The well-publicised governmental spying on private phone conversations highlights once again how fast we may be approaching the birth of supercomputer HAL.
Who remembers that film? Not only that but discovering that credit card skimmers were now almost undetectable also evidences the rate at which electronic devices are shrinking. My navel gazing exercise began because a new computer I had installed decided to update itself without any warning and, importantly, without permission from me. All done with the “intelligence” built into this device. There had not been the usual options screen to permit choices to control automatic actions and that to me is totally unacceptable!
That prompted me to take stock of my house and list all things that had that intelligence capacity or capability. After all, computer codes are simply a choice of a “one” or a “zero” and not difficult to interchange. All very much like a traffic light that instructs us to go on green and stop on red. In earlier times the great technological advance was the PLC, the ‘programmable logic controller’. It worked on the basis of setting on/off switches in such a manner as to form a logic grid, much like the pseudo code used for computers today. That is where the logic is written out in plain language that is then converted to a computer language code by someone expert in computer programming.
Some devices are obvious: desktops, laptops, wireless routers, televisions, phones and gaming consoles. Increasingly, however, computational capabilities are appearing in our appliances, healthcare devices, children’s toys and the home’s infrastructure.
Examples of all these reside in my house. And I have yet to mention refrigerators, microwaves and stoves.
These devices are incorporating new sensors, actuators and network capabilities: a Barbie with a video camera; a lock for your front door controlled by your mobile phone; or a bathroom scale that reports readings over your wireless network. Many of these devices are also subject to control by servers external to the home or are mobile technologies that regularly leave the home’s perimeter and interact with other networks. These trends, which we expect to accelerate in the coming years, create emergent threats to people’s possessions, well-being, and privacy.
We all understand the more common attacks on our computers such as tampering with logs or eavesdropping on network traffic. However, the additional focus on sensors and actuators is something that is not generally encountered with traditional computing devices. Similarly, the high-level goals behind the attacks such as blackmail, extortion, theft and vandalism, among others, are the same motivations that one encounters with all criminal activities. Arguably, the most novel aspects of attacks on the home ecosystem are the intermediate goals: the ways in which the unique capabilities of devices or the assets to which they have access enable criminal opportunities.
In order to highlight some of the unique properties of the home system, I have listed examples of attacks that are not viable with traditional computing platforms:
Determining the locations of lucrative home burglary targets via camera feeds or the distinctive signatures of multiple, expensive devices;
Providing access to homes that have cyber-physical locks that are vulnerable to electronic compromise;
Checking whether or not a home is occupied (and by whom) via: cameras; microphones; motion sensors; logs for lights, thermostats, and door locks; or HVAC air pressure sensors;
Turning up the thermostat settings while the user is away in order to increase heating bills, thereby causing financial harm;
Electronically manipulating a washing machine to cause flooding;
Tampering with home healthcare technologies in order to change treatment or notifications, or to perform a denial-of-service attack; and
On a more extreme end, targeting entire communities by coordinating their devices to overload the power grid.
It is interesting that the presence of actuators and sensors in the home environment allows interactions between the physical and electronic states of devices. It is possible to perform electronic attacks with physical consequences but it is also possible to perform physical attacks with electronic consequences, or attacks that have both physical and electronic components. As an example of a physical attack that has electronic consequences, an adversary might apply a bright, directed light source to an external light sensor in order to trick outdoor flood lighting into turning off. Similarly, one can imagine an attack where physically tricking a system sensor causes the system to enter a fail-safe mode that is more easily compromised via electronic attack. And these latter instances could well have physical consequences.
So how could we leave ourselves open to such exposure? The possibilities are many: a device on the home network might be compromised by a direct attack from a device external to the home, or by an infected device within the home, whether stationary, mobile, or belonging to a guest. If a device is mobile and connects to an infected network, it might become infected. Physically, a device might be infected through a manual interface such as USB or CD. Alternative physical attacks include: receiving an infected device as a gift; purchasing a used, compromised device from a source such as eBay; purchasing a “new” device that has previously been purchased, infected, then returned; or purchasing a device that was infected during its manufacture.
I have left the more obvious to last, the security of our in-house wireless network. We transmit TV, Internet, music and games over it now and the phone designers are bent on increasing the integration and options further.
Of far greater concern are the “near field” devices such as supermarket checkouts using our smart phones to pay for our purchases. Should such transactions be harvested, money would literally disappear over the web.
None of this is far-fetched. Trawling the web produces reams of data on which to base these scenarios. Indeed, if you would like to see a “living” example of technology and how it may be used, just go to http://www.barbie.com/videogirl/. Such marketing will only teach a new generation covert attitudes.
All I can say is that vigilance is no longer a boring pastime; today it has become an absolute necessity of everyday life, not only to protect your assets but even your life.
The web is getting scarier by the minute!