Google was hacked by its own employee, who revealed vulnerabilities in the security system of the company's Sunnyvale, California office.
Fortunately, the Google employee had no ill intent; he apparently just had free time to test the Sunnyvale office's keycard-enabled doors. However, the incident again raises concerns regarding the security of internet-connected devices and systems.
Google Employee Hacks Sunnyvale Campus
According to a report by Forbes, software engineer David Tomaschik was able to hack into the RFID-secured doors of Google's Sunnyvale, California, campus.
It all started last summer, when Tomaschik noticed that the encrypted messages sent by Software House devices were non-random, which meant that they were not properly protected. Software House is the creator of the systems managing the physical security of the Sunnyvale campus.
When he dug deeper, Tomaschik discovered that there was a "hardcoded" encryption key that was used in all Software House devices. This meant that he would be able to copy the key and issue his own commands, such as unlocking doors that require key cards to access. He could also replay legitimate commands to the same effect. Tomaschik also found that he would be able to issue the commands without them being traced back to him.
Tomaschik was soon able to not only open supposedly secure doors but also prevent fellow Google employees from opening them even if they had the required RFID-enabled key cards. Google eventually patched up the problem.
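The two weaknesses described above, one key shared by every device and no protection against replayed commands, can be contrasted with a hardened design in a short sketch. This is an added example, not Software House or Google code: the message layout, class names and keys are assumptions, and it uses HMAC authentication in place of the product's encryption, whose details the article does not give.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32
SHARED_KEY = b"constructed-key-in-every-unit"  # weak design: same key baked into all devices
MASTER_KEY = os.urandom(32)                     # hardened design: secret kept by the controller


def derive_key(device_id: str) -> bytes:
    """Per-device key, so extracting one unit's key does not cover the others."""
    return hmac.new(MASTER_KEY, device_id.encode(), hashlib.sha256).digest()


def build(key: bytes, counter: int, command: str) -> bytes:
    """Message layout (assumed): 8-byte counter | command | HMAC-SHA256 tag."""
    body = struct.pack(">Q", counter) + command.encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


def tag_ok(key: bytes, msg: bytes) -> bool:
    if len(msg) < 8 + TAG_LEN:
        return False
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    return hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest())


class WeakDoor:
    """Shared key, no freshness: any holder of the key or of an old message is accepted."""

    def accept(self, msg: bytes) -> bool:
        return tag_ok(SHARED_KEY, msg)


class HardenedDoor:
    """Per-device key plus a strictly increasing counter that rejects replays."""

    def __init__(self, device_id: str):
        self.key = derive_key(device_id)
        self.last_counter = 0

    def accept(self, msg: bytes) -> bool:
        if not tag_ok(self.key, msg):
            return False
        counter = struct.unpack(">Q", msg[:8])[0]
        if counter <= self.last_counter:
            return False  # replayed or stale message
        self.last_counter = counter
        return True
```

In the hardened variant, a message built for one door fails on every other door, and the same message fails when presented a second time.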
Internet Of Things Security Vulnerabilities
It was a good thing for Google that Tomaschik had no malicious plans for his discovery. However, it again puts Internet of Things security issues in the spotlight, particularly how inadequate the security measures are in protecting internet-connected devices.
One prime example of the lack of Internet of Things protection was the Mirai botnet, which took out large parts of the internet in October 2016 by hacking into internet-connected devices and using them to launch distributed denial-of-service, or DDoS, attacks.
Tomaschik noted that there are only a handful of RFID keycard security system manufacturers, which means that the vulnerability that he found in Software House technology is present in a significant percentage of key card doors across the country.
It is also alarming that something like this would happen to as big a company as Google. The embarrassing gaffe follows what happened to Apple, which was recently reported to have been hacked by a teenager despite its obsession with security. The teen hacker was able to steal 90 GB of secure files, placing them in a folder on his laptop amusingly named "hacky hack hack."