KRWG

Street Lights, Security Systems And Sewers? They're Hackable, Too

Mar 4, 2013
Originally published on March 4, 2013 4:05 pm

Allegations that the Chinese military has been hacking U.S. corporations are raising tensions. But in the case of a full-fledged cyberwar, things would look very different.

"Our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems," President Obama said in his State of the Union address last month.

And cyberattacks could go beyond company computer servers and advanced information technology.

Whether you know it or not, you are surrounded by a network of machines that are talking to each other. For example, downtown San Francisco's California Street is a potential target for a cyberattack.

Hacking Into Infrastructure

"It may not be easy to recognize, but almost everything around you in that area is Internet capable," says Don Bailey, CEO of Capitol Hill Consultants, a cybersecurity firm in San Francisco.

He says street lights and building security systems are controlled remotely and monitored over the Internet.

Bailey is currently working for the Defense Advanced Research Projects Agency, better known as DARPA, mapping out security holes in these kinds of systems.

But in the past, Bailey hacked into new cars using a cellphone network. He says modern sewers are also hackable. This is possible because over the past decade, the Internet and the mobile phone network have been layered on top of all kinds of technologies that weren't built with security in mind, he says.

Everyone wants connectivity and control, and that means connecting all kinds of systems, switches and machines to the Internet that were never designed to live online — devices that are fundamentally insecure.

Can Be Fixed, But Not Easily

"Sometimes that can't be patched," says Tiffany Rad, a security researcher. "It needs to be removed and replaced. And that's not an easy task to do."

She says insecure industrial switches have been built into oil pipelines, power plants and even prison doors. These switches are programmable, so they can be set to turn off if the pressure in a pipe gets too high or too low. A generation ago, switches like this weren't designed to be connected to the Internet.

"So when you see systems that are legacy like this, some of them 30 years old, it's a very hard proposition when you tell someone who is running these facilities, 'Take them offline; we got to fix this; replace that,' " Rad says.

The Vulnerabilities

A couple of years ago, she and some friends demonstrated that built-in vulnerabilities made it possible to hack open cell doors in federal prisons.

"If we wanted to unlock the prison doors, we could do that," Rad says. They could also trick the guards into thinking that the doors were still closed and locked while in reality they weren't.

Rad didn't bust anyone out of jail, but she proved the attack was possible and let officials know. One reason prisons were vulnerable was their Internet-connected control rooms.

"I'm not convinced it would take a nation-state and a bunch of funding to do something like this," says Dillon Beresford, a cybersecurity consultant at Cimation based in Texas.

A few years ago, he duplicated some of the most novel aspects of what's probably the most famous cyberwarfare attack in history — Stuxnet. That's the virus that caused Iran's nuclear centrifuges to spin out of control.

"When I looked at Stuxnet, I saw techniques that were being used, you know, back in the ... early 2000[s], late '90s by people in the hacking community," Beresford says.

He began looking into the vulnerabilities of the technology in his spare time.

"And what I found, at least for me, was surprisingly shocking," he says. "There were a lot of trivial bugs that could be exploited."

Switching Hacking Off?

Writing those exploits took Beresford just a few weeks and cost a few thousand dollars. Rad's team, which hacked prison doors, only had four members and a tiny budget.

Beresford says many engineers who rely on automated industrial switches now realize how vulnerable they are.

"Pretty much at this point, they're just waiting for something to happen," he says.

In the past year, close to 200 cyberattacks on critical infrastructure were reported to the Department of Homeland Security.

Today, switches made by Siemens and GE are built into infrastructure all over the world. Parts made in China end up in the U.S.

Beresford says just talking about cyberwarfare probably doesn't help. "We should be working together to solve some of these problems," he says.

He believes the only way to make all of us safer is through a type of public hacking diplomacy.

When Beresford finds a bug in a system, he says he discloses it and pushes manufacturers to find a fix. Ultimately, he hopes this kind of research will make cyberwarfare harder to wage.


AUDIE CORNISH, HOST:

Moving on now to a less light-hearted topic in tech - cyberattacks. Recently we heard allegations about the Chinese military hacking into U.S. corporations. And during his State of the Union Address last month, President Obama had this warning.

