Late July 2016 roundup

Here are a few news stories that caught my interest lately. Maybe one of them will be good for a story.

Internet-connected cameras are a terrible idea

These devices seem like a great idea. You use one like a security camera, but it’s connected to the internet and has a web interface, so that you can log on to it from anywhere to download footage or pictures.

Unfortunately many devices like this don’t get much attention from the manufacturer after production. It turns out that lots of these cameras all have the same remotely-exploitable command injection vulnerability. So it’s not hard to use one or more of these cameras to perform distributed denial-of-service attacks on other targets. These cameras also have a common signature which makes them fairly easy to locate in things like the Shodan search engine.

A SANS infosec article about this points out that people install these devices on the same networks where they have servers hosting sensitive resources. So it’s not a stretch to imagine your main character using Shodan to find vulnerable cameras on a target network and using the cameras to attack the target’s web servers.

Turn your head and cough

Medical devices can have a similar problem. A hospital buys an X-ray machine, and it’s really expensive and mission-critical (it’s in the business of saving lives, after all), so no one wants to mess with it. The hospital just wants to install it and have it run perfectly forever.

But over time vulnerabilities creep in that neither the manufacturer nor the hospital wants to take the risk of patching, because who wants to stick a patient in an MRI machine only to find that the control system stopped working after running an update last night? As a result some of these medical devices are riddled with malware that crooks can use to attack riper targets. Does your character want to hack a hospital to get at patient data he can use for identity theft? It might not be that hard.

Grand theft auto

Here’s an article with video of someone using a laptop to steal a 2010 Jeep Wrangler. It’s not clear what the person is doing, but a policeman quoted in the article speculates that the thief used the laptop to persuade the car’s computer to recognize a key fob the thief had with him. It’s probably just a matter of time until that technique is possible with a phone. “There’s an app for that.”

And as if on cue, Fiat Chrysler is running a bug bounty to pay people to find and report security problems in cars’ computer systems.


Author: carl

A web programmer and Linux system administrator who would like to be a writer.