In the last few years, we have been bombarded in the media with stories of company after company falling victim to hacks of one sort or another. The consequences can be serious, from regulatory fines to loss of revenue and reputational damage. In extreme cases, companies that lose the trust of their customers can be put out of business entirely as the result of a sufficiently serious hack – as happened to Dutch certificate authority DigiNotar in 2011 after it fell victim to a serious security breach, and subsequently filed for bankruptcy. However, it is easy to become complacent or to believe that hacks and data breaches are simple to avoid.
In this blog post we take a slight tangent from our usual more technical content to look instead at some of the stranger and more esoteric hacks that have either been conducted against companies to date, or that security researchers envisage may be realised in the future. It's an eye-opening list that shows that, far from following a typical pattern of attack, hackers are willing – and able – to leverage unexpected attack vectors to either profit or simply cause harm wherever a security weakness can be found. Whilst some of these stories may seem outlandish, they are all based on real hacks that have taken place, or on proofs of concept that security researchers have established as credible threats, and they serve to show how hackers are willing to leverage any angle they can to target an organisation.
Pirates aren’t quite what they used to be, having (largely) swapped their cutlasses and parrots for cybersecurity tooling. In a surprising real-world example of OSINT that we investigated in a previous blog post, modern-day pirates are leveraging OSINT techniques to determine bills of lading for cargo ships, allowing them to target the highest value cargoes. According to security researchers and the Verizon Data Breach Digest report, cyber-pirates have also attempted to reroute ships via their navigational systems. With cargoes of larger container ships valued at up to £75m, the stakes are high, and attacks are already known to be occurring.
In a further twist, a Proof of Concept report by PenTest Partners highlighted that the container load planning system used for container ships could potentially be used to cause containers to be loaded in a configuration that would capsize the container ship entirely, causing untold financial loss as well as environmental damage.
One of the most serious hacks on this list is perhaps also one of the most well-known and widely reported: although shrouded in secrecy and official denials, it is now widely accepted in the mainstream intelligence community and press that the United States and Israel jointly developed and deployed a computer worm known as Stuxnet to degrade or destroy over a thousand centrifuges used with Iran’s nuclear program by intermittently changing the centrifuges’ rotational frequency, causing severe disruption to the program’s progress. Somewhat less believably, claims have been made by apparently credible sources that the same malware also caused the Iranian scientists’ workstations to blare out AC/DC’s “Thunderstruck” at full volume at random intervals, but maybe take that addendum with a pinch of salt.
Perhaps the story of the US cyber-security community pranking Iranian scientists with the best that 1970s hard rock has to offer may gain a little more credence in the light of a report from the same year that the British intelligence agency MI6 (or more properly the “Secret Intelligence Service”) hacked into websites distributing al-Qaeda propaganda and substituted content they found such as bomb-making instructions with recipes for cupcakes – specifically white rum and vanilla buttercream variants courtesy of American chat show host Ellen DeGeneres. Sounds delicious to us.
From the “not happened yet, but just you watch” category comes a risk analysis published in the journal Nature, which finds significant unaddressed risk in a new generation of autonomous crop management technologies beginning to see daylight in the agricultural industry, from autonomous drones to robotic harvesters intended to reduce the burdens of manual labour. Such “ag-bots” (agricultural robots) are currently restricted to autonomous sensors and drones, but the pace of development is substantial, and it is claimed that autonomous harvesters and sprayers are already being developed for the next generation of farm machinery. It’s hard not to be terrified at the prospect of a rogue robo-harvester mowing down swarms of innocent bystanders on a bloody rampage like an agricultural cross between Robot Wars On Tour and Stephen King’s Christine. Slightly more serious risks envisaged by risk analysts include widescale machinery shutdown, or a coordinated poisoning of regional or national ecosystems via deliberate over-application of fertilizer if a network of devices can be subverted by a state actor.
Digital road signs are a frequent target for hacks, since they often lack significant security features, and hacks are seen as being largely benign on the whole. Two such signs were hacked in San Francisco in 2014, the first warning “Godzilla Attack – Turn Back” and the second following up with “Godzilla rampant in SF”. Whilst the hacker in question was never uncovered, it is worth noting that the hacking coincided with the release of the PG-13 rated eponymous movie starring Elizabeth Olsen. And a large prehistoric sea monster.
In 2017, an American casino was targeted in an attack that led to the theft of a massive amount of company data. When investigated by a cyber forensic security team, the source of the breach was found to be an internet-connected temperature sensor in a fish tank within the casino. Once it was compromised, the hackers were able to pivot their attack onto other, more secure systems, including those not directly exposed to external networks. The attack is a good example of how the emerging “Internet of Things” (IoT) and its many poorly secured devices – including security cameras, thermostats, smart speakers, and even domestic appliances such as fridges and ovens – can be used to compromise both domestic and organisational networks.
If the threat of data exfiltration seems a little… tame or abstract, how about finding that a hacker has managed to subvert an IoT network-enabled device and cause it to physically attack you? In a presentation at the Black Hat security conference in Las Vegas, security researchers presented a proof of concept that permitted hackers to remotely hijack automatic drive-through car washes and cause them to actively attack vehicles and their occupants, using bay doors, mechanical arms, and other moving elements to attempt to strike or crush them.
So there you have it, a bunch of very strange rumoured, potential and actual hacks. As the technology in the world develops, malicious hackers find new and interesting ways to exploit it. Although some of these examples are a little extreme, if you’re worried about your security posture, AppCheck can help you uncover vulnerabilities across your entire organisation’s security footprint. Get in touch today.
AppCheck helps you gain assurance across your entire organisation’s security footprint. AppCheck performs comprehensive checks for a massive range of web application and infrastructure vulnerabilities – including missing security patches, exposed network services and default or insecure authentication in place in infrastructure devices.
External vulnerability scanning secures the perimeter of your network from external threats, such as cyber criminals seeking to exploit or disrupt your internet-facing infrastructure. Our state-of-the-art external vulnerability scanner can assist in strengthening and bolstering your external networks, which are most prone to attack due to their ease of access.
The AppCheck Vulnerability Analysis Engine provides detailed rationale behind each finding including a custom narrative to explain the detection methodology, verbose technical detail, and proof of concept evidence through safe exploitation.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network, and cloud infrastructure. AppCheck is authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
As always, if you require any more information on this topic or want to see what unexpected vulnerabilities AppCheck can pick up in your website and applications then please get in contact with us: email@example.com