Using only $1000 worth of equipment, a group of researchers hijacked a small drone, highlighting the vulnerabilities of unencrypted GPS signals. Unmanned aerial vehicles have become a fact of modern warfare, and their presence is even making its way into everyday American life: Amateurs already have turned drones into a popular hobby, and law enforcement agencies want permission to deploy them as well. But while the powerful military drones used overseas use encrypted GPS signals, the ones in the United States rely on signals from open civilian GPS, which makes them vulnerable to GPS “spoofing.”
The Raman spectrometer emits a laser beam.
What’s the News: Using a laser, a super-strong telescope, and some physics know-how, researchers say they have impressive power to look through solid barriers. Scientists have developed a technique to do so using Raman scattering, which is the change in energy of photons bouncing off a material. The technique could be used to detect hidden explosives or do geological analysis.
Tampering with GPS signals can cause big problems in both shipping routes and financial markets, warned experts at a conference on GPS security. The technology is routinely used in navigation and time synchronization nowadays, but signals are left vulnerable to jamming and spoofing.
This is partly because GPS signals are relatively weak: “A GPS satellite emits no more power than a car headlight, and with that it has to illuminate half the Earth’s surface,” said David Last, former president of the Royal Institute of Navigation, to the BBC.
Jamming devices work by broadcasting a signal at the same frequency as GPS, and can be bought for less than $100 online. When researchers set up 20 jamming monitors in locations around the UK, they caught 60 incidents in 6 months. They think most of these are from stolen trucks, where thieves jam the truck’s GPS to keep from broadcasting its location. According to Last, jamming GPS ships on ships isn’t much harder: Tests found that every major system was affected by a device with less than 1/1000 the power of a cell phone. The Financial Times reports:
If you carry classified government information or trade secrets as part of your job, traveling in China is risky. Hackers, whether affiliated with the government, on the payroll of competing companies, or operating alone, are a constant threat, and you generally have to assume that you are never unobserved online. But a piece in the New York Times makes it exceedingly clear just how far one has to go to get even a measure of electronic privacy and security in China:
When Kenneth G. Lieberthal, a China expert at the Brookings Institution, travels to that country, he follows a routine that seems straight from a spy film. Kenneth G. Lieberthal of the Brookings Institution takes precautions while traveling. He leaves his cellphone and laptop at home and instead brings “loaner” devices, which he erases before he leaves the United States and wipes clean the minute he returns. In China, he disables Bluetooth and Wi-Fi, never lets his phone out of his sight and, in meetings, not only turns off his phone but also removes the battery, for fear his microphone could be turned on remotely. He connects to the Internet only through an encrypted, password-protected channel, and copies and pastes his password from a USB thumb drive. He never types in a password directly, because, he said, “the Chinese are very good at installing key-logging software on your laptop.”
This is a philosophy that Representative Mike Rogers, chairman of the House Intelligence Committee, calls traveling “electronically naked”; Jacob Olcott, a cybersecurity expert at Good Harbor Consulting, calls it ‘Business 101’ for people involved in commerce in China. Read the NYT piece for more, but here’s one more nugget that emphasizes how dangerous, in terms of information security, it is to have any contact at all with Chinese systems:
McAfee, the security company, said that if any employee’s device was inspected at the Chinese border, it could never be plugged into McAfee’s network again. Ever. “We just wouldn’t take the risk,” said Simon Hunt, a vice president.
We’ve written before about hapless business owners practically handing hackers customers’ information by failing to observe basic computer security (Subway, we’re looking at you). But this is a security fail on a whole different level. A researcher has just revealed that about ten thousand systems controlling water plants, sewage plants, and other infrastructure are online, mostly unprotected and findable with a simple search.
If you think of your personal computer as almost an extension of yourself, a recent federal court ruling in Colorado sounds a little disturbing. The court has ordered that a woman decrypt files on her laptop so they can be used by prosecutors against her. The woman, who is being tried for mortgage fraud, argued that this is a violation of her Fifth Amendment right to keep from testifying against herself, but the court sees the matter differently. Timothy Lee at Ars Technica’s explanation of the problem gets to the heart of it:
In previous cases, judges have drawn a distinction between forcing a defendant to reveal her password and forcing her to decrypt encrypted data without disclosing the password. The courts have held that the former forces the defendant to reveal the contents of her mind, which raises Fifth Amendment issues. But Judge Robert Blackburn has now ruled that forcing a defendant to decrypt a laptop so that its contents can be inspected is little different from producing any other kind of document.
For some, being forced to decrypt your computer and handing over your password to investigators so they can decrypt it might not seem that different—what’s hidden by your password might well feel as much a part of your mind as your password. But when you think about the precedent a ruling in the other direction might set, things get cloudier. The Department of Justice argues that if encryption is all that’s required to keep documents out of the hands of the courts, then potential child pornographers, drug smugglers, and others can refuse to hand over evidence on the grounds that it’s encrypted. Hmmm.
Another case from this week that shows the difficulty of aligning the modern sense of privacy with the law. The Supreme Court ruled that sticking a GPS device on a suspect’s car to track his whereabouts, without a warrant, is unconstitutional. But the court was divided as to why, on a very important point.
We often write about the amazing, charming, ridiculous things that 3D printers makes possible: see the fabbed hermit crab shells, the space shuttle made of pureed scallops and cheese, the “pirated” Penrose Triangle. But machines that can make any physical object using only resin powder can also be turned to more nefarious ends. Security blogger Brain Krebs reports that someone has deployed at least one impressively sophisticated ATM skimmer in LA that appears to have been 3D printed. The device fits over the front of a bona fide Chase ATM. Just looking at these babies sends a chill down your spine—this person or persons knew what they were doing. Here’s more from Krebs: Read More
On October 14, security company Symantec got word from a research lab that they’d discovered a piece of malware that looked a lot like Stuxnet, the sophisticated computer virus that made headlines last year after its anonymous designers used it to attack Iran’s nuclear program. This new malware, called Duqu by the researchers who discovered it, shares much of Stuxnet’s code, suggesting that it came from the same people who built the first virus, or at least people who had access to the source code. Read More
Many implants like this pacemaker can receive
and transmit wireless signals
What’s the News: Topping the list of things you don’t want hacked is your heart. And with 300,000 medical devices such as pacemakers and drug pumps implanted each year, many of which can be controlled through wireless signals, that might soon be a real risk for patients to consider.
To prevent such attacks, researchers from MIT and UMass Amherst are developing a jamming device that can be worn as a necklace or watch and keeps implants from receiving orders from unauthorized senders. The team will present their experiments with defibrillators [pdf], with off-the-shelf radio transmitters playing the role of the shield, at the SIGCOMM conference in Toronto.
It wasn’t too surprising when scientists first hacked into a car using its own onboard diagnostic port—sure, it’s easy to get into a car’s electronic brain if you’re already inside the car. Now the science of car-hacking has received a digital upgrade: Researchers have have gained access to modern, electronics-riddled cars from the outside. And in so doing, they’ve managed to take control of a car’s door locks, dashboard displays, and even its brakes.
The oddest part of these findings, which were presented this week to the National Academy of Science’s Committee on Electronic Vehicle Controls and Unintended Acceleration, is that they weren’t entirely intentional: It was all part of an investigation prompted by the Toyota acceleration problems, and was meant to probe the safety of electronic automotive systems. But testing those system’s safety also uncovered some flaws.
How It Works
The researchers took a 2009 sedan (they declined to identify the make and embarrass the manufacturer) and methodically tried to hack into it using every trick they could think of. They discovered a couple good ones.