They launched many, many successful attacks. One that I’ll highlight here is changing the patient’s name. I don’t know why you’d want to do that, but I sure wouldn’t want that done to me. And they were able to change therapies, including disabling the device — and this is with a real, commercial, off-the-shelf device — simply by performing reverse engineering and sending wireless signals to it. There was a piece on NPR that some of these ICDs could actually have their performance disrupted simply by holding a pair of headphones onto them.
Now, wireless and the Internet can improve health care greatly. There are several examples up on the screen of situations where doctors are looking to implant devices inside of people, and all of these devices now, it’s standard that they communicate wirelessly, and I think this is great, but without a full understanding of trustworthy computing, and without understanding what attackers can do and the security risks from the beginning, there’s a lot of danger in this.
Let me shift gears and show you another target. I am going to show you a few different targets like this, and that’s my talk.
So we’ll look at automobiles. This is a car, and it has a lot of components, a lot of electronics in it today. In fact, it’s got many, many different computers inside of it, more Pentiums than my lab did when I was in college, and they’re connected by a wired network.
There’s also a wireless network in the car, which can be reached from many different ways. So there’s Bluetooth, there’s the FM and XM radio, there’s actually Wi-Fi, there are sensors in the wheels that wirelessly communicate the tire pressure to a controller on board. The modern car is a sophisticated multicomputer device.
And what happens if somebody wanted to attack this? Well, that’s what the researchers that I’m going to talk about today did. They basically stuck an attacker on the wired network and on the wireless network. Now they have two areas they can attack: one is short-range wireless, where you can actually communicate with the device from nearby, either through Bluetooth or Wi-Fi, and the other is long-range, where you can communicate with the car through the cellular network, or through one of the radio stations.
Think about it. When a car receives a radio signal, it’s processed by software. That software has to receive and decode the radio signal, and then figure out what to do with it, even if it’s just music that it needs to play on the radio, and that software that does that decoding, if it has any bugs in it, could create a vulnerability for somebody to hack the car. The way that the researchers did this work is they read the software in the computer chips that were in the car, and then they used sophisticated reverse engineering tools to figure out what that software did, and then they found vulnerabilities in that software, and then they built exploits to exploit those.
They actually carried out their attack in real life. They bought two cars, and I guess they have better budgets than I do. The first threat model was to see what someone could do if an attacker actually got access to the internal network on the car. OK. So think of that as: someone gets to go to your car, they get to mess around with it, and then they leave, and now, what kind of trouble are you in?
The other threat model is that they contact you in real time over one of the wireless networks like the cellular, or something like that, never having actually gotten physical access to your car. This is what their setup looks like for the first model, where you get to have access to the car. They put a laptop, and they connected to the diagnostic unit on the in-car network, and they did all kinds of silly things, like here’s the picture of the speedometer showing 140 mph when the car’s in park.
Once you have control of the car’s computers, you can do anything. Then you might say, “OK, that’s silly.” Well, what if you make the car always say it’s going 20 mph slower than it’s actually going? You might produce a lot of speeding tickets.
Then they went out to an abandoned airstrip with two cars, the target victim car and the chase car, and they launched a bunch of other attacks. One of the things they were able to do from the chase car is apply the brakes on the other car, simply by hacking the computer. They were able to disable the brakes. They also were able to install malware that wouldn’t kick in and wouldn’t trigger until the car was doing something like going over 20 miles an hour, or something like that.
The results are astonishing, and when they gave this talk, even though they gave this talk at a conference to a bunch of computer security researchers, everybody was gasping. They were able to take over a bunch of critical computers inside the car: the brakes computer, the lighting computer, the engine, the dash, the radio, et cetera, and they were able to perform these on real commercial cars that they purchased using the radio network. They were able to compromise every single one of the pieces of software that controlled every single one of the wireless capabilities of the car. All of these were implemented successfully.