Avi Rubin: What Happens When Hackers Hijack Our Smart Devices? Computer scientist Avi Rubin says all our smart devices — cars, phones, even fitness trackers — can be hacked. He warns that our network of connected technology puts us at risk for cyberattacks.

Avi Rubin: What Happens When Hackers Hijack Our Smart Devices?

  • Download
  • <iframe src="https://www.npr.org/player/embed/509355546/509494876" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript


On the show today, ideas about the Power Of Networks how those connections, those pathways define the world around us.

AVI RUBIN: Well, in my house, my doorbell is connected to my cell phone which is connected to my laptop which is connected to...

RAZ: This is computer scientist Avi Rubin.

RUBIN: ...The thermostat which is connected to the alarm system, and I can sit in my bathroom after I've taken a shower and before I've gotten dressed and pick up my phone and turn on the heat in my car. And then turn on the coffeemaker and the toaster.

RAZ: And we're all headed in this direction, right?

RUBIN: Yeah.

RAZ: I mean, our homes and our appliances - they are basically becoming extensions of us.

RUBIN: Yes. It's known as the internet of things, and all these devices are not only connected to each other, but they're connected to pretty much every other device on the Internet.

RAZ: So I should probably mention here that Avi's area of expertise is computer security which means he understands how all of this connectivity can also make us incredibly vulnerable.

Is everything that we own that's connected to the internet, can all of that in theory be hacked?

RUBIN: I would say that that's a fair assumption.

RAZ: That's totally crazy.



UNIDENTIFIED REPORTER #1: If you had internet trouble this morning, you weren't alone. Hackers disrupted...

UNIDENTIFIED REPORTER #2: A series of cyber attacks today against the internet.

RAZ: You might remember this. It was a few months ago. Some of the biggest sites on the internet like Amazon and Google went down across large parts of the U.S.


UNIDENTIFIED REPORTER #3: The attacks began early this morning as websites from Twitter to Netflix...

RAZ: And that disruption was caused by an attack, an attack that actually began inside the internet of things, inside the devices we use every day.

RUBIN: Unbeknownst to us, hackers out there were able to put malicious software on these devices by taking advantage of bugs in the software when these things were manufactured.


UNIDENTIFIED WOMAN: Basically your everyday household things.

UNIDENTIFIED REPORTER #4: Experts say cheap, generic devices are usually the most susceptible...

UNIDENTIFIED WOMAN: Like routers, security cameras, DVRs...

RUBIN: So some attacker sent the command to all these devices at the same time saying attack.


UNIDENTIFIED REPORTER #5: The attacks focused on Dyn Inc., an internet switchboard for numerous major websites. The attacks continued throughout the day.

RUBIN: And so that attack was able to produce a situation where a lot of users were not able to communicate with some of the services that they rely on the most, like Twitter and Google and other sites. The service simply wasn't available.

RAZ: Just not available.

RUBIN: And it's not in most people's threat model.

RAZ: Yeah.

RUBIN: People don't say, well, I'll watch Netflix if it's available. They just say, I'm going to watch Netflix. You assume it's going to be there.

RAZ: OK, losing Netflix for a day or two - not the end of the world, right? But what Avi is worried about is that hackers can exploit our growing dependence on the internet of things to do some really serious damage, which he explained on the TED stage.


RUBIN: So let me talk about a couple of more interesting internet of things hacks. One of them is Samsung's new smart fridge, OK? Samsung realized that in order to know what's on your calendar, people don't want to have to pull out their phone or go look on their computer. They can just look on their fridge. And so they designed a smart fridge that you could log into with your Google credentials and see your calendar right there on your fridge. The only problem is the people that built that may not have had a lot of security training. And they don't validate the SSL certificates. For those of you that are not technical, trust me, that means bad stuff will happen.


RUBIN: And what you can do is if the certificates aren't validated, you can create a man-in-the-middle attack which will allow somebody to get the person's Gmail email, all the history of all of their email, and to log into their Gmail account, basically, because they have a smart fridge. Now, we've all seen these fitness trackers that are all the rage. Everybody is tracking their steps and their running and their health and their fitness. What I'm showing you here is a fitness tracker, one of the top models, that had a bug in the software. And it causes the sensors to sample way too much. And it injured this person.

Another device that is in the health and fitness space that I purchased was this blood pressure monitor. You use your iPhone, and then you can see - you know, say start and you can see your progress, et cetera. So I put this thing on and I activated it, and it started squeezing my arm. And it squeezed really, really hard. And I tend to be pretty claustrophobic, and I was starting to wonder if this thing was going to rip my arm off. I mean, it really, really, really hurt. So it didn't rip off my arm, fortunately, but I got a really scary reading. I was supposed to be dead in about three minutes based on my blood pressure reading when I did that.

And there are even things like implantable devices, like defibrillators that go right into a person, and those have connectivity to devices that can control them. And if you think about it, it makes sense, right? If somebody needs to change their defibrillator settings because their medical condition changed, you shouldn't have to cut the person open and do that if you can do it wirelessly. But at the same time, you have to design that system so that someone can't sit in, you know, Grand Central Station and put out wireless signals and have people dropping all around them because they just killed them.

