WASHINGTON (TheStreet) -- If anything in your home communicates data over a network or to an outside source, it can be hacked.
That's the harsh reality that online security companies such as Symantec (Stock Quote: SYMC) and Houston-based Superior Solutions face, and one that device-centric security firm Mocana is preparing for, in a post-PC world where everyone is wired and every device from a smartphone to the kitchen refrigerator is connected to a network. Even without hackers figuring out how to access every corner of a user's life, cybercrime is becoming a big industry.
A report released by Symantec earlier this month found that cybercrime cost victims $388 billion in time and money last year alone from 431 million people in 24. That number is rising steadily; the 54% of online adults who were victims of computer virus or malware attacks this year is up from 51% last year. Attacks against mobile devices are soaring as well, with Kaspersky Lab finding that 65% more smartphones, tablets and other devices were targeted for malware attacks last year than in 2009. A Mocana survey, meanwhile, found that 64% of professionals at companies including Apple (Stock Quote: AAPL), AT&T (Stock Quote: T), Intel (Stock Quote: INTC), IBM (Stock Quote: IBM) and Microsoft (Stock Quote: MSFT) had an attack on a non-PC device requiring the attention of their IT staff. Another 54% said that attack disrupted the company's network, but 51% said their companies still didn't update security or create patches to protect information on devices.
With the researchers at Germany's University of Ulm discovering that Google Android devices not updated to the latest version of their operating system put calendar data, phone numbers, home addresses and email addresses at risk each time they connect to a network, personal smartphones and tablets are becoming prime targets for hackers. The hacking of Sony's (Stock Quote: SNE) PlayStation Network back in April, the ensuing shutdown and the exposure of nearly 100 million users' information brought the hacking problem home without using a PC, a tablet or even a smartphone to get in.
"If you look at every sector of the economy, it's consumer electronics, it's smart grid and smart energy infrastructure, it's health care and medical devices, it's industrial control, it's aerospace and defense, it's retail and it's transportation logistics," says Adrian Turner, chief executive of Mocana. "All of those markets have or will have connected devices."
We spoke with executives at Mocana and Superior Solutions and found that security flaws on the following items allow as much access for hackers as a lockless door would for a passing burglar:
There's some great, convenient, connected technology out there that makes life in the living room a lot easier. Those devices also make it a lot easier for hackers to get your information, passwords and even money as you use your HDTV to play around on the Internet.
"In the home, you have this whole other phenomenon which is the explosion of phones, tablets and the next big wave, which is Internet-connected TVs," says Adrian Turner, chief executive of Mocana. "According to Moore's Law and the fact that we think in a linear way and don't realize how powerful these computers are getting -- or that $1 worth of computer power today will be worth three cents in five years -- we don't realize that these TVs are as powerful as the computers that were sitting on our desk 10 years ago."
Mocana went out and bought a bunch of the most popular Internet TVs just before the past holiday season and found them wide open to attacks. While most online TV functions are as benign as checking the weather with a Weather Channel app, getting scores through a Fox Sports app or cruising a Netflix (Stock Quote: NFLX) queue, applications such as Amazon (Stock Quote: AMZN) On-Demand pay-per-view that give hackers financial incentive to access your network and steal passwords and other information prove problematic even when secured.
The holes in current Internet TV security are just wide enough to allow hackers to present fake credit card forms to fool consumers into giving up their private information, intercept and redirect Internet traffic that can trick consumers into thinking fake bank and shopping websites are legit, or steal TV manufacturers' digital "corporate credentials" to access a user's search engine, video streaming and photo sharing services.
The Sony hacks hit users through a network, but Internet televisions cut out the middleman entirely if not properly secured. That's upsetting now but could be much more troublesome in 2015, the year television market research group DisplaySearch says 500 million Internet-connected TVs will be sold worldwide.
"There are issues with the majority of customers we work with, and a lot of the problem is implementation," Turner says. "You look at the Sony PS3 incident and that was a well-thought-through, multilayered security model where they made some poor decisions when it came to implementation."
Home security systems
Sure, it's great that you can control your alarms, locks and remote notification through your smartphone and check your security cameras online. Just realize that means hackers can use those same commercial-friendly conveniences against you if they're able to access your home security system.
"People tend to think of these things as very different but they're actually the same from a security perspective," says Turner, whose company also provides security software for video surveillance equipment, security systems and even Honeywell's (Stock Quote: HON) building automation systems. "It's an Internet-connected device, it has a certain processor and operating system and it's that combination of OS and CPU that people looking to break into a system or automated scripts to find devices are looking for."
But how would a hacker get in? If your home is protected through an X10 automation system, for example, the answer lies in the power lines. Last month, two security researchers went to a convention in Vegas and showed off tools they'd created that could tap into the power lines home automation systems use to communicate. From there, hackers could monitor the house lights to see when occupants are away, jam alarm signals, block alerts to police and fire, disable motion sensors or even just overload the system with a flood of commands.
