By Margie Murphy, THE TELEGRAPH UK
August 14, 2019
It may seem like something straight out of a thriller: a terrorist hacking into a home, taking over household electronic devices to torture those inside. But, according to some experts, this may not be too far from reality.
Hackers now have the ability to hijack unsecured smart speakers, headphones and laptops to turn them into "offensive" weapons by playing ear-damaging audio, Matt Wixey, a cyber security researcher for PricewaterhouseCoopers has warned.
Wixey said he scanned local WiFi and Bluetooth networks to find devices he could take over and emit both low and high frequencies that surpassed safety guidelines and seriously damage an individual's hearing.
The smart speaker he was able to manipulate - in a safe experimental area away from human ears - "melted" as a result.
This isn't the first time cyber attacks have bled into the physical realm. "Technology plays an increasingly important role in crucial matters of life," says Dr Lukasz Olejnik, research associate at the Centre for Technology and Global Affairs at Oxford University.
"Devices at utility sites, industrial control systems, systems in transportation, medical devices - all of them use technology. Interference with such cyber-physical systems could potentially lead to physical harm and injury."
Finding chinks in the digital armoury of devices we use day-to-day is a burgeoning industry, with teenage hackers making hundreds of thousands by finding and handing a "bug" in to the companies responsible.
Ageing industrial controls in the electric grid and chemical industry are full of vulnerabilities, despite managing critical systems.
In 2016 hackers managed to get into a water utility's control system to change the levels of chemicals used to treat tap water, according to Verizon Security Systems, which has not disclosed the name or location of the company.
The group, linked to Syria, managed to get into the network through its online billing system. They were unable to tamper with the water to a dangerous level - either through lack of understanding how the system worked or because the intent was not there, Verizon suggested at the time.
Hackers have evolved from WannaCry to weaponising cars
In 2017, the NHS was thrown into chaos thanks to the WannaCry malware attack. Although there have been no reports of deaths as a result of the ransomware, which infected a number of NHS trusts' Microsoft PCs, surgery was reportedly delayed.
Industry experts have warned about the potential to hack our roads for years. A report from the US Consumer Watchdog, titled Kill Switch and published in July warns that unlike other "connected" technologies where personal details or money is stolen, "hacked cars have the potential to cause property damage and deaths".
Hackers have been breaking into car software systems since manufacturers began embedding them into vehicle design. It has become so prolific, the topic has its own arena at one of the largest hacking conferences of the year.
The "Car Hacking Village" is a main feature at Defcon. In the same week that Wixey revealed his audio hacking research, Chinese hackers Keen Group disclosed that they had been able to remotely unlock, start and control BMW cars through the BMW Connect app that also controls the airbag, turn-by-turn directions and the temperature of the car.
They needed to set up a fake mobile network, buy an antenna and use a laptop to conduct the attack. BMW patched the flaw in summer last year.
Just months earlier Elon Musk had praised the group for hacking a Tesla's autopilot to swerve into a different lane. It is estimated that by 2022 that two thirds of new cars will have online connections to safety-critical systems, "putting them at risk of deadly hacks", the Kill Switch report warns.
"Technical experts explain that using smartphone technology in cars, technology that was never designed to protect safety-critical systems, is a recipe for disaster. A plausible scenario involving a fleet-wide hack during rush hour in major US metropolitan areas could result in approximately 3,000 fatalities, the same death toll as the 9/11 attack."
Transportation dependent on satellite navigation could pose a risk to those on board, too. Ships around the world could expose crews to radio frequency radiation, IoActive researcher Ruben Santamarta has previously claimed.
In a report published by IOActive in 2018, he said that hackers could take over satellite communication devices to turn them into radiation weapons that could disrupt RF transmissions, potentially cutting off life-saving communication.
Don't panic, but our bodies could be hacked
Then there's the new frontier in health, connected medical devices.
During Defcon 2012 a hacker showed that it was possible to hack a pacemaker and send a fatal electric shock to the wearer. The idea was incorporated into the Homeland TV series assassination plot line, and later, former deputy president Dick Cheney said he had been advised to take his own pacemaker "offline" to thwart anyone trying to tamper with it. In 2017, the federal drug agency recalled 750,000 of device-maker Abbott's implantable pacemaker over concerns it could be hacked.
A year later, Medtronic was forced to temporarily shut down the network that supported its CareLink 2090 after hackers reported a similar vulnerability.
It is feasible that a state-sponsored group may be researching how to build the perfect remote controlled tool for war. But the experts do not think the time has come for such dramatic measures.
In fact, some argue that the largest harm is the mass hysteria sparked by paranoia. "We should be wary of taking the risks of cyber attacks with physical or lethal outcome out of proportions, as such high impact scenarios are today of low likelihood and generally require threat actors with a particularly destructive intentions," says Dr Olejnik. "No such threat actors are active today.
"Unfortunately, spreading misinformation about the alleged outcome of cyber attacks is a problem. I see again and again how harmful it is spreading fear without any evidence at all. Today, whenever a power cut event happens, inevitably someone screams about a 'cyber attack'. These 'suspicions' are never confirmed. But such unsubstantiated rumours cause trouble for those who are already busy with system recovery."