10 terrifying extreme hacks

Jun 15, 2015 | 15 mins

Nothing is safe, thanks to the select few hacks that push the limits of what we thought possible

[Image: Extreme Hacks to Be Paranoid About. Credit: Thinkstock]

Any device with a computer chip can be hacked, but not all hacks are created equal. In fact, in a world where tens of millions of computers are compromised by malware every year and nearly every company’s network is owned, truly innovative or thought-provoking hacks are few and far between.

These extreme hacks rise above the unending morass of everyday, humdrum hacks because of what they target or because they employ previously unknown, unused, or advanced methods. They push the limit of what we security pros previously thought possible, opening our eyes to new threats and systemic vulnerabilities, all while earning the begrudging respect of those who fight malicious hackers.

This is a look at the handful of hacks that have truly raised eyebrows in the security community in the past few years. Here’s to hoping that the good guys find the most dangerous exploits before the bad guys can use them against us.

Extreme hack No. 1: ATM hacking

Most automated teller machines (ATMs) contain a computer that runs a popular OS, so it should come as no shock that they can be hacked. For the most part, this means Microsoft Windows, with a smaller percentage running some version of Linux. Moreover, ATM OSes often include an implementation of Java, one of the most bug-filled, hackable software products the world has ever known. Worse, ATMs are often never patched. Those that are patched are certainly not on a monthly patch cycle, the traditional approach with computers. Nope, patches in ATMs, if ever applied, are sporadic at best.

Plus, the ATM software that rides on top of the OS also contains security vulnerabilities, many of which were, until a few years ago, easy to exploit. Additionally, ATM makers would ship ATMs to customers — ATM owners, banks, and so on — with shared default passwords and common remote access methods. Sure, they would tell their customers to change the defaults, but few did. All this adds up to the obvious: Full of cash, ATMs are often hacked, using either physical hacks or attacks over their remote management ports.

The most infamous and interesting ATM hacker was Barnaby Jack, who passed away in 2013. He would delight crowds at security conferences by bringing one or two commonly used ATMs on stage and within a few minutes have them spitting out fake cash. He used a wide array of tricks, but his most reliable method was to plug a malware-laden USB storage device into the ATM’s physical USB port, which isn’t always protected from unauthorized access despite advice from ATM makers. Jack’s custom software would connect to the ATM over a known network port to the remote access console and run a public, known vulnerability, which then completely compromised the ATM. Jack would then run a few ATM administration commands and instruct the ATM to produce money.

Jack’s attack demos often brought cheers from the crowd, and his hacking method became known as “Jackpotting.” Videos of his ATM exploits are readily available on the Internet.

Extreme hack No. 2: Shocking pacemakers

Barnaby Jack’s ATM exploits caught the attention of ATM manufacturers, inspiring them to set about defeating his easiest attacks. Jack then turned his skills toward medical devices. His most extreme demonstrations included being able to send unauthorized, lethal shocks to pacemaker patients from a remote location and lethal doses of insulin to diabetic patients.

Most medical devices undergo five to 10 years of development, testing, and certification approval before they can be used on human patients. Unfortunately, this means that any software used in the devices has five or more years of unpatched vulnerabilities by the time they ship. Worse, developers of medical devices often rely on the relative obscurity of their devices as a means of providing some sort of artificial protection — aka “security by obscurity.”

The situation isn’t getting better. As recently as April 2014, Wired ran an article on how easy it is to hack hospital equipment, largely due to hard-coded, default passwords that cannot be changed.

Of course, medical devices must be easy to use, and they must “fail open” — that is, they must continue to operate even when security has been breached. This makes securing them very challenging. Long, complex, and changing custom passwords work against the device’s ease of use, so they are not often employed. Plus, nearly all communication between devices is unauthenticated and unencrypted.

Because of this, any hacker who finds the right ports can read the data and change it, without causing an operational interruption to the device, its management software, or other interfacing systems, such as electronic medical records. In fact, most medical device communications lack basic integrity checksumming, which would easily catch most malicious changes.
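The point about integrity checksumming deserves one caveat a practitioner would add: an unkeyed checksum catches accidental corruption, but an on-path attacker who can rewrite a message can recompute it, so deliberate changes are only caught by a keyed check. The following is an added example, not code from the article or from any medical device vendor; the frame format and the shared device key are constructed for illustration.

```python
import hashlib
import hmac
import zlib

# Constructed sample telemetry frame (hypothetical format, not any real
# device protocol): the kind of plain-text status message the article
# says is usually sent with no integrity protection at all.
SAMPLE_FRAME = b"pump=A17;rate=2.0;unit=mL/h;ts=1434326400"
# Assumption: a per-device secret provisioned at manufacture or pairing.
DEVICE_KEY = b"example-shared-secret-not-a-real-key"
TAMPERED_FIELD = (b"rate=2.0", b"rate=20.0")

def add_crc(payload: bytes) -> bytes:
    """Unkeyed integrity: append CRC32. Catches accidental corruption."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")

def crc_valid(frame: bytes) -> bool:
    payload, tag = frame[:-4], frame[-4:]
    return zlib.crc32(payload).to_bytes(4, "big") == tag

def add_mac(payload: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """Keyed integrity: append HMAC-SHA256. Forging it requires the key."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def mac_valid(frame: bytes, key: bytes = DEVICE_KEY) -> bool:
    payload, tag = frame[:-32], frame[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time compare

def modify_in_transit(frame: bytes, tag_len: int, recompute_crc: bool) -> bytes:
    """Simulate an on-path change to the rate field. Whoever can rewrite
    the frame can also recompute an unkeyed CRC, but cannot recompute
    the HMAC without DEVICE_KEY."""
    payload = frame[:-tag_len].replace(*TAMPERED_FIELD)
    return add_crc(payload) if recompute_crc else payload + frame[-tag_len:]

def run_demo() -> dict:
    """Return which integrity schemes detect a modified frame."""
    crc_frame, mac_frame = add_crc(SAMPLE_FRAME), add_mac(SAMPLE_FRAME)
    return {
        "crc_accepts_original": crc_valid(crc_frame),
        "crc_detects_blind_edit": not crc_valid(modify_in_transit(crc_frame, 4, False)),
        "crc_detects_recomputed_edit": not crc_valid(modify_in_transit(crc_frame, 4, True)),
        "mac_accepts_original": mac_valid(mac_frame),
        "mac_detects_edit": not mac_valid(modify_in_transit(mac_frame, 32, False)),
    }

if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

The CRC variant passes a recomputed edit, which is why "checksumming" in practice has to mean a MAC (or an authenticated channel) keyed per device.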

Medical device hacking has been around for at least a decade. White-hat hackers often demonstrate on medical devices at popular hacking conferences, and the FDA has issued a warning about the vulnerabilities. Medical device developers are working hard to close the easy-to-exploit holes, but their lengthy development cycles still make it hard to fix known problems in a timely manner.

The fact that it wouldn’t take significant effort for a malicious, motivated hacker to kill people shows how important it is for us to shore up the defense of our medical devices — quickly.

Extreme hack No. 3: Card skimming

Less morbid are card skimmers, which can, however, mess up your financial life. The hack is relatively simple: The hacker places a device called a skimmer on another device, such as an ATM, gas pump, or payment terminal, to capture your debit or credit card information and your PIN, if typed in.

Skimmers have matured over the years, from obvious devices that can be recognized by almost anyone looking for something out of the ordinary, to ones that even experts have a hard time spotting. Skimmers are often inserted inside device cabinetry, where they can’t be seen. Some include wireless Bluetooth connections so that hackers can pull up a short distance away and retrieve all the stolen information, rather than having to retrieve the device itself.

Skimming gangs often install dozens of devices in a common geographic area — often near highways for quick getaways — and use the stolen information to generate new, fraudulent cards. They then hire a large gang of people to withdraw money or use the cards — either in stores selling expensive merchandise that they can resell or return, or online. This is done quickly, usually within a few hours. By the time the card providers have detected or been notified of the fraud, the skimmers have made their profit and escaped capture.

Brian Krebs, who provides deep coverage of the latest skimming devices and news, recently reported a victory of sorts against card-skimming technology. In this case, police hid GPS-tracking devices in active skimming devices they had discovered. When the bad guys showed up to remove their devices, the police were able to track and arrest them. Of course, as Krebs mentioned, when word of GPS tracking gets around, the bad guys will increase their use of Bluetooth communications to keep from having to physically remove their skimming devices. For now, the cops are in the fight.

Extreme hack No. 4: Wireless card hacking

If your credit or debit card contains an RFID “contactless” payment mechanism, such as MasterCard PayPass or American Express ExpressPay, its information can likely be read by a hacker who walks by your wallet or purse. This is because any nonprotected RFID device can be hacked, including RFID-enabled passports, building access cards, and product tracking stickers.

RFID transmitting devices contain almost no security. “Energize” the RFID transmitter, using low-voltage radio waves, and it will transmit the information it contains. Credit card magnetic stripes are just as insecure and can be read by any magnetic stripe reader, which goes for about $15 and is readily available on the Internet. The difference is that RFID readers make it possible to scoop information without ever coming in contact with the card.

Walk within three feet of a malicious RFID reader, and you are hacked. Over time that distance will likely increase; some RFID hacking experts predict hacking distances of several hundred feet within five years, which would enable one malicious hacker to collect thousands of victim cards an hour simply by stationing themselves at a busy city intersection or building entrance.

If you have an RFID-enabled card, you can buy RFID-hack-defeating “shields” and wallets for about $25 to $50. Fortunately, RFID hacking thus far is mostly confined to white-hat hackers demonstrating how easy it can be. Security experts also expect that growing use of chip-enabled cards will make RFID hacking disappear right about the time that hackers improve their wireless hacking distances.

Extreme hack No. 5: BadUSB

Last year, researchers demonstrated that about half of the USB ports installed on computers can be compromised by a maliciously configured USB device. Simply plug a USB thumb drive into an unsuspecting computer, and it will automatically execute any commands configured, bypassing any security controls, firewalls, or antimalware software you have activated.

There is no defense against the exploit, dubbed “BadUSB” by its public discoverers, beyond physically damaging the port or preventing all unauthorized physical access. (I say “public discoverers” because there is no way of knowing whether the NSA or a nation-state privately discovered this vulnerability earlier.) Worse, there is no way of knowing whether a USB device plugged into your computer contains BadUSB. There is also no way of knowing whether an infected USB key was intentionally spread by a friend or associate. Their USB key may have been infected without their knowledge, and it ended up infecting your computer by accident (or good planning).

Extreme hack No. 6: Stuxnet

Which brings us to the world’s most advanced cyber war attack to date: Stuxnet. Easily the most advanced and flawless malware program ever written, Stuxnet did not use BadUSB, but it spread via USB keys and a previously publicly unknown USB execution method, along with three other zero-day attacks.

Publicly discovered in June 2010, Stuxnet forced the previously unacknowledged cyber war to be recognized as a real battle with the ability to cause physical damage. Stuxnet is said to have been a collaboration between Israel and the United States to thwart Iran’s nuclear weapons program, though neither Israel nor the United States have publicly acknowledged this.

Getting malware into Iran’s high-security, air-gapped, nuclear facilities was considered impossible by many computer experts. But Stuxnet’s creators purportedly infected the USB keys of foreign nuclear consultants who worked on the Iranian centrifuges. Whether the foreign workers knew they were carrying infected USB keys or not is up for speculation.

The malware launched from the USB keys, making its way into the Windows-based reactor management computers, then to the programmable logic controllers of the centrifuges themselves. Once there, the malware recorded normal operational values and fraudulently played back those values while maliciously creating fatal operational conditions that destroyed many of the centrifuges and controlling equipment.

A source code review by several companies led examiners to conclude that it would have taken many teams, composed of dozens of people each, a year or longer to write such a malicious computer worm. However, since Stuxnet’s discovery, several other advanced computer worms have been discovered. As futuristic as Stuxnet was, most experts believe it is now a common baseline from which all future cyber warfare programs will begin. The digital cold war has started.

Extreme hack No. 7: Road sign hacks

Hacking electronic road signs — aka portable changeable message signs — is illegal and can get you in serious trouble. But it’s hard not to crack a smile at a good “Caution! Zombies! Ahead!!!” road sign hack on an otherwise unused sign that does not create a dangerous situation.

Some road sign hackers are former Department of Transportation or construction employees who programmed signs as part of their job. But the truth is, road sign manuals are readily available on the Internet, and they almost always contain built-in default passwords as simple as “password,” “Guest,” “Public,” and “DOTS.” Hackers can simply find the model of the road sign they are targeting and download the manual.

For most road signs, physical access to a locked-up panel is necessary, although often the panels are left unlocked. Once the hacker gains physical access, they use the console keyboard to log on with a default or guessed credential. Barring that, they can often reboot the sign’s computer while holding down a series of keys, as defined in the manual, and this resets the sign back to the manufacturer’s defaults, including default built-in passwords. Even in the case where a road sign has distinct user and admin credentials, the sign’s message can be changed without admin rights, which are necessary mainly for changing power, fan, and other equipment settings.

Extreme hack No. 8: The NSA’s order book

Anyone who has been paying attention to revelations from former NSA employee Edward Snowden knows the NSA has what is essentially an “order book” for ordering advanced hacks and advanced hacking devices. This book is nearly the definition of extreme hacking.

One such advanced hacking method, known as Quantum Insert, sees the NSA and other nation-states using readily purchasable packet injection tools to imperceptibly redirect target victims from one website to another website where they can be further manipulated. If the redirect page is rendered to look a lot like the victim’s intended website, they probably won’t know they’ve been redirected. Enforced encryption (HTTPS) can help thwart packet injection attacks, but most websites don’t require encryption and most browser users don’t enable it when it’s optional. This hack has been in use since 2005.
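The redirect described above arrives as an injected TCP segment racing the server's legitimate reply. One network-side check a defender can run over captured traffic, shown here as an added example that is not from the article or from any named detection tool, flags a flow in which two server-to-client segments carry the same sequence number but different payloads; the capture, addresses and HTTP content are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """One TCP segment as a passive sensor would summarise it (constructed)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes

def find_injected_responses(packets):
    """Flag server->client segments that reuse a TCP sequence number with a
    different payload. Assumption: an injected reply races the genuine one,
    so both arrive for the same flow and seq but with different content.
    A plain retransmission repeats the same bytes and is not flagged."""
    first_seen = {}
    alerts = []
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport, p.seq)
        if key in first_seen:
            if first_seen[key] != p.payload and key not in alerts:
                alerts.append(key)
        else:
            first_seen[key] = p.payload
    return alerts

# Constructed capture using RFC 5737 documentation addresses, plaintext HTTP.
SERVER, CLIENT = "203.0.113.10", "198.51.100.7"
SAMPLE_CAPTURE = [
    # injected response arrives first: a redirect to a look-alike host
    Packet(SERVER, 80, CLIENT, 51234, 1001,
           b"HTTP/1.1 302 Found\r\nLocation: http://example.invalid/\r\n\r\n"),
    # the genuine server's answer to the same request
    Packet(SERVER, 80, CLIENT, 51234, 1001,
           b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    # an ordinary retransmission of a later segment: identical bytes, no alert
    Packet(SERVER, 80, CLIENT, 51234, 1461, b"<body>hello</body>"),
    Packet(SERVER, 80, CLIENT, 51234, 1461, b"<body>hello</body>"),
]

if __name__ == "__main__":
    for src, sport, dst, dport, seq in find_injected_responses(SAMPLE_CAPTURE):
        print(f"possible injection {src}:{sport} -> {dst}:{dport} seq={seq}")
```

The check only works on traffic the sensor can see in full; with HTTPS the injected bytes fail the TLS record check at the client instead, which is the mitigation the text names.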

Among the other hacks an NSA operative can order:

  • Malicious monitor cables for $30, which monitor and report the data sent between the computer and monitor
  • BIOS and firmware hacking to plant malicious software that survives a reformat, OS reinstall, or even a new hard drive install
  • $40,000 Stingray devices, which are fake cellphone towers that can maliciously redirect victim cellphone conversations for monitoring
  • Malware that attacks and lives in hard drive firmware
  • Persistent malware, software, or hardware for firewalls
  • Devices that can record room audio
  • 802.11 wireless network injection tool
  • Keyboard cable tapping devices

After reading what the NSA can order, it should be quite clear that the NSA (and any other nation-state entity) can pretty much spy on whatever device it wants, and there is little we can do about it — as long as it remains legal and the agency can gain access. Many of these devices and software programs are created by private companies and available for purchase to any paying customer.

Bruce Schneier offers additional information about nation-state programs.

Extreme hack No. 9: Cryptographic attacks

Gary Kenworthy, of Cryptography Research, specializes in revealing cryptographic keys that had been thought to be highly secure, from all sorts of computing devices. He can remotely monitor a device’s radio frequency or electromagnetic radiation emissions and tell you the 1s and 0s that made up its secret key. He has done this in public and private demos around the world the past few years. You can see him determine a mobile device’s private key simply by monitoring its EM fluctuations.

Kenworthy’s recent advances against the very devices we are told will protect us have shaken many in the cryptography community. To be sure, Kenworthy and his company profit from providing protections against the attacks he demonstrates, but his attacks are real and essentially reduce the security of most devices running cryptography that do not implement his suggested defenses.

Extreme hack No. 10: Car hacking

Car manufacturers are racing to put as much computing functionality as possible in their cars, and it should come as no surprise that these same computers are incredibly vulnerable to attack. Early on, hackers learned how to unlock cars using their wireless remote key fobs and how to prevent car owners from locking their cars even though the owners believe they have.

Dr. Charlie Miller, who started his career hacking Apple devices and winning multiple Pwn2Own hacking contests, is among the best car hackers. In 2013, he and his fellow researcher, Chris Valasek, demonstrated how they could control the brakes and steering on a 2010 Toyota Prius and Ford Escape using a physical attack that interfaces with the car’s Electronic Control Units and onboard bus systems. Thankfully, the hack didn’t work wirelessly or remotely.

Last year, Miller and Valasek discussed wireless remote hacks against 24 different cars, ranking the Cadillac Escalade, Jeep Cherokee, and Infiniti Q50 as the most hackable. They were able to document that the car’s remote radio features were linked or could be linked to the car’s critical control systems. Last year the U.S. Senate concluded in a report that nearly every car produced today is hackable.

Now car manufacturers are following the lead of traditional software companies: They are hiring hackers to help improve the security of their car systems.

Think about that the next time you’re at a dealership, tempted by the model with the best Wi-Fi.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
