Monday, November 14, 2011

Hackable Everything - Part I

The internet was created on a dream.

What if computers could talk to each other?

It's easy to lose sight of what a revolutionary dream that once was.  There was a time when most computers were not sold with modems or network connections of any sort.  You transferred files by putting them on floppy disks.  If you were especially tech savvy, you hooked two PCs together through their parallel ports and were able to transfer files directly from one to the other.  It seemed like magic at the time.

Then Al Gore invented the internet, and suddenly computers all over the world could talk to each other.  This happened so suddenly that nobody knew what to do with it.  You think I'm kidding, but I'm not.  The first corporate websites in the 90s looked like they should be hanging on the walls of a third grade art class.  Take a look at some of these if you don't believe me.

Then we upgraded everybody to broadband, and figured out what to use the Internet for: just about anything you could do on a computer.  You could browse.  You could shop.  You could communicate.

Anything you could do on a computer.

What if we could connect to the internet without a computer?

Between shrinking chip sizes and mobile protocols such as wi-fi and bluetooth, this dream was barely formulated before it came to life.  Email on your cell phone?  Check.  Emergency service and navigation in your car?  No problem.  Bluetooth connectivity for your insulin pump?  Why not?

Maybe we should have tried a little harder to answer that last question.

Because the inventors were not the only ones dreaming.

What if any device with a network connection could be hacked?

Finding unintentional uses for computers is a past-time as old as computers itself.  One of the first demonstrations ever of a personal computer was done on a machine lacking a monitor and printer.  Lacking a formal method of output, the programmer timed the cycles of the CPU just right to cause the radio interference generated to play some simple songs from the static of a nearby radio.  Computers weren't designed to leak radio signals.  It was simply possible, and a really clever person figured out how to exploit it.

The world is chock full of really clever people.  Not all of them have good intentions.

The problem is, we still don't really understand our connected, online devices, any more than we really understood the internet back in the 90s.  We still expect them to act like old fashioned devices, just better.  Hacking an insulin pump?  Whoever heard of such a ridiculous notion?  When security researcher Jerome Radcliffe demonstrated that he could issue unauthorized commands to his insulin pump over bluetooth, the manufacturer, Medtronic, just laughed.  They issued a dismissive statement saying: "...there has never been a single reported incident of wireless tampering outside of controlled laboratory experiments in more than 30 years of use."  Because we haven't seen this before, it couldn't happen now.  Go away, and trust us.

Then McAfee reproduced the hack.  And improved it, so it could work from 300 feet away.  And demonstrated how easy it would be to request the pump to deliver a lethal dose of insulin.  Medtronic isn't laughing anymore.

On November 14th, the New York Times published an article discussing Google's top secret research labs, where researchers are figuring out, among other things, how to put just about anything on the internet.  Garden planters.  Coffee pots.  Refrigerators.

What happens if Google succeeds?  Could a clever hacker figure out how to shut your freezer off for a few days while you were away from home, then turn it back on, causing you to unknowingly eat spoiled and possibly lethal food?  How about turning on your furnace full blast in the middle of an August heat wave?  And God help us if they ever figure out how to hack one of Google's driverless cars.

We live in a brave new world.  Everything is going online.  Everything is potentially hackable.  Unimaginable opportunity.  Unimaginable risk.

Anybody who claims to know how this will play out is selling something.

No comments:

Post a Comment