
Future Crimes


by Marc Goodman


  In this world, the unknowable suddenly becomes knowable. For example, groceries will be tracked from field to table, and restaurants will keep tabs on every plate, what’s on it, who ate from it, and how quickly the waiters are moving it from kitchen to customer. As a result, when the next E. coli outbreak occurs, we won’t have to close five hundred eateries and wonder if it was the chicken or beef that caused the problem. We will know exactly which restaurant, supplier, and diner to contact to quickly resolve the problem. The IoT and its billions of sensors will create an ambient intelligence network that thinks, senses, and feels and contributes profoundly to the knowable universe.

  Not only does the unknowable become knowable, but the impossible suddenly becomes possible. Things that used to make sense suddenly won’t, such as smoke detectors. Why do most smoke detectors do nothing more than make loud beeps if your life is in mortal danger because of fire? In the future, they will flash your bedroom lights to wake you, turn on your home stereo, play an MP3 audio file that loudly warns, “Fire, fire, fire.” They will also contact the fire department, call your neighbors (in case you are unconscious and in need of help), and automatically shut off flow to the gas appliances in the house. You’re not the only one who might have your life saved by the Internet of Things—so too might your plants. Cheap moisture sensors placed in the soil of house plants have been using home Wi-Fi networks to send out tweets since 2009 screaming, “URGENT! Water me!”

  Not futuristic enough? What about an interspecies Internet—one that links elephants, dolphins, and great apes for “the purposes of enrichment, research, and preservation”? Though it may sound crazy, it’s already here. In Australia, for example, there are over 300 sharks on Twitter (no, they did not sign up themselves). Researchers fitted 338 sharks, including many great whites, with acoustic tags that send an electronic signal to shore-based receivers when the animals come within half a mile of the beach. For a country that has suffered more fatal shark attacks than any other, this IoT development is saving human lives, and the sharks have attracted nearly forty thousand beach-going Twitter followers as a result.

  The by-product of the Internet of Things will be a living, breathing, global information grid, and technology will come alive in ways we’ve never seen before, save for in science fiction movies. While this future may seem far-fetched, M2M communications have already supplanted all human-originated online activities, with more than 61.5 percent of worldwide Internet traffic being generated by things as of late 2013. As we venture down the path toward ubiquitous computing, the results and implications of the phenomenon are likely to be mind-blowing. Just as the introduction of electricity was astonishing in its day, it eventually faded into the background, becoming an imperceptible, omnipresent medium in constant interaction with the physical world. Before we let this happen, and for all the promise of the Internet of Things, we must ask critically important questions about this brave new world. While its multifold benefits seem manifest, an Internet of everything also poses tremendous risk. For just as electricity can shock and kill, so too can billions of connected things networked online.

  Connecting Everything—Insecurely

  Connecting products to the Web will be the twenty-first-century electrification.

  MATT WEBB, CEO, BERG CLOUD

  In order for things to go online and communicate with one another, they must first be enabled with the technological equivalent of speech. As we saw with Texas Auto Center and technologies such as the WebTeckPlus black box, cars today can indeed “talk,” squawking data about their location, condition, and state. Central to achieving the vision outlined by the proponents of the Internet of Things is giving everyday objects the capacity to speak to us and to each other.

  In order to make this happen, the IoT relies on a series of competing communications technologies and protocols. At a distance, cellular and mobile data transmission standards such as LTE, 4G, GSM, and CDMA will connect devices to the mobile phone network. Many larger things will be able to communicate via fixed wired lines such as Ethernet and optical fiber, but for price and convenience perhaps the largest number of connections will take place via wireless networks. The result will be billions of embedded chips in things using standards such as Wi-Fi, Bluetooth, ZigBee, Z-Wave, near-field communication, and radio-frequency identification in order to communicate. As the price of these tools drops, new consumer products such as Apple’s iBeacon and Tile’s location tags may soon become an omnipresent feature in our daily lives, allowing us to track objects with centimeter precision.

  The first of these IoT enabling technologies, RFID, was patented in 1983 and is a wireless low-energy device that can be embedded into any object to make it “smart,” or able to interact with RFID readers. RFID tags are printed electronic circuits no thicker than a piece of paper, often come in sticker format, many the size of a dime, and can be produced for under a penny. They are capable of performing real-time, constant data exchange and can be read by scanners, some as far as up to one hundred meters away. Even if you are unfamiliar with RFID technology, chances are you have already encountered it in your life, whether it’s the security ID card you use to swipe your way into your office, your “wave and pay” credit card, the key to your hotel room, your subway pass, or the little box you use to pay for highway tolls, such as E-ZPass. Though the convenience of RFID, considered by many the gateway to the Internet of Things, sounds great, there’s one problem: it’s eminently hackable.

  There have been dozens of exploits against RFID technology, whose electronics can be readily hacked, spoofed, and jammed, and there is an active “RFID underground” continually working on improving its offensive techniques. The overwhelming majority of today’s RFID tags have no effective security, encryption, or privacy protocols in place. These shortcomings have allowed the security hacker Francis Brown to build his own RFID readers for under $400 that can scan, copy, clone, and steal data from your smart cards. As a result, while you’re standing in line at the grocery store, sitting in a crowded subway car, riding the elevator up to your office, or waiting for your morning latte at Starbucks, Brown can conduct a “brush pass” attack. As he stands there smiling and perhaps even chatting with you, the concealed portable RFID reader in his backpack can query the office key card you have in your wallet, pocket, or purse and abscond with all the details encoded in it. So what?

