

Stuart Garfield
Peiter “Mudge” Zatko says that the security holes in systems — like the T’s CharlieCard pass — haven’t improved since his days as a renowned hacker with L0pht Heavy Industries.
Friday, August 22, 2008
Bay State hackers find security holes in defibrillators, RFID
By Brendan Lynch
Hackers getting a free T pass may be the least of our worries — local hackers-turned-security experts suggest RFID keycards, wireless networks and medical devices implanted in the body are also vulnerable to hacks.
At last week’s Defcon hacker convention in Las Vegas, a team of researchers showed it was possible to get information such as Social Security numbers and medical diagnoses, and change the settings on an implantable defibrillator by impersonating the computer it communicates with wirelessly. By doing so, a hacker could send a fatal shock to a patient’s heart, said William Maisel of the Beth Israel Deaconess Medical Center.
Such devices are becoming more common and are transmitting over greater and greater distances, according to Maisel. Other implantable devices, such as spinal cord stimulators, cochlear implants, insulin pumps and artificial hearts, could be similarly vulnerable to hacking, said Maisel, who was among the Defcon presenters along with Kevin Fu of the University of Massachusetts Amherst.
Infrastructure outside the body may be at risk as well, according to Peiter “Mudge” Zatko, security researcher at BBN Technologies Corp. and former member of 1990s hacker supergroup L0pht Heavy Industries. The increasing ubiquity of unsecured wireless networks gives hackers a means to “sniff” business transactions. Feeds from internal cameras and RFID cards for office entry are also a potential target.
“There’s lots of stuff to play with, and lots of curious folks out there,” Zatko said.
Zatko said laziness and thriftiness combine to create vulnerabilities when companies and organizations roll out new systems.
“What’s the saying? ‘Fast, secure and cheap. Choose one,’ ” he said.
Too easy
There often comes a moment when a hacker “slaps the hand to the head” in disbelief that the target made it so easy, according to Zatko. In the late 1990s, L0pht set its sights on the Massachusetts Turnpike Authority’s then-new RFID-based Fast Lane toll system. L0pht called to order developers’ kits from the supplier, Texas Instruments Inc., and found the company hadn’t yet finished the system’s security component. Fast Lane was up and running with no security. L0pht was able to impersonate drivers or get information from any car using a transponder. “By the time the security came out, we were working on other things,” Zatko said.
Even highway transponder systems with security in place aren’t so secure. Last week, a presentation at another conference, Black Hat, showed California’s FasTrak to be susceptible to the same type of hack L0pht pulled on Fast Lane 10 years ago.
Zatko’s group also hacked the computer terminals in police cruisers, watching communications transmissions go back and forth. He said networks he hacked with L0pht were likely to be even less secure now because security hasn’t improved in the intervening years, and the online presence of companies and organizations has grown larger.
Vulnerabilities in systems such as the CharlieCard aren’t new, but the MIT student hackers sued by the Massachusetts Bay Transportation Authority to prevent their presentation on hacking the T’s CharlieCard fare system showed that it doesn’t take a well-funded nation state to pull off such an attack, but rather “a hundred bucks and eBay,” Zatko said. He also said the trio may have been targeted because of the comical, mocking tone of their presentation.
“It reminds me of the old Abbie Hoffman street theater that inspired me,” he said.
Both Zack Anderson, one of the three MIT students sued by the MBTA, and Zatko said the impulse to crack new technology is nurtured at MIT.
“It’s encouraged by the culture,” Anderson said. “We take things apart and figure them out.”
Anderson said he was happy the court order preventing the presentation at Defcon was thrown out, if frustrated it came a week too late for his group — which included fellow students RJ Ryan and Alessandro Chiesa — to make their presentation. He said MIT, also named in the suit, had been supportive through the ordeal.
Ironically, the T had the infrastructure in place for a secure fare system — if it had made a few minor changes to the software. The T could have prevented a media circus that Anderson said he and his colleagues never intended to start.
“Who would have thought (of this) a few weeks ago?” Anderson said.






