Hackers Eye Their Next Targets, From Schools to Cars
October 8, 2020
Hackers will tell you that just about anything with software and an internet connection can get hacked. The next decade will test how much that is true, and the challenge it poses to everyday life.
Security experts expect cyberattacks to increase in frequency and severity in the coming years, as more consumer goods are sold with internet connectivity embedded by default. At the same time, cyberattacks have become a commodity—“ransomware-as-a-service,” says
, a security researcher and “friendly” hacker, also known as a “white-hat” hacker, who typically hacks to educate or to demonstrate security vulnerabilities rather than commit crimes. For cyberattackers, hacks are getting more accessible: Attacks that once cost $100,000 go for a mere $1,000 now, says
, founder of DEF CON, an annual conference for hackers. Devices that are secure today may not be tomorrow.
The Future of Everything
A look at how innovation and technology are transforming the way we live, work and play.
Adding to the problem is that manufacturers have been reluctant to acknowledge and address cybersecurity flaws, though experts say that is slowly changing. Still, technology is advancing faster than public policy, leaving consumers without clear ways to evaluate the relative cyber safety of products. In other words, if you buy a car, you can compare which models have the best crash-safety ratings. And if the car crashes because of a manufacturer error, government agencies, dealerships and even lawyers can help make things right. Equivalents don’t exist to, for example, assess the relative vulnerabilities of vehicle infotainment systems, or to assign liability or get compensation if someone hacks that system and immobilizes your car.
“As a society, we haven’t figured any of this stuff out,” Mr. Moss says. “Over the next decade, I bet we will.”
To get a sense of future threats, The Wall Street Journal compiled a list of common devices, equipment and infrastructure vulnerable to attacks in the coming years, based on the assessment of cybersecurity researchers, national-security experts and white-hat hackers.
Keep in mind: This is only a small sample of what could be threatened. Experts consider the following to be likely future focuses for criminals. In some cases, researchers have already demonstrated that they are vulnerable. Attackers are innovative. “Things are only impossible until the first person does it,” says
, a cybersafety innovation fellow with the Atlantic Council.
Implanted medical devices
Implanted medical devices, such as insulin pumps, pacemakers and cochlear implants, have been hacked repeatedly, but so far only by researchers, ethical hackers and fictional characters in television shows. The risk of criminals targeting these devices is expected to increase as more of them come equipped with GPS trackers, Bluetooth and internet connectivity.
The devices also pose a “potential unwitting insider threat to national security,” according to research from Virginia Tech’s Hume Center for National Security and Technology. Unlike smartphones or fitness trackers, these permanent or semi-permanent devices cannot be removed when members of the intelligence community enter secure facilities, offering a way for malicious actors to remotely gain access. Devices with microphones and cameras are of particular concern, the research says, though technological and policy mitigations could minimize the threat.
Smartphones tend to be more secure than smart-home devices, but their ubiquity and importance make them ripe for attacks. The risk could grow as smartphones become even more embedded in our lives, becoming our passports, car keys and more. Companies that aggregate data generated by mobile apps and connected devices are also targets. “If data is the new oil, then we’re also going to see oil spills—toxic data breaches,” says Ms. Elazari. Attacks may get more targeted: Criminals could use GPS data stolen from companies to locate high-profile targets, including corporate executives and celebrities, to commit real-world crimes or to influence the political process or company share prices, she says.
The home office
The pandemic-related shift to remote work has created more opportunities for cyber attackers, as home offices are typically less secure than corporate workplaces. “These criminals have used the pandemic to invade, to come up with new business models,” Ms. Elazari says. Even old-school phishing attacks, where a bad actor cons victims into opening malicious links or email attachments to steal data, are poised to become more serious, says
, chief hacking officer of KnowBe4, a Clearwater, Fla.-based security-awareness training company. Hackers could gain access to more information by targeting personal email accounts while people are using work computers, he says.
Connected smart-home devices such as doorbells, locks, lights, ovens and coffee makers can be highly vulnerable to cyberattacks. Many lack basic security features, such as the ability to change the default password. Manufacturers, which mostly compete on speed-to-market and price, have little incentive to safeguard their products.
That is changing in some jurisdictions. In 2018, the U.K. passed a list of 13 best practices for smart-device manufacturers, service providers and mobile-app developers to create more secure products, including allowing for unique passwords and implementing secure software updates. As of Jan. 1, California also began requiring manufacturers of connected devices to include certain security features. Oregon has a similar law that applies to a smaller group of devices.
About five years ago, two researchers demonstrated their ability to remotely hack a Jeep Cherokee while the driver was inside. They blasted cold air, turned on the radio and even immobilized the vehicle on a highway overpass. Researchers have since replicated similar attacks with different vehicles. There doesn’t appear to be evidence that criminals have done this to individual cars yet, but it may happen in the future as internet connectivity becomes standard for vehicles. “Have I ever heard of this being used in the wild? No. Can it be done? Yes,” Mr. Mitnick says. Hackers have also exploited weaknesses in dealership software, GPS tracking apps and car-alarm systems.