RAZ: I mean, it seems like if you're a sophisticated hacker this is, like, a golden age because everybody is connected, everything around the world is connected, and more so every day. And we haven't even thought about what that means.

RUBIN: I think we're living in a honeymoon phase where we get most of the benefits of the internet without the hackers completely taking over and destroying all of this. But, you know, most people are not security specialists. And so they see software as an enabler. And you see more and more devices that you wouldn't normally consider to be smart or things that you would even want to be smart. You wonder, why would somebody make a smart one of those? And yet they do.

RAZ: Right. I mean, we were just hearing from Wanis Kabbaj and, I mean, he was saying how driverless cars could solve all these problems for us. And now I'm thinking, I mean, how vulnerable they would be to hacking, right? And not even driverless cars - all cars, the cars that are on the road today.

RUBIN: Well, some of that's already happened. There have been demonstrations - numerous demonstrations of being able to hack into cars, actual commercially deployed vehicles that people are driving, and getting them to break, getting them to run up to very high speeds, disabling the brakes. All of that can be done today.

RAZ: Avi Rubin will be back in just a moment to explain how pretty much any modern car can be hacked. On the show today, the Power Of Networks for good and for not so good. I'm Guy Raz, and you're listening to the TED Radio Hour from NPR.


RAZ: It's the TED Radio Hour from NPR. I'm Guy Raz. And on the show today, ideas about the Power Of Networks, the ones in the natural world and the ones we build for ourselves. And we were just hearing from computer science professor Avi Rubin about how so many of the things in our lives, even our cars, are networked, connected to the internet, which makes those things incredibly vulnerable to hackers.


RUBIN: This is a car, and it has a lot of components, a lot of electronics in it today. In fact, it's got many, many different computers inside of it, more Pentiums than my lab did when I was in college. And they're connected by a wired network. There's also a wireless network, which can be reached from many different ways. So there's Bluetooth. There's the FM and XM radio. There's actually Wi-Fi. There are sensors in the wheels that wirelessly communicate the tire pressure to a controller onboard.

And what happens if somebody wanted to attack this? Well, that's what the researchers that I'm going to talk about today did. They actually carried out their attack in real life. They bought two cars, and I guess they have better budgets than I do. The first threat model was to see what someone could do if an attacker actually got access to the internal network on the car, OK? So think of that as someone gets to go to your car, they get to mess around with it and then they leave. And now what kind of trouble are you in?

And so they connected to the diagnostic unit on the in-car network, and they did all kinds of silly things. Like, here's a picture of the speedometer showing 140 miles an hour when the car's in park. Now, you might say, OK, that's silly. Well, what if you make the car always say it's going 20 miles an hour slower than it's actually going? You might produce a lot of speeding tickets.

Then they went out to an abandoned airstrip with two cars, the target victim car and the chase car, and they launched a bunch of other attacks simply by hacking the computer. One of the things they were able to do from the chase car is apply the brakes on the other car. They were able to disable the brakes. They also were able to install malware that wouldn't kick in and wouldn't trigger until the car was doing something like going over 20 miles an hour or something like that.

They were able to compromise every single one of the pieces of software that controlled every single one of the wireless capabilities of the car. And when they gave this talk, even though they gave this talk at a conference to a bunch of computer security researchers, everybody was gasping. Am I scaring you yet?


RAZ: Yeah, this is pretty scary stuff. Like, has this actually happened in the real world? Like, have hackers been able to do this?

RUBIN: Well, so far, all of those have happened in the lab and they've happened by responsible people who have published their work. But the car companies are scrambling. I know, firsthand, that they are spending millions of dollars on security. And there has been research that's shown that the car manufacturers have a bit of a ways to go to get their cars to be secure against hackers.

RAZ: You're basically saying that we're in for a pretty dark period in the future.

RUBIN: Well, if I want to try to be optimistic, I would say that the security guys are going to come through. And I think that the way that we'll come through is we're going to have to change the internet infrastructure. We're going to have to change the way software is developed. Some of these changes are happening already but not as fast as the attacks are happening.

But once the attackers are able to regularly disable the internet, once we go two weeks without any connectivity whatsoever, by necessity, we will invent ways to communicate once again in a much more secure and protected way.

RAZ: You're saying that we, in our lifetimes, may witness weeks without the internet.

RUBIN: Yeah, I think we'll someday long for the days where we only had a few-hour outage of the internet.

RAZ: Is there any argument to be made that, like, maybe we should just put the genie back in the bottle, like, maybe we should unnetwork parts of our world?

RUBIN: I think the genie is out for good. I don't think there's any way to do that. Unfortunately, the bad guys might do that for us. But there's no way to impede progress. You can't, for example, propose that we eliminate electricity and not use electricity. And just as we can't go back to the days before electricity, we're never going to go back to the days before networks and connectivity.


RAZ: Avi Rubin is a professor of computer science at Johns Hopkins University. You can see his entire talk at ted.com.

Copyright © 2017 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.