It’s widely known Google has some of the best software engineers on the planet. Last July, one of them — a Google engineer who works in the company’s Sunnyvale offices — decided to put his skills to the test. Er, against his employer.
David Tomaschik found a software vulnerability that allowed him to hack open doors on campus that you were supposed to need an RFID keycard for. He hacked up some code, sent it across the company’s network, and quickly saw the light on the door to his office turn from red to green.
Tomaschik talked with Forbes about what he’d done following a talk he gave on this in early August at the DEF CON Internet of Things Village in Las Vegas. “It was the culmination of work in which Tomaschik had uncovered vulnerabilities in technology made by Software House,” reports Forbes, “the creator of the office controllers managing the physical security of the California site.”
Last summer, the publication goes on to explain, Tomaschik was looking at the encrypted messages that the Software House devices, called iStar Ultra and IP-ACM, were sending across the Google network. He discovered they were non-random, whereas encrypted messages “should always look random if they’re properly protected. He was intrigued and digging deeper discovered a ‘hardcoded’ encryption key was used by all Software House devices.”
That meant all he needed to do was copy the key and either write his own commands, such as asking a door to unlock, or replay legitimate commands. And here’s the crazy part. Tomaschik found that he was able to do this without leaving any digital trail of his actions, and he could also fix it so that Google employees were prevented from opening doors they should have been able to get into. “Once I had my findings it became a priority. It was pretty bad,” he told Forbes.
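The observation that properly encrypted traffic should look random can be turned into a simple audit check on captured payloads. The sketch below is an added example, not code from Tomaschik, Forbes or Software House; the message layout, the key and both "ciphers" are constructed stand-ins that only reproduce the property under test.

```python
import hashlib
import math
from collections import Counter

BLOCK = 16  # assumed cipher block size for the repeat check

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 for random-looking data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def repeated_block_ratio(messages) -> float:
    """Fraction of aligned BLOCK-byte chunks seen more than once."""
    blocks = [m[i:i + BLOCK] for m in messages
              for i in range(0, len(m) - BLOCK + 1, BLOCK)]
    repeats = sum(c for c in Counter(blocks).values() if c > 1)
    return repeats / len(blocks) if blocks else 0.0

def looks_random(messages, min_entropy=7.0, max_repeat=0.01) -> bool:
    """Audit heuristic: high byte entropy and no recurring ciphertext blocks."""
    return (shannon_entropy(b"".join(messages)) >= min_entropy
            and repeated_block_ratio(messages) <= max_repeat)

# --- Constructed sample traffic (toy constructions, not real ciphers) ---
KEY = b"constructed-demo-key"

def plaintext(i: int) -> bytes:
    # Hypothetical two-block command: fixed header, then a door number.
    return b"CMD:UNLOCK".ljust(BLOCK) + f"door={i:04d}".encode().ljust(BLOCK)

def fixed_key_sample(n=40):
    """Deterministic per-block mapping under one key: equal blocks collide."""
    return [b"".join(hashlib.sha256(KEY + p[j:j + BLOCK]).digest()[:BLOCK]
                     for j in range(0, len(p), BLOCK))
            for p in map(plaintext, range(n))]

def per_message_nonce_sample(n=40):
    """Keystream derived from key plus a unique nonce, XORed onto the data."""
    out = []
    for i in range(n):
        stream = hashlib.sha256(KEY + i.to_bytes(8, "big")).digest()
        out.append(bytes(a ^ b for a, b in zip(plaintext(i), stream)))
    return out

if __name__ == "__main__":
    for name, sample in (("fixed key", fixed_key_sample()),
                         ("per-message nonce", per_message_nonce_sample())):
        print(name, round(repeated_block_ratio(sample), 2), looks_random(sample))
```

Recurring ciphertext blocks across messages are a sign of deterministic encryption with no per-message freshness, which is worth flagging in a device review even before the key handling is known.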
Google, naturally, has taken steps to fix all this. For one thing, the company has segmented its network to prevent people on its properties from doing something like this. The Software House devices also now apparently use a stronger form of encryption, though, according to Tomaschik, Software House came up with a solution that requires a change of hardware at customer sites. The implication is that there are lots of locations and businesses that could be open to a similar hack, though a spokesman for Software House owner Johnson Controls told Forbes, “This issue was addressed with our customers,” without providing additional details.
Meanwhile, even though the hacker here had good intentions, this is yet another reminder of the destructive potential of Internet of Things vulnerabilities. Specifically, of how lax security can open up such Internet-connected devices to real-world mischief.
To be reminded of the worst-case scale of such damage, recall the 2016 Mirai botnet attack that co-opted vulnerable webcams and other IoT devices to launch attacks that crippled Internet services around the world, temporarily knocking services like Netflix and Twitter offline. Lawmakers have been slow to get involved in mandating changes that would protect against this kind of thing, and manufacturers are still proving slow to improve the security of the hardware they sell, which means for now we’re still reliant on hackers like Tomaschik to find and fix vulnerabilities, and to keep closed the doors that aren’t supposed to be open.