Seems all devices can be hacked!

Reply

  #1  
Old 12-04-12, 06:15 PM
Member
Thread Starter
Join Date: Jan 2011
Location: United States
Posts: 2,446
Seems all devices can be hacked!

I just saw this video from Avast security that came as an informational video and it opened my eyes. As I understand it all kinds of devices can be hacked from pace makers,cars,to phones besides just your computer. Not much anyone can do except just be careful but it was interesting enough that I thought I would post a link to the video so others could see it too. Here is the link Avi Rubin: All your devices can be hacked | Video on TED.com .
 
Sponsored Links
  #2  
Old 12-05-12, 07:25 AM
Member
Join Date: Oct 2010
Location: USA
Posts: 563
Anything that can communicate is potentially vulnerable to being told to do something that it doesn't normally do.

Anything that can communicate that has software running on it, even if it's more firmware than software, can be given instructions to possibly do something else specific.

Anything that can communicate and has reprogrammable EPROM chips can possibly have those chips reflashed to new instructions entirely.

Programmers simply do not think about security. Often the task to "hack" a device requires some ability with communications protocols beyond the average nefarious person, but if someone knows those protocols they can possibly find a way to influence or take control of a device. That's referred to as "security through obscurity" and is not the recommended model, as once the obscurity part is gone (and the Internet helps in propagating that knowledge) the security is also gone.
 
  #3  
Old 12-05-12, 06:44 PM
Member
Join Date: Jan 2008
Location: Southeastern Pennsylvania
Posts: 2,938
Programmers simply do not think about security.
They do when the NSA makes them.LOL

Very interesting video.

Some code cannot be reversed engineered because the machine code resides in systems guarded by guys with big guns! LOL. And the source code also resides inside safes inside buildings with guys that also have big guns.LOL
 
  #4  
Old 12-05-12, 06:54 PM
Member
Thread Starter
Join Date: Jan 2011
Location: United States
Posts: 2,446
Now that I think about it I remember hackers being invited to try to hack into certain systems. Not the bad guy hacker but the ones with the white hats. They do that just to test certain systems and I am glad they do. I also thank Avast for providing the video as everyone should be informed about this.
 
  #5  
Old 12-06-12, 06:49 AM
Forum Topic Moderator
Join Date: Sep 2005
Location: USA
Posts: 4,501
Likes Received: 6
I think this is good information, but I think a lot of it is scare tactics too. If most people considered how easy it was for a thief to break into their house, they wouldn't be happy.

Locked myself out of my house once, it took a locksmith about 10 seconds (and $80) to pick the lock. It probably would have taken him 30 seconds if the deadbolt was locked too. Of course, I didn't want to have to fix a broken window either.

I completely agree that companies should be working harder to secure their systems, even more so for life-safety devices. But unfortunately they will always be hackable by someone who's determined enough.
 
  #6  
Old 12-06-12, 10:04 AM
Member
Join Date: Jan 2008
Location: Southeastern Pennsylvania
Posts: 2,938
Often the task to "hack" a device requires some ability with communications protocols beyond the average nefarious person, but if someone knows those protocols they can possibly find a way to influence or take control of a device.
IMHO I think the above point made by T-W-X is very important. Sometimes (or I guess most times?) the comm. protocols that become standard have defects (I guess you would call them defects?) which can be exploited if you really know the details. And as T-W-X says those details are public and are available on the internet.

I worked on systems that had proprietary comm. protocols and an outsider could never obtain the code to find out the details. But I guess of course one can always eavesdrop and make inferences about what’s going on inside and look for weaknesses in that manner.
 
  #7  
Old 12-06-12, 11:23 AM
Member
Join Date: Jan 2008
Location: Southeastern Pennsylvania
Posts: 2,938
I thought maybe you guys would get a kick out of this, but when we talk of reverse engineering I guess we always picture the bad guys doing their thing. But I several times had to do reverse engineering on the stuff we developed. You know why? Because we lost the source code!! (Oh my!!)

Not really funny as these were taxpayer funded projects. But it does happen.
 
  #8  
Old 12-06-12, 08:13 PM
Member
Join Date: Oct 2010
Location: USA
Posts: 563
One of the most common remote exploits is called a buffer overflow. When a programmer writes code, they define variables based on the size of the information that the variable is expected to contain. So, if a programmer expects to use whole numbers through 100, they'll define the smallest variable that can handle the range.

Sometimes, if someone transmits data that exceeds the size of the variable, the software receiving the garbage data will fail out and allow the attacker to execute arbitrary code or commands to the remote system, usually to widen the hole to make using that system easier for the attacker. There are ways to protect against this, by not running server software in a Sysop-level account, by sandboxing the software so it can't talk to the rest of the system without itself using a network socket, and the like, but in little or specialized devices this kind of security might not be implemented.
 
  #9  
Old 12-07-12, 11:08 AM
Member
Join Date: Jan 2008
Location: Southeastern Pennsylvania
Posts: 2,938
One of the most common remote exploits is called a buffer overflow. When a programmer writes code, they define variables based on the size of the information that the variable is expected to contain. So, if a programmer expects to use whole numbers through 100, they'll define the smallest variable that can handle the range.

I agree. That’s called type checking and it is implemented by compilers (in some languages) by adding code for run time that checks the information that’s going to be moved into a variable when the program is running. So for example, if you declare a variable “RoomFahrenheitTemp” with a range 10-130, which is the entire temperature range that your application should ever see, and at run time you try to move, say for example, the number 315 into that variable, the error checking code will force your program to your predefined error path.

Here is where so many mistakes are made. Error handling IMHO and in my experience is the most neglected area in software. Unless you have a strong detailed requirements specification, some programmers do a very poor job of error handing. Some to the point of even ignoring the error. In fact, it’s hard to tell whether they intentionally ignored the error or never expected that type of error to occur in the first place.

It shouldn’t happen but programmers by default sometimes get to make their own private decision about how the system should handle errors. IMHO not good. As pointed out when security is involved it can be a disaster!

 
Reply

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Thread Tools
Search this Thread
Display Modes