Devious Devices Designed to Harm You

We’re accustomed to the idea of hackers’ trying to crack our computers, but today our TVs, cars, phones, and appliances are becoming increasingly vulnerable as we use technologies such as Wi-Fi, Bluetooth, RFID, cellular, and GPS to connect them. Though increased connectedness has been a boon to convenience and communication, a sinister flipside has emerged: More and more real-world objects are hackable, some with potentially frightening real-world consequences. Hackers can unlock your car and even start the engine. They can steal your credit card just by walking past you—without touching your wallet. They can hijack a lifesaving insulin pump and turn it against the user. Here’s a roundup of some of the technology that bad guys can use to hack you and everything around you. ATM Skimmers ATM skimmers are rogue devices surreptitiously attached to automatic teller machines and programmed to read and record your bank card’s magnetic strip, and then pass the data on to criminals. Examples of a new thin ATM skimmer.Older ATM skimmers commonly made the card slot look unusually bulky or otherwise tampered-with, but detecting the new skimmers is much harder. They are so thin now that a crook can now insert the skimmer directly inside the card slot at your local ATM, grocery self-checkout, or gas pump, and still leave room for your card to pass through, thus ensuring that only an expert is likely to notice the skimmer’s intrusion. The information on your credit or debit card’s magnetic strip is useless without the card’s PIN code, and even the most sophisticated in-slot skimmer can’t retrieve PIN codes. However, criminals have developed transparent rubber overlays that they place over the ATM’s keypad, to record the victim’s PIN code. ATM skimmers and PIN code recorders can be very difficult to detect before money goes missing from customers’ bank accounts. War Texting The term war texting may sound like something that an easily distracted soldier might pause to perform during a lull on the battlefield, it actually refers to the process of hijacking hardware connected to ubiquitous GSM (Global System for Mobile Communications) mobile phone networks. Surveillance cameras, home automation systems, and cars often depend on GSM telephony for over-the-air firmware updates. Though GSM makes updating these systems far more convenient, it also leaves them vulnerable to outside attack. Last year at the Black Hat security conference in Las Vegas, iSec Partners security consultants Don Bailey and Matthew Solnik demonstrated the threat of war texting by unlocking the doors of a Subaru Outback and then starting its engine—all remotely. Bailey said that he and Solnik took about 2 hours to figure out how to intercept wireless messages between the car and the network, and then re-create the messages from his laptop. Power Pwn Another looming threat involves rogue chameleon devices—treacherous gear that victims fail to spot because it doesn’t look odd or out of place. Pwnie Express’s Power Pwn incorporates covert wireless transfer capabilities in what looks like a simple surge protector. The Power Pwn, for example, masquerades as a typical office surge protector, but it conceals some crafty tech. The Power Pwn was developed by Pwnie Express with funding from DARPA, the Department of Defense’s secretive and experimental research and development wing. High-gain, extended-range Wi-Fi, 1000-foot-range Bluetooth, and 3G are built into the Power Pwn, which is designed to bypass your network security and firewalls, while maintaining a constant covert connection with the attacker. The product’s makers, Pwnie Express, say that the Power Pwn is intended as an enterprise test tool for network vulnerabilities, but anyone with $1300 can buy one. Considering the high value of information on business networks, the Power Pwn’s price hardly guarantees that criminals won’t be able to get their hands on one. Radio Frequency Identification (RFID) An RFID chip.RFID chips are tiny devices that contain information about the object they are attached to, which may range from an ID card containing personal medical information, to a car-key fob, to your U.S. passport, to a pet, to an electronic door lock, and to a credit card. The primary purpose of an RFID chip is to embed digital information in something nondigital, making the object easier to keep track of and communicate with. Some RFID chips don’t even require a battery; instead, they are powered electromagnetically by a nearby receiver. But anything that has an associated RFID chip is potentially hackable—and with such chips priced as low as $0.07 each, RFIDs are sure to show up in more and more things inthe future. Earlier this year at the ShmooCon hacker-centric security conference, security researcher Kirstin Paget demonstrated just how easy RFID-equipped credit cards are to hack. Using about $350 worth of equipment, Padget wirelessly copied her credit card’s RFID data, cloned it onto a blank card, and then easily made a payment to herself using a Square card reader. Padget described the hack as “embarrassingly simple.” The ability of a knowledgable person to clone RFID with ease should raise red flags for anyone using the technology for personal data, door locks, or any other form of security. Global Positioning System (GPS) What users of the Girls Around Me app saw.GPS in and of itself is a benign technology, but the GPS built into smartphones can be problematic. App developers use GPS in all kinds of ways beyond simply establishing latitude and longitude coordinates. For example, apps such as FourSquare rely on GPS to track their users’ social habits and spending habits, and let users share where they are hanging out by “checking in” on the app. However, location-based app developers often provide their APIs (application programming interfaces) to third parties, increasing the danger of misuse by interested outsiders. This is precisely what happened in April, with an app called Girls Around Me. Using a combination of FourSquare’s and Facebook’s APIs, the Girls Around Me app displayed for anybody to see the location, pictures, and even names of nearby women. Perhaps the most disturbing aspect of this situation is that, under existing law, everything the developers of Girls Around Me did in making individual people’s information available to its users was strictly legal. A level of intrusive data gathering that might raise concerns of stalking if pursued in person in the real world amounted to nothing more than the cleverly directed collection of readily available digital information. Hackable Insulin Pumps Jay Radcliffe, director of the Smart Device Threat Intelligence Center—and a type 1 diabetic who is always connected to an insulin pump—discovered that his Medtronic wireless insulin pump could be hacked and taken over by a rogue signal. An insulin pump.From up to half a mile away, a hacker could assume control of the pump and deliver a deadly dose of insulin to an unsuspecting diabetic. The chances of such a thing happening are exceedingly small, but the potential consequences are dire. If nothing else, the scenario suggests a plot device in a James Bond movie featuring a ruthless criminal mastermind and an otherwise well-guarded diabetic target. Though technology does far more good than bad in our lives, it has a dangerous side. Given that more and more of our world is connected through technology, criminals and hackers are virtually certain to find more ways to exploit the technology we depend on in our daily lives. The best advice is to be aware of your devices’ behavior. If you notice a change, it could be due to hacking. Often, this is how banks discover skimming and credit card fraud. You can also consult resources such as the FBI’s Scams & Safety website to stay informed and safe from various threats, online and off. We’re accustomed to the idea of hackers’ trying to crack our computers, but today our TVs, cars, phones, and appliances are becoming increasingly vulnerable as we use technologies such as Wi-Fi, Bluetooth, RFID, cellular, and GPS to connect them. Though increased connectedness has been a boon to convenience and communication, a sinister flipside has emerged: More and more real-world objects are hackable, some with potentially frightening real-world consequences.Hackers can unlock your car and even start the engine.
Screen_Shot_2011-09-09_at_11.45.25_AM Screen_Shot_2011-09-09_at_11.45.25_AM