  Here’s why it matters. Brown can then plug his RFID reader into his computer at home and use it to clone RFID cards all day long. That means he can get into your office, hotel room, or home anytime he likes. Every Fortune 500 company in America uses RFID in its employees’ badges to control access to its office buildings, and Brown has a 100 percent success rate in cloning the cards. The implications of this for everything from industrial espionage to common burglary to employee safety are enormous. Relying on insecure RFID identity cards as the primary system we use for security and identity in the workplace means the current system is completely broken. Worse, these cards cannot simply be updated like your home computer by downloading new software. Each of them would need to be replaced—an expensive proposition for a corporation with 100,000 employees.

  Even if you don’t use an RFID card for work, there’s a good chance you either have it or will soon have it embedded in the credit card sitting in your wallet. Hackers have been able to break into these as well, using cheap RFID readers available on eBay for just $50, tools that allow an attacker to wirelessly capture a target’s credit card number, expiration date, and security code. Seconds later, using a $300 card-magnetizing tool, the data is then encoded on a new card, allowing fraudulent purchases in a process that can be completed in just a matter of minutes. Welcome to pocket picking 2.0, where the thieves don’t even need to stick their hands in your pocket anymore.

  The techniques to hack RFID are easy to emulate, and there are hundreds of instruction sites and videos online telling hackers exactly how. Troubling given that billions of things coming online will be using RFID as their primary language to speak and interact with the world. RFID chips can also be infected with viruses, and just like GPS signals RFID can be jammed, preventing you from getting into your office and allowing thieves to shoplift expensive goods electronically tagged by retailers. Another popular IoT communications technology is RFID’s younger brother, known as near-field communication (NFC) and currently built into 20 percent of mobile phones, particularly Android models, as well as the latest iPhone 6 devices. There are many uses for NFC, but one of the most common is for mobile payment services such as Google Wallet.

  Just swipe your phone past an NFC reader to pay for a product, and the funds will be deducted from your phone’s virtual wallet or charged to your credit card. But like RFID, NFC has been compromised on many occasions, with hacker apps such as NFCProxy capable of copying NFC credit card data in real time and replaying them later when the bad guy uses them to buy goods and services of his own choosing. Google Wallet has also been hacked repeatedly, including reading your PIN without authorization and accessing funds stored on your phone. And now that the iPhone is enabling mobile payments with Apple Pay, it’s likely that criminals will turn their attention to getting around Apple’s security system too.

  In another instance, a hacker successfully targeted the NFC chip in a nearby mobile phone to take command of the device and make phone calls, text, and access files—all without the knowledge of the device’s rightful owner. NFC apps on mobile phones are already being used to pay for local transit systems, and crooks in San Francisco and New Jersey have hacked the NFC turnstiles by using an app called UltraReset, which automatically replenishes any fares deducted by the train operators, equating to free subway rides for life.

  Another IoT wireless communications technology that has surged in its usage and popularity is Bluetooth, but like RFID and NFC it too is easily subverted. There are dozens of easy-to-use free apps and programs such as Blue Scanner, Blue Bugger, BT Browser, and Blue Sniff that make it simple for any malicious individual to connect to a Bluetooth-enabled device and take control of it. These tools provide unauthorized access, known as Bluesnarfing, via the Bluetooth port to any data stored on smart phones, desktops, and laptops. They can also intercept data you type on your wireless keyboards, read your text messages, snap photographs without your knowledge, and even eavesdrop on your Bluetooth headset as you’re seated in the airport awaiting your flight.

  The gold rush of the Internet of Things is upon us, and there will be no turning back. While connecting everything to a global Internet of Things may indeed have tremendous value, connecting everything insecurely does not. Before we add billions of hackable things and communicate with hackable data transmission protocols, important questions must be asked about the concomitant risks with regard to the exponential implications for the future of security, crime, terrorism, warfare, and privacy.

  Obliterating Privacy

  Items of interest will be located, identified, monitored, and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers, and energy harvesters—all connected to the next-generation Internet using abundant, low-cost, and high-power computing.

  DAVID PETRAEUS, CIA DIRECTOR (RETIRED)

  In the same way our every move online can be tracked, recorded, sold, and monetized today, so too will that be possible in the near future in the physical world. Real space will become just like cyberspace, and as all the objects around us join the Internet of Things, any meaningful distinction between the online and the off-line worlds will disappear.

  With the widespread adoption of more networked devices, what people do in their homes, cars, workplaces, schools, and communities will be subjected to increased monitoring and analysis by the corporations making these devices. Of course these data will be resold to advertisers, data brokers, and government alike, providing a heretofore-unprecedented view into our daily lives. Unfortunately, just like our social, mobile, locational, and financial information, our IoT data will leak, providing further profound capabilities to stalkers and other miscreants interested in persistently tracking us. While it would certainly be possible to establish regulations and build privacy protocols to protect consumers from such activities, if past is prologue, the greater likelihood is that every IoT-enabled device, whether an iron, vacuum, refrigerator, thermostat, or lightbulb, will come with terms of service that grant manufacturers access to all your data. More troublingly, while it may be theoretically possible to log off in cyberspace, in your well-connected smart home there will be no “opt-out” provision. As a result, more of what happens behind closed doors will be open to scrutiny by parties you would never invite into your home, and in this world pulling down the shades won’t keep out the twenty-first