Hacking Embedded Devices

Interview with Ted Harrington, author of “Hackable: How to Do Application Security Right” and executive partner at Independent Security Evaluators.

Ted Harrington’s company, made up of ethical hackers, was born out of the PhD program at Johns Hopkins University. In this interview, he explains how his research team has been able to hack cars, phones, medical devices, and other embedded systems. 

Ted defines an IoT device as “anything that you can communicate with.” He talks about how critical medical devices can be exploited to cause harm or fatalities to patients in healthcare settings. “We found a variety of ways we could do that,” he says. For example, his team was able to achieve remote code execution on a device so that, say, a heart monitor reports fake vital signs to doctors.

He also talks about how his team pioneered car hacking research going back to 2005, before cars were connected over Wi-Fi like they are today. At the time, they were able to immobilize cars by targeting the communication between the car entry key and its onboard computer, disabling the ignition.

“The system at the time was considered to be ‘unhackable.’ But if you say that to a team of hacker-minded computer scientists, they’re going to say, ‘challenge accepted.’ So my business colleagues at Johns Hopkins University at the time reverse engineered the cryptographic algorithm, and then built a weaponized software radio with which they were able to communicate with the onboard communicator without the authentic car key.” 

Embedded system failure occurs on all levels – from product security management to change management to security investment and threat modeling, he adds. “It’s the leadership’s responsibility to prioritize security. My advice to developers is to think like a hacker. I would argue that there’s a hacker in all of us.”


*** This is a Security Bloggers Network syndicated blog from Shift Left authored by Deb Radcliff. Read the original post at: