It Only Takes Seconds to Hack an ATM… Are Our Cars Just as Vulnerable?
The More Complex the System the More Vulnerable it is to Attack and Human Error
In 2010, a charming New Zealander named Barnaby Jack took the stage at Black Hat, a hacker conference held annually in Las Vegas. To his right stood two automated teller machines, cash machines identical to those found in bars and corner stores the world over. Jack, a security researcher, had spent years exploring the small computers inside ATMs. Until recently, manufacturers had tended to equate ATM security with physical protections, taking steps like storing cash inside a safe and bolting down machines. But with a few clicks of his computer mouse, Jack was about to demonstrate how fragile the ATMs’ security was. He was about to show a room full of hackers how to get rich quick.
The crowd listened intently as Jack sketched out the technical details in a PowerPoint presentation. Then the fun began. To attack the first ATM, Jack wrote a program to hack into it remotely. Though the machine still functioned like a normal ATM and would let customers withdraw cash, it also saved a record of their card numbers and let Jack download them.
He also created a backdoor, a hidden way to access the system. When he walked over to the machine, inserted a fake ATM card, and pushed a button, the machine began dispensing bills indiscriminately—without linking the withdrawal to any bank account.
He then turned to a second ATM and plugged a USB memory stick into the computer at the heart of the machine. The computer loaded his program, displayed the word “JACKPOT!!” in flashing letters on the screen, and blared catchy slot machine music as it dumped bills onto the floor. The crowd erupted in cheers.
But Jack, hailed as a genius by his peers, didn’t break into ATMs to steal money. He was a “white hat” hacker—he broke into systems to help make them more secure. Before going public, he would turn his results over to manufacturers so they could fix the problems he found.
But not all hackers are so friendly. A few weeks before Christmas in 2013, hackers stole 40 million credit card numbers from shoppers at Target, one of the world’s largest retailers. They used credentials stolen from a heating contractor to enter Target’s computer network and break into cash registers in nearly 18 hundred stores. They installed software on the registers to monitor every transaction and steal customers’ credit card information.
We don’t usually think of cash registers as computers. But, like ATMs, that’s essentially what they are. Target’s registers were connected parts of a large complex system, so once hackers found a vulnerability, they were able to exploit it in every store. When Target announced that it had been hacked, its sales fell sharply and, within months, its CEO resigned.
It was an embarrassing fiasco, but hacked cash registers don’t put lives at risk. A hacked car, on the other hand, is a different story.
*
Whatever happens, don’t panic.
Andy Greenberg was driving down the highway at 70 miles per hour when the accelerator in his 2014 Jeep Cherokee stopped working. He stomped on the gas, but nothing happened. As the Jeep slowed to a crawl in the right lane and tractor trailers whizzed past him, he shouted into his cell phone, “I need the accelerator to work. Seriously, it’s fucking dangerous. I need to move!” But the Jeep’s stereo had been turned up to full blast, and the hackers on the other end of the phone couldn’t hear him over the blaring hip-hop.
Don’t panic.
The good news was that Greenberg was in the Jeep to write a magazine story, and the hackers weren’t trying to hurt him. Greenberg writes about technology and security for Wired. The two hackers, Charlie Miller and Chris Valasek, sat miles away in Miller’s living room. They laughed as Greenberg struggled with the ailing Jeep. After years of research, the pair had figured out how to use the Jeep’s cellular internet connection to attack computers inside the car. Those computers controlled everything from the windshield wipers to the speedometer and brakes. Greenberg was now their test subject. They were attacking his transmission.
Two years earlier, the pair had invited Greenberg to sit behind the wheel of a different car they’d hacked. Back then, their attacks required a data cable connecting their laptop to the car’s internal network. Sitting in the back seat, they shifted the car into automatic parking mode, made its steering wheel jerk uncontrollably, and disabled the brakes. When the two released details of these attacks at the 2013 Black Hat conference, auto manufacturers downplayed the threat. After all, the hackers needed a physical connection to the car.
But Miller and Valasek eventually figured out how to attack cars remotely. The two-ton Jeep sported a state-of-the-art entertainment system that controlled everything from the radio to the car’s navigation and air-conditioning. It also connected to the internet and ran applications that searched for cheap gas and displayed reviews of nearby restaurants.
