The security threat Stephen King warned us about?

OFF THE WIRE
By Taylor Armerding
The security threat Stephen King warned us about.....
Remember the film "Maximum Overdrive," where machines took over and went on a murderous rampage? With cars and appliances ever more computerized, such a security threat seems a little less farfetched as we head into 2012.

Most people know that their computers and smart phones are under the constant threat of attack from hackers. But your car? Your house? Your TV and other consumer electronics?
It seems like a take on Stephen King's short story "Trucks" -- where machines come to life and go on a murderous rampage (the movie version was "Maximum Overdrive"). In this case, hackers find security flaws in the computers running our vehicles, appliances and medical devices and wreak havoc.
See the related Salted Hash blog post, "McAfee report reminds me of 'Maximum Overdrive'"
The real threat is far less dramatic, of course. But just a couple years ago, few people were seriously talking about this as a danger that might someday come to pass. As we look to 2012, however, the potential seems a lot less ridiculous, since our electronics increasingly tend to be part of a home network with an IP address -- one that can be controlled by a mobile device.
Some experts in information security believe 2012 will be a year when hackers focus more on those things.
Anup Ghosh, CEO of Invincea, says that, "in the search for more interesting devices to hack, the adversary is going to transition from traditional IT networks to embedded systems, which we normally think of as physical systems -- your car, TVs, your house, your office building. Systems that are networked and run a lot of software will be fertile ground for hackers."
Ghosh says the devices in the house simply become another node on the home network. "The devices will run an operating system kernel of some kind and accept network connections. Hackers will be able to exploit the network interface and software services running on these devices to gain privileged access to these devices. From there, they can launch attacks against other devices, store data, and exfiltrate data off the home network."
Ghosh says researchers from the University of California at San Diego and the University of Washington have already demonstrated how to hack cars through the CD player and Bluetooth interface. He says that makes any number of subsystems in the car vulnerable to exploitation. Hackers could track a vehicle, kill the ignition switch and unlock the doors.
Jason Rouse, principal security consultant at Cigital, says these capabilities are not new.
"Frankly, we've been able to break into a car for a decade," he says. "There is a worm hole attack that lets you unlock a car door just by walking past the driver. But in most cases that's not that interesting to hackers. Their primary goal is to make money."
But he does agree that there is increased danger to cars and appliances because of the convergence of controls for home or car systems with mobile devices.
Indeed, there are television ads showing mom turning the lights on and off in her house from her smart phone while she sits on an airplane waiting to leave the gate.
"You can turn on your car, you can lock or unlock it with your mobile device. That convergence comes with possible consequences," Rouse says.
"You could imagine hackers getting control of a number of vehicles and then selling that list to criminals. They can say where the vehicles are, what their license plates are, and they could unlock them all at the same time."
Rouse says the best thing consumers have going for them is that hackers tend to be lazy. "Most of them don't have the attention span to do something like that."
The primary danger, experts agree, is not to the car or the home itself but to the personal data that lies behind it -- things like passwords, credit card numbers and other information that can then be easily monetized.
When it comes to office buildings, Brenden Williams, global CTO of Marketing at RSA, The Security Division of EMC, says most companies do a good job of identifying physical assets to be secured.
For more on smart building security, see the interactive case study "Protecting Joe's Office"
"We even build security enclaves in the physical world like we might design in an electronic world. Data centers tend to be like vaults, networking closets are like locked file cabinets, and Wi-Fi is like a chain-link fence," he says.
But, he says, the systems that control the locks may not be so secure. "Are they vaulted?" he asks, "or sitting in a locked closet somewhere in an area of the network that might be accessible remotely?"
Those systems should be in a vault as well, he says.
Ghosh says the responsibility for security of home and office systems "falls squarely on the shoulders of the device manufacturers. As these manufacturers network-enable these devices, they must also engineer them for resiliency against cyber attack.
But Rouse says that may be a long time coming.
Home, auto and office systems that can be controlled remotely, "are very sexy," he says. They are sold by charm. Security is an afterthought."

Read more about network security in CSOonline's Network Security section.