Considering Our Future Cyber War

It’s not if a cyber war will happen, but when. Precisely what form such a war will take depends on the perpetrators and their goals. I’ve spend quite of time discussing the relative insecurity of the Supervisory Control and Data Acquisition (SCADA) systems out there. However, I’m only assuming that SCADA is going to be targeted at some point because it’s such low hanging fruit and no one seems to have any interest at all in securing. Plus, the attack would be of the sort that we’d have a hard time defending against (and possibly identifying at first as the hospitals fill with victims of some mysterious problem).

I recently read an article by John Dvorak entitled, “What if Facebook Is Hacked Next?” John makes some excellent points, but probably doesn’t go far enough. Why would an attacker stop with just Facebook? Why not attack all of the sources of social media out there, including places like LinkedIn and Twitter? The confusion created by the loss of all social media would be amazing. It could easily act as a smokescreen for some other activity even more devastating than the loss of data. While everyone is scrambling to fix their social media issues, someone could work in the background to do something truly horrible.

Actually, the attacker might not even have to do anything other than disrupt all online activities. Think about the number of jobs lost, the hit to online commerce, and the other problems that such an attack would cause. Perhaps these people are simply waiting until more brick and mortar stores close that people no longer have local resources to help in such an emergency. For example, think about the problems that the loss of online stores would have to IT professionals who maintain huge networks of computer systems. The potential for truly terrifying results is amazing.

A cyber war is coming. Just when it will arrive is the topic of much speculation, but my feeling is that it’ll come sometime soon. What sorts of security measures do you have in place? Have you done anything else to prepare? Let me know about your thoughts on cyber war at [email protected].

 

Our Borders are Porous

No, I’m not talking physical borders here—I’m talking cyber borders. I’ve talked a number of times about the relative insecurity of Supervisory Control and Data Acquisition (SCADA) systems. My biggest personal concern is how leaks in these systems can affect people with special needs. At a minimum, implanted devices used by people today are open to hacking. However, there are some reports that say that hackers could eventually become murderers. I wrote Accessibility for Everybody: Understanding the Section 508 Accessibility Requirements with the idea that implanted devices and other aids should help people, not hurt them.

However, other sorts of devices are leaky. Just about any hacker could attack our water supply, power grid, or any other utility. A hacker could turn off your car engine by remote control, lock you into the car, and then do whatever nefarious deed seemed pleasant at the time. These posts aren’t meant to scare you as much as to inform you that the borders of your devices are wide open to attack in many cases. Yet, despite a huge number of newspaper articles, radio talk shows, government inquiries, and odd assorted other do nothing activities, surprisingly little has been done to secure anything.

It probably won’t surprise you to know that the latest casualty, in a long list of problematic devices, is the gas pump. Yep, your gas pump can turn against you. I hadn’t really thought about a gas pump as being anything particularly worthwhile to hack. Yes, you could possibly turn on the pump and get free gas or deny someone else their gas, but it really didn’t strike me as something that hackers would invest time in learning about. Actually, it turns out that gas pumps are connected to all sorts of monitors and messing with the pump can cause those monitors to go off. It doesn’t seem like alarms are anything to worry about either, but think about someone intent on disrupting the emergency services network in a city so that they can attack in some other way. While everyone is distracted with the gas pump spills that haven’t actually happened, someone could do something that would cause the city to go into overload because emergency services are already overwhelmed.

The thing that gets me about a lot of these deficiencies is that they aren’t caused by systems that are secured, but someone has manged to get into anyway. They’re caused by systems that have no security at all. That’s right—someone connected those gas pumps to the Internet so they could monitor them remotely and didn’t add any security at all. Someone who knows the right information can just walk right in and cause all sorts of mischief.

From direct attacks on our infrastructure, to feints used for distraction, to personal attacks, SCADA systems will let us down at some point. I’m surprised that we haven’t had a major issue so far. Perhaps someone is out there right now planning just the right sort of attack that’s designed to cause a maximum of damage. Until we make security a priority, these open systems will continue to pose a serious risk to everyone, whether you have special needs or not. Let me know your thoughts about insecure SCADA systems at [email protected].

