Current Weather
The Spy FM

Street Lights, Security Systems And Sewers? They’re Hackable, Too

Filed by KOSU News in US News.
March 4, 2013

Allegations that the Chinese military has been hacking U.S. corporations are raising tensions. But in the case of a full-fledged cyberwar, things would look very different.

“Our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems,” President Obama said in his State of the Union address last month.

And cyberattacks could go beyond company computer servers and advanced information technology.

Whether you know it or not, you are surrounded by a network of machines that are talking to each other. For example, downtown San Francisco’s California Street is a potential target for a cyberattack.

Hacking Into Infrastructure

“It may not be easy to recognize, but almost everything around you in that area is Internet capable,” says Don Bailey, CEO of Capitol Hill Consultants, a cybersecurity firm in San Francisco.

He says street lights and building security systems are controlled remotely and monitored over the Internet.

Bailey is currently working for the Defense Advanced Research Projects Agency, better known as DARPA, mapping out security holes in these kinds of systems.

But in the past, Bailey hacked into new cars using a cellphone network. He says modern sewers are also hackable. This is possible because over the past decade, the Internet and the mobile phone network have been layered on top of all kinds of technologies that weren’t built with security in mind, he says.

Everyone wants connectivity and control, and that means connecting all kinds of systems, switches and machines to the Internet that were never designed to live online — devices that are fundamentally insecure.

Can Be Fixed, But Not Easily

“Sometimes that can’t be patched,” says Tiffany Rad, a security researcher. “It needs to be removed and replaced. And that’s not an easy task to do.”

She says insecure industrial switches have been built into oil pipelines, power plants and even prison doors. These switches are programmable, so they can be set to turn off if the pressure in a pipe gets too high or too low. A generation ago, switches like this weren’t designed to be connected to the Internet.

“So when you see systems that are legacy like this, some of them 30 years old, it’s a very hard proposition when you tell someone who is running these facilities, ‘Take them offline; we got to fix this; replace that,’ ” Rad says.

The Vulnerabilities

A couple of years ago, she and some friends demonstrated that built-in vulnerabilities made it possible to hack open cell doors in federal prisons.

“If we wanted to unlock the prison doors, we could do that,” Rad says. They could also trick the guards into thinking that the doors were still closed and locked while in reality they weren’t.

Rad didn’t bust anyone out of jail, but she proved the attack was possible and let officials know. One reason prisons were vulnerable was their Internet-connected control rooms.

“I’m not convinced it would take a nation-state and a bunch of funding to do something like this,” says Dillon Beresford, a cybersecurity consultant based in Texas.

A few years ago, he duplicated some of the most novel aspects of what’s probably the most famous cyberwarfare attack in history — Stuxnet. That’s the virus that caused Iran’s nuclear centrifuges to spin out of control.

“When I looked at Stuxnet, I saw techniques that were being used, you know, back in the … early 2000[s], late ’90s by people in the hacking community,” Beresford says.

He began looking into the vulnerabilities of the technology in his spare time.

“And what I found, at least for me, was surprisingly shocking,” he says. “There were a lot of trivial bugs that could be exploited.”

Switching Hacking Off?

Writing those exploits took Beresford just a few weeks and cost a few thousand dollars. Rad’s team, which hacked prison doors, only had four members and a tiny budget.

Beresford says many engineers who rely on automated industrial switches now realize how vulnerable they are.

“Pretty much at this point, they’re just waiting for something to happen,” he says.

In the past year, close to 200 cyberattacks on critical infrastructure were reported to the Department of Homeland Security.

Today, switches made by Siemens and GE are built into infrastructure all over the world. Parts made in China end up in the U.S.

Beresford says just talking about cyberwarfare probably doesn’t help. “We should be working together to solve some of these problems,” he says.

He believes the only way to make all of us safer is through a type of public hacking diplomacy.

When Beresford finds a bug in a system, he says he discloses it and pushes manufacturers to find a fix. Ultimately, he hopes this kind of research will make cyberwarfare harder to wage. [Copyright 2013 NPR]

Leave a Reply

12PM to 1PM Fresh Air

Fresh Air

This one-hour program features Terry Gross' in-depth interviews with prominent cultural and entertainment figures, as well as distinguished experts on current affairs and news.

Listen Live Now!

1PM to 2PM Talk of the Nation

Talk of the Nation

Journalist Neal Conan leads a productive exchange of ideas and opinions on the issues that dominate the news landscape.

View the program guide!

2PM to 3PM PRI's The World

PRI's The World

Get a fresh perspective of people, events and trends that shape our world. Host Lisa Mullins covers a wide range of topics, including science, business, technology, sports, art and music.

View the program guide!

Upcoming Events in your area (Submit your event today!)

Streaming audio and podcasts

Stream KOSU on your smartphone

Phone Streaming

SmartPhone listening options on this page are intended for many iPhones, Blackberries, etc. with low-cost software applications available to listen to our full-time web streams, both News on KOSU-1 and Classical on KOSU-2.

Learn more about our complete range of streaming services

We're perfecting the patient experience - Stillwater Medical Center