Hacking of goods, the downside of the internet of things
February 8, 2016
The internet of things opens up particular data security and privacy issues. The more interaction there is between a device and its user, the more opportunities there are for a breach by a hacker, and the usual point of entry is the app. Apps are often developed without any concept of privacy by design, with the bulk of the budget devoted to functionality and very little to security. All of this comes together in a recent story in the Guardian, Fisher-Price smart bear allowed hacking of children’s biographical data. It provides:
In September, Mattel’s Fisher-Price brand announced it had partnered with a tech company to make Smart Toy, a stuffed bear that can learn a three-year-old’s name.
Naturally, it’s hackable.
Researchers at Rapid7, a Boston-based security company, found that the app connected to the Fisher-Price toy had several security flaws that would allow a hacker to steal a child’s name, birthdate and gender, along with other data. The toymaker encourages parents to use the app so that the toy can better interact with children.
Fisher-Price has since fixed the issue, Rapid7 said.
In a statement, Fisher Price said: “We recently learned of a security vulnerability with our Fisher-Price WiFi-connected Smart Toy Bear. We have remediated the situation and have no reason to believe that customer information was accessed by any unauthorized person. Mattel and Fisher-Price take the safety of our consumers and their personal data very seriously, which is why we act quickly to resolve potential vulnerabilities like this.”
As far as security flaws go, this one may not be severe. But Rapid7’s findings do reinforce how vulnerable consumers can become as they bring more of their possessions online by making them “smart”. This also applies to toys. Last year, Rapid7 found security flaws in a baby monitor. Mattel also recently announced a smart Barbie that has security researchers on the hunt for bugs.
The flaws in the Fisher-Price case had to do with how the app, meant for parents, communicates with servers running the system. They’re the kind of flaws a more experienced internet company probably wouldn’t have missed, Rapid7 said.
“This is an easy mistake,” said Tod Beardsley, Rapid7’s security research manager. “You wouldn’t find these bugs today from places like Google, Microsoft.”
There is no evidence attackers have used the flaws in the wild. However, Beardsley suggested one way they could use the flaw would be to gather information on a target’s family in order to trick them into giving them more information in a phishing attack. A child’s name is also a common password choice, he said.
On its website, Fisher-Price says “NO PERSONALLY IDENTIFIABLE DATA is transmitted by Smart Toy”.
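The Guardian piece does not say what the flaws in the app-to-server communication were, and the example below is not the Fisher-Price bug. It is an added illustration, written for this post, of the most common way a parent-facing API ends up handing out another family's child record: the server checks that the caller is logged in but never checks that the record requested belongs to that caller. The accounts, tokens and profiles are constructed, and the two handlers stand in for a real web framework's route functions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed data: two parent accounts, each with one child profile stored
# by the toy's back end. None of this is real customer data.
CHILDREN: Dict[int, dict] = {
    101: {"owner": "parent-a", "name": "Ada", "birthdate": "2012-06-01", "gender": "F"},
    102: {"owner": "parent-b", "name": "Ben", "birthdate": "2013-02-14", "gender": "M"},
}

# Assumed session store: bearer token -> authenticated parent account.
SESSIONS: Dict[str, str] = {"tok-a": "parent-a", "tok-b": "parent-b"}


@dataclass
class Request:
    token: str     # bearer token the app sends with every call
    child_id: int  # identifier the app puts in the URL or request body


def authenticate(req: Request) -> Optional[str]:
    """Map the app's token to a parent account, or None if it is not a session."""
    return SESSIONS.get(req.token)


def public_view(profile: dict) -> dict:
    """The fields the app actually needs; the owner column never leaves the server."""
    return {k: v for k, v in profile.items() if k != "owner"}


def get_child_vulnerable(req: Request) -> Tuple[int, Optional[dict]]:
    """Checks that the caller is *some* logged-in parent, then trusts the ID."""
    if authenticate(req) is None:
        return 401, None
    profile = CHILDREN.get(req.child_id)
    if profile is None:
        return 404, None
    return 200, public_view(profile)


def get_child_hardened(req: Request) -> Tuple[int, Optional[dict]]:
    """Binds the record to the caller: a parent can only read their own child."""
    caller = authenticate(req)
    if caller is None:
        return 401, None
    profile = CHILDREN.get(req.child_id)
    # One response for "no such record" and "not your record", so the status
    # code does not tell an attacker which IDs exist.
    if profile is None or profile["owner"] != caller:
        return 404, None
    return 200, public_view(profile)


def enumerate_profiles(handler, token: str, id_range=range(100, 110)) -> List[dict]:
    """What one ordinary parent account can harvest by walking the ID space."""
    found = []
    for cid in id_range:
        status, body = handler(Request(token=token, child_id=cid))
        if status == 200:
            found.append(body)
    return found


if __name__ == "__main__":
    print("vulnerable:", enumerate_profiles(get_child_vulnerable, "tok-a"))
    print("hardened:  ", enumerate_profiles(get_child_hardened, "tok-a"))
```

With the vulnerable handler, the holder of a single legitimate account walks sequential IDs and collects every child's name, birthdate and gender on the platform, which is exactly the kind of data the article says was exposed. The hardened handler returns the same 404 for records that do not exist and records that belong to someone else; random, unguessable IDs and rate limiting are worth adding on top, but neither replaces the ownership check.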
Given that a drone depends on a communications link with its operator, the potential for hacking a drone is not just theoretical, as reported in Hackers claim to have hacked NASA, hijacked one of its drones. It provides:
AnonSec hackers claim that they have breached a number of NASA’s systems, and they have published a data trove containing video recordings made by the agency’s aircraft and drones, the drones’ flight logs, and the names, email addresses and telephone numbers of some 2,400 agency employees.
They apparently attempted to interest The Guardian and WikiLeaks in analyzing the stolen info and publishing the results, but after having received no answer, they decided to do it themselves by torrenting the dump.
The leak was accompanied by an extensive document describing the things they had to do to compromise NASA’s systems (attacks and exploits) and the extent of the compromise.
They claim to have bought their way into the network from another hacker who got the Gozi virus into one of NASA’s systems, and then, with time, managed to move laterally within the networks, and also to compromise three NAS (Network Attached Storage) devices. The intrusion dates back to 2013, they say.
They breached the networks of the agency’s Glenn Research Center, Goddard Space Flight Center, and Dryden Flight Research Center.
They also attempted and apparently succeeded in taking temporary (“semi-partial”) control of one of NASA’s Global Hawk drones:
“After countless months of successfully retrieving NASA Drone logs automatically, we noticed some weird traffic. Every time the GlobalHawks would return to base for maintenance and uploading data/recordings… a single .gpx file was POST/pushed sometimes to them. Which meant the GlobalHawks didn’t only receive live directions from pilots via SatComs, but also had a pre-planned route option that could be uploaded to it before takeoff (probably for automated flights and as a backup if pilots’ SatCom connection fails)… and over FUCKING WLAN!!!” they wrote.
“So we decided to do something much more sinister… we created our own .gpx file and set up a MitM to replace their file with our own. Several members were in disagreement on this because if it worked, we would be labelled terrorists for possibly crashing a $222.7 million US Drone… but we continued anyways lol.”
“Whether it was the high amount of traffic sending drone logs across their compromised network or the attempted crashing of a GlobalHawk that caused them to FINALLY inspect their networks, we don’t know. But it went down for a while soon after,” they shared.
“When they came back up several days later, we had completely lost access. Not only were we no longer receiving rsync backups over SSH, they had also removed ALL our .php & .aspx backdoors and changed pretty much every single login credential, from ftp to http.”
The ultimate goal of the hackers was to find evidence that NASA was involved in “Chemtrails/CloudSeeding/Geoengineering/Weather Modification,” but apparently they found none.
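The attack the hackers describe works only because the aircraft accepts whatever .gpx file arrives: nothing ties the file to the mission planner that produced it, to the particular airframe, or to this flight. The example below is added to this post and is not code from NASA or from the AnonSec dump; it shows the check a practitioner would want on the receiving side. The mission planner signs a small envelope (file hash, airframe ID, fresh nonce) with a key the airframe holds, and the airframe parses the route only after the tag, the airframe ID, the hash and the nonce all check out. The key, the airframe ID and the GPX route are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

GPX_NS = "{http://www.topografix.com/GPX/1/1}"

# Constructed sample route; the coordinates are arbitrary, not a real flight plan.
SAMPLE_GPX = b"""<?xml version="1.0" encoding="UTF-8"?>
<gpx version="1.1" creator="example" xmlns="http://www.topografix.com/GPX/1/1">
  <rte>
    <name>constructed-route</name>
    <rtept lat="10.000" lon="20.000"/>
    <rtept lat="10.250" lon="20.125"/>
    <rtept lat="10.500" lon="20.250"/>
  </rte>
</gpx>
"""

# Assumed: a 32-byte secret provisioned to one airframe out of band and held
# only by the mission planner, not on the network segment that pushes files.
AIRCRAFT_KEY = bytes.fromhex("1f" * 32)
AIRCRAFT_ID = "airframe-01"


def _tag(envelope: Dict[str, str], key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the envelope."""
    canon = json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def sign_route(gpx: bytes, aircraft_id: str, key: bytes, nonce: str = "") -> Dict[str, object]:
    """Planner side: bind the file's hash to one airframe and a fresh nonce."""
    envelope = {
        "aircraft_id": aircraft_id,
        "nonce": nonce or secrets.token_hex(16),
        "sha256": hashlib.sha256(gpx).hexdigest(),
    }
    return {"envelope": envelope, "tag": _tag(envelope, key)}


def parse_waypoints(gpx: bytes) -> List[Tuple[float, float]]:
    """Pull (lat, lon) pairs out of the route points of a GPX 1.1 file."""
    root = ET.fromstring(gpx)
    return [(float(p.get("lat")), float(p.get("lon"))) for p in root.iter(GPX_NS + "rtept")]


def load_route(gpx: bytes, signed: Dict[str, object], aircraft_id: str,
               key: bytes, seen_nonces: Set[str]) -> List[Tuple[float, float]]:
    """Aircraft side: parse the route only after every check passes."""
    envelope = signed["envelope"]
    if not hmac.compare_digest(_tag(envelope, key), signed["tag"]):
        raise ValueError("bad tag: not signed with this airframe's key")
    if envelope["aircraft_id"] != aircraft_id:
        raise ValueError("route is signed for a different airframe")
    if not hmac.compare_digest(hashlib.sha256(gpx).hexdigest(), envelope["sha256"]):
        raise ValueError("file contents do not match the signed hash")
    if envelope["nonce"] in seen_nonces:
        raise ValueError("replayed route file")
    seen_nonces.add(envelope["nonce"])
    return parse_waypoints(gpx)


def demo() -> Dict[str, object]:
    """Genuine upload, then the two things a MitM on the WLAN can try."""
    seen: Set[str] = set()
    signed = sign_route(SAMPLE_GPX, AIRCRAFT_ID, AIRCRAFT_KEY, nonce="demo-nonce")
    waypoints = load_route(SAMPLE_GPX, signed, AIRCRAFT_ID, AIRCRAFT_KEY, seen)

    # Attacker swaps the file in transit; the tag still covers the original hash.
    tampered = SAMPLE_GPX.replace(b'lat="10.500"', b'lat="-10.500"')
    try:
        load_route(tampered, signed, AIRCRAFT_ID, AIRCRAFT_KEY, seen)
        swap = "accepted"
    except ValueError as e:
        swap = str(e)

    # Attacker replays the genuine signed file captured on an earlier upload.
    try:
        load_route(SAMPLE_GPX, signed, AIRCRAFT_ID, AIRCRAFT_KEY, seen)
        replay = "accepted"
    except ValueError as e:
        replay = str(e)

    return {"waypoints": waypoints, "swap": swap, "replay": replay}


if __name__ == "__main__":
    print(demo())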
[…] Hacking of goods, the downside of the internet of things […]