 

Death by Connected Device

The title for this post is dramatic on purpose. In my book, Accessibility for Everybody: Understanding the Section 508 Accessibility Requirements, I describe all sorts of useful technologies for making the lives of those with special needs better. In fact, this particular book has received so much attention that I’ve expanded its coverage significantly by devoting forty (and counting) posts to it. The fact is that implanted devices will continue to be a part of our lives and their use will only increase, which is why articles, such as Cyber crime: First online murder will happen by end of year, warns US firm, have me more than a little concerned. The fact is that we’re all in line for a major wake-up call at some point if something isn’t done to secure the Supervisory Control and Data Acquisition (SCADA) systems we all rely on to connect devices to the Internet today. The hardware, software, and other functionality required to make everything happen is encapsulated in a technology known as the Internet of Things (IoT). Soon, everyone will know about IoT, but few people will know or understand the underlying SCADA systems that goes with it.

The part of the articles that I’ve read so far that intrigues me most is that politicians and others in the know have been disconnecting themselves from the Internet. Note the mention of Dick Chaney disconnecting himself from the wireless part of his implanted device in the aforementioned article. If the devices and their connections were secured, our former vice president wouldn’t be quite so worried. Unfortunately, the rest of us probably won’t be quite so lucky unless we refuse to have the devices implanted at all (which would seem to be a self-defeating stance to take). I’ve actually been discussing this issue for quite some time now. The latest significant treatment of the topic appears in my An Update On Special Needs Device Hacking post. I’ve also broached the topic in Determining When Technology Hurts. The point is that this issue isn’t new, but we certainly haven’t done anything about it.

Will it actually require a slew of front page news stories depicting people assassinated through their implanted devices for someone to get the idea that there are really awful people out there who would like to kill someone (anyone) with impunity? It seems to be the case. So, now we’re seeing stories about the event actually taking place sometime soon. Even if we don’t see someone killed, I can see a situation where people have money extorted from them by hackers who have gained illegal access to their implanted devices.

I’m all for the advancement of technology that has significant potential to help people. I’ve written more than a few posts on the topic. Helping people to walk, see, hear, touch, and have generally better lives is a great idea in my book. However, the time is long past for securing these devices in a meaningful way so that only those who really need access will actually get it. Just why there hasn’t been any legislation regarding this need is beyond me. Our politicians are obviously aware of the problem and have done the work required to protect themselves, but they don’t see to be in much of a hurry to protect their constituents.

Given what I’ve seen in the past, I’m sure the medical community won’t be in any hurry to secure these devices because security has been a legislated requirement in the past. With this in mind, what do you feel needs to happen with these devices to make them a better deal for those who need them? Let me know your thoughts about the lack of security for implanted devices and devices connected to IoT in general at [email protected].

 

Understanding the Relative Insecurity of SCADA Systems

It wasn’t long ago that I wrote about how Supervisory Control and Data Acquisition (SCADA) systems affect those with special needs in Security and the Special Needs Person. I then posted an update on that original message in An Update On Special Needs Device Hacking. In both cases, I decried the lack of security for SCADA systems that affect those with special needs. I realize that only a truly nasty person would turn off someone’s insulin pump in order to kill them, but our world is unfortunately filled with some pretty nasty people.

One person (who shall remain nameless) wrote to tell me that it was fine that I was worried about special needs people, but that he wasn’t worried about it because these problems don’t affect him. Well, let’s say that you truly are superhuman and will never once need to use any sort of special needs device in your entire life (statistically, you’d really need to be superhuman or die early). Let’s put the whole SCADA issue in another light. Let’s look at your car.

