Any device with a computer chip can be hacked, but not all hacks are created equal. In fact, in a world where tens of millions of computers are compromised by malware every year and nearly every company's network is owned, truly innovative or thought-provoking hacks are few and far between.
These extreme hacks rise above the unending morass of everyday, humdrum hacks because of what they target or because they employ previously unknown, unused, or advanced methods. They push the limit of what we security pros previously thought possible, opening our eyes to new threats and systemic vulnerabilities, all while earning the begrudging respect of those who fight malicious hackers.
This is a look at the handful of hacks that have truly raised eyebrows in the security community in the past few years. Here's to hoping that the good guys find the most dangerous exploits before the bad guys can use them against us.
Extreme hack No. 1: ATM hacking
Most automated teller machines (ATMs) contain a computer that runs a popular OS, so it should come as no shock that they can be hacked. For the most part, this means Microsoft Windows, with a smaller percentage running some version of Linux. Moreover, ATM OSes often include an implementation of Java, one of the most bug-filled, hackable software products the world has ever known. Worse, ATMs are often never patched. Those that are patched are certainly not on a monthly patch cycle, the traditional approach with computers. Nope, patches in ATMs, if ever applied, are sporadic at best.
Plus, the ATM software that rides on top of the OS also contains security vulnerabilities, many of which were, until a few years ago, easy to exploit. Additionally, ATM makers would ship ATMs to customers -- ATM owners, banks, and so on -- with shared default passwords and common remote access methods. Sure, they would tell their customers to change the defaults, but few did. All this adds up to the obvious: Full of cash, ATMs are often hacked, using either physical hacks or attacks over their remote management ports.
The most infamous and interesting ATM hacker was Barnaby Jack, who passed away in 2013. He would delight crowds at security conferences by bringing one or two commonly used ATMs on stage and within a few minutes have them spitting out fake cash. He used a wide array of tricks, but his most reliable method was to plug in a malware-laden USB storage device to the ATM's physical USB port, which isn't always protected from unauthorized access despite advice from ATM makers. Jack’s custom software would connect to the ATM over a known network port to the remote access console and run a public, known vulnerability, which then completely compromised the ATM. Jack would then run a few ATM administration commands and instruct the ATM to produce money.
Jack's attack demos often brought cheers from the crowd, and his hacking method became known as "Jackpotting." Videos of his ATM exploits are readily available on the Internet.
Extreme hack No. 2: Shocking pacemakers
Barnaby Jack’s ATM exploits caught the attention of ATM manufacturers, inspiring them to set about defeating his easiest attacks. Jack then turned his skills toward medical devices. His most extreme demonstrations included being able to send unauthorized, lethal shocks to pacemaker patients from a remote location and lethal doses of insulin to diabetic patients.
Most medical devices undergo five to 10 years of development, testing, and certification approval before they can be used on human patients. Unfortunately, this means that any software used in the devices has five or more years of unpatched vulnerabilities by the time they ship. Worse, developers of medical devices often rely on the relative obscurity of their devices as a means of providing some sort of artificial protection -- aka “security by obscurity.”
The situation isn’t getting better. As recently as April 2014, Wired ran an article on how easy it is to hack hospital equipment, largely due to hard-coded, default passwords that cannot be changed.
Of course, medical devices must be easy to use, and they must “fail open” -- that is, they must continue to operate even when security has been breached. This makes securing them very challenging. Long, complex, and changing custom passwords work against the device’s ease of use, so they are not often employed. Plus, nearly all communication between devices is unauthenticated and unencrypted.
Because of this, any hacker who finds the right ports can read the data and change it, without causing an operational interruption to the device, its management software, or other interfacing systems, such as electronic medical records. In fact, most medical device communications lack basic integrity checksumming, which would easily catch most malicious changes.
Medical device hacking has been around for at least a decade. White-hat hackers often demonstrate on medical devices at popular hacking conferences, and the FDA has issued a warning about the vulnerabilities. Medical device developers are working hard to close the easy-to-exploit holes, but their lengthy development cycles still make it hard to fix known problems in a timely manner.
