the cyber security of a door access system – much like the ones you find in most offices. Cyber crooks could, in theory, simply turn off the access control for the doors, remotely unlocking them all and opening up your business to anyone who fancies walking in. The problem in this instance was the mind-numbing stupidity of using hard-coded passwords and default credentials – something that a decent pen test would have picked up.

For a more up-close-and-personal example, not to mention insanely terrifying, how about St Jude Medical’s pacemakers? Security flaws were found that could in theory allow a hacker to discharge your battery or even ‘deliver incorrect pacing shocks’ – i.e. stop your heart.

I think we can all agree that remotely opening your front door or stopping your heart is worse than resetting your email password.

Putting the brakes on... literally

As for another example, let’s look at cars. Cars these days can be remotely locked/unlocked, started, braked and steered via an app, or even through Amazon Echo. As a man who drives a 10+ year old Saab, this level of technology is tantamount to witchcraft. As long ago as 2015, security researchers were showing that it’s possible to remotely take control of a Jeep and bring it to a stop. Add to the picture 2019’s leaps in autonomous cars, buses and lorries, and it’s a potentially grim outlook. Fun fact: some security advice from a reputable company recommends keeping your car’s key fob in the fridge as a security precaution. Yes, really.

Time for just one more example: the world of industrial control systems is (sadly) well-known for having lax security. A lot of factory machines were designed back before the internet was really a ‘thing’, and so didn’t factor in much in the way of network security. Now they’ve been hooked up to the internet, their security is at best described as lacking, at worst described as non-existent.

This became ever-more apparent at the beginning of the year, when it was found that cranes, drilling rigs (and other scary heavy machinery) were “alarmingly vulnerable to being hacked” – being called less secure than a garage door opener. Yikes. The culprits here were things like simple replay attacks, non-rolling codes and re-using the same checksums.


So... why isn’t the world in chaos?

I could list many more examples of ways hackers can now interact with our physical lives, but I think you get the idea. The way I’ve painted it so far, hackers can pretty much tap us on the shoulder from the comfort of their keyboard. I’ve made it sound like we’re all doomed. Why aren’t cranes spinning around on building sites? Why aren’t houses burning down? Why aren’t cars smashing into each other at 90 mph? Well, it all comes down to motivation.

Generally speaking, hackers are motivated by prestige or, more commonly, profit. This means they’d much rather go for quick wins like ransomware or cryptomining, or put the hours in and hack their way into a big juicy corporate target. Hacking a pacemaker might be good for some extortion on high-value targets (“Pay me millions or I’ll kill you”), but if a hacker trawling Shodan finds a way into, say, a vendor’s range of smart home devices, they’re more likely to go for a bug bounty if we’re lucky, or cash in on the dark web if we’re not. It’s in the latter case that doom-laden scenarios start to become a tad more realistic.


Lock your (cyber) doors

The above notwithstanding, the writing is very much on the wall. So, it makes sense to do the sensible thing right now and make sure your business isn’t vulnerable to attack via that smart device your boss brought in or, to be honest, via any other part of your IT infrastructure. The remedies are very much the same and, thankfully, easy to implement. A decent penetration testing schedule will outline your security weaknesses and how to fix them, and security monitoring with proactive threat hunting is pretty much the best way to stay on top of any security threats as they arise. It sounds so simple – and it is – but so many organisations aren’t doing these security basics.

