What happens when hackers get physical?
Let’s get physical, physical
Let’s start with the tale of Yale’s security fail that happened to their ‘smart’ home system late last year. Their server went for a little lie down for a couple of days, leaving people locked out of their homes and offices, or at the mercy of their alarm system. Whilst the root cause this time was down to vendor error rather than a hack, do you really think hackers don’t know how to (D)DoS an online service? Plus, when – and it is when – these kinds of services get hacked (I’m not targeting Yale directly here), hackers will be able to open your front door and walk right in.
On exactly that note, January of this year saw researchers blow open the cyber security of a door access system – much like the ones you find in most offices. Cyber crooks could, in theory, simply turn off the access control for the doors, remotely unlocking them all and opening up your business to anyone who fancies walking in. The problem in this instance was the mind-numbing stupidity of using hard-coded passwords and default credentials – something that a pen test would have picked up.
For a more up-close-and-personal, not to mention insanely terrifying, example, how about St Jude Medical’s pacemakers? Security flaws were found that could in theory allow a hacker to discharge your battery or even ‘deliver incorrect pacing shocks’ – i.e. stop your heart.
This became ever-more apparent at the beginning of the year, when it was found that cranes, drilling rigs (and other scary heavy machinery) were “alarmingly vulnerable to being hacked” – being called less secure than a garage door opener. Yikes. The culprits here were things like simple replay attacks, non-rolling codes and re-using the same checksums.
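As an added illustration of the replay and non-rolling-code weaknesses just described (this is not code from the original article or from any vendor it mentions), here is a toy fixed-code receiver beside a counter-plus-HMAC rolling-code receiver; the key, the static code and the window size are constructed for the demonstration. The contrast shows why a recorded frame works forever against the former, and why a keyed MAC, unlike a checksum, cannot be recomputed by whoever captured the frame.

```python
import hashlib, hmac, os

KEY = os.urandom(32)  # constructed shared secret held by both remote and receiver

class FixedCodeReceiver:
    # Fixed code: a frame recorded once is accepted again, any number of times.
    def __init__(self, code):
        self.code = code
    def accept(self, frame):
        return hmac.compare_digest(frame, self.code)

class RollingCodeRemote:
    # Sends an increasing counter plus an HMAC over it. A plain checksum could
    # be recomputed by anyone who saw the frame; the HMAC needs the key.
    def __init__(self, key):
        self.key, self.ctr = key, 0
    def press(self):
        self.ctr += 1
        ctr_bytes = self.ctr.to_bytes(4, "big")
        return ctr_bytes + hmac.new(self.key, ctr_bytes, hashlib.sha256).digest()

class RollingCodeReceiver:
    # Accepts a frame only if the MAC verifies and the counter is newer than the
    # last accepted one, within a small window so missed presses still work.
    def __init__(self, key, window=16):
        self.key, self.window, self.last = key, window, 0
    def accept(self, frame):
        ctr_bytes, tag = frame[:4], frame[4:]
        expected = hmac.new(self.key, ctr_bytes, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # altered counter or wrong key
        ctr = int.from_bytes(ctr_bytes, "big")
        if not (self.last < ctr <= self.last + self.window):
            return False  # already used (replayed) or too far ahead
        self.last = ctr
        return True

def demo():
    # Returns (fixed_replay_ok, first_ok, replay_ok, resync_ok, forged_ok).
    fixed, recorded = FixedCodeReceiver(b"\x12\x34"), b"\x12\x34"  # constructed code
    fixed_replay_ok = fixed.accept(recorded) and fixed.accept(recorded)
    remote, rx = RollingCodeRemote(KEY), RollingCodeReceiver(KEY)
    frame = remote.press()
    first_ok = rx.accept(frame)
    replay_ok = rx.accept(frame)  # the same frame presented a second time
    for _ in range(3):
        remote.press()  # presses the receiver never heard (out of range)
    resync_ok = rx.accept(remote.press())  # counter 5, still inside the window
    forged_ok = rx.accept((99).to_bytes(4, "big") + frame[4:])  # new counter, stale MAC
    return fixed_replay_ok, first_ok, replay_ok, resync_ok, forged_ok
```

Real rolling-code schemes differ in detail (block-cipher based, larger counters, resync procedures), but the two checks shown, a keyed integrity tag and a strictly advancing counter, are what make a captured frame worthless the second time.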
So... why isn’t the world in chaos?
I could list many more examples of ways hackers can now interact with our physical lives, but I think you get the idea. The way I’ve painted it so far is that hackers can pretty much tap us on the shoulder from the comfort of their keyboard. I’ve made it sound like we’re all doomed. Why aren’t cranes spinning around on building sites? Why aren’t houses burning down? Why aren’t cars smashing into each other at 90 mph? Well, it all comes down to motivation.
Generally speaking, hackers are motivated by prestige or, more commonly, profit. This means they’d much rather go for quick wins like ransomware or cryptomining, or put the hours in and hack their way into a big juicy corporate target. Hacking a pacemaker might be good for some extortion on high-value targets (“Pay me millions or I’ll kill you”), but if a hacker trawling Shodan finds a way into, say, a vendor’s range of smart home devices, they’re more likely to go for a bug bounty if we’re lucky, or cash in on the dark web if we’re not. It’s in the latter case that doom-laden scenarios start to become a tad more realistic.
Lock your (cyber) doors
The above notwithstanding, the writing is very much on the wall. So, it makes sense to do the sensible thing right now and make sure your business isn’t vulnerable to attack by that smart device your boss brought in or, to be honest, by any other part of your IT infrastructure. The remedies are very much the same and, thankfully, easy to implement. A decent penetration testing schedule will outline your security weaknesses and how to fix them, and security monitoring with proactive threat hunting is pretty much the best way to stay on top of any security threats as they arise. It sounds so simple – and it is – but so many organisations aren’t doing these security basics.