A demo at Black Hat next week will remotely hack a car alarm, unlock the doors and start the vehicle, but that's just a parlor trick to call attention to a bigger problem that has the Department of Homeland Security on alert.
The same type of exploit could just as easily knock out power grids and water supplies, says Don Bailey, a security consultant with iSec Partners, which is presenting the research at the conference in Las Vegas.
The common thread is that the car alarm and certain devices on critical infrastructure networks are all connected to public phone networks in ways that are fairly simple to compromise, he says. That could enable unauthorized remote manipulation of supervisory control and data acquisition (SCADA) systems and potentially endanger assets like public utilities. "Now I can make your water undrinkable," says Bailey. "That's scary."
Black Hat notifies Homeland Security if research being presented could offer tools to terrorists, Bailey says, and he has briefed DHS on his talk with the aim of warning vendors about the vulnerabilities so they can close them.
Bailey and his fellow researchers took a look at devices that are attached to phone networks for the purpose of receiving control messages and discovered two types. Then they figured out how to distinguish these devices from all the less interesting devices connected to phone networks such as phones, modems and faxes.
By following clues in owner's manuals or with a little reverse engineering of some hardware, they were able to send control messages to individual devices. He says they were able to compromise the car alarm in about two hours.
He says he won't reveal the names of makers of vulnerable products, but that his team and the DHS are spreading the word to them so the threat can be minimized.
The devices in question are attached to phone networks to directly receive messages at specific phone numbers, via SMS or over IP networks. If they are controlled over IP networks, customers that own the devices access them via a network set up by the manufacturer of the product, he says.
He was able to tap into those networks by buying one of the devices and monitoring its output to determine how it called home, then use that type of message to access and give control messages to other similar devices, he says.
The problem is that these devices don't ensure confidentiality of the control messages being sent back and forth to the devices. A fix would be to integrate security into the development of the software controlling the devices, he says. It seems the firmware for the devices was designed for functionality but not security, leaving them vulnerable.
"We're not doing rocket science here," Bailey says about the hacks of the devices. "I shouldn't have been able to take that car alarm and own it in less than two hours."