Your car contains SCADA systems. Those ads you see for turning your car on, opening the windows, flashing the lights, and so on using a cell phone are really telling you about the SCADA systems in your car. If you can access your car using a cell phone, someone else can do the same thing. All they need to do is break the security, which someone has already conveniently done for them. CNET News recently ran an article about how an expert hacker had broken into a car.

Imagine now that you’re on an off-ramp. There are cars crowding you on both sides. A crook uses his cell phone to turn off your car engine and unlock the doors. Bam, you’re suddenly in a world of hurt because the car manufacturer thought it would be a neat idea to let you control your car using a cell phone. I have to wonder why such control is even necessary. Does it even serve a useful purpose? If so, why can’t it be secured better?

Of course, not every drives. So, let’s look at another SCADA issue. A recent InfoWorld article states bluntly that our water system is already under attack by hackers. Sure, the hackers are only kicking the tires of their new toy for now, but how long do you think they’ll wait to do something truly terrifying to your water supply? The experts have been warning about this sort of attack for quite some time, but everyone ignored them as being sensationalists. The sad thing is that the experts probably didn’t scream loud enough this time.

Someone out there is probably thinking that the bad guys can overcome physical security too. You’re right, of course. Someone can remove a padlock, jimmy a car, and overcome physical security in all sorts of other ways. The point is that the bad guy has to be in physical contact with the object to overcome it when you’re using physical security. In addition, if you’re nearby, a physical security system often buys you enough time to call the police or obtain help in some other way. The remote control nature of SCADA systems makes it possible for someone to break into the system and do something nasty with it long before you’re even aware of the intruder.

SCADA systems make a modern world possible by allowing remote control of many of the devices that we need to live. I can fully understand how a utility would need to monitor and control a system from a remote location, and how such control actually makes the system safer. However, it’s time that we realize that these systems are dangerous in the wrong hands and that we need to do something about them before a major accident occurs. Here are some ways to make SCADA systems better:

  • The SCADA systems we do need should be secured better.
  • All SCADA systems should be restricted to wired connections only and those wired connections should be on a private, secure, network.
  • Researchers should be advised not to research break-ins for hackers to use (and then publish them for the whole world to see).
  • Our society also needs to seriously consider where SCADA systems can be removed.

Remote control is a two-edged sword and you can bet the bad guys have no compulsion about playing dirty—count on them not following the rules. If there is a way for you to access something, the bad guys will find a way to access it too. Let me know what you think about the threat of SCADA system break-ins at [email protected].

An Update On Special Needs Device Hacking

I previously posted an entry entitled Security and the Special Needs Person where I described current hacking attempts against special needs devices by security researchers. In that post, I opined that there was probably some better use of the researcher’s time. Rather than give hackers new and wonderful ways to attack the human race, why not find ways to develop secure software that would discourage attempts in the first place? Unfortunately, it seems as if the security researchers are simply determined to keep chewing on this topic until someone gets hurt or killed. I never even considered this topic in my book, “Accessibility for Everybody: Understanding the Section 508 Accessibility Requirements” because it wasn’t an issue at the time of publication, but it certainly is now.

Now there is a ComputerWorld article that talks about wearable devices used to jam the signals of hackers trying to attack those with special needs devices. What do we do next—encase people in a Faraday cage so no one can bother them? I did find the paper referenced in the article, “They Can Hear Your Heartbeats: Non-Invasive Security for Implantable Medical Devices” interesting, but must ask why such measures even necessary. If security researchers would wait until someone actually thinks of an attack before they came up with a remedy, perhaps no one would come up with the attack.

The basis of the shielding technology mentioned in the ComputerWorld article is naive. Supposedly, the shield lets the doctor gain access to the medical device without allowing the hacker access. Unfortunately, if the doctor has access, so does the hacker. Someone will find a way to overcome this security measure, probably a security researcher, and another shield will have to be created that deflects the new attack. The point is that if they want the devices to be truly safe, then they shouldn’t send out a radio signal at all.

The government is involved now too. Reps. Anna G. Eshoo (D-CA) and Edward J. Markey (D-MA), senior members on the House Energy and Commerce Committee, have decided to task the the Government Accountability Office (GAO) with contacting the Federal Communications Commission (FCC) about rules regarding the safety and security of implantable medical devices. I can only hope that the outcome will be laws that make it illegal to even perform research on these devices, but more likely, the efforts will result in yet more bureaucracy and red tape.

There are a number of issues that concern me about the whole idea of people wearing radio transmitters and receivers full time. For one thing, there doesn’t seem to be any research on the long term effects of wearing such devices. (I did find research papers such as, “In-Body RF Communications and the Future of Healthcare” that describe the hardware requirements for transmission, but research on what RF will do to the human body when used in this way seems sadly lacking.) These devices could cause cancer or other diseases. Fortunately, the World Health Organization (WHO) does seem to be involved in a little research on the topic and you can read about it in their article entitled, “What are electromagnetic fields?“.

In addition, now that the person has to wear a jammer to protect the implantable medical device, there is a significant chance of creating interference. Is there a chance that the wearer could create unfortunate situations where the device intended to protect them actually causes harm? The papers I’ve read don’t appear to address this issue. However, given my personal experiences with electromagnetic interference (EMI), it seems quite likely that the combination of implantable medical device and jammer will almost certainly cause problems.

In summary, we have implanted medical devices that use radio signals to make it more convenient for the doctor to monitor the patient and possibly improve the patient’s health as a result. So far, so good. However, the decision to provide this feature seems shortsighted when you consider that security researchers just couldn’t leave well enough alone and had to find a way for hackers to exploit the devices. Then, there doesn’t seem to be any research on the long term negative effects of these devices on the patient or on the jammer that now seems necessary to protect the patient’s health. Is the potential for a positive outcome really worth all of the negatives? Let me know at [email protected].

Security and the Special Needs Person

I’ve written quite a bit about special needs requirements. In my view, everyone who lives long enough will have a special need sometime in their life. In fact, unless you’re incredibly lucky, you probably have some special need right now. It may not be a significant special need (even eyeglasses are a special need), but even small special needs often require another person’s help to fix.

Accessibility, the study of ways to accommodate special needs, is something that should interest everyoneespecially anyone who has technical skills required to make better accessibility aids a reality. It was therefore with great sadness that I read an eWeek article this weekend describing how one researcher used his talents to discover whether it was possible to kill someone by hacking into the device they require to live. Why would someone waste their time and effort doing such a terrible thing? I shook my head in disbelief.

There is a certain truth to the idea that the devices we use to maintain health today, such as insulin pumps, are lacking in security. After all, they are very much like any other Supervisory Control And Data Acquisition (SCADA) device, such as a car, from a software perspective and people are constantly trying to find ways to break into cars. However, cars are not peoplecars are easily replaced devices used for transport. If someone breaks into my car and steals it, I’m sad about it to be sure, but I’m still alive to report the crime to the police. If someone hacks into my pacemaker and causes it to malfunction, I’m just as dead as if they had shot me. In fact, shooting me would probably be far less cruel.

I know that there is a place for security professionals in the software industry, but I’ve become increasingly concerned that they’re focused too much on breaking things and not enough on making them work properly. If these professionals spent their time making software more secure in the first place and giving the bad guys fewer ideas of interesting things to try, then perhaps the software industry wouldn’t be rife with security problems now. Unfortunately, it’s always easier to destroy, than to create. Certainly, this sort of negative research gives the security professionals something to talk about even though it potentially destroys someone’s life in the process.

I’d like to say that this kind of behavior will diminish in the future, but history says otherwise. Unless laws are put in place to make such research illegal, well meaning security professionals will continue dabbling in matters that would be best left alone until someone dies (and even then the legal system will be slow in reacting to a significant problem). I doubt very much that time spent hacking into special needs devices to see just how much damage one can do helps anyone. What is your thought on the matter? Does this sort of research benefit anyone? Let me know what you think at [email protected].