If all of that seems far too complicated for a novice hacker, why not just sneak in through the automatic garage door? This was much easier years ago, when garage door locks used a PIN code set on the remote and garage door control. But even today's newer systems using what's called an IperCODE are fairly easy to get around, as evidenced by the sheer number of hacking products that come up under a simple search engine query for IperCODE.
"While it offers more protection, it too, has been hacked," says Michael Gregg, chief operating officer of Superior Solutions. "There are programs (not in the Apple Store) that can create rolling codes to attempt to pair with the garage door and obtain access."
Once you're in the garage, it gets much easier to access ...
Slim jims, wire hangers, bashed windows? These are the methods cavemen use to break into and steal cars. Today, it's a lot less messy and labor intensive.
"Beyond the TV, we think the car is the next connected platform," Mocana's Turner says. "It is security services, diagnostic services and entertainment services and there's a lot of promise for these systems to communicate with each other."
Five years ago, cybercriminals stole two of soccer superstar David Beckham's BMW X5s by using a laptop and a transmitter to unlock them and activate the ignition. A jammer is placed close to the car and prevents the owner from being able to remotely lock or unlock it while a scanner rolls through all possible codes looking for a match. As there are about 3 billion codes, the 10- to 15-minute process still isn't the most effective way for hackers to break into an automobile.
Given the other, potentially deadlier options, car owners should feel lucky if only their locks and starter are hacked. Car dealerships are more commonly using remote vehicle immobilization systems to cut the ignition or repeatedly honk the horn of cars whose owners aren't paying in a timely fashion. A recently laid off worker at an Austin-area dealership hacked into his former employer's records, began tampering with payment information and disabled 100 cars before the dealership reset all employee passwords and police traced the employee's IP address.
Even that seems like a prank compared with what scientists from the University of California and University of Washington were able to do with cars last year: hack a car's computer through wireless connections similar to General Motors' (Stock Quote: GM) OnStar system, control the car while it was in motion, apply the brakes, selectively brake each wheel to steer and shut down the engine completely. They were also able to shut down the brake and accelerator completely so the driver would have no control whatsoever -- then removed malware once the vehicle had crashed.
"To date, automotive systems have not been widely targeted, primarily because attackers like to go where there is access to money or sensitive data," Superior Solutions' Gregg says. "There's no big monetary prize in attacking such devices. However, many of these products are relying on security by obscurity."
Basically, automakers are just hoping hackers won't spend the time or effort to figure out cars can be hacked through tire pressure monitors, as researchers from Rutgers University and the University of South Carolina discovered last year, or through Bluetooth connections and music files as the same University of Washington and University of California researchers found earlier this year.
"There's a lot of discussion about the car systems and entertainment systems being on separate buses within the car so if someone breaks through via a browser-based or entertainment-based system they won't be able to set off the airbags or muck with the brakes," Mocana's Turner says.
But even hacking your car, cutting the brakes and setting up a potentially fatal crash seems less direct than remotely pulling the plug on ...
Yeah, so that pacemaker that keeps your heart going or that defibrillator that gives grandpa a jolt if his heart stops or that insulin pump that keeps your diabetic sibling stable ... it's all completely hackable.
"These devices also send data to the outside world by means of radio frequency communication which could allow someone to send rogue instructions to an implanted device by intercepting the device's wireless signal and then broadcasting a different signal," Superior Solutions' Gregg says. "When a computer fails, you reboot it, but when a pacemaker fails, someone could die."
He's not kidding and neither researchers, lawmakers nor the Federal Drug Administration are laughing. In June, the FDA stopped treating medical device software updates as accessories that required weeks or months of premarket approval processes and started treating them as patches critical to the safety of patients that need to be released immediately. Just last month, researchers at the Massachusetts Institute of Technology and the University of Massachusetts Amherst proposed a method for jamming foreign signals that could shut down defibrillators and prompted members of the House Energy and Commerce Committee to call for hearings on the safety of said devices.
"What's different about this era of computing is that a lot of these devices are going into critical context and then this data that's moving across them is becoming more valuable, whether you're talking about a handset with enterprise data or a medical device that's in the field," Mocana's Turner says. "Unfortunately, these systems are so porous today that bad things will happen and there will be physical consequences because of the nature of the devices."
At the very least, Turner insists that vulnerability will lead to lawsuits that will lead insurance companies to enact a universal, manufacturer-neutral set of guidelines for securing said devices before they can be insured. In the worst-case scenario, however, a hacker's keyboard just became a deadly weapon.
"While this may seem far-fetched, attackers will always think outside the box," Superior Solutions' Gregg says. "Such attacks could be of interest to terrorists or others looking to target government officials or military leaders."