Hacking seismometers deployed around the world can cause fake earthquakes and bring economic destruction – researchers
Now this is earth shattering news. Imagine the havoc a fake news of an 8.1 Richter Scale earthquake hitting New York would cause. It would cause a mini economic collapse and drive many companies to bankruptcy not to mention the futures contracts in oil, food grains and other commodities. Is such a thing possible? Yes, say two security researchers from Costa Rica. They found that it was possible to fake Earthquakes by hacking seismometers deployed at different locations around the world.
Countries around the world have deployed such seismometers to measure seismic waves generated by things and give them early warning of natural calamities such as earthquakes and volcanic eruptions. However, the two researchers found that these seismometers are connected to the internet with no security protections.
Giving a demonstration at the Defcon 24 hacker conference, Bertin Bervis and James Jara said they had found ways to hack into and control seismometers placed on the ocean floor or in remote land locations. Bervis and Jara claimed that if potential hackers were to hack the same, oil and gas drilling operations, mine safety and earthquake detection could all be disrupted, with possibly dire results, not to mention stock market crashes around the world.
“The average attacker is not interested, but governments might be,” Jara said. “You’re playing with devices that measure natural disasters. This could lead to financial sabotage against a particular country or company.”
Bervis and Jara found seismometers all over the world with their own NetDB search engine, which searches the Internet for embedded devices, similar to the better-known Shodan search engine. The researchers found that most of the devices were Taurus and Trillian seismometers, made by an Ontario company called Nanometrics.
Upon researching the Taurus seismometers, the duo found that had built-in Web servers that were transmitting unencrypted data across the open internet, including precise location and altitude coordinates. The researchers located one in central England, another in Oklahoma and a third at the bottom of the North Sea. The other Nanometrics product, Trillian was designed for rough environments like ocean floors or South Pole. It ran on a version of Linux that still was susceptible to the two-year-old.
The duo found that both of them ran on a version of Linux that still was susceptible to the two-year-old Shellshock vulnerability. Jara and Bervis got a copy of the Trillium firmware from Nanometrics, and found multiple other flaws, including a hardcoded remote-access password that would have let anyone remote take control of the device.
Jara and Bervis also found another seismometer maker, Britain’s Güralp, protects its Web-connected devices with encrypted HTTPS connections, but the encryption is poorly implemented and can be hacked easily. Not only they can be hacked, they can also be taken offline with a very low scale DDoS attack because they dont have adequate protection. “What if you denied service to multiple devices at once?” Jara wondered. “You could mess up some expensive research.”
The most worrying thing is that Jara and Bervis found that they could inject their own false data into the data streams these devices were communicating. In other words, they could make it look like an earthquake had occurred when none actually had.
“We are in control of the device, the network and the software running on it,” Jara said.
The researchers have already notified U.S. Computer Emergency Response Team (US-CERT), a branch of the Department of Homeland Security about the vulnerability and the destruction it can cause. In turn, the researchers said, US-CERT had notified the vendors.