I suppose that thus far in my editorial career newsletters have proven to be my primary medium, though website content development and management is rapidly catching up. If I’m counting correctly I have served as editor for seven different newsletters and consulted on the development of at least one other.
I have signed an NDA with my latest newsletter client, and thus cannot just post the newsletter here, nor even disclose the client’s name. However, these stories from recent issues don’t give anything away:
Planes, Trains & Automobiles Vulnerable to Hacking!
How’s this for scary? You’re driving along the highway in your new Jeep Cherokee at about 70 m.p.h. when the air vents start blasting maximum chilled air, the radio switches on and begins blaring Kanye West at full volume, and then the windshield wipers start wiping…all without you touching a control knob. And then the accelerator stops working, making your Jeep slow to a crawl while the r.p.m.s continue to climb. You regain control of the car after turning the ignition on and then off, but then, after getting moving again, the brakes fail to engage and you roll out-of-control into a ditch.
Yep, scary. And not only scary but also true: this is what a test driver went through earlier this summer when computer security researchers successfully took control of a Jeep by hacking into its entertainment system via the Fiat Chrysler mobile data network, “Uconnect.” During this test hack the researchers also proved that they could abruptly engage the brakes, kill the engine while it was running at lower speeds, and take control of steering when the car is in reverse. The researchers, who are perfecting their ability to take complete control of the steering, also showed that they can take control of the vehicle from anywhere in the country and remotely keep track of its location.
That test hack led Fiat Chrysler on July 24 to issue a safety recall of 1.4 million of its vehicles in the U.S. to install upgrades in the software of affected vehicles. Following the recall, the National Highway Traffic Safety Administration issued a memo warning that an estimated 2.8 million Harman International car audio systems installed primarily in Mercedes-Benz, BMW, Subaru and Volvo vehicles could be vulnerable to a similar style of hack. Meanwhile, Senators Ed Markey and Richard Blumenthal have introduced legislation designed to establish new digital security standards for the automobile industry.
With so many “Internet-connected” automobiles apparently vulnerable to hacking, it raises the question: what other vehicles that rely on onboard computer systems and wireless/Internet communication might be at risk?
Airplanes? Yep, the friendly skies might certainly turn scary if a hacker gets control of an aircraft’s onboard computers, which, according to the U.S. General Accounting Office (GAO), is a distinct possibility. According to an April 14 GAO report, “FAA Needs a More Comprehensive Approach to Address Cybersecurity as Agency Transitions to NextGen,” it is theoretically possible for someone with just a laptop to implant a virus into flight control computers, take over the warning or navigation systems, or even commandeer an aircraft.
Noting that the nation is currently upgrading its air traffic control system to use Internet-based technology on both ground systems and in the air, the report concludes that avionics are definitely at risk. “Modern communications technologies, including IP connectivity, are increasingly used in aircraft systems, creating the possibility that unauthorized individuals might access and compromise aircraft avionics systems,” according to the report. While the report does not specifically diagram potential hacks, and notes that someone would have to bypass a firewall between the Wi-Fi system and the rest of the plane’s electronics, “because firewalls are software components, they could be hacked like any other software and circumvented.”
In response to the GAO report, the acting Federal Aviation Administration’s (FAA) assistant secretary for administration, Keith Washington, said the agency has “already initiated a comprehensive program to improve the cybersecurity defences of the National Airspace System infrastructure, as well as other FAA-mission-critical systems. We are significantly increasing our collaboration and coordination with cyber intelligence and security organizations across the federal government and in the private sector.”
We trust that the FAA has pushed this onto the priority list, as a security expert claimed that same month that he had been able to successfully take control of a plane in flight via its onboard entertainment system, and in June, Poland’s LOT airline grounded 10 flights due to a cyberattack that temporarily paralyzed the airline’s on-the-ground systems.
Trains? Trains do not appear to have been on the radars of potential hackers, perhaps due to their perception as a low-tech form of transportation. But as the world’s rail systems get more technical and rail components make more use of digital technologies, they too could become subject to more interest. While we have not heard of any successful cyberattacks against U.S. rail systems, a suspected attack against a northwest rail company in 2011 made clear that railway systems were vulnerable to such attacks.
In a memo determining that the incident was not a cyber attack, the Transportation Safety Administration noted that the incident highlights how railway supervisory control and data acquisition (SCADA) systems are at risk. A cyber security expert who examined the incident determined that it proved that all elements of SCADA are vulnerable, including switches, signals, crossing lights, transformers, engine monitors, and sensors. More recently, the United Kingdom’s rail system was warned by cyber security experts earlier this year that a planned upgrade to its digital signalling system could make its trains vulnerable to remote hacking, hijacking and crashing.
Remote hacking, hijacking and crashing! Apparently not just in the movies anymore.
Is No One Safe?
An American teenager has reportedly hacked into the personal email accounts of the U.S. spy chief and the head of U.S. security. The teenager and his accomplices, who go by the moniker “Crackas With Attitude (CWA),” contacted the New York Post and Wired Magazine in mid-October to gloat about their exploits and provide evidence of their successful hack.
The hackers reportedly used “social engineering” tactics to trick Verizon employees into giving them personal information about U.S. Central Intelligence Agency (CIA) Director John Brennan, and then used this information to gain access into the director’s private AOL account. CWA also claimed that it gained access to Department of Homeland Security Secretary Jeh Johnson’s private Comcast account.
Among sensitive documents accessed by the hackers were Brennan’s “SF-86” application that the director had filed to obtain top-secret security clearance. Brennan’s account held sensitive documents because he had made the mistake of forwarding them from his work email. Other documents accessed included a spreadsheet of names and social security numbers of intelligence officials and a letter from the Senate regarding its demands that the CIA halt harsh interrogation techniques.
CWA told the New York Post and Wired that they had access to Brennan’s account for three days, and that the director reset his password three different times to regain control of his account, but that they would then “re-jack it.” The hackers then called the director on his mobile phone and advised him that he had been hacked.
In describing the phone call, CWA told Wired that when Brennan asked what the hackers wanted they replied, “two-trillion dollars…just joking.”
“How much do you really want?” Brennan, according to CWA, replied.
“We just want Palestine to be free and for you to stop killing innocent people,” CWA said it responded, at which point Brennan hung up.
The CIA director’s private account has been disabled, and the FBI and other federal agencies are investigating. Details about the scope of the Homeland Security secretary’s hack have not emerged, though CWA did provide the Post with screenshots of the account’s billing pages.
A law enforcement source told the Post that “I think they’ll want to make an example of [CWA] to deter people from doing this in the future.” Noting that it’s hard to believe CWA had the nerve to hack the head of the CIA, the source added that the “problem with these older-generation guys is that they don’t know anything about cybersecurity.”