The findings, reported by the BBC, were revealed in a presentation at the DEF CON hacker convention this week. The research was completed by Bertin Bonilla and James Jara. They assessed a range of serious security weaknesses in seismic sensors manufactured by Canadian firm Nanometrics.
Nanometrics sensors are deployed throughout the United States and in other countries. Costing $30,000 each, they are situated in extremely sensitive locations, such as around active volcanoes and rifts in the middle of the ocean. The data from the sensors is used as a primary source for seismic activity alerts that could trigger evacuation notices for entire towns and regions.
While creating a search engine for devices connected to the Internet of Things, Bonilla and Jara noticed that the sensors could easily be identified as seismic activity loggers. Because of their unique locations and the patterns of data they transmitted, it proved to be easy to find a Nanometrics sensor despite their remote placements.
What came next was more surprising. By analysing the data flowing to and from the sensors, the researchers found they were able to connect to them using default passwords stored on a central server. From there, they could remotely monitor all of the sensitive data being transmitted and tamper with its contents.
Once connected, the sensors provided the pair with system-level access to all of their features. The network was “completely compromised,” giving Bonilla and Jara the ability to flood Nanometrics’ systems with false readings and deliberately inaccurate data. This could be used to trigger a natural disaster alert that could lead to people being forced to leave their homes.
While the appeal of the attack is likely to be low for most hackers, the basic nature of the exploit may make it attractive to some specialist groups. The researchers speculated that the flaws could be used to financially sabotage a company or even an entire country. The sensors could be used to blackmail leaders into paying a ransom or risk a false natural disaster alert.
The vulnerabilities have been reported to the US Computer Emergency Readiness Team (US Cert) which is responsible for protecting the United States’ digital infrastructure. US Cert has since contacted Nanometrics which convinced the agency not to issue a security alert. In a statement to the BBC, the company blamed the network’s implementation for the weaknesses, claiming it advises sensors to be set up to block connections from unknown computers.
“We have always recommended to our customers that they change the factory default passwords and when using the systems on real-time communications networks, they limit access to known IP addresses and/or use VPN software,” a spokesperson said.
The flaws are an example of the growing concerns surrounding the Internet of Things. By connecting vital pieces of infrastructure to the open web, countries are exposing critical systems to attack. In many cases, simple security best practices are being ignored, giving hackers a new frontier of exploits to experiment with.
The issues in the seismic sensor grid are just one of many Internet of Things-related discoveries to come out of this week’s DEF CON conference. From concerns about net-linked solar panels to a set of hackable smart light bulbs, the event has once again demonstrated how the Internet of Things introduces security concerns that aren’t present in any other area of technology.