They can steal your credit card just by walking past you without touching your wallet. They can hijack a lifesaving insulin pump and turn it against the user. Here’s a roundup of some of the technology that bad guys can use to hack you and everything around you.

ATM Skimmers

wafer_thin_atm_skimmer-11399612ATM skimmers are rogue devices surreptitiously attached to automatic teller machines and programmed to read and record your bank card’s magnetic strip, and then pass the data on to criminals.Examples of a new thin ATM skimmer.

Older ATM skimmers commonly made the card slot look unusually bulky or otherwise tampered-with, but detecting the new skimmers is much harder.

They are so thin now that a crook can now insert the skimmer directly inside the card slot at your local ATM, grocery self-checkout, or gas pump, and still leave room for your card to pass through, thus ensuring that only an expert is likely to notice the skimmer’s intrusion.

The information on your credit or debit card’s magnetic strip is useless without the card’s PIN code, and even the most sophisticated in-slot skimmer can’t retrieve PIN codes.

However, criminals have developed transparent rubber overlays that they place over the ATM’s keypad, to record the victim’s PIN code. ATM skimmers and PIN code recorders can be very difficult to detect before money goes missing from customers’ bank accounts.

War Texting

The term war texting may sound like something that an easily distracted soldier might pause to perform during a lull on the battlefield, it actually refers to the process of hijacking hardware connected to ubiquitous GSM (Global System for Mobile Communications) mobile phone networks.

Surveillance cameras, home automation systems, and cars often depend on GSM telephony for over-the-air firmware updates.

Though GSM makes updating these systems far more convenient, it also leaves them vulnerable to outside attack.

Last year at the Black Hat security conference in Las Vegas, iSec Partners security consultants Don Bailey and Matthew Solnik demonstrated the threat of war texting by unlocking the doors of a Subaru Outback and then starting its engineall remotely.

