When I talk to non-tech people about information security (InfoSec) I usually get one of two responses.
The first is, ‘Oh wow! That’s scary. I bet that will be a big problem in the future.’
The second is, ‘So what? No one targets little fish like me.’
Both are reasonable responses from non-tech people. But when I talk to people in the InfoSec world, there’s only one thing on their mind. We have a big problem, and that problem exists right now.
Over the last few days at BlackHat USA 2015 I’ve heard a common phrase. It more or less goes, ‘People and businesses don’t take security seriously enough…still.’
And it’s true. I can categorically show you how three hackers made an impact on billion dollar companies overnight. These three hackers have done two main things.
The first is they have exposed a flaw that affects millions of everyday people. You could already be one of them. The other is they have singlehandedly impacted the stock price of publicly listed companies.
That alone is a massive problem. Luckily these guys fight on the good side of the digital battle. They’re ‘All-Star WhiteHat Hackers’. But if these guys can do it, that means there are plenty of bad guys that can do it too. And it’s these BlackHat hackers that will look to do the same or worse for personal gain.
Hacking a global network for less than $1,000
The box cost just under US$1,000. When you look at it, it barely even looks like it’s got that much worth of gear in it.
In reality this box was able to hack into the GlobalStar [NYSEMKT:GSAT] satellite communications (SATCOM) global network.
Cyber security researcher Colby Moore put together this little box to conduct some research. He was able to hack into a ubiquitous tracking chip that forms part of the GlobalStar satellite network.
The way this network operates is through satcom. Up in space GlobalStar has a bunch of satellites. These relay information between GlobalStar tracking services and the assets people want to track.
This includes things like shipping containers, yachts, cars and even people. For example someone might install a GlobalStar tracker on their yacht. If someone steals the yacht, they can track it through the GlobalStar network.
Or as an example given by Moore, a journalist in a politically unstable region might have a tracker on them in case of kidnapping.
What Moore was able to do with his box was sniff data on the network. He explained how easy it was, because there was no security. There were no checks or signatures that stopped him while he did his thing.
By sniffing this data he was able to track the location of any number of assets. For example, he could find out the exact location of an armoured bank truck. He could track its route and know exactly where it was at any given time.
But what’s even more worrying is Moore says he is 100% certain that he is able to inject false data back into the network. That means not only could he track said armoured car, but he could feed the network a false location for it.
Or in the event of the journalist he could feed back to the network that she was in a safe place when in reality she was in danger.
Moore broke this story through Wired only a week ago on the 30th July. Here’s what GlobalStar’s stock price did in the week after.
Source: Google Finance
The stock is down over 10% since the story broke. After Moore’s presentation yesterday, the stock is down over 2% again today alone.
His research identified a danger to people in the real world. And as a byproduct it’s also had a significant impact on the company’s stock price.
From satellites to Jeeps, nothing is unhackable
When it comes to the biggest ‘all-stars’ of hacking, none come close to Chris Valasek and Charlie Miller. Miller and Valasek are the two guys that spent the better part of two years trying to remotely hack an unaltered Jeep Cherokee.
Let’s get something straight from the outset here too. These guys both have day jobs. They both work full time. This research was their ‘weekend project’.
You’ve probably heard the story by now. If you haven’t, the guys were able to remotely hack into a Jeep, taking control of critical systems like steering and brakes. They got in through a combination of points.
The first was the Sprint Corp [NYSE:S] mobile network. The second was the car’s Uconnect infotainment system made by Harman Kardon. Harman Kardon is a subsidiary of Harman International Industries [NYSE:HAR]. The third was a simple chip, the V850, which connects it all together.
The result of their research led to FIAT Chrysler Automobiles [NYSE:FCAU] recalling 1.4 million affected vehicles to fix the flaw. It also led to Sprint changing their network to block the port the hackers used to get into the car remotely.
In the last few days alone more new research has come out about hacking cars. Researchers have unveiled a flaw in Teslas. Further work shows how a $100 device can hack GM’s OnStar RemoteLink. And we’ve seen the vulnerabilities in DAB radio systems.
This work is all critically important, and it has real world implications.
What kind of implications? Well, aside from ones that might affect your safety, there are market implications too.
The Jeep hack story went out on Wired on the 21st July. Here’s FIAT Chrysler’s stock price in the trading days after.
Source: Google Finance
The stock fell over 11% over the following couple of weeks. And as for Sprint’s stock price, well it’s a similar story.
Source: Google Finance
Sprint is down over 13%. I’ve said before that hackers are having real world impacts with their work. But it’s only been recently with Miller and Valasek that the general public have stood up and taken notice.
I think that’s because the car hack is relatable. It’s something that people can see and understand and fear. You might even own a 2014 Jeep Cherokee and be part of the recall.
We’re lucky that these hackers, Moore, Miller and Valasek, release their information into the public realm. Hackers with the wrong motivations might keep it under wraps. They might sell this info to the highest bidder. They might have held FIAT Chrysler or GlobalStar to ransom.
And what’s just as evident is they can make stock market gains from actions like shorting the stocks they hack. And then buying on the rebound.
When deciding to buy a stock, you might think that it’s important to assess a company’s financial stability. Perhaps the experience of management. Maybe even their track record of beating expectations. All things you’d think about in typical company analysis.
But perhaps even more important is the digital security. The security of the company itself, but also the products and services it makes and delivers. Security must be a fundamental priority, and in any company where it’s not, well perhaps that’s not a company you want to invest in.
Editor, Money Morning