The fear is that cars could become a target for ransomware. Criminals would disable the car from afar and force people to pay a bitcoin or two to get it moving again, says Andrew Grotto, director of the program on geopolitics, technology and governance at Stanford University and a former senior director for cybersecurity policy in the Obama and Trump administrations. “Maybe it’s right during the morning rush hour. Maybe it’s the Wednesday before Thanksgiving,” he says. Some experts think it will take industrywide cybersafety regulations to force manufacturers to make their vehicles more secure.
Ransomware attacks on cities are no longer the stuff of Hollywood. One of the most high profile hit the city of Baltimore in May 2019, when hackers froze 2,200 devices, impacting some municipal functions for weeks. Baltimore declined to pay a ransom of $76,000 in bitcoin and spent $10 million on recovery costs, plus $8 million in lost revenue, according to a city spokesman. Cities are also vulnerable as they connect more infrastructure to the internet. In August, Dutch security researchers from a company called Zolder revealed that they could remotely manipulate bike-traffic lights in 10 municipalities in the Netherlands by tricking the lights into sensing a steady stream of cyclists. The vulnerable systems have been taken offline, says Zolder co-founder Erik Remmelzwaal. Still, criminals could target traffic lights if such attacks prove remunerative. “As soon as bad guys figure out how to monetize this, they’ll do it,” says Mr. Grotto.
Trains are like “computers on rails,” Mr. Grotto says. They communicate with each other and with stations, and often have their own Wi-Fi networks. None of the major manufacturers of commuter railcars are based in the U.S., opening up a window for companies’ home countries to install malware or spyware on equipment, either initially or during routine maintenance, he says. “Positive train control” technology, which slows or stops trains to avoid accidents caused by human error, is a particular concern. A nation-state or terrorist group could target this system, causing a train to speed up around a curve instead of slowing down, says
Richard A. Clarke
, an author and former White House counterterrorism and cybersecurity chief.
Security researchers and hobbyists have demonstrated hacks on commercial-aviation systems, says the Atlantic Council’s Mr. Woods, who is also a leader of I Am The Cavalry, a cyber-safety advocacy group. According to Mr. Clarke, there is no evidence that a commercial aircraft has been criminally hacked, but he says it is possible though difficult, requiring an understanding of the aviation industry. And an airplane’s flight-control system isn’t the only target. Systems managing ground-crew personnel, air-traffic control, airport kiosks, aircraft catering, baggage claim and plane-to-ground communication could all be attacked—all of which could prevent flights from taking off.
Ultrafast 5G wireless networks could open the door to a new world of cyberattacks. First, 5G is expected to bring billions of new devices online, vastly expanding the number of targets for malicious actors, Mr. Grotto says. The distributed nature of 5G networks also provides fewer opportunities to implement cybersecurity measures. Instead of using hardware to manage network functions, 5G uses software, which has historically proven to be more vulnerable. Lastly, artificial intelligence and other automation will be used to oversee more of this complex infrastructure, opening up another avenue of attack. Criminals are already working to figure out how to target 5G, says Ms. Elazari: “They’re not waiting for it to become popular.”
The surge in remote learning during the pandemic is escalating ransomware attacks on schools. Though malicious actors have immobilized schools’ systems in the past, they typically didn’t steal or expose sensitive information. Lately, they have begun to do both—a trend that experts say will continue as educators are beholden to online technology. Nevada’s Clark County School District, which has about 320,000 students, disclosed an attack in August. Officials had refused a ransom demand in return for unlocking district computer servers. In response, hackers released records including employee Social Security numbers and student grades and addresses, the Journal has reported.
SHARE YOUR THOUGHTS
What is your biggest concern about “smart” devices? Join the conversation below.
Ransomware attacks have compromised hospitals in the past few years. Attackers target patient and billing records, as well as equipment such as magnetic resonance imaging machines. Last month, a malware attack hit
Universal Health Services Inc.,
one of the nation’s largest hospital chains. In some cases, the company postponed surgeries and diverted ambulances. The attack affected facilities in 37 states and Washington, D.C. Experts say attacks could get more dangerous. In September, malware disrupted emergency care at Düsseldorf University Hospital in Germany, and a 78-year-old patient died after her ambulance was diverted to another facility—believed to be the first reported death related to a cyberattack against a hospital.
Attacks on hospitals to date have mostly focused on ransomware, essentially holding the hospital’s data hostage by encrypting it, and then releasing it upon payment. In the coming years, attackers could take control of the hospital’s online systems to manipulate machines (such as increasing the dosage on intravenous drips) and data (swapping blood types in patient records), Mr. Clarke says.
The energy grid
The U.S. energy grid is vulnerable to cyberattacks that could destroy generators, transformers, and oil and gas pipelines. Hackers working for foreign governments, including Russia, have penetrated the U.S. grid, U.S. officials have said. So far, however, they haven’t flipped any switches, Mr. Clarke says. An attack on a U.S. pipeline could involve manipulating pressure flows that could cause an explosion, but even something less serious could cause cascading failures, Mr. Clarke says. Systems that use predictive maintenance—which monitors when equipment is degrading so it can be fixed before breaking—are another weakness. Such attacks would likely be part of an ongoing, broader conflict, Mr. Clarke says. Potential conflicts in the future, with Russia or China, for example, could involve the antagonists turning off each other’s power, he says.