All your devices can be hacked (Avi Rubin)
I’m a computer science professor, and my area of expertise is computer and information security. When I was in graduate school I had the opportunity to overhear my grandmother describing to one of her fellow senior citizens what I did for a living. Apparently I was in charge of making sure that no one stole the computers from the university, and, you know, that’s a perfectly reasonable thing for her to think, because I told her I was working in computer security, and it was interesting to get her perspective. But that’s not the most ridiculous thing I’ve ever heard anyone say about my work. The most ridiculous thing I ever heard is, I was at a dinner party and a woman heard that I work in computer security, and she asked me, she said her computer had been infected by a virus, and she was very concerned that she might get sick from it, that she could get this virus. And I’m not a doctor, but I reassured her that it was very, very unlikely that this would happen, but if she felt more comfortable she could be free to use latex gloves when she was on the computer, and there’d be no harm whatsoever in that. I’m going to get back to this notion of being able to get a virus from your computer in a serious way.
What I’m going to talk to you about today are some hacks, some real-world cyberattacks that people in my community, the academic research community, have performed, which I don’t think most people know about, and I think they’re very interesting and scary. This talk is kind of a greatest hits of the academic security community’s hacks. None of the work is my work; it’s all work that my colleagues have done, and I actually asked them for their slides and incorporated them into this talk.

So the first one I’m going to talk about are implanted medical devices. Now, medical devices have come a long way technologically. You can see in 1926 the first pacemaker was invented; in 1960 the first internal pacemaker was implanted, hopefully a little smaller than that one that you see there, and technology has continued to move forward.
In 2006 we hit an important milestone from the perspective of computer security, and why do I say that? Because that’s when implanted devices inside of people started to have networking capabilities. One thing that brings us close to home: as we look at Dick Cheney’s device, he had a device that pumped blood from an aorta to another part of the heart, and as you could see at the bottom there, it was controlled by a computer controller, and if you ever thought that software reliability was very important, get one of these inside of you.

Now, what a research team did was they got their hands on what’s called an ICD. This is a defibrillator, and this is a device that goes into a person to control their heart rhythm, and these have saved many lives. Well, in order to not have to open up the person every time you want to reprogram their device or do some diagnostics on it, they made the thing be able to communicate wirelessly, and what this research team did is they reverse engineered the wireless protocol, and they built the device you see pictured here, with a little antenna that could talk the protocol to the device and thus control it. In order to make their experience real, they were unable to find any volunteers, and so they went and they got some ground beef and some bacon and they wrapped it all up to about the size of a human being’s area where the device would go, and they stuck the device inside it to perform their experiments somewhat realistically. They launched many, many successful attacks. One that I’ll highlight here is changing the patient’s name. I don’t know why you would want to do that, but I sure wouldn’t want that done to me. And they were able to change therapies, including disabling the device, and this is with a real commercial off-the-shelf device, simply by performing reverse engineering and sending wireless signals to it. There was a piece on NPR that some of these ICDs could actually have their performance disrupted simply by holding a pair of headphones onto them.

Now, wireless and the Internet can improve healthcare greatly. There are several examples up on the screen of situations where doctors are looking to implant devices inside of people, and for all of these devices now it’s standard that they communicate wirelessly, and I think this is great. But without a full understanding of trustworthy computing, and without understanding what attackers can do and the security risks from the beginning, there’s a lot of danger in this.

OK, let me shift gears and show you another target. I’m going to show you a few different targets like this; that’s my talk. So we’ll look at automobiles. This
is a car, and it has a lot of components, a lot of electronics in it today. In fact, it’s got many, many different computers inside of it, more Pentiums than my lab did when I was in college, and they’re connected by a wired network. There’s also a wireless network in the car, which can be reached in many different ways: so there’s Bluetooth, there’s the FM and XM radio, there’s actually Wi-Fi, there are sensors in the wheels that wirelessly communicate the tire pressure to a controller onboard. The modern car is a sophisticated multi-computer device, and what happens if somebody wanted to attack this? Well, that’s what the researchers that I’m going to talk about today did. They basically stuck an attacker on the wired network and on the wireless network. Now they have two areas they can attack. One is short-range wireless, where you can actually communicate with the device from nearby, either through Bluetooth or Wi-Fi, and the other is long range, where you can communicate with the car through the cellular network or through one of the radio stations. Think about it: when a car receives a radio signal, it’s processed by software. That software has to receive and decode the radio signal and then figure out what to do with it, even if it’s just music that it needs to play on the radio, and that software that does that decoding, if it has any bugs in it, could create a vulnerability for somebody to hack the car.

The way that the researchers did this work is they read the software in the computer chips that were in the car, and then they used sophisticated reverse engineering tools to figure out what that software did, and then they found vulnerabilities in that software, and then they built exploits to exploit those. They actually carried out their attack in real life. They bought two cars, and I guess they have better budgets than I do. The first threat model was to see what someone could do if an attacker actually got access to the internal network on the car. OK, so think of it: if someone gets to go to your car, they get to mess around with it and then they leave, and now what kind of trouble are you in? The other threat model is that they contact you in real time over one of the wireless networks, like the cellular or something like that, never having actually gotten physical access to your car. This is what their setup looks like for the first model, where you get to have access to the car. They put a laptop and they connected it to the diagnostic unit on the in-car network, and they did all kinds of silly things, like here’s a picture of the speedometer showing 140 miles an hour when the car’s in park. Once you have control of the car’s computers, you can do anything. Now you might say, OK, that’s silly. Well, what if you make the car always say it’s going 20 miles an hour slower than it’s actually going? You might produce a lot of speeding tickets. Then they went out
to an abandoned airstrip with two cars, the target victim car and the chase car, and they launched a bunch of other attacks. One of the things they were able to do from the chase car was apply the brakes on the other car, simply by hacking the computer. They were able to disable the brakes. They also were able to install malware that wouldn’t kick in and wouldn’t trigger until the car was doing something like going over 20 miles an hour or something like that. The results are astonishing, and when they gave this talk, even though they gave this talk at a conference to a bunch of computer security researchers, everybody was gasping. They were able to take over a bunch of critical computers inside the car: the brakes computer, the lighting computer, the engine, the dash, the radio, etc., and they were able to perform these on real commercial cars that they purchased, using the radio network. They were able to compromise every single one of the pieces of software that controlled every single one of the wireless capabilities of the car. All of these were implemented successfully. How would you steal a car in this model? Well, you compromise the car via a buffer overflow vulnerability in the software or something like that, you use the GPS in the car to locate it, you remotely unlock the doors through the computer that controls that, start the engine, bypass anti-theft, and you’ve got yourself a car. Surveillance was really interesting: the authors of the study have a video where they show themselves taking over a car and then turning on the microphone in the car and listening in on the car while tracking it via GPS on a map, and so that’s something that the drivers of the car would never know was happening. Am I scaring you yet? I’ve got a few more of these interesting ones. These are ones where I went to a conference and my mind was just blown, and I said, I have to share this with other people.
This was Fabian Monrose’s lab at the University of North Carolina, and what they did was something intuitive once you see it, but kind of surprising. They videotaped people on a bus and then they post-processed the video. What you see here in number one is a reflection in somebody’s glasses of the smartphone that they’re typing on. They wrote software to stabilize, even though they were on a bus and maybe someone’s holding their phone at an angle, to stabilize the phone, process it, and, you may know, on your smartphone when you type a password the keys pop out a little bit, and they were able to use that to reconstruct what the person was typing, and had a language model for detecting typing. What was interesting is, by videotaping on a bus, they were able to produce exactly what people on their smartphones were typing, and then they had a surprising result, which is that their software had not only done it for their target, but other people who accidentally happened to be in the picture: they were able to produce what those people had been typing, and that was kind of an accidental artifact of what their software was doing.

I’ll show you two more. One is P25 radios. P25 radios are used by law enforcement and all kinds of government agencies and people in combat to communicate, and there’s an encryption option on these phones. This is what the phone looks like; it’s not really a phone, it’s more of a two-way radio. Motorola makes the most widely used one, and you can see that they’re used by the Secret Service, they’re used in combat; it’s a very, very common standard in the US and elsewhere. So one question the researchers asked themselves is, could you block this thing, right? Could you run a denial of service? Because these are first responders, so would a terrorist organization want to black out the ability of police and fire to communicate at an emergency? They found that there’s this GirlTech device used for texting that happens to operate at the same exact frequency as the P25, and they built what they called "My First Jammer". If you look closely at this device, it’s got a switch for encryption or clear text. Let me advance the slide, and now I’ll go back. You see the difference?
This is plain text; this is encrypted. There’s one little dot that shows up on the screen and one little tiny turn of the switch, and so the researchers asked themselves, I wonder how many times very secure, important, sensitive conversations are happening on these two-way radios where they forget to encrypt and they don’t notice that they didn’t encrypt. So they bought a scanner. These are perfectly legal, and they run at the frequency of the P25, and what they did is they hopped around frequencies and they wrote software to listen in. If they found encrypted communication they stayed on that channel and they wrote down, that’s a channel that these people communicate in, these law enforcement agencies. And they went to 20 metropolitan areas and listened in on conversations that were happening at those frequencies. They found that in every metropolitan area they would capture over 20 minutes a day of clear-text communication, and what kind of things were people talking about? Well, they found the names and information about confidential informants, they found information that was being recorded in wiretaps, a bunch of crimes that were being discussed, sensitive information. It was mostly law enforcement and criminal. They went and reported this to the law enforcement agencies after anonymizing it, and the vulnerability here is simply that the user interface wasn’t good enough. If you’re talking about something really secure and sensitive, it should be really clear to you that this conversation is encrypted. That one’s pretty easy to fix.

The last one I thought was really, really cool, and I just had to show it to you. It’s probably not something that you’re gonna lose sleep over, like the cars or the defibrillators,
but it’s stealing keystrokes. Now, we’ve all looked at smartphones upside down; every security expert wants to hack a smartphone, and we tend to look at the USB port, the GPS for tracking, the camera, the microphone, but no one up till this point had looked at the accelerometer. The accelerometer is the thing that determines the vertical orientation of the smartphone, and so they had a simple setup. They put a smartphone next to a keyboard and they had people type, and then their goal was to use the vibrations that were created by typing to measure the change in the accelerometer reading to determine what the person had been typing. Now, when they tried this on an iPhone 3GS, this is a graph of the perturbations that were created by the typing, and you can see that it’s very difficult to tell when somebody was typing or what they were typing, but the iPhone 4 greatly improved the accelerometer, and so the same measurement produced this graph. Now that gave you a lot of information while someone was typing, and what they did then is used advanced artificial intelligence techniques called machine learning to have a training phase. And so they got, most likely, grad students to type in a whole lot of things, and to learn, to have the system use the machine learning tools that were available to learn what it is that the people were typing and to match that up with the measurements in the accelerometer. And then there’s the attack phase, where you get somebody to type something in, you don’t know what it was, but you use your model that you created in the training phase to figure out what they were typing. They had pretty good success. This is an article from the USA Today; they typed in, "The Illinois Supreme Court has ruled that Rahm Emanuel is eligible to run for mayor of Chicago" (see, I tied into the last talk) "and ordered him to stay on the ballot." Now the system is interesting, because it produced "Illinois Supreme" and then it wasn’t sure; the model produced a bunch of options, and this is the beauty of some of the AI techniques, is that computers are good at some things, humans are good at other things, take the best of both. Let the humans solve this one, don’t waste computer cycles; a human’s not going to think it’s "the Supreme might", it’s "the Supreme Court", right? And so together we’re able to reproduce typing simply by measuring the accelerometer. Why does this matter? Well, in
the Android platform, for example, the developers have a manifest where every device, the microphone, etc., has to be registered if you’re going to use it, so that hackers can’t take it over, but nobody controls the accelerometer. So what’s the point? You can leave your iPhone next to someone’s keyboard and just leave the room and then later recover what they did, even without using the microphone. If someone is able to put malware on your iPhone, they could then maybe get the typing that you do whenever you put your iPhone next to your keyboard.

There are several other notable attacks that unfortunately I don’t have time to go into, but the one that I wanted to point out was a group from the University of Michigan, which was able to take voting machines, the Sequoia AVC Edge DREs that were going to be used in New Jersey in the election, that were left in a hallway, and put Pac-Man on it, so they ran the Pac-Man game.

What does this all mean? Well, I think that society tends to adopt technology really quickly. I love the next coolest gadget, but it’s very important, and these researchers are showing that the developers of these things need to take security into account from the very beginning, and need to realize that they may have a threat model, but the attackers may not be nice enough to limit themselves to that threat model, and so you need to think outside of the box. What we can do is be aware that devices can be compromised, and anything that has software in it is going to be vulnerable; it’s going to have bugs. Thank you very much.
[Applause]
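Editor’s added example (not part of the talk, and not code or data from the accelerometer study the speaker describes): a small, self-contained sketch of the training phase, attack phase and dictionary step the speaker outlines for keystroke recovery from a phone’s accelerometer. Everything in it is an assumption made for illustration: the keyboard layout, the sensor model (the phone cannot tell keys apart, only whether a key is on the left or right half of the keyboard and whether two consecutive keys are near or far apart), the six-word dictionary, and the readings, which are constructed rather than captured from a real device.

```python
"""Keystroke recovery from a nearby phone's accelerometer, sketched as a
training phase, an attack phase and a dictionary step.

Constructed example: the keyboard layout, the sensor model, the dictionary
and every reading below are assumptions made for illustration, not data or
code from the talk or from the published work.

Assumed sensor model: the accelerometer cannot resolve individual keys. For
each pair of consecutive keystrokes it yields three noisy numbers:
  lat_a, lat_b  lateral tilt of each impact, negative for keys on the left
                half of the keyboard and positive for the right half
  gap           how different the two impacts look, growing with the
                physical distance between the two keys
The coarse label recovered from a reading is (side_a, side_b, near_or_far).
"""
import math

ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}
NEAR_THRESHOLD = 2.5  # key-grid distance below which a pair counts as "near"

# Assumed dictionary for the attack phase (a real attack would use a word list).
DICTIONARY = ["court", "might", "mayor", "ruled", "rouse", "tours"]


def side(ch):
    return "L" if KEY_POS[ch][1] < 5 else "R"


def key_distance(a, b):
    (ra, ca), (rb, cb) = KEY_POS[a], KEY_POS[b]
    return math.hypot(ra - rb, ca - cb)


def pair_feature(a, b):
    """Ground-truth coarse label for the keystroke pair (a, b)."""
    return (side(a), side(b), "N" if key_distance(a, b) < NEAR_THRESHOLD else "F")


def word_profile(word):
    """Sequence of coarse labels a word produces when typed."""
    return [pair_feature(a, b) for a, b in zip(word, word[1:])]


def synth_reading(a, b, jitter=0.0):
    """Synthetic sensor reading for the pair (a, b) under the assumed model."""
    lat = {"L": -1.0, "R": 1.0}
    return (lat[side(a)] + jitter, lat[side(b)] - jitter, key_distance(a, b) + jitter)


def train():
    """Training phase: one labelled reading for every ordered key pair, as if
    a volunteer had typed every pair while the phone sat beside the keyboard."""
    keys = list(KEY_POS)
    return [(synth_reading(a, b), pair_feature(a, b)) for a in keys for b in keys]


def classify(reading, model, k=3):
    """k-nearest-neighbour vote over the labelled training readings."""
    nearest = sorted(model, key=lambda sample: math.dist(reading, sample[0]))[:k]
    votes = {}
    for _, label in nearest:
        votes[label] = votes.get(label, 0) + 1
    return max(votes, key=votes.get)


def rank_words(profile, dictionary):
    """Dictionary step: words of the right length, ordered by how many coarse
    labels disagree with the observed profile (0 means a perfect match)."""
    scored = []
    for word in dictionary:
        if len(word) == len(profile) + 1:
            mismatches = sum(p != q for p, q in zip(word_profile(word), profile))
            scored.append((mismatches, word))
    return sorted(scored)


def recover(readings, model, dictionary=DICTIONARY):
    """Attack phase: classify each reading, then rank dictionary candidates."""
    return rank_words([classify(r, model) for r in readings], dictionary)


if __name__ == "__main__":
    model = train()
    # Constructed attack readings: the victim types "court"; each pair reading
    # carries 0.2 of jitter to stand in for sensor noise.
    secret = "court"
    readings = [synth_reading(a, b, jitter=0.2) for a, b in zip(secret, secret[1:])]
    for mismatches, word in recover(readings, model):
        print(mismatches, word)
```

Run as a script, the four words "court", "rouse", "ruled" and "tours" all score zero mismatches: under the assumed sensor model their keystroke pairs produce identical left/right and near/far patterns, so the sensor alone cannot separate them, which is exactly the point at which the speaker’s human (or a language model over the surrounding words, "Supreme ..." in the talk) takes over; "might" and "mayor" disagree at every position and drop to the bottom.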