[Dailydave] Junk Hacking Must Stop!

Andreas Lindh andreas.lindh at isecure.se
Tue Sep 23 04:19:46 EDT 2014 

So after stirring up some shit on Twitter about this, I thought I¹d post
some thoughts about it here too.

While I agree that ³junk hacking² is in a lot of cases fairly pointless from
a security standpoint, it can still serve an educational (not to mention
entertaining) purpose. The problem starts when threat models are
exaggerated, as is often the case. I¹m guessing this has to do with hackers
assume that real world attackers are like them, when in fact they in most
cases are not. The most obvious difference being the objective; whereas a
hacker largely does things because it¹s fun, real attackers have monetary or
other reasons for what they do. This also means, as Dan Guido has pointed
out several times, that attackers are unlikely to work harder than they have
to, so while pwning a toaster to gain access to a dishwasher to gain access
to a tv to gain access to a home alarm may be technically doable, it is far
more likely that the attacker (or burglar in this case) will just go
somewhere that doesn¹t have an alarm.

Of course, we should not completely disregard ³junk hacking² either, a
refrigerator botnet is still a botnet etc., and there will very likely be a
number of extremely critical issues with the internet of crap. But let¹s at
least try to keep it on a somewhat realistic level.

Andreas



From:  Dave Aitel <dave at immunityinc.com>
Date:  måndag 22 september 2014 20:53
To:  "dailydave at lists.immunityinc.com" <dailydave at lists.immunityinc.com>
Subject:  [Dailydave] Junk Hacking Must Stop!

Look, I get how we all love free trips to various locales other than Seattle
or Boston or whatever (which are not, technically "locales" so much as just
"places people happen to live"). But one more hacking talk about breaking
into some random piece of electronics that people might use somewhere like a
Internet-connected bed-warmer, or a MRI machine, or a machine people use to
make MRI machines, and the whole hacking community is going to be wearing
the cone of shame for a week!



Yes, we get it. Cars, boats, buses, and those singing fish plaques are all
hackable and have no security. Most conferences these days have a whole
track called "Junk I found around my house and how I am going to scare you
by hacking it". That stuff is always going to be hackable
whetherornotyouarethecalvalry.org.

I get that Barnaby hacked an ATM. I thought it was stupid then, and it's
even stupider now when your basic ATM runs XP so it can display ads to you
while you take money out of it. But it's not stunt hacking unless it can wow
you. If you are wowed by someone owning XP these days, then you are out of
it and need to be re-reading Carolyn Meniel's HappyHacker website. Yes,
there is Junk in your garage, and you can hack it, and if you find someone
else who happens to have that exact same Junk, you can probably hack that
too, but maybe not, because testing is hard.

Cars are the pinnacle of junk hacking, because they are meant to be in your
garage. Obviously there is no security on car computers. Nor (and I hate to
break the suspense) will there ever be. Yes, you can connect a device to my
midlife crisis car and update the CPU of the battery itself with malware,
which can in theory explode my whole car on the way to BJJ. I personally
hope you don't. But I know it's possible the same way I know it's possible
to secretly rewire my toaster oven to overcook my toast every time even when
I put it on the lowest setting, driving me slowly but surely insane.

So in any case, enough with the Junk Hacking, and enough with being amazed
when people hack their junk.

-dave :>



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20140923/c194642e/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cone_of_shame_blackhat.jpg
Type: image/jpeg
Size: 60126 bytes
Desc: not available
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20140923/c194642e/attachment-0001.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2814 bytes
Desc: not available
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20140923/c194642e/attachment-0001.p7s>

More information about the Dailydave mailing list