As everything becomes connected to the Net, everything becomes vulnerable to remote access…even if it’s of a malicious or destructive nature: Witness, the smart toilet hack.
Cybersecurity outfit Trustwave released an alert the other day for the Satis automatic toilet from Inax, a smart toilet that’s outfitted with the sorts of sanitary bells and whistles that are more commonly known in Japan. The toilet can be controlled by a user’s smartphone via a Bluetooth connection, and it’s this point of access that’s open to malicious hackers.
The Satis hardware’s Bluetooth port is hard coded in the app and the toilet unit with the access PIN code “0000.” That means anyone could observe the stray signals from a Satis unit within the range of a typical Bluetooth connection, download the “My Satis” app for their Android device and then pair it with the toilet. That would give them direct access to functions like flushing, turning on and off the bidet or air-blow systems or open and close the lid.
Silly as this sounds, if a toilet suddenly began flapping its lid up and down or making noises in the middle of the night the unexpecting user could have a shock and worry about the causes. It’s not beyond the pale to imagine that repeated events like this could cause distress and possible costs when the user attempts to get the unit “fixed.” But there’s a more disturbing exploit in this case–repeated flushing of the cistern could actually end up with the toilet’s owner facing a large water services bill, perhaps even a painfully large one if the flushing happens for a long undetected period.
Though in this case the exploit requires local access to the device, and we know that access is king, the hack nevertheless demonstrates that as more and more of our devices get connected to the Net they become vulnerable. An overly-flushed toilet could simply be a surprise and cost the users a few extra dollars, but the same could not be said for every household device.
We’re increasingly used to headlines such as “Big company X hacked, user data may have been accessed,” followed by some handwringing about identity theft or stolen credit cards and so on. These headlines are a consequence of the fact that today pretty much every company uses the Net in its processes somehow, and that there are real benefits (or possibly just really malicious fun) for those who hack into them. But fresh news of successful hacking of cars is a whole different kettle of fish. It reminds us with the Internet of things slowly bursting into existence around the world, it’s inevitable that hacking is going to blossom simultaneously. Everything may soon be hackable.
At the Def Con conference this week Charlie Miller and Chris Valasek are going to be showing their work in the form of a 100-page white paper that documents the successful hacking of a Toyota Prius and a Ford Escape–research that was carried out beneficently and with government research cash. The pair have managed to interfere with a Prius’s systems to make it brake when traveling at 80 miles an hour, affect its steering or causing the engine to accelerate. The Escape hacks included disabling the brakes at low speeds, meaning the driver would have to stop the car by other means.
Miller and Valasek of course managed their hacks via a physical connection to their target cars’ systems–and as we all know access is key, because if you have access you can probably penetrate the system. This defuses some of the nightmarish possibilities of this news. But only for now. More and more car systems are becoming smart, typically integrating the entertainment system with a navigation system and offering the chance to hook up a smartphone or tablet to the system to provide content or GPS directions.
These devices, of course, offer a penetration point for hackers. A malicious hacker with enough intent may be able to piggyback a hack onto the normal smartphone-car communications, possibly even accessing the smartphone wirelessly. Once into the entertainment system it’s plausible they may be able to access the car’s other systems. It’s absolutely not been demonstrated in connection with Miller and Valasek’s hack, but that doesn’t mean it’s impossible.
The other car hack in the news adds a different, worrying color to the idea. A British university researcher has been barred from publishing research that shows how easy it is to hack the security system of cars like Porches and Lamborghinis. The judge, apparently under pressure from the car makers, argued that the Megamos Crypto system needed to be protected from exploits by malicious hackers, even though the original research was a white hat hack and demonstrated the car companies used weak security. If cracking car security is this easy, perhaps the car industry needs to hire more developers with security expertise.
But it’s not just cars: This weekend we’ve also seen news that the popular communications app Viber has been hacked for the second time in a week, and the company blames Apple for leaving a security loophole open. In this case the hack disrupted the company’s operations and didn’t access user data, but the precedent is clearly set: A more malicious hack achieved via the same loophole could lead to all sorts of trouble for the company’s 200 million users. The same could be said for any app, and it’s at this point you have to remember that people increasingly rely on services like Viber to run their lives–and real financial or perhaps physical damage may occur.
And then there’s the Internet of things. Every day there’s one article or another talking about the networking of some hitherto un-networked device. Even Belkin, manufacturer of endless computer peripheral tech, is in on the act with its WeMo domotics system that demonstrates how consumer-grade this tech has become now. How long until a malicious hack exploits a flaw in a future WeMo-like device, turns on someone’s oven while they’re not in their home and burns the property to the ground? How easy would it be to hack a smartphone-centric electronic door entry system, or even just to meddle with someone’s Nest thermostat so that they run up enormous energy bills?
The Miller and Valasek hack may be an unlikely hack for just a couple of cars, but it has a hugely important lesson for developers everywhere: Assume everything you write could be hacked and end up hurting someone. Even if all you’re selling is a simple smartphone app–secure systems that protect user’s data and access to what may be critical services are an absolute must. If you can salt it, hash it, encrypt it, and lock down access points then you should–without cutting any corners.
[Image: Flickr user Christopher Chen]