Laser Pointers Can Hack Virtual Assistants from Long Distances

Bored with taunting your cat with your laser pointer? Why not try taunting your neighbor instead by hijacking his virtual assistant?!

While we all know that virtual assistants such as Amazon’s Echo and Google’s Home, by their very design, respond to sound commands, what researchers at the University of Michigan and the University of Electro-Communications, Tokyo have discovered takes things to a whole new level of the electromagnetic spectrum!

Reach Out and Hack Someone

Using nothing more than a simple laser pointer, these researchers of arcane vulnerabilities were able to demonstrate that they could take over 13 different voice-activated devices at distances up to 110 meters. The only limitations to the long-distance hack are the intensity of the beam and, of course, your sniping skills. Using a higher-powered laser, the researchers were successful at eliciting similar responses on phones and tablets.

Video: https://www.youtube.com/embed/ORji7Tz5GiI

Impact of Vulnerability Depends on Assistant’s Use

If you are like many and use your smart assistant for nothing more than listening to the radio or asking about the weather, then the impact of a hack would be minimal. However, if you are a smart home aficionado, your home’s security, shopping accounts and possibly even your credit cards and connected medical devices could be at risk from this vulnerability. Moving beyond assistants, phones and tablets, the researchers were able to demonstrate similar light-based vulnerabilities in certain Ford and Tesla automobiles.

IoT is Like the Wild West

Through the years we have documented vulnerabilities in all sorts of IoT devices, from printers and refrigerators to automobiles and medical devices. The simple fact is that device providers are far more interested in bringing new “wow” features to their products than they are in building devices with robust security features. That’s why you need a security partner like Konsultek. Our team of experts has the capabilities to identify vulnerabilities in your network and in the devices that connect to your network and then develop a customized security solution that keeps your organization safe from threats.

Consumer Watchdog Estimates 3000 People could die in Automotive Cyber Attack

Vulnerabilities in connected cars could allow a malicious hacker to wreak havoc on our nation’s roadways, leading to large-scale injuries and death, according to Consumer Watchdog.

If it’s Connected it’s Vulnerable

That’s the general message we’ve been reporting for the past decade on this blog and automobiles are no exception. Way back in 2015 researchers Miller and Valasek showed that they could take control of an unaltered 2014 Jeep Cherokee affecting both the steering and braking systems. At this year’s Black Hat hacker conference researchers from Keen Security Lab revealed details of vulnerabilities they found in late model BMWs. Clearly automobiles remain vulnerable and to make matters worse there are far more connected cars today than there were back then.

CAN Bus Vulnerability

While someone hacking your car’s infotainment system to steal your personal information would be annoying and perhaps leave you in a bad mood, someone hacking your car’s CAN bus system could leave you injured or dead. Your car’s CAN bus system is akin to your body’s central nervous system. It controls all of the essential engine, braking, transmission, electrical, climate AND Safety systems.

Comfort Might Kill You

So you might ask “Why would an automaker connect something as critical as CAN bus to the Internet and create a vulnerability?” That’s a great question with a lot of possible answers, but one answer is that they do it on purpose to allow you, the end user, to have a more comfortable automotive experience! You see, that same creature feature that allows you to remotely start your car from your smartphone and dial down the AC so you can hop into a pre-cooled car is just one example of how CAN bus systems become connected to the Internet. Unfortunately, there are many, many more examples that affect vehicles of all shapes, sizes and price points, so driving a budget box doesn’t necessarily mean that your car is not vulnerable!

The Numbers

According to Consumer Watchdog a concerted large scale attack could unfold according to this troubling schedule:

  • 19 Million cars on the roads at rush hour
  • 75 Million cars potentially hacked at once
  • 262,500 cars actively being driven at the time of attack
  • 134,400 projected injuries from attack
  • 3,000 projected fatalities.

It takes little imagination to envision what a complete mess the roadways would be with that many disabled vehicles clogging the roads. Emergency response would be crippled and life-saving aid delayed.

Kill Switch – The Recommended Short-Term Fix

The Consumer Watchdog report concludes that the simplest and least expensive “quick fix” to these vulnerabilities is a “kill switch”. This $0.50 switch would allow the consumer to create an air gap between all remotely-accessible components and the CAN bus system. Of course, unless these switches could somehow suddenly be installed on all the existing vulnerable automobiles on the road it isn’t really a viable solution. A simpler and even less expensive approach they argue would be to remove all vehicles from the cellular network. Of course that would disable a host of features that many consumers enjoy and rely upon and automakers advertise and market to make their cars more attractive. Chances are neither of these recommendations is ever going to happen.


Hacker Discovers Vulnerability that Allows Him to Kill Car Engines

Interconnectivity and the Internet of Things hold the promise of a simpler, higher quality life. At least that’s the narrative that’s spun about smart appliances, medical devices and of course smart cars.

While there is undoubtedly some truth to the virtues of this interconnectedness there are also going to be pitfalls, mainly an increase in the number of vulnerabilities.

Cracking Tracking

In a story on motherboard.vice.com a hacker who goes by the name L&M shared his story of how he was able to hack into thousands of GPS tracker accounts on not one, but two different platforms. It turns out it wasn’t all that difficult thanks to some lazy coding that gave every new user account the same breathtakingly obvious default password 123456!

Armed with this knowledge L&M was able to scrape a “treasure trove” of customer data:

According to a sample of user data L&M shared with Motherboard, the hacker has scraped a treasure trove of information from ProTrack and iTrack customers, including: name and model of the GPS tracking devices they use, the devices’ unique ID numbers (technically known as an IMEI number); usernames, real names, phone numbers, email addresses, and physical addresses. (According to L&M, he was not able to get all of this information for all users; for some users he was only able to get some of the above information.)
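An added example, not code from either tracking platform or from the Motherboard story: the provisioning side of the flaw described above, where every new account received the password 123456. It issues a unique random initial password per account with a forced change at first login, and audits stored hashes for accounts that still match a known default. The record layout, function names and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

KNOWN_DEFAULTS = ["123456"]   # the shared default named in the story
ITERATIONS = 200_000          # illustrative PBKDF2 work factor


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def provision_account(username: str) -> tuple[dict, str]:
    """Create a record with a unique random initial password.

    Returns (record, initial_password); the password is handed to the user
    out of band and must be replaced at first login.
    """
    initial = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    record = {"username": username, "salt": salt,
              "pw_hash": hash_password(initial, salt), "must_change": True}
    return record, initial


def verify(record: dict, candidate: str) -> bool:
    # Constant-time comparison of the stored and recomputed hashes.
    return hmac.compare_digest(record["pw_hash"],
                               hash_password(candidate, record["salt"]))


def audit_defaults(records: list[dict]) -> list[str]:
    """Usernames whose stored hash still matches a known default password."""
    return [r["username"] for r in records
            if any(verify(r, d) for d in KNOWN_DEFAULTS)]


def legacy_account(username: str) -> dict:
    """Constructed sample of the flawed behaviour: same default for everyone."""
    salt = secrets.token_bytes(16)
    return {"username": username, "salt": salt,
            "pw_hash": hash_password("123456", salt), "must_change": False}


if __name__ == "__main__":
    good, _ = provision_account("alice")
    print(audit_defaults([good, legacy_account("bob")]))
```

Accounts returned by the audit are candidates for a forced reset before any remote-control feature is available to them.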

Killing Engines

Cracking GPS apps and stealing thousands of customers’ information, geez, no big deal when one compares it to some of the shockingly large hospital and healthcare provider breaches of late, right? But here is where it gets far more interesting. These apps have features that allow the customers to remotely turn off their engines if the car is traveling at less than 12mph. Guess what? L&M claims that while he never did it, he certainly could if he wanted to. Traffic jams and gridlock on demand, anyone?!

Securing Your network and the IoT

At Konsultek we build better security solutions from the ground up using the most advanced technologies available.

How secure is your network?

If you are interested in getting an outside, independent and unbiased analysis of your network’s security, simply give us a call or click here: https://konsultek.com/executive-risk-assessment/.

The first 20 respondents will receive a complimentary Executive Risk Assessment. This assessment will not only show you the risk and impact to your most critical digital assets but demonstrate the likelihood of a breach happening.

 

© Copyright 2018 Konsultek