There’s a grand tradition in the security community of clever, cerebral and sometimes downright inane April Fool’s pranks. They often take the form of fake news stories about viruses, world-ending attacks or something involving Bruce Schneier and Chuck Norris. But the security world is bizarre enough on its own without any help, so we’ve collected some of the stranger, scarier and more entertaining true stories of recent times that we wish had been April Fool’s jokes.
This is by no means an exhaustive list, it’s just A list. Enjoy.
- Hackable pacemakers. Even though this definitely falls under the heading of scary, you have to admit it’s also pretty amazing. I mean, the idea that a researcher figured out how to sniff the transmissions between the control PC and the pacemaker and then spoof them so he could drain the device’s battery or turn it off altogether is pretty slick. Creepy and terrifying, but still slick. “You can induce the test mode, drain the device battery, and turn off therapies,” Daniel Halperin, one of the researchers who developed the technique, told VentureBeat at the time of his talk in 2008. “This is something that academics can
do now. We have to do something before the ability to mount attacks
becomes easier.”
- Hackable cars. If you’ve been paying any attention to the amount of electronics and software that automakers have been cramming into their vehicles in the last couple of years, you had to see this one coming. A group of academic researchers figured out ways to compromise the computers on two different models of car and do a bunch of interesting things, including locking the driver inside the vehicle, turn off the brakes and mess with the air conditioning. Sounds like the worst family road trip of all time. “We find that it is possible to bypass rudimentary network security protections
within the car, such as maliciously bridging between our car’s two
internal subnets. We also present composite attacks that leverage
individual weaknesses, including an attack that embeds malicious code
in a car’s telematics unit and that will completely erase any evidence
of its presence after a crash,” the researchers wrote.
- Hackable nuclear reactors. There really isn’t anything funny or entertaining about the Stuxnet attack. It’s just straight up scary. It’s also one of those stories we wish had never happened for all of the potential long-term problems it portends, but it’s probably a good thing that it came to light in the long run. The emergence of Stuxnet has certainly raised the topic of computer security in some very powerful circles. On the other hand, it’s led to a massive cycle of hype and FUD that may have been unprecedented, even in the security community. Either way, Stuxnet made its mark.
- Comodo attack. Again, not funny ha-ha, more like, “Funny, it turns out CAs can be hacked.” The attack on one of Comodo’s registration authorities was only really a surprise in the way that it was disclosed and the way that the attacker got in. And by surprising, I mean not really at all. Security experts have warned for more than a decade that the whole certificate authority infrastructure is sort of a hot mess. Allowing any CA to issue a certificate for any site anywhere? What could go wrong? A lot, as it turns out. And it was a maddeningly simple method the attacker used to get in. The disclosure of the attack, kicked off by some serious detective work by Jacob Appelbaum, was interesting, as it’s not clear how much information would have come out of this at all without Appelbaum applying pressure.
- Hackable ATMs. This was funny, scary and entertaining all at once. When Barnaby Jack demonstrated his technique for remotely jackpotting ATMs at Black Hat last year, the talk got a standing ovation and also got a lot of people worried. If Jack had figured it out, what were the chances that someone else with less pure intentions had too? Well, Jack is really smart and it took him a long time to figure his attacks out, so let’s hope the bad guys don’t have his patience or intellect. But hope isn’t a great defense against determined attackers, especially when you only need about $11 to succeed. “There are attack vectors in all these standalone or hole-in-the-wall
ATMs,” Jack warned, noting that many ATMs are protected by a master key
that can be bought for $10.78 on hundreds of web sites. “With this
master key, I can walk up to a secluded ATM and have access to USB [and]
SD/CF slots. In some cases, opening and inserting my USB key was
faster than installing a skimmer.”
- Just about any advisory issued by a Google researcher. The security team at Google is a fairly large collection of super smart people and they’re forever producing advisories about bugs that we wish we’d never heard of. These aren’t just some random buffer overflows or something. No, the bugs the Google guys produce are usually complex kernel-level vulnerabilities or an interesting way to abuse pretty much every browser on the market. Thankfully, they’re all employed full-time and they’re on the good side of the fence, so they don’t have all day to just look for bugs and break things. Otherwise, it would be time to just unplug and move to a deserted island and forget the Internet ever existed.