PRESIDENT BARACK OBAMA: Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems.

CORNISH: So what would a full-fledged cyberwar look like? NPR's Steve Henn tried to imagine it.

STEVE HENN, BYLINE: Whether you know it or not, you're surrounded by a network of machines that are talking to each other. Right now, I'm standing on California Street, downtown San Francisco.

DON BAILEY: It may not be easy to recognize but almost everything around you in that area is Internet capable. The streetlights are outfitted with machine-to-machine technology to remotely control them. The vehicles driving down the street, even security systems for office buildings, they're remotely controlled and monitored over the Internet.

HENN: That's Don Bailey. He runs a cybersecurity firm called Capitol Hill Consultants. Right now, Bailey is working for DARPA, the Defense Department's Advanced Projects Research Agency. He's mapping out security holes in these kinds of connected systems. But in the past, Bailey has hacked into new cars using the cell phone network. He says even modern sewers could be hackable.

And a lot of this stuff is possible. Because over the last decade, the Internet and the mobile phone network have been layered on top of all kinds of technologies that were not built with security in mind.

BAILEY: It's true. We're seeing a major change in the way technology is deployed.

HENN: Everyone wants connectivity and control and that means connecting all kinds of systems - switches and machines to the Internet - that were never designed to live online; devices that are fundamentally insecure.

TIFFANY RAD: Sometimes that can't be patched.

HENN: Tiffany Rad is a security researcher who works for a defense contractor in Columbia, Maryland. She says insecure industrial switches have been built into oil pipelines, power plants, even prison. These switches are programmable so you can set them to say turn off the pressure in a pipe, if it gets too high or too low. But a generation ago, switches like this weren't designed to be connected online.

RAD: So when you see systems that are legacy like this, some of them 30 years old, it's a very hard proposition when you tell someone who's running these facilities: Take them off-line we got to fix this, replace that.

HENN: A couple years ago, she and some friends demonstrated that built-in vulnerabilities made it possible to hack open cell doors in federal prisons.

RAD: If we wanted to unlock the prison doors, we could do that. And what we're also able to show is if the doors were unlocked and they were open, the guards would - it would show on their computer screen that they actually were still closed and locked.

HENN: Now, Rad didn't bust anyone out of jail, but she did prove this kind of attack was possible and let officials know. One reason prisons were vulnerable is that their control rooms were connected to the Internet.

DILLON BERESFORD: I'm not convinced it would take a nation-state and a bunch of funding to do something like this.

HENN: Dillon Beresford is a cybersecurity consultant based in Texas. A couple years ago, working by himself, he duplicated some of the most novel aspects of what's probably the most famous cyberwarfare attack in history: Stuxnet. That's the virus that caused Iran's nuclear centrifuges to spin out of control.

BERESFORD: I guess, when I looked at Stuxnet, I saw techniques that were being used back in the late - you know, early 2000, late '90s. I mean, like people in the hacking community.

HENN: So he thought...

BERESFORD: Why not look at these controllers, right, in my own spare time and see if I can find some vulnerabilities. And what I found - at least for me was surprisingly shocking. I mean, there were a lot of trivial bugs that could be exploited.

HENN: Writing those exploits took Beresford just a couple of weeks and cost just a few thousand dollars. Tiffany Rad's team - which hacked prison doors - had just four people and a tiny budget. Beresford says, many engineers who rely on these kinds of automated industrial switches now realize how vulnerable they are.

BERESFORD: They're pretty much at this point, they're just waiting for something to happen.

HENN: In the past year, close to 200 cyberattacks on critical infrastructure have been reported to the Department of Homeland Security. But Beresford says talking about cyberwar probably doesn't help. Today, switches made by Siemens and GE are built into infrastructure all over the world. Parts made in China can end up here.

BERESFORD: We should be working together to solve some of these problems.

HENN: He believes the only way to make all of us safer is through a kind of public hacking diplomacy. When Beresford finds a bug in a system, he says he discloses it and pushes manufacturers to find a fix. He's helped plug holes in the U.S., and in China, and all over the world. And ultimately, he hopes this kind of research will make cyberwarfare harder to wage.

Steve Henn, NPR News, Silicon Valley. Transcript provided by NPR, Copyright NPR.