Wednesday, October 21, 2009

Hardware hacking a cat and mouse game

By JO TIMBUONG

TOOLS OF THE TRADE: Grand showing some of the tools hardware hackers use, which are available at affordable prices. He was one of the speakers at this year's Hack in The Box Security Conference.

IF YOU ask Joe Grand, president of Grand Idea Studio — an R&D and product design company, he’ll tell you that no piece of hardware can ever be safe enough from hackers.

“If something has electronics running inside, it can easily be tampered with, and many such products are susceptible to being compromised by even simple attacks,” he said.

According to him, hardware hacking has recently reappeared on hackers’ radars because of the plethora of easily available tips and tools available on the Internet.

He said the tools of the trade are very affordable and for a paltry sum experienced hardware hackers can have a die made of the circuit board they wish to hack.

This form of outsourcing is something new in the hardware hacking world, Grand said in his keynote address at the recent Hack in The Box Security Conference (HITBSecConf) here.

“Things that used to be difficult to do for hardware engineers and hackers have become so easy that there really isn’t any excuse now for hackers not to hack into hardware,” he said.

A mix of new and old methods can also help with the process of hacking hardware.

Citing an incident where he hacked into parking meters in San Francisco, Grand applied social engineering techniques to learn how the meters worked. “and the officials were only too happy to tell me everything.”

With that information and some software tools, he managed to confound the system running the parking meters into granting him US$999.99 (about RM3,600) worth of parking time.

“I didn’t use it, of course. I informed the city council about it and they are currently doing something to fix (the loophole in the) system,” he said.

Another trend that is making the job of a hardware hacker even easier is product enthusiasts disassembling a product and then posting detailed pictures of its components on the Internet.

“This shows hardware hackers what kind of components are used to build the product, which can clue them in to its vulnerabilities,” he said.

Good and bad

Just like with any other hacking activity, hardware hacking can lead to detrimental consequences, such as service theft or having your product cloned by unscrupulous parties.

But there is a silver lining, Grand said. If product developers make an effort to understand the skills of hardware hacking, they will be able to build a more secure product.

He said hardware designers usually leave a lot of clues on how to hack into a product because they are always in a hurry to put the devices on the market and place little emphasis on security.

Grand said hacked hardware is probably a more costly problem to solve than hacked software.

“In the software world all it takes is an inexpensive patch but it’s not that simple when it comes to hardware. A lot of times, it requires the companies to issue a new version of the hardware which can be a costly fix,” he said.

Having said that, Grand believes that it is impossible to devise a totally secure hardware product, no matter how much a company chooses to spend on this. The trick is for the company to keep staying ahead of the hackers.

“It’s a cat and mouse game. Hardware developers will try to make their products secure but there’ll always be an unplugged hole somewhere,” he said. This keeps everyone on their toes.


No comments: