
Tuesday, March 25, 2014

Does Google Glass Distract Drivers? The Debate Continues

As reported by NPR: Shane Walker hops into his Toyota Prius hybrid and puts on his Google Glass. It's a lightweight glasses frame with a tiny computer built into the lens.

Google is at the forefront of a movement in wearable technology, gadgets we put on our bodies to connect us to the Internet, and perhaps nothing embodies that more than Glass. But the eyewear is raising eyebrows outside the high-tech industry. Before Glass even hits stores, lawmakers in several states want to ban it on the roads.

Walker, an independent developer living in San Francisco, turns on the GPS app and starts driving. Instead of talking out loud, like an app on a smartphone might, it shows him his route as a thin blue line and a triangle on the upper right corner of the lens.

"Google did a good job of making it nonintrusive, so it's not directly in your line of sight," he says.
But Walker's favorite feature is the camera. Say you're on a road trip. With a tap of the side, you can record the entire thing in decent resolution and then, with another tap, share it with your friends. Or you can wink and take a picture.

At a stop sign, Walker strokes the Glass frame with his right index finger. He's flipping through stored photos. The movement is so discreet — no bending his neck down like you would with a smartphone — and I have to ask him: "Is it something you would do if there was a police officer right in front of you?"
"I mean, it's debatable," he replies. "It is hands-free, so I do feel like in my legal right, it's OK for me to interact with stuff that doesn't require my hands, like winking, taking pictures."

Legislative Battle Over Public Safety
Ira Silverstein, a Democratic state senator from Illinois, disagrees. "Yeah, it's hands-free, but it can affect your vision," he says.

He's written a bill that says using Glass distracts drivers. "The first offense would be a misdemeanor. The second offense if, God forbid causes death, could be a felony."

Leading car insurance companies have not yet taken a position on Glass, but at least eight states have proposed legislation banning the use of Google Glass on the road. In West Virginia, Republican state Delegate Gary Howell says lawmakers need to act before Glass gets out of hand.
Glass is the ultimate multitasking machine. It streams incoming emails and scans the human eyelid for commands. But Howell says its high-tech creators aren't seeing a basic fact about the real world.

"Have they driven on mountain roads in West Virginia, where you've got one 15-mile-an-hour turn after another one, where you really need to be concentrating on what you're doing?" he says. "You could be wearing it, not looking at your driving but watching a video screen."

Google is responding to this roadblock by sending lobbyists around the country to dispel concerns. Spokesman Chris Dale says Glass can help drivers.

"It's actually not distracting, and it allows you — rather than looking down at your phone, you're looking up and you're engaging with the world around you," Dale says. "It was specifically designed to do that: to get you the technology you need, just when you need it, but then to get out of your way."

Not Texting, But Text
Back in Walker's car, Glass does something that a smartphone can't do. We turn a corner past a golden fire hydrant, and obscure facts suddenly start streaming in front of Walker's iris.

"When San Francisco burst into flames in the days following the disastrous 1906 earthquake, much of the city's network of fire hydrants failed," Walker reads. "Miraculously, this fire hydrant, nicknamed 'The Little Giant,' is said to have been the only functional ..." He goes on reading like this for about half a minute.

"Are you reading all of that from the upper right-hand corner of your eye?" I ask.

"Yeah," he says. "It's pretty cool. It's like text just floating in air."

Walker has a theory about why the text is not distracting him: "The layer is transparent, so your eye does a good job of seeing through it while also staring at it."

Earl Miller, a professor of neuroscience at MIT who specializes in multitasking, says this sounds like wishful thinking.

"You think you're monitoring the road at the same time, when actually what you're doing [is] you're relying on your brain's prediction that nothing was there before, half a second ago — that nothing is there now," he says. "But that's an illusion. It can often lead to disastrous results."

In other words, the brain fills in the gaps in what you see with memories of what you saw a half-second ago. Among scientists, that statement is not controversial. The politics of Google Glass — and where it's worn — clearly is.

Monday, March 24, 2014

LA Police Argue All Vehicles Are Under Investigation

As reported by Gizmodo: Do you drive a car in the greater Los Angeles Metropolitan area? According to the L.A. Police Department and L.A. Sheriff's Department, your car is part of a vast criminal investigation.

The agencies took a novel approach in the briefs they filed in EFF and the ACLU of Southern California's California Public Records Act lawsuit seeking a week's worth of Automatic License Plate Reader (ALPR) data. They have argued that "All [license plate] data is investigatory." The fact that it may never be associated with a specific crime doesn't matter.

This argument is completely counter to our criminal justice system, in which we assume law enforcement will not conduct an investigation unless there are some indicia of criminal activity. In fact, the Fourth Amendment was added to the U.S. Constitution exactly to prevent law enforcement from conducting mass, suspicion-less investigations under "general warrants" that targeted no specific person or place and never expired.

ALPR systems operate in just this way. The cameras are not triggered by any suspicion of criminal wrongdoing; instead, they automatically and indiscriminately photograph all license plates (and cars) that come into view. This happens without an officer targeting a specific vehicle and without any level of criminal suspicion. The ALPR system immediately extracts the key data from the image—the plate number and time, date and location where it was captured—and runs that data against various hotlists. At the instant the plate is photographed not even the computer system itself—let alone the officer in the squad car—knows whether the plate is linked to criminal activity.

Taken to an extreme, the agencies' arguments would allow law enforcement to conduct around-the-clock surveillance on every aspect of our lives and store those records indefinitely on the off-chance they may aid in solving a crime at some previously undetermined date in the future. If the court accepts their arguments, the agencies would then be able to hide all this data from the public.

However, as we argued in the Reply brief we filed in the case last Friday, the accumulation of information merely because it might be useful in some unspecified case in the future certainly is not an "investigation" within any reasonable meaning of the word.

LAPD and LASD Recognize Privacy Interest in License Plate Data

In another interesting turn in the case, both agencies fully acknowledged the privacy issues implicated by the collection of license plate data.  LAPD stated in its brief:
"[T]he privacy implications of disclosure [of license plate data] are substantial. Members of the public would be justifiably concerned about LAPD releasing information regarding the specific locations of their vehicles on specific dates and times. . . . LAPD is not only asserting vehicle owners' privacy interests. It is recognizing that those interests are grounded in federal and state law, particularly the California Constitution. Maintaining the confidentiality of ALPR data is critical . . . in relation to protecting individual citizens' privacy interests"
The sheriff's department recognized that ALPR data tracked "individuals' movement over time" and that, with only a license plate number, someone could learn "personal identifying information" about the vehicle owner (such as the owner's home address) by looking up the license plate number in a database with "reverse lookup capabilities such as LexisNexis and Westlaw."

The agencies use the fact that ALPR data collection impacts privacy to argue that—although they should still be allowed to collect this information and store it for years—they should not have to disclose any of it to the public. However, the fact that the technology can be so privacy invasive suggests that we need more information on where and how it is being collected, not less. This sales video from Vigilant Solutions shows just how much the government can learn about where you've been and how many times you've been there when Vigilant runs their analytics tools on historical ALPR data. We can only understand how LA police are really using their ALPR systems through access to the narrow slice of the data we've requested in this case.

We will be arguing these points and others at the hearing on our petition for writ of mandate in Los Angeles Superior Court, Stanley Mosk Courthouse, this coming Friday at 9:30 AM.

Apps By The Dashboard Light

As reported by MIT Technology Review: Starting next month, many car buyers will be getting a novel feature: Internet connections with speeds similar to those on the fastest smartphones—and even a few early dashboard-based apps, engineered to be as dumbed-down as possible.

Backseat passengers could get streaming movies and fast Wi-Fi connections to smart watches and tablets in (and near) the car. For drivers, high-resolution navigation maps would load quickly, and high-fidelity audio could stream from Internet radio services. But the first dashboard apps will be limited, spare versions of familiar ones like the Weather Channel, Pandora, and Priceline.

The first U.S. model with the fast wireless connection—known as 4G LTE, around 10 times faster than 3G connections—is expected to be the 2015 Audi A3, which goes on sale next month for a starting price of $29,900. Data plans will cost extra—an average of around $16 a month.

GM says it expects to sell 4G-equipped 2015 Chevrolets and other models starting in June. Many other carmakers, including Ford and Toyota, are following suit, both in the U.S. and worldwide, using partnerships with wireless carriers to deliver the connectivity.

By providing apps, carmakers see an opportunity for product differentiation and steady revenue streams. They also suggest that connectivity can lead to new safety features, and that using these onboard services will be safer than furtively glancing at phones.

But when drivers browse the GM AppShop, they shouldn’t expect what they get on an iPhone or a Galaxy phone. GM expects to provide just 10 apps initially, most of them mapping, news, and radio services.



That’s partly because the automaker’s screening process for apps is brutal, says Greg Ross, director of product strategy and infotainment for GM vehicles. “They go through rigorous safety and security standards,” he says. “And since it’s pulling data from the car, it’s locked down before it ever gets into the vehicle.”

As a result, the technology and interface need to be almost as simple as an analog radio knob, says Bruce Hopkins, cofounder of BT Software, based in San Diego. He is one of a very few developers whose apps will be available in GM cars.

Called Kaliki, BT Software’s app provides audio readings of stories—done by humans, not text-to-speech software—pulled from mainstream publications such as USA Today and TV Guide, as well as podcasts from radio and TV stations. (Its advantage over the radio? “Radio has been around for the last eight decades, and you still can’t pause it,” he says.)

Hopkins followed detailed rules from GM—no pinch-zoom controls or tiny icons allowed, for example—and spent two years developing the app, including time in a test facility in Detroit. “One of the terms GM talks a lot about is driver workload,” he says. “You cannot have anything that would require the driver to have several different things they have to think about. At the end of the day, they want something that works as simple as the regular radio.”

The apps know if you are driving. Drivers will never be able to open a “terms and conditions” screen—or play a game, assuming games ever come—unless the vehicle’s transmission is in “park.”

Despite the hurdles, 4,000 developers have registered with GM’s app store, because the payoff could be large for them: getting their apps included in a car could help them market versions that work on smartphones. And apps in cars command much more attention if they are among just a few that a driver can choose from while sitting behind the wheel for an hour or two every day.

In the longer term, apps will emerge that draw on data generated by the car, says GM’s Ross. 

This could be useful for maintenance or driving efficiency—or to generate data for insurance discounts. Apps tapping information from many cars could alert drivers to accidents; signals indicating hard braking or slipping wheels in other cars could warn of slick roads ahead. 

Sensors can ultimately help bring about semi-autonomous or fully autonomous cars (see “Data Shows Google’s Robot Cars Are Smoother, Safer Drivers Than You or I”).

Henry Tirri, CTO of Nokia, says the potential for apps in cars is vast, given the amount of data vehicles produce. “The car is already probably the densest sensor hub that an individual owns right now,” he says. (See “After Microsoft Deal, What’s Left of Nokia Will Bet on Internet of Things.”)


In Audi’s case, the service will cost $100 for up to five gigabytes of data over six months, or $500 for 30 gigabytes over 30 months. GM has not announced pricing except to say that customers can get various plans combining service to their homes, phones, and cars. Both GM and Audi are using AT&T to provide service (see “GM and AT&T Blur Line Between Car and Smartphone”).

Friday, March 21, 2014

Flying Drones Can Monitor Smartphones From the Air Posing As WiFi Networks

Turn off your Wi-Fi. This flying drone could be hacking your smartphone from the air.

As reported by International Business Times: UK security firm Sensepost has discovered that unmanned flying drones can be used to hack into smartphones by simply flying over London pretending to be a Wi-Fi network.

Smartphones are constantly sending out signals trying to find familiar Wi-Fi networks to connect to, such as your home or work network, or even the Starbucks free Wi-Fi network you accessed two weeks ago.

Using a simple off-the-shelf helicopter drone it bought on Amazon, the researchers were able to create a piece of software called Snoopy that can detect those signals and trick the phone into thinking that the drone is a familiar Wi-Fi network.

Once the phone is connected to the drone, all data traffic sent from apps like email, Facebook and even banking apps is captured and fed back to those controlling the drone. This shows that cybercriminals don't have to infect your smartphone with malware in order to monitor your activity.
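
A defensive check for the behaviour described above, added here as an example and not taken from Sensepost's Snoopy or the original article: it lists the network names each phone discloses in its probes, and flags any access point that answers for many names it never advertised itself. The frame records, field names, MAC addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample capture (not real traffic). Each record is one 802.11
# management frame reduced to the fields this check needs.
FRAMES = [
    # A normal access point beaconing the one network it serves.
    {"ts": 0.0, "type": "beacon", "bssid": "02:00:00:00:00:10", "ssid": "CafeGuest"},
    # A phone asks for remembered networks by name; one BSSID claims each of them.
    {"ts": 1.0, "type": "probe_req", "client": "02:00:00:00:00:a1", "ssid": "HomeNet"},
    {"ts": 1.1, "type": "probe_resp", "bssid": "02:00:00:00:00:66", "ssid": "HomeNet"},
    {"ts": 2.0, "type": "probe_req", "client": "02:00:00:00:00:a1", "ssid": "OfficeWLAN"},
    {"ts": 2.1, "type": "probe_resp", "bssid": "02:00:00:00:00:66", "ssid": "OfficeWLAN"},
    {"ts": 3.0, "type": "probe_req", "client": "02:00:00:00:00:b2", "ssid": "CafeGuest"},
    {"ts": 3.1, "type": "probe_resp", "bssid": "02:00:00:00:00:10", "ssid": "CafeGuest"},
    {"ts": 3.2, "type": "probe_resp", "bssid": "02:00:00:00:00:66", "ssid": "CafeGuest"},
    # Wildcard probe (empty SSID): discloses nothing about remembered networks.
    {"ts": 4.0, "type": "probe_req", "client": "02:00:00:00:00:b2", "ssid": ""},
    {"ts": 4.1, "type": "probe_resp", "bssid": "02:00:00:00:00:10", "ssid": "CafeGuest"},
    {"ts": 5.0, "type": "probe_req", "client": "02:00:00:00:00:b2", "ssid": "HotelLobby"},
    {"ts": 5.1, "type": "probe_resp", "bssid": "02:00:00:00:00:66", "ssid": "HotelLobby"},
]


def disclosed_ssids(frames):
    """Network names each client revealed by probing for them by name."""
    names = defaultdict(set)
    for f in frames:
        if f["type"] == "probe_req" and f["ssid"]:
            names[f["client"]].add(f["ssid"])
    return {client: sorted(ssids) for client, ssids in names.items()}


def find_mirroring_bssids(frames, min_ssids=3, window=2.0):
    """Flag BSSIDs that answer for many SSIDs they never beaconed.

    A legitimate access point responds only for the networks it advertises.
    A responder that echoes back whatever name a client just asked for ends
    up claiming several unrelated SSIDs, each shortly after a directed probe.
    """
    beaconed = defaultdict(set)
    for f in frames:
        if f["type"] == "beacon":
            beaconed[f["bssid"]].add(f["ssid"])

    last_request = {}              # ssid -> time of the latest directed probe
    mirrored = defaultdict(set)    # bssid -> SSIDs it echoed back
    for f in sorted(frames, key=lambda f: f["ts"]):
        if f["type"] == "probe_req" and f["ssid"]:
            last_request[f["ssid"]] = f["ts"]
        elif f["type"] == "probe_resp":
            asked = last_request.get(f["ssid"])
            if (asked is not None
                    and f["ts"] - asked <= window
                    and f["ssid"] not in beaconed[f["bssid"]]):
                mirrored[f["bssid"]].add(f["ssid"])
    return {b: sorted(s) for b, s in mirrored.items() if len(s) >= min_ssids}


if __name__ == "__main__":
    for client, ssids in disclosed_ssids(FRAMES).items():
        print(f"{client} disclosed: {', '.join(ssids)}")
    for bssid, ssids in find_mirroring_bssids(FRAMES).items():
        print(f"ALERT {bssid} answered for unadvertised SSIDs: {', '.join(ssids)}")
```
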

Sensepost developers tested their flying drone two weekends ago by flying it over people's heads on a sunny afternoon in London Fields, Hackney, and to their amazement, no one noticed the drone at all.

The drone is watching you
"In the old days, to hack someone you needed a laptop with a big antenna which would be really obvious, but now we're in the age of really small devices. We thought, can we apply an old-school Wi-Fi hack called Karma?" Sensepost's chief operating officer Daniel Cuthbert tells IBTimes UK.

Not only can the drone monitor your smartphone, but it's also very easy to track someone's movements and habits through their phone.

The firm first programmed an old Nokia N900 smartphone to become a spying device two years ago, put the device in their pocket and then spent some time hanging out in major London train stations: Liverpool St, Oxford St, Victoria and Kings Cross St Pancras.

While they blended in and sat having a coffee, the device picked up data from over 60,000 smartphones in the four stations.

Sensepost took the data and put it into Wigle, an open-source geo-location service. When they cross-referenced the data with Google Streetview, they were then able to track all the people and their smartphones as they moved throughout the stations and beyond.


Turn off your Wi-Fi
"People put so much trust into the Internet, it's mind-boggling. Stop putting so much trust in the Internet. When you go out, turn your Wi-Fi off on your phone," Cuthbert warns.

"We want more pressure put on the developers of iOS, Android, Windows Phone and BlackBerry to improve security on smartphones. You wouldn't buy a car with poor security, why are we willing to do it with the Internet?"

Cuthbert also warns against connecting to free public Wi-Fi if you're not sure where it's coming from.

"If you don't know who the Wi-Fi network belongs to, how do you know if it's malicious? Someone could be accessing your data and you don't know where it's going," he says.

Sensepost will be presenting their research at the Black Hat Asia cybersecurity conference in Singapore next week.

The firm is also working on non-security deployments of unmanned flying drones being used for crowd management and to collect data about people in a certain geographic location, so that advertisers can serve them targeted advertising.

How Your Tweets Can Reveal Your Home Location

IBM researchers have developed an algorithm that predicts your home location using your last 200 tweets.

As reported by MIT Technology Review: One of the optional extras that Twitter allows is for each tweet to be tagged with the user’s location data. That’s useful if you want people to know where you are or so that you can later remember where certain events took place. It also gives researchers a valuable tool for studying  the geographical distribution of tweets in various ways.


But it also raises privacy issues, particularly when users are unaware, or forget, that their tweets are geotagged. Various celebrities are thought to have given away their home locations in this way. And in 2007, four Apache helicopters belonging to the US Army were destroyed by mortars in Iraq when insurgents worked out their location using geotagged images published by American soldiers.

Perhaps these kinds of concerns are the reason why so few tweets are geotagged. Several studies have shown that less than one per cent of tweets contain location metadata.

But the absence of geotagging data does not mean your location is secret. Today, Jalal Mahmud and a couple of pals at IBM Research in Almaden, California, say they’ve developed an algorithm that can analyse anybody’s last 200 tweets and determine their home city location with an accuracy of almost 70 per cent.

That could be useful for researchers, journalists, marketers and so on wanting to identify where tweets originate. But it also raises privacy issues for those who would rather their home location remained private.

Mahmud and co’s method is relatively straightforward. Between July and August 2011, they filtered the Twitter firehose for tweets that were geotagged with any of the biggest 100 cities in the US until they had found 100  different users in each location.

They then downloaded the last 200 tweets posted by each user, rejecting those that posted privately. That left them with over 1.5 million geotagged tweets from almost 10,000 people.

They then divided this data set in two, using 90 per cent of the tweets to train their algorithm and the remaining 10 per cent to test it against.

The basic idea behind their algorithm is that tweets contain important information about the probable location of the user. For example, over 100,000 tweets in the dataset were generated by the location-based social networking site Foursquare and so contained a link that gave the exact location. And almost 300,000 tweets contained the name of cities listed in the US Geological Service gazetteer.

Other tweets contained clues to their location like phrases such as “Let’s Go Red Sox”, a reference to the Boston-based baseball team. And Mahmud and co say that distribution of tweets throughout the day is roughly constant across the US, shifted by time zone. So a user’s pattern of tweets throughout the day can give a good indication of which time zone they’re in.

So the question these guys set out to answer was whether it was possible to use this information to predict a user’s home location, a result they could test by matching it against the user’s geotagged metadata.

Mahmud and co used an algorithm known as a Naive Bayes Multinomial to do the number crunching. They trained it by feeding it the training dataset along with the geolocation data.

They then tested the algorithm on the remaining 10 per cent of the data to see whether it could predict  the geolocation.

The results are interesting. They say that when they exclude people who are obviously travelling, their algorithm correctly predicts people’s home cities 68 per cent of the time, their home state 70 per cent of the time and their time zone 80 per cent of the time. And they say their algorithm takes less than a second to do this for any individual.

That could be a useful tool. Journalists, for example, could use it to determine which tweets were coming from a region involved in a crisis, such as an earthquake, and those that were just commenting from afar. Marketers might use it to work out the popularity of their products in certain cities.

And it also suggests ways that people can improve their privacy–by not mentioning their home location, of course.
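
To make the privacy point concrete, here is an added example (not the IBM researchers' code) of a multinomial Naive Bayes classifier used as a self-audit: it reports which words in a timeline pull the prediction toward a city. It is a simplification that uses word counts only; the tweets, city labels and the names `CityModel` and `leaky_tokens` are constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed training tweets with a known city label (not real data).
TRAIN = [
    ("boston", "lets go red sox fenway tonight"),
    ("boston", "stuck on the green line again near fenway"),
    ("boston", "red sox win great night in boston"),
    ("seattle", "rain again at pike place market"),
    ("seattle", "seahawks game then coffee near pike place"),
    ("seattle", "ferry ride and coffee in seattle"),
    ("denver", "broncos game at mile high tonight"),
    ("denver", "snow in denver heading to red rocks"),
    ("denver", "hiking near red rocks then broncos"),
]

# Constructed timeline to audit. It never names a city.
TIMELINE = [
    "great coffee this morning",
    "ferry was late again",
    "watching the seahawks tonight",
]


def tokens(text):
    return text.lower().split()


class CityModel:
    """Multinomial Naive Bayes over tweet words with add-one smoothing."""

    def __init__(self, labelled):
        self.counts = defaultdict(Counter)   # city -> word counts
        self.docs = Counter()                # city -> number of tweets
        for city, text in labelled:
            self.counts[city].update(tokens(text))
            self.docs[city] += 1
        self.vocab = {t for c in self.counts.values() for t in c}
        self.totals = {city: sum(c.values()) for city, c in self.counts.items()}

    def log_p(self, tok, city):
        # log P(word | city) with Laplace smoothing over the vocabulary.
        return math.log((self.counts[city][tok] + 1)
                        / (self.totals[city] + len(self.vocab)))

    def scores(self, timeline):
        # Words never seen in training carry no evidence and are skipped.
        n = sum(self.docs.values())
        toks = [t for tweet in timeline for t in tokens(tweet) if t in self.vocab]
        return {city: math.log(self.docs[city] / n)
                      + sum(self.log_p(t, city) for t in toks)
                for city in self.counts}

    def predict(self, timeline):
        s = self.scores(timeline)
        return max(s, key=s.get)

    def leaky_tokens(self, timeline):
        """Words that favour the predicted city over every other city,
        strongest first, as (word, log-likelihood margin) pairs."""
        best = self.predict(timeline)
        others = [c for c in self.counts if c != best]
        seen = {t for tweet in timeline for t in tokens(tweet) if t in self.vocab}
        margins = {t: self.log_p(t, best) - max(self.log_p(t, c) for c in others)
                   for t in seen}
        return sorted(((t, m) for t, m in margins.items() if m > 0),
                      key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    model = CityModel(TRAIN)
    print("predicted home city:", model.predict(TIMELINE))
    for word, margin in model.leaky_tokens(TIMELINE):
        print(f"  {word:10s} +{margin:.2f}")
```
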

Mahmud and co say their algorithm could do better in future. For example, they think they can get more fine-grained detail by searching tweets for mentions of local landmarks that can be pinpointed more accurately. Whether that turns out to be possible, we’ll have to wait and see.

An interesting corollary to all this is that our notion of privacy is more fragile than most of us realize. Just how we can strengthen and protect it should be the subject of considerable public debate.

Ref: arxiv.org/abs/1403.2345 : Home Location Identification of Twitter Users

GPS Technology Takes Root In Agriculture

As reported by the Imperial Valley Press: The history of agriculture is full of ideas and concepts that have allowed farmers to incrementally improve efficiency to unprecedented levels.

Global Positioning System satellites orbiting the Earth, the same satellites that guide automobiles and allow smartphone users to “check in,” are helping farmers reach unprecedented levels of efficiency even as they try to figure out the best use for the technology.

“GPS in agriculture is new as far as heavy implementation,” said Tom Mastin, bio-resource and agricultural engineering lecturer at Cal Poly San Luis Obispo.

“Without GPS, large-scale farming is going to be way too inefficient. Large-scale farms now have guidance systems and a GIS (geographical information system) manager.”
Some applications are obvious.

Farm implements, like tractors and fertilizer applicators, nowadays are self-guided and require minimal driver input.

“As far as a guidance system, it has reduced labor,” Mastin said.

Other applications are arguably more impressive.

For instance, GPS technology allows farmers to precisely level their fields and map the location of ditches, underground tile drainage lines and subsurface drip irrigation tape.

“You can disc the surface and you never lose the (subsurface drip) tape,” said David Layton, manager of an alfalfa farm in Calipatria.

Extensive use of GPS technology has allowed his company to profitably work land that might not be economically viable with conventional techniques. He asked that the name and location of the company not be published.

The idea is to be able to not just fine-tune the amount of water and fertilizer for a given field, but to maximize the use of space.

“GPS makes the whole thing work,” said Ed Hale, an Imperial Valley farmer and consultant for Layton’s company.

Hale cites subsurface drip irrigation technology as a case in point.

“Drip (irrigation) doesn't work without GPS,” he noted.

He said he keeps running across examples where good concepts did not reach their potential.

“We’re tearing out the evidence of the drip that was tried by the Israelis during the late ’70s and early ’80s. They’re the pioneers of drip. When they first started they were so enamored with drip, they thought that it cured everything. That was a fallacy. They didn't have GPS technology.”

While he declined to say how much money his companies have saved through a systematic use of GPS technology, he said that water savings at the Calipatria farm were “substantial.”

“Our feeling is that true conservation isn't so L.A. can grow. It’s so we can get more crop per drop,” Hale said.

The technology allows his operation to compete with growers around the world that operate with fewer constraints.

“Large ranches have compared efficiency with and without GPS,” he said. “GPS is 22 percent more efficient. That’s the difference between losing money and making a profit.”

The cost of fuel and equipment has skyrocketed in recent years, he noted.

“Our costs are local. Markets are global. We’re competing with guys growing the same crop in Argentina, where there are no regulations or social safety nets. My local costs are important to me,” Hale said.

Thursday, March 20, 2014

There Are Real And Present Dangers Around The Internet of Things (IoT) - But Not Everything Is A Threat

Modern electric cars are just one category of Internet of Things devices that will be targeted by hackers.

As reported by The Guardian: As with any buzz topic in the tech world, there’s a lot of misinformation around the Internet of Things. And in the security sphere, there’s much unnecessary FUD - Fear, Uncertainty and Doubt – spread by industry vendors to get people suitably scared so they splash cash on purportedly necessary protection.


Take the case of the spamming refrigerator. Researchers suggested the smart fridge had been compromised to relay reams of annoying emails, as often happens to normal PCs. Yet Symantec discovered the fridge was simply on the same network and using the same IP address as a hacked Windows PC, which was really the thing responsible for the spam. Digital listeria this was not.

Yet there are reasons to be fearful of the Internet of Things (IoT), a name covering the networks of embedded devices, from smart meters to connected automobiles, which communicate with each other in an automated fashion to help make our lives more efficient.

Such connected, autonomous machines have been around for years, but the reason the term is now on the tips of tech firms’ PR tongues every day is that the number of connected devices is escalating rapidly into new areas, like toothbrushes and bathtubs. According to Gartner estimates, the IoT will consist of 26 billion units by 2020, and by that time the industry will be worth $300 billion.

The problem is that many of the manufacturers of these machines are not taking the secure-by-design approach. “They are learning on the job at this point in time,” says Gunter Ollmann, chief technology officer at IOActive, a consultancy firm that has done much research on IoT security.

Hacking vehicles

There are a handful of real and present threats. In automobiles, trucks are a major concern. Many contain standardized code to manage vehicles, such as the controller area network (CAN) bus protocol, used for internal communications between devices in a vehicle.

“CAN messages that control physical attributes are standardized. Therefore, if you figure out a hack for one manufacturer others could be quite similar if not identical,” says Chris Valasek, director of security intelligence for IOActive.


One of the functions that has understandably worried onlookers in the trucking and security industries is the kill switch that powers the vehicles down. “Some fleets use the GPS tracking and ‘check-out’ systems to control access to the trucks when they are in depots or secure overnight storage locations to prevent the truck being stolen,” Ollmann adds.

“The open architecture of the truck’s CAN bus has made it much easier for the integration of fleet tracking and control technologies like these. But conceptually, any wireless technology that can receive remote commands and affect the operation of a truck is a potential target for researchers and targets. What if someone figures out the master shutdown code for all the trucks, and they get all the trucks in London to stop at 7am?”

It’s a nasty thought, but this isn’t science fiction. Trucking companies are working with Ollmann and his team to close off any potential flaws that could lead to disaster. “We’re working with some of them and doing additional research on this now … they’re worried about it.”

The car industry is aware of the problems too, at least in its more progressive corners. When Valasek and noted security researcher Chris Miller showed on video how they could hack a car when inside the vehicle, it gave rise to both mirth and misery in the car industry.


Tesla has reacted the most positively. Having recruited some noted security pros, including former Apple “hacker princess” Kristin Paget, it has set up a vulnerability disclosure program rewarding researchers for uncovering flaws. It’s similar to bug bounty programs run by major software firms, like Facebook, Google and Microsoft. Evidently, the Rubicon has been crossed.



Hacking the home

The home is a viable target too, amusingly highlighted by the discovery of a hackable Japanese smart toilet last year. More recently, IOActive detailed flaws in home automation kit made by Belkin, including switches to turn electrical devices on and off, which could have been used to cause real-world damage, possibly a fire.

Those vulnerabilities were eventually addressed, but Ollmann says there are numerous flaws in connected home technologies from other manufacturers that will be disclosed in the near future.
TVs that run Google’s Android operating system are vulnerable to many of the same attacks that affect smartphones. MWR Infosecurity, a consultancy, has tested out an Android exploit on a Kogan TV running Android.

The attack took advantage of a documented weakness that allows hackers to use a piece of code known as a JavaScriptInterface, included in ad libraries, to let further actions be initiated on Android machines.
In theory, anyone hacking a TV in this way could take photos, if the TV had a built-in camera, or create invasive applications to spy on viewers. That weakness has been found in numerous ad libraries used by many of the world’s top free apps.

“It should affect any TV running Android and definitely if they’re running apps which use the flawed ad networks,” says David Chismon, researcher at MWR.


Home routers are ridden with vulnerabilities too, as uncovered by digital security non-profit Team Cymru in March. It found a network of 300,000 home and office routers had been compromised, thanks to worrying weaknesses in the devices’ software, from predictable or non-existent passwords to flaws in the web applications used to control them.

The hackers decided to use these security holes to redirect victims to whatever website they wanted when they started using the internet.


Taking over industrial controls

Connected, and therefore hackable, devices can also be found in control systems running nations’ critical infrastructure. Researchers across the world have been panicking about supervisory control and data acquisition (SCADA) systems, used to monitor and manage industrial machines, from nuclear power plants to oil and gas pipelines.
 

SCADA machines produced by various manufacturers have been shown to contain various weaknesses, like those exploited by Stuxnet, the infamous malware that disrupted centrifuges at an Iranian nuclear plant. What’s worrying is that more vulnerabilities continue to emerge.


In January, the US government’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a warning about a buffer overflow vulnerability, a type of weakness that allows an outside hacker to write code to a device and which has been largely eradicated from modern systems.

The Guardian knows of one major security firm that is aware of a number of theoretical flaws, ones that could be used to play with the power controls on SCADA systems, but they do not currently have the right labs to test the potential for real-world impact.

This is another key problem: the threat is poorly understood, with many apparent vulnerabilities that may or may not be exploited to endanger critical infrastructure. “We keep seeing small examples of attacks that may or may not be cyber attacks against SCADA systems, but it’s still a theoretical threat in terms of spectacular and long lived degradation of a specific service,” says Steve Santorelli, a researcher at Cymru.

His outlook for the future of SCADA-like machines is not optimistic, though. “The internet is not secure frankly, in any way at all. That matters when it comes to control systems.”



Could your internet fridge be vulnerable? Yes. Photograph: Martin Argles for the Guardian

Send in the Cavalry

Santorelli has a similarly bleak prospectus for IoT in general. “Someone asked me recently: is my fridge going to DDoS me and, frankly the answer is, yes … probably,” he adds. “Anything with an IP address is a commodity in the underground economy, to be bought or bartered for if there is a way to make money from it.”

“The privacy and criminal implications are diverse and they need to be at the heart of the design of these new technologies. The bottom line is that we've never truly seen security be at the heart of a new technology and anything that connects to the Internet will be inherently insecure by its very nature. The future is not looking bright.”

Time to batten down the hatches and prepare for cybergeddon then? Perhaps not. Help is on the way, even if it’s not from government.

A movement started by noted security professional Josh Corman has been gathering pace in recent months, since it was first conceived at last year’s DEFCON hacking convention. Its name is I Am The Cavalry. Its intention is to act as a hub for vulnerability research that affects four areas: medical devices, automobiles, home services and public infrastructure.

The plan is to give altruistic researchers a place to share their findings in a pro bono fashion, in the hope that the weaknesses will be covered off by whatever manufacturers are affected. I Am The Cavalry will act as a hyperactive middleman, coordinating vulnerability disclosures and pushing for more than just quick fixes. It wants to encourage total cultural change to instill security across organisations’ processes.

It’s an ambitious plan, born out of a sense of responsibility in a world ridden with hackable technologies. But will researchers really give away their secrets for free, especially the most technically gifted who can make millions by selling just a handful of the most serious flaws to nation states? Corman believes the ethical side of the hacking community will come out in force.

“I’m not making an economic argument yet,” he says. “Our role and what sets us apart is that we’re speaking to those who have something in them ... that altruistic gene. We’re describing something that is a shared risk and a shared concern and if that appeals to someone, they should gravitate to us.”

Praise for Tesla

Even ahead of its formation as an official organisation (it is consulting with lawyers on whether to become an educational foundation or an industry association), I Am The Cavalry has already facilitated some vulnerability disclosures.

Corman says the body has had successes in both the car and medical industries, but can’t disclose whom they involved. He has also been invited to consult with car manufacturers in the US and Europe, and is particularly impressed with the way in which Tesla has responded to the problems at hand.


“We are very encouraged to see such a policy [at Tesla]. A fear we've had as a research community is that we would have a 10-15 year learning curve where this new industry was in the denial and lawsuit stage towards researchers,” says Corman.

“If this is an indicator of how the rest of the automotive industry will respond in kind, this will dramatically accelerate the maturity and the engagement of white hat researchers who wish to help.”

As a sign of his sway with mandarins walking the murky halls of power, Corman has already met with Senator Ed Markey of Massachusetts, who recently urged car makers to act on cyber security issues, and others on Capitol Hill to discuss the weaknesses that urgently need addressing.

Despite limited “in the wild” attacks, Internet of Things threats are real. As connected devices proliferate, the hope is that they do so securely. If they volunteer for the Cavalry, that might just happen. Then we can go about our quotidian lives feeling a little less insecure.