News

Researcher: Flaw Exposes Hack Threat

Terrorists and other criminals could exploit a newly discovered software flaw to hijack massive computer systems used to control critical infrastructure like oil refineries, power plants and factories, a researcher said Saturday.

Ganesh Devarajan, a security researcher with 3Com Corp.'s TippingPoint in Austin, Texas, demonstrated the software vulnerability he uncovered to attendees at the Defcon hacker conference on computer security.

The software is used to manage supervisory control and data acquisition, or SCADA, systems -- computers that regulate the functioning of such important infrastructure as oil and gas pipelines, water treatment and power transmission facilities and the giant factories used by large technology companies.

The flaw could crash certain SCADA computer systems, particularly older ones, Devarajan said. The intrusion works by attacking sensors within the facilities that are linked to the Internet through unencrypted connections.

Devarajan declined to identify the software company whose product he hacked in his demonstration but said his firm has notified the company of the vulnerability so it can fix the problem.

Similar weaknesses likely exist in other programs, Devarajan said.

"SCADA systems are scary because they control your day-to-day life," he said. "And they use lightweight software -- all you need to do is send some false requests and you can talk to them easily. These are scary threats."

Authorities have become increasingly concerned about vulnerabilities in SCADA systems as they've moved from closed networks to being connected to the Internet, said Linton Wells II, the Defense Department's former chief information officer and now distinguished research professor at National Defense University.

"People need to realize this is not just the techie, geek, adjunct stuff that doesn't affect their lives," he said before Devarajan's presentation.

Officials have cited vulnerabilities in such infrastructure as an important terrorism concern before, though some analysts question whether the technological difficulty of a such strike would lead criminals to stick to more physical methods of attack.

Defcon ends Sunday, capping five days of training and hijinks for thousands of hackers and other security researchers at the renegade Defcon and its more polite cousin, Black Hat.

Known for its wild contests, Defcon includes such events as timed lockpicking races, a target-shooting competition between robotic guns and a contest to spot federal agents trying to keep a low profile at the conference.

In another notable demonstration Saturday, Zac Franken, a 38-year-old London technology executive, showed how it's possible to break into a building by tampering with the devices used to read security badges.

Franken said a fundamental flaw exists in the protocol that allows the badge readers to communicate with the central access-control systems that decide who to allow into the building.

In his demonstration, Franken used a circuitry model to show how an intruder could pry open one of the devices with a knife, attach a programmable microcontroller to the wiring inside and fool the device into letting an intruder into the building.

Franken said he was also researching how criminals might use Bluetooth wireless technology to trick retina-scanners by sending a signal from a cell phone.

Access-control systems need stronger tamper protections and a way to encrypt transmissions, Franken said.

"The bottom line is, the main security is two screws and a plastic cover," he said.

Featured

  • Microsoft Appoints Althoff as New CEO for Commercial Business

    Microsoft CEO and chairman Satya Nadella on Wednesday announced the promotion of Judson Althoff to CEO of the company's commercial business, presenting the move as a response to the dramatic industrywide shifts caused by AI.

  • Broadcom Revamps VMware Partner Program Again

    Broadcom recently announced a significant update regarding its VMware Cloud Service Provider (VCSP) program, coinciding with the release of VMware Cloud Foundation (VCF) 9.0, a key component in Broadcom’s private cloud strategy.

  • Closeup of the new Copilot keyboard key

    Microsoft Updates Copilot To Add Context-Sensitive Agents to Teams, SharePoint

    Microsoft has rolled out a new public preview for collaborative "always on" agents in Microsoft 365 Copilot, bringing enhanced, context-aware tools into Teams channels, meetings, SharePoint sites, Planner workstreams and Viva Engage communities.

  • Windows 365 Cloud Apps Now Available for Public Preview

    Microsoft announced this week that Windows 365 Cloud Apps are now available for public preview. This aims to allow IT administrators to stream individual Windows applications from the cloud, removing the need to assign Cloud PCs to every user.