There’s going to be a lot of this

A hacker set off all 156 emergency sirens in Dallas which wailed for 90 minutes overnight.

The hacker tricked the system into sending repeated signals 60 times from 11.42 pm until 1.17am on Saturday morning.

Rocky Vaz, director of the city’s Office of Emergency Management said the hacker was from Dallas, USA Today reported.

However, the culprit has yet to be found.

The hacker created havoc in the city. The sirens are normally used to warn of severe weather, such as tornadoes.

I am so not looking forward to the internet of things. Because absolutely no fucker is ever going to secure these things, are they?

So, you’ll be able to wi-fi the toaster to start up when the alarm goes off. And instead it will have been making coffee for some spotty teenager in Minsk all night.

31 comments on “There’s going to be a lot of this”

  1. Sorry, Tim, i’d like to comment but am too busy watching the HK 7s live.

    Teams that even the best RL players couldn’t live with, topped by the incomparable Dan Norton.

    Currently watching Kenya v Russia.

  2. Well,

    We’ve hopefully got a research project about to kick off into how we can enable the consumer to check their IoT devices and update those that can be updated.

    There is plenty of high-end programmable IoT functionality in the crowd-funded hobbyist end of the market, and things like the Nest, Alexa, Apple TV have very significant extendability.

    The point is (intended to be) how can we make that easily available to the Philips Hue / “I just bought it in Tesco” sector of the market? Hopefully the answer isn’t “we can’t”. It might be a bit of govt pressure on the big manufacturers (pressure – not regulation or legislation.) It might be a bit of accelerator funding for startups. An MSc student may just write a simple app*. Dunno, yet.

    * Nah, too complicated an ecosystem. Several MSc students, however …

  3. I think we can thank the mischievous brats over at 4Chan for the sirens thing which they’ve been winding people up with for the last few days.

  4. For those unfamiliar with the Fourth Age of Sand:

    There was a guy, a computer research student at Carnegie Mellon, who liked to drink Dr Pepper Light. There was a drinks machine a couple of storeys away from him, where he used to regularly go and get his Dr Pepper, but the machine was often out of stock, so he had quite a few wasted journeys.

    Eventually he figured out, ‘Hang on, there’s a chip in there and I’m on a computer and there’s a network running around the building, so why don’t I just put the drinks machine on the network, then I can poll it from my terminal whenever I want and tell if I’m going to have a wasted journey or not?’

    So he connected the machine to the local network, but the local net was part of the Internet – so suddenly anyone in the world could see what was happening with this drinks machine.

    Now that may not be vital information but it turned out to be curiously fascinating; everyone started to know what was happening with the drinks machine. It began to develop, because the chip in the machine didn’t just say, ‘The slot which has Dr Pepper Light is empty’ but had all sorts of information; it said, ‘There are 7 Cokes and 3 Diet Cokes, the temperature they are stored at is this and the last time they were loaded was that’.

    There was a lot of information in there, and there was one really fabulous piece of information: it turned out that if someone had put their 50 cents in and not pressed the button, i.e. if the machine was pregnant, then you could, from your computer terminal wherever you were in the world, log on to the drinks machine and drop that can! Somebody could be walking down the corridor when suddenly, ‘bang!’ – there was a Coca-Cola can! What caused that? – well obviously somebody 5,000 miles away!

    Now that was a very, very silly, but fascinating, story and what it said to me was that this was the first time that we could reach back into the world. It may not be terribly important that from 5,000 miles away you can reach into a University corridor and drop a Coca-Cola can but it’s the first shot in the war of bringing to us a whole new way of communicating. So that, I think, is the fourth age of sand.

    http://www.biota.org/people/douglasadams/

  5. By the time the IoT becomes that ubiquitous spotty kids will have got bored with messing about with toasters and will have moved on to other things, probably involving sex robots.

    So the only people who need to worry are those who have pissed off petty egomaniacs who bear grudges. Ah, I see your problem, Tim.

  6. You can just imagine the news stories…

    “Police say yesterday’s massive terrorist attack on the UK’s National Grid, which has blacked out swathes of the country, was performed by three teenagers causing every internet connected oven, immersion heater and fridge compressor in Britain to switch itself on and off randomly for 20 minutes…”

  7. These things can be made secure. The question is why they are not. There are lots of reasons, including that crypto is hard; it’s expensive (and therefore likely to be assigned a low priority by managers); the asymmetry in resources between the device manufacturers and the intruders. Sadly this is one area where we are probably going to need legislation and/or market punishment along the lines of a pharmaceutical company going bust and the managers jailed after knowingly putting out a drug that kills people. Because sooner or later, people are going to die.

  8. Police say yesterday’s massive terrorist attack on the UK’s National Grid, which has blacked out swathes of the country, was performed by three teenagers causing every internet connected oven, immersion heater and fridge compressor in Britain to switch itself on and off randomly for 20 minutes

    This is one of the reasons that I refused a smart meter.

  9. What will we call it when the internet locks up permanently because it is jammed with an exponentially-increasing number of firmware and app updates for an exponentially-increasing series of devices, all being delivered at exponentially short time intervals?

    Bearing in mind that those apps stop working if they don’t get their latest update fix right now, I propose: Toastmageddon.

  10. “director of the city’s Office of Emergency Management said the hacker was from Dallas”: then he’s a liar.

    He can’t possibly know where the hacker lives. As Wikileaks showed for anyone who doubted it, it’s dead easy for hackers to hide their locations and drop fake hints to somewhere else.

  11. to echo BiCR – there’s no difference between securing an IoT device and a server, so just ignore the MSM outlook on this. They run computers with TCP/IP stacks that can handle HTTP/HTTPS. You can secure them. I have done this. We send data out to thousands of machines. These machines require authentication.

    The biggest problem is bad security policy. I’m not even talking about hiring the best security ninjas, but just following some good rules that almost anyone can do. Most security breaches are the equivalent of someone leaving a door unlocked or the key under the mat by the backdoor, not someone picking the lock.

  12. along the lines of a pharmaceutical company going bust and the managers jailed after knowingly putting out a drug that kills people.

    Put the FDA shits in jail, first.

  13. BTW that Douglas Adams story just doesn’t ring true. I kinda get the point of it, that we can control things elsewhere, but untrue examples create bad thinking.

    The speech is in 1998. At that time, ethernet wasn’t that common. Hell, internet wasn’t that common and especially not in small devices. They were calling home around then, but my guess back then is that it would have been a 34K modem dialling back over the phone network. Partly because the vending company would have wanted a standard machine. One that could work anywhere. And also without any dependency. A lot of these sorts of machines use mobile phone technology just because it’s without dependency and can be put anywhere. These aren’t “college” machines. They’re owned by a vending company.

    On top of that, I seriously doubt that anyone ever put a “vend” action that could be triggered remotely without any sort of security.

    And all of this assumes things like no-one is ever going to the machine to report on the coin box. Even if everything else is true, that machine would empty fast, at which point someone would be called to restock it and check the coin box and wonder why it’s got a huge discrepancy.

    Unless someone can name the student at C-M, I don’t believe this.

  14. to echo BiCR – there’s no difference between securing an IoT device and a server, so just ignore the MSM outlook on this.

    In theory, your theory is perfect. In practice, your practice is appalling. There are a number of relevant issues – power, bandwidth, processor, RAM and complexity. Yes, I have a Linux server that is smaller than a £2 coin. But I’m a geek. Also, frankly, securing (and keeping secure) a server requires regular attention from a skilled technician. Who are rare and relatively expensive resources that probably will never be able to be wasted on a remotely dimmable light bulb.

    It may not be terribly important that from 5,000 miles away you can reach into a University corridor and drop a Coca-Cola can but it’s the first shot in the war of bringing to us a whole new way of communicating.

    An acquaintance rattled a space weight Standard Block II in the VLS of his previous ship, deployed in the Persian Gulf, from his BOQ at the US Navy War College. This was a few years ago. It resulted in a few critical software changes (as well as shifting the War College BOQs off the military network!)

  15. there’s no difference between securing an IoT device and a server

    One big difference I see is that (mostly) a server needs incoming, whereas an ordinary client device does not.

    Hence, at the most simplistic level, basic firewall rules (deny all) can protect a client device in a way that by implication they can’t necessarily do (so effectively) for a server?

  16. Surreptitious Evil,

    But you’re only maintaining 1 copy of the software. Test that and you then roll it to the 100, 1000, million copies of the hardware.

    And yes, power etc is a problem, but most of the IoT compromises aren’t because of those restrictions but cost restrictions. No-one’s hacked a Nest or those Philips bulbs.

  17. PF,

    The stuff I work on is like that. The machine is calling in every few minutes to ask for instructions and sending things in. They don’t receive requests. And that’s for that reason. But other use cases may require it.

    I’m really puzzled by this story. Like, how did a hacker find the IP addresses of these sirens in the first place? Did they get into the main server and find the data of what to call or get them from a list or what? Seems awfully “needle in a haystack”. My “Occam’s Razor” of a bunch of alarms all going off together is that someone changed the software and made a faux pas.

  18. SE: it’s not that every IoT device needs a DevOps guy to configure it, it’s that apparently the device manufacturers think it’s acceptable to pay a bunch of cretins in Bangalore $2 an hour to litter their TCP stack with calls to strcpy(). The software engineering practices of even the big name brands like Samsung are utterly diabolical. Unless and until they are made to suffer financially and legally they will not change their behaviour.

    BiW: here’s an experiment. Set up an Internet-connected Linux PC running iptables and SSH with public key access only*. Log the packets coming in on port 22 trying to perform a login as ‘root’ or ‘admin’ (this is harmless; you’ve disabled password access). The first such attempts will arrive about thirty seconds after the PC gets its IP address from the ISP’s DHCP server and will continue to arrive at the rate of several per minute thereafter, until you enable fail2ban at which point attempts will drop off a bit. Geolocating the IPs (for what it’s worth—not much) will reveal the traffic appears to be coming from all over the world, but especially Eastern Europe, South America and Far East Asia. If you try enough door handles in a car park, you will find someone who’s forgotten to lock their door. If you can try several hundred cars a second, it won’t be long.

    * really, don’t allow password access to edge devices. Just don’t. This is half the battle.
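Added example, not part of the comment above: one way to tally the login probes that experiment describes. It assumes you read sshd's own auth log rather than iptables packet logs; the log lines are constructed in the style of OpenSSH messages, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the style of OpenSSH sshd messages seen when
# password authentication is disabled; addresses are documentation ranges.
SAMPLE_LOG = """\
Apr  9 02:00:31 edge sshd[811]: Connection closed by authenticating user root 203.0.113.5 port 51234 [preauth]
Apr  9 02:00:48 edge sshd[815]: Invalid user admin from 198.51.100.7 port 40022
Apr  9 02:00:48 edge sshd[815]: Connection closed by invalid user admin 198.51.100.7 port 40022 [preauth]
Apr  9 02:01:02 edge sshd[820]: Disconnected from authenticating user root 203.0.113.5 port 51301 [preauth]
Apr  9 02:01:10 edge sshd[822]: Accepted publickey for alice from 192.0.2.10 port 60000 ssh2: ED25519 SHA256:CONSTRUCTED
Apr  9 02:01:15 edge sshd[825]: Invalid user oracle from 198.51.100.7 port 40100
"""

# A probe is logged once as either "Invalid user X from IP" (unknown account)
# or "... authenticating user X IP" (existing account, no valid key offered).
# The follow-up "closed by invalid user" line is skipped to avoid double counts.
PROBE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user (?P<u1>\S+) from (?P<ip1>\S+)"
    r"|(?:Connection closed by|Disconnected from) authenticating user "
    r"(?P<u2>\S+) (?P<ip2>\S+))"
)

WATCHED = {"root", "admin"}  # the login names the comment singles out


def count_probes(log_text, watched=WATCHED):
    """Return a Counter of (source_ip, username) for watched login names."""
    hits = Counter()
    for line in log_text.splitlines():
        m = PROBE.search(line)
        if not m:
            continue
        user = m.group("u1") or m.group("u2")
        ip = m.group("ip1") or m.group("ip2")
        if user in watched:
            hits[(ip, user)] += 1
    return hits


def per_source(hits):
    """Collapse (ip, user) counts into attempts per source address."""
    totals = Counter()
    for (ip, _user), n in hits.items():
        totals[ip] += n
    return totals
```
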

  19. @InternetofShit

    Is presently compiling an all time “Hall of Shame”

    My favorite was the WiFi (or was it Bluetooth?) connected vibrator that uploaded usage stats secretly … but I daresay the Japanese now have a toilet seat with a webcam….

  20. We can’t even get manufacturers to release security updates for year-old phones. And people think they’ll get security updates for their ten-year-old ‘smart’ fridge?

    And don’t forget that many of these devices are controlled by ‘cloud’ services. Your phone app to control your fridge connects to a ‘cloud’ server, which then tells it what to do. That means that when the fourteen-year-old hacker breaks into the ‘cloud’ service, they can turn a hundred million fridges on or off, or get them to each order a hundred frozen turkeys from Amazon.

  21. Rhyds –
    “Police say yesterday’s massive terrorist attack on the UK’s National Grid, which has blacked out swathes of the country, was performed by three teenagers causing every internet connected oven, immersion heater and fridge compressor in Britain to switch itself on and off randomly for 20 minutes…”

    If it was a BBC article you can guarantee the final paragraph would be from their technology correspondent – ‘It is important to remember that the teenagers could be suffering psychological problems and are not in any way linked to any middle eastern militant organisations.’

  22. BiCR,

    I get that about devices. You see a similar thing if you look at logs on WordPress sites – they’re basically firing requests that will log in and replace your site contents with ads for russian brides and viagra. And it’s easy to protect yourself – avoid plugins you don’t know and fairly regularly patch your WordPress setup. I’m not sure it’ll keep the most wilful, skilled person out, but then, are they going to bother?

    The thing I see with most hacks is that they’re simply avoided. A lot of “downloaded the database” hacks are about not blocking SQL injection. That’s so easy to stop in this day and age. Just… use an ORM layer and it’ll parse everything for you.

  23. The speech is in 1998. At that time, ethernet wasn’t that common. Hell, internet wasn’t that common and especially not in small devices.

    Ethernet may not have been installed in many residential homes in 1998 (obviously, mine was cat5 all over) but it was certainly common in universities and a lot of network-connected business sites by then.

    At the time I was working for a company making ISDN routers, and ethernet was definitely provided for the LAN side. IIRC both RJ45 and BNC ports were installed.

    Internet was ubiquitous in universities by 1998. It was also increasingly common for residential – my street had cable modem support installed round about then, and it was by no means the earliest area around here.

    On top of that, I seriously doubt that anyone ever put a “vend” action that could be triggered remotely without any sort of security.

    The action had been paid for – why would they care if the button had been pressed physically or virtually?

  24. And the situation with IoT in general (and this includes autonomous vehicles, power stations, …) is that increasingly they’re a monoculture – Linux systems running on ARM processors.

    Find one exploitable weakness in one system and you’ve a good chance you can get most of them.

    We probably need a new system architecture and some swingeing financial penalties for misbehavior.