The fact that it wouldn't take significant effort for a malicious, motivated hacker to kill people shows how important it is for us to shore up the defense of our medical devices -- quickly.
Extreme hack No. 3: Card skimming
Less morbid are card skimmers, which can, however, mess up your financial life. The hack is relatively simple: The hacker places a device called a skimmer on another device, such as an ATM, gas pump, or payment terminal, to capture your debit or credit card information and your PIN number, if typed in.
Skimmers have matured over the years, from obvious devices that can be recognized by almost anyone looking for something out of the ordinary, to ones that even experts have a hard time spotting. Skimmers are often inserted inside device cabinetry, where they can’t be seen. Some include wireless Bluetooth connections so that hackers can pull up a short distance away and retrieve all the stolen information, rather than having to retrieve the device itself.
Skimmers often insert dozens of devices in a common geographic area -- often near highways for quick getaways -- and use the stolen information to generate new, fraudulent cards. They then hire a large gang of people to withdraw money or use the cards -- either in stores selling expensive merchandise that they can resell or return, or online. This is done quickly, usually within a few hours. By the time the card providers have detected or been notified of the fraud, the skimmers have made their profit and escaped capture.
Brian Krebs, who provides deep coverage of the latest skimming devices and news, recently reported a victory of sorts against card-skimming technology. In this case, police hid GPS-tracking devices in active skimming devices they had discovered. When the bad guys showed up to remove their devices, the police were able to track and arrest them. Of course, as Krebs mentioned, when word of GPS tracking gets around, the bad guys will increase their use of Bluetooth communications to keep from having to physically remove their skimming devices. For now, the cops are in the fight.
Extreme hack No. 4: Wireless card hacking
If your credit or debit card contains an RFID "contactless" payment mechanism, such as MasterCard PayPass or American Express ExpressPay, its information can likely be read by a hacker who walks by your wallet or purse. This is because any nonprotected RFID device can be hacked, including RFID-enabled passports, building access cards, and product tracking stickers.
RFID transmitting devices contain almost no security. "Energize" the RFID transmitter, using low-voltage radio waves, and it will transmit the information it contains. Credit card magnetic stripes are as insecure and can be read by any magnetic stripe reader, which goes for about $15 and is readily available on the Internet. The difference is that RFID readers make it possible to scoop information without ever coming in contact with the card.
Walk within three feet of a malicious RFID reader, and you are hacked. Over time that distance will likely increase; some RFID hacking experts predict hacking distances of several hundred feet within five years, which would enable one malicious hacker to collect thousands of victim cards an hour simply by stationing themselves at a busy city intersection or building entrance.
If you have an RFID-enabled card, you can buy RFID-hack-defeating "shields" and wallets for about $25 to $50. Fortunately, RFID hacking thus far is mostly confined to white-hat hackers demonstrating how easy it can be. Security experts also expect that growing use of chip-enabled cards will make RFID hacking disappear right about the time that hackers improve their wireless hacking distances.
Extreme hack No. 5: BadUSB
Last year, researchers demonstrated that about half of the USB ports installed on computers can be compromised by a maliciously configured USB device. Simply plug in a USB thumb drive to an unsuspecting computer, and it will automatically execute any commands configured, bypassing any security controls, firewalls, or antimalware software you have activated.
There is no defense against the exploit, dubbed “BadUSB” by its public discoverers, beyond physically damaging the port or preventing all unauthorized physical access. (I say “public discoverers” because there is no way of knowing whether the NSA or a nation-state privately discovered this vulnerability earlier.) Worse, there is no way of knowing whether a USB device plugged into your computer contains BadUSB. There is also no way of knowing whether an infected USB key was intentionally spread by a friend or associate. Their USB key may have been infected without their knowledge, and it ended up infecting your computer by accident (or good planning).