LAS VEGAS — Many seismometers deployed worldwide to measure seismic waves generated by things such as earthquakes and volcanic eruptions are connected to the internet with no security protections, two Costa Rican researchers said at the Defcon 24 hacker conference here last week.
Bertin Bervis and James Jara said they had found ways to hack into and control seismometers placed on the ocean floor or in remote land locations. Were malicious hackers to do the same, they said, oil and gas drilling operations, mine safety and earthquake detection could all be disrupted, with possibly dire results.
"The average attacker is not interested, but governments might be," Jara said. "You're playing with devices that measure natural disasters. This could lead to financial sabotage against a particular country or company."
Bervis and Jara found seismometers all over the world using their own NetDB search engine, which, like the better-known Shodan search engine, scans the internet for embedded devices. Many of the devices were Taurus and Trillium seismometers, made by an Ontario company called Nanometrics.
The Taurus seismometers had built-in Web servers that were transmitting unencrypted data across the open internet, including precise location and altitude coordinates. The researchers located one in central England, another in Oklahoma and a third at the bottom of the North Sea.
A specialized Trillium model designed for rough environments, such as being dropped on the ocean floor, buried in dirt or deployed at the South Pole, had similar functions. It ran on a version of Linux that was still susceptible to the two-year-old Shellshock vulnerability.
Jara and Bervis got a copy of the Trillium firmware from Nanometrics and found multiple other flaws, including a hardcoded remote-access password that would have let anyone remotely take control of the device.
Nanometrics wasn't the only brand of vulnerable seismometer, the researchers said. Another manufacturer, Britain's Güralp, protects its Web-connected devices with encrypted HTTPS connections, but the encryption is poorly implemented and can be cracked.
Like any unprotected Web server, these devices could also be knocked offline with simple denial-of-service attacks that flooded them with more Web requests than they could handle.
"What if you denied service to multiple devices at once?" Jara wondered. "You could mess up some expensive research."
But it could get worse. Jara and Bervis also figured out how to inject false data into the data streams these devices were transmitting. In other words, they could make it look like an earthquake had occurred when none actually had.
"We are in control of the device, the network and the software running on it," Jara said.
He and Bervis made very clear, however, that they're not out to create mayhem. All of what they'd found had already been disclosed to the U.S. Computer Emergency Response Team (US-CERT), a branch of the Department of Homeland Security. In turn, the researchers said, US-CERT had notified the vendors.
"Vendors, please think about data security when you make these things," Jara said.