Bailey said that he and Solnik took about 2 hours to figure out how to intercept wireless messages between the car and the network, and then re-create the messages from his laptop.

Power Pwn

Another looming threat involves rogue chameleon devices treacherous gear that victims fail to spot because it doesn’t look odd or out of place.

power_pwn-11387996Pwnie Express’s Power Pwn incorporates covert wireless transfer capabilities in what looks like a simple surge protector.

The Power Pwn, for example, masquerades as a typical office surge protector, but it conceals some crafty tech.

The Power Pwn was developed by Pwnie Express with funding from DARPA, the Department of Defense’s secretive and experimental research and development wing.

High-gain, extended-range Wi-Fi, 1000-foot-range Bluetooth, and 3G are built into the Power Pwn, which is designed to bypass your network security and firewalls, while maintaining a constant covert connection with the attacker.

The product’s makers, Pwnie Express, say that the Power Pwn is intended as an enterprise test tool for network vulnerabilities, but anyone with $1300 can buy one.

Considering the high value of information on business networks, the Power Pwn’s price hardly guarantees that criminals won’t be able to get their hands on one.

Radio Frequency Identification (RFID)An RFID chip

RFID chips are tiny devices that contain information about the object they are attached to, which may range from an ID card containing personal medical information, to a car-key fob, to your U.S. passport, to a pet, to an electronic door lock, and to a credit card.

220216-rfid_originalThe primary purpose of an RFID chip is to embed digital information in something nondigital, making the object easier to keep track of and communicate with.

Some RFID chips don’t even require a battery; instead, they are powered electromagnetically by a nearby receiver.

But anything that has an associated RFID chip is potentially hackable—and with such chips priced as low as $0.07 each, RFIDs are sure to show up in more and more things inthe future.

Earlier this year at the ShmooCon hacker-centric security conference, security researcher Kirstin Paget demonstrated just how easy RFID-equipped credit cards are to hack.

Using about $350 worth of equipment, Padget wirelessly copied her credit card’s RFID data, cloned it onto a blank card, and then easily made a payment to herself using a Square card reader. Padget described the hack as “embarrassingly simple.”

The ability of a knowledgable person to clone RFID with ease should raise red flags for anyone using the technology for personal data, door locks, or any other form of security.

Global Positioning System (GPS)

What users of the Girls Around Me app saw.GPS in and of itself is a benign technology, but the GPS built into smartphones can be problematic.

girls-around-me-map-11342301App developers use GPS in all kinds of ways beyond simply establishing latitude and longitude coordinates.

For example, apps such as FourSquare rely on GPS to track their users’ social habits and spending habits, and let users share where they are hanging out by “checking in” on the app.

However, location-based app developers often provide their APIs (application programming interfaces) to third parties, increasing the danger of misuse by interested outsiders.

This is precisely what happened in April, with an app called Girls Around Me. Using a combination of FourSquare’s and Facebook’s APIs, the Girls Around Me app displayed for anybody to see the location, pictures, and even names of nearby women.

Perhaps the most disturbing aspect of this situation is that, under existing law, everything the developers of Girls Around Me did in making individual people’s information available to its users was strictly legal.

A level of intrusive data gathering that might raise concerns of stalking if pursued in person in the real world amounted to nothing more than the cleverly directed collection of readily available digital information.

Hackable Insulin Pumps

Jay Radcliffe, director of the Smart Device Threat Intelligence Center and a type 1 diabetic who is always connected to an insulin pump discovered that his Medtronic wireless insulin pump could be hacked and taken over by a rogue signal.

237983-hacksinsulin_listingAn insulin pump.From up to half a mile away, a hacker could assume control of the pump and deliver a deadly dose of insulin to an unsuspecting diabetic. The chances of such a thing happening are exceedingly small, but the potential consequences are dire.

If nothing else, the scenario suggests a plot device in a James Bond movie featuring a ruthless criminal mastermind and an otherwise well-guarded diabetic target.
Though technology does far more good than bad in our lives, it has a dangerous side. Given that more and more of our world is connected through technology, criminals and hackers are virtually certain to find more ways to exploit the technology we depend on in our daily lives.

The best advice is to be aware of your devices’ behavior. If you notice a change, it could be due to hacking. Often, this is how banks discover skimming and credit card fraud.

You can also consult resources such as the FBI’s Scams & Safety website to stay informed and safe from various threats, online and off.

Source: Pc World