That connection allowed Miller and Valasek to hack the Jeep from Miller’s sofa. First, they figured out how to access the entertainment system through the cellular network. They then used it as a foothold to access the car’s other 30-odd computers. At high speeds, they could disable the transmission. At low speeds, they could cut off the brakes and take control of the steering.
Greenberg pulled off at the next exit ramp and restarted the Jeep. He had expected the harmless demonstrations the pair had shown him years earlier. But this time was different. The hackers weren’t in the back seat. And they didn’t know there was no place for him to pull off the highway when they killed the transmission.
Despite the scare, it was a great story for Greenberg. Three days after Wired published his account, Chrysler acknowledged the security flaw, issued a recall of 1.4 million vehicles, and sent owners a USB drive they could plug into their dashboard to update the software and close the backdoor. But there are always more vulnerabilities: just a few months later, Miller and Valasek figured out how to take control of steering, cause unintended acceleration, and slam on the brakes—all at high speeds.
“The real threat,” Greenberg explained, “comes from malicious actors that connect things together. They use a chain of bugs to jump from one system to the next until they achieve full code execution.” In other words, they exploit complexity: they use the connections in the system to move from the software that controls the radio and GPS to the computers that run the car itself. “As cars add more features,” Greenberg told us, “there are more opportunities for abuse.” And there will be more features: in driverless cars, computers will control everything, and some models might not even have a steering wheel or brake pedal.
It’s not just cars, ATMs, and cash registers that are vulnerable. After his presentation in Las Vegas, Barnaby Jack turned his attention to medical devices. Using an antenna and a laptop, he built a device that could hack into insulin pumps from hundreds of feet away. He could take control of the pump and inject the entire reserve of insulin, with potentially lethal results. His hack even disabled the vibration that normally warned of impending injection.
Jack also hacked implantable defibrillators. He figured out how to control these pacemaker-like devices remotely and deliver an 830-volt shock to a patient’s heart. The attack showed up in the television series Homeland, when terrorists hacked the fictional vice president’s pacemaker to assassinate him. Critics called the plot far-fetched. But Jack thought the show actually made the attack seem too difficult. Others took the threat seriously, too. Years before Homeland aired, Vice President Dick Cheney had his cardiologist disable the wireless functionality in Cheney’s implanted device to avoid just such an attack.
This transformation of cars and pacemakers from offline devices into complex, connected machines is nothing short of revolutionary. And it’s just the tip of the iceberg. From jet engines to home thermostats, billions of new devices are now part of a network often called the Internet of Things, a huge, complex system vulnerable to both accidents and attacks.
Several manufacturers, for example, already make “smart” washers and dryers that connect wirelessly to the internet. These appliances do clever things, like automatically reordering detergent and monitoring the cost of electricity to run only when rates are low. So far, so good. But think about the risks. If our smart dryer has a security flaw, hackers might be able to access it remotely, reprogram the software to overheat the motor, and cause a fire. If even just a thousand homes in a medium-size city had a vulnerable dryer, a hacker could wreak havoc.
The Internet of Things offers us a sort of Faustian bargain. On the one hand, it can allow us to do more—travel in driverless cars, increase engine reliability on airplanes, and save energy in our homes. On the other hand, it creates a path for hackers to do harm in the real world.
But attacks on cars, ATMs, and cash registers are just symptoms of a broader problem. Even without hackers, increasing complexity makes modern systems vulnerable to surprising failures. In recent years, for example, computer glitches grounded fleets of airlines around the world, caused a Wall Street firm to lose half a billion dollars in just half an hour, and led to the accidental release of more than 3,000 prisoners in Washington State. And in early 2018, the combination of a poorly designed emergency warning system and a human error triggered a false missile alert and stirred panic across Hawaii.
We’re living in an age of meltdowns. The nature of our systems has changed, but our ability to manage them hasn’t caught up. The good news is that people in a variety of fields—from social scientists and NASA engineers to mountaineering guides and ER doctors—are finding better ways to design our systems, organize our teams, and think about these challenges. We can all learn from them.
__________________________________
From Meltdown: Why Our Systems Fail and What We Can Do About It. Used with permission of Penguin Press. Copyright © 2018 by Chris Clearfield and András Tilcsik.