NPR logo

Street Lights, Security Systems And Sewers? They're Hackable, Too

  • Download
  • <iframe src="" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript
Street Lights, Security Systems And Sewers? They're Hackable, Too

Privacy & Security

Street Lights, Security Systems And Sewers? They're Hackable, Too

  • Download
  • <iframe src="" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript


Moving on now to a less light-hearted topic in tech - cyberattacks. Recently we heard allegations about the Chinese military hacking into U.S. corporations. And during his State of the Union Address last month, President Obama had this warning.

PRESIDENT BARACK OBAMA: Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems.

CORNISH: So what would a full fledge cyberwar look like? NPR's Steve Henn tried to imagine it.

STEVE HENN, BYLINE: Whether you know it or not, you're surrounded by a network of machines that are talking to each other. Right now, I'm standing on California Street, downtown San Francisco.

DON BAILEY: It may not be easy to recognize but almost everything around you in that area is Internet capable. The streetlights are outfitted with machine-to-machine technology to remotely control them. The vehicles driving down the street, even security systems for office buildings, they're remotely controlled and monitored over the Internet.

HENN: That's Don Bailey. He runs a cybersecurity firm called Capitol Hill Consultants. Right now, Bailey is working for DARPA, the Defense Department's Advanced Projects Research Agency. He's mapping out security holes in these kinds of connected systems. But in the past, Bailey has hacked into new cars using the cell phone network. He says even modern sewers could be hackable.

And a lot of this stuff is possible. Because over the last decade, the Internet and the mobile phone network have been layered on top of all kinds of technologies that were not built with security in mind.

BAILEY: It's true. We're seeing a major change in the way technology is deployed.

HENN: Everyone wants connectivity and control and that means connecting all kinds of systems - switches and machines to the Internet - that were never designed to live online; devices that are fundamentally insecure.

TIFFANY RAD: Sometimes that can't be patched.

HENN: Tiffany Rad is a security researcher who works for a defense contractor in Columbia, Maryland. She says insecure industrial switches have been built into oil pipelines, power plants, even prison. These switches are programmable so you can set them to say turn off the pressure in a pipe, if it gets too high or too low. But a generation ago, switches like this weren't designed to be connected online.

RAD: So when you see systems that are legacy like this, some of them 30 years old, it's a very hard proposition when you tell someone who's running these facilities: Take them off-line we got to fix this, replace that.

HENN: A couple years ago, she and some friends demonstrated that built-in vulnerabilities made it possible to hack open cell doors in federal prisons.

RAD: If we wanted to unlock the prison doors, we could do that. And what we're also able to show is if the doors were unlocked and they were open, the guards would - it would show on their computer screen that they actually were still closed and locked.

HENN: Now, Rad didn't bust anyone out of jail, but she did proved this kind of attack was possible and let officials know. One reason prisons were vulnerable is that their control rooms were connected to the Internet.

DILLON BERESFORD: I'm not convinced it would take a nation-state and a bunch of funding to do something like this.

HENN: Dillon Beresford a cybersecurity consultant based in Texas. A couple years ago, working by himself, he duplicated some of the most novel aspects of what's probably the most famous cyberwarfare attack in history: Stuxnet. That's the virus that caused Iran's nuclear centrifuges to spin out of control.

BERESFORD: I guess, when I looked at Stuxnet, I saw techniques that were being used back in the late - you know, early 2000, late '90s. I mean, like people in the hacking community.

HENN: So he thought...

BERESFORD: Why not look at these controllers, right, in my own spare time and see if I can find some vulnerabilities. And what I found - at least for me was surprisingly shocking. I mean, there were a lot of trivial bugs that could be exploited.

HENN: Writing those exploits took Beresford just a couple of weeks and cost just a few thousand dollars. Tiffany Rad's team - which hacked prison doors - had just four people and a tiny budget. Beresford says, many engineers who rely on these kinds of automated industrial switches now realize how vulnerable they are.

BERESFORD: They're pretty much at this point, they're just waiting for something to happen.

HENN: In the past year, close to 200 cyberattacks on critical infrastructure have been reporter to the Department of Homeland Security. But Beresford says talking about cyberwar probably doesn't help. Today, switches made by Siemens and GE are built into infrastructure all over the world. Parts made in China can end up here.

BERESFORD: We should be working together to solve some of these problems.

HENN: He believes the only way to make all of us safer is through a kind of public hacking diplomacy. When Beresford finds a bug in a system, he says he discloses it and pushes manufactures to find a fix. He's helped plug holes in the U.S., and in China, and all over the world. And ultimately, he hopes this kind of research will make cyberwarfare harder to wage.

Steve Henn, NPR News, Silicon Valley.

Copyright © 2013 NPR. All rights reserved. Visit our website terms of use and permissions pages at for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.