New tech, new bugs, new headaches
When you think of security vulnerabilities, the first thing that likely comes to your mind are flaws in Windows or apps like Adobe Reader that let hackers wreak havoc on your PC. But computers are everywhere these days, and with more computers come more security headaches.
Join us as we look at ten hacks and vulnerabilities that take threats to the next level. Somehow, things have gotten even crazier since our last look at shocking security exploits.
Hackers crack the car
In-car navigation and infotainment systems can deeply improve the driving experience, but they can also open up your car to security issues that you might never have imagined.
Case in point: In July, security researchers Charlie Miller and Chris Valasek managed to control a Jeep Cherokee’s acceleration and braking—among other things—via the Internet. The pair exploited a vulnerability in the Jeep’s Uconnect in-dash infotainment system, and used a smartphone to remotely brake the car while it was being driven.
The hack took Miller and Valasek three years of work to pull off. The fact that someone could take control of a car through a hole in the infotainment system is worrisome, though, and the hack was serious enough that Fiat Chrysler recalled 1.4 million vulnerable vehicles.
Hacked electric skateboard makes riders eat pavement
But the automobile isn’t the only mode of transportation that is potentially vulnerable to hacking. In early August, researchers Richo Healy and Mike Ryan demonstrated how they could remotely control an electric skateboard by exploiting the unsecured Bluetooth connection between the board and the remote used to control it.
In their demonstration, which they fittingly named FacePlant, Healy and Ryan used a laptop to seize control of a Boosted electric skateboard, abruptly stopping it, then sending the board in reverse. The rider would go flying off the board as a result, ending up with a serious case of road rash.
Realistically, you probably don’t have to worry too much about becoming the victim of a hacked electric skateboard, but Healy and Ryan’s research should serve as a wakeup call to makers of electric skateboards, scooters, and bicycles.
Malware gets into your BIOS
When you think of malware, you probably think of viruses, spyware, and trojans that infect your PC at the OS level. But there’s a whole class of emerging malware that targets your PC’s underlying firmware.
A piece of malware called badBIOS doesn't just infect a PC’s BIOS—it's also nearly impossible to completely eradicate. According to researchers, badBIOS can persist on your system, even if you flash your BIOS. As a result, traditional detection and removal methods are useless against badBIOS.
Because malware that targets firmware sidesteps the operating system, pretty much any PC may be vulnerable, even if you run an OS for which very little malware exists. Last month, for example, researchers showed how malware can attack the EFI firmware that Apple uses on Macs.
Malware that uses sound to jump air gaps
BadBIOS had one other sinister trick up its sleeve: Although the malware spreads via infected USB flash drives, researchers believed that it communicates with other infected computers via high-frequency audio signals.Researchers say that it’s only one of several possible ways malware could communicate with other infected machines without the aid of a network connection.
When good flash drives go bad
Malware delivered on flash drives via infected files isn’t new, and it’s a problem that you can mitigate by exercising caution and using a good antivirus package. But when the flash drive itself is malicious, well, all bets are off.
BadUSB, a toolkit put out by a pair of security researchers last fall, shows how flash drives can be modified for nefarious purposes. Using attacks like BadUSB, a prospective malware distributor could modify the firmware on the flash drive itself to fool a PC into thinking the flash drive is a different kind of device.
For example, as IDG News Service's Lucian Constantin explained, “a USB thumb drive connected to a computer can automatically switch its profile to a keyboard—and send keystrokes to download and install malware—or emulate the profile of a network controller to hijack DNS settings.”
USB Killer kills PCs dead
Of course, BadUSB isn’t all a malicious flash drive can do—one could potentially fry your PC.
USB Killer is a proof-of-concept attack in which an attacker would modify a flash drive’s hardware so that it would deliver an electrical shock to your PC instead of data. The modified USB drive would cause an electrical-current feedback loop of sorts: Eventually, the electrical current would become strong enough—and reach a high-enough voltage—to toast your PC’s innards.
WireLurker takes aim at Macs, iPhones
When it comes to mobile malware, the iPhone has been left mostly unscathed. That doesn’t mean iOS isn’t vulnerable to attack, though. Last fall, an attack making the rounds in China dubbed WireLurker used infected OS X apps to deliver malware that swiped personal data—like call logs and contacts—from both jailbroken and unmodified iPhones alike.
Once WireLurker got onto your Mac, it would wait for you to connect an iPhone to your computer via USB. If it detected a jailbroken iPhone, it would look for specific apps for jailbroken phones and replace them with infected versions. On non-jailbroken phones, it would deliver its payload using a feature that allows companies to install custom apps on their employees’ iPhones.
Apple wasted no time and blocked WireLurker shortly after researchers uncovered the malware attacks.
Your GPU: A future malware target?
Back in March, a group of developers created a malware proof-of-concept called JellyFish that demonstrated how malware could potentially run on a PC’s graphics processor.
While JellyFish was but an example to show to the security world how such an attack might work, malware like it could prove especially potent, because it can be readily adapted to attack machines running WIndows, Linux, or OS X.
GPU-hosted malware would also be more difficult for antivirus software to detect, though a recent report from McAfee indicates that security software may—may—be able to detect it after all. Here’s hoping.
Tech makes for a home security headache
An Internet-connected video camera seems like a good idea in theory—after all, being able to check in on your home while you’re away can enhance your peace of mind. But security researchers have shown that so-called connected home devices often contain issues that could allow an attacker to compromise your privacy or security.
In February, security firm Synack released a study on the issue. As our Paul Lilly reported at the time, Synack’s research revealed “a long list of issues, including open ports, built-in backdoors, and lack of encryption.” Just this month, researchers managed to hack into nine different Internet-connected baby monitors—a terrifying prospect for any parent.
If an attacker finds a way to remotely control a connected home device on your network, they could potentially use it as a way to intercept personal information (such as usernames and passwords) from computers on your home network.
Computers and guns don’t mix
TrackingPoint makes a series of sensor-packed computer-assisted rifles that can make you a more accurate shot. At this year’s DEFCON and Black Hat conferences in Las Vegas, security researchers Runa Sandvik and Michael Auger demonstrated how one of TrackingPoint’s rifles can be hacked.
The pair exploited a flaw in the gun's systems via its built-in Wi-Fi access point, to redirect shots away from the intended target—and potentially toward something or someone else.
TrackingPoint responded to the hack, saying, “Since your gun does not have the ability to connect to the Internet, the gun can only be compromised if the hacker is actually physically with you. You can continue to use Wi-Fi (to download photos or connect to ShotView) if you are confident no hackers are within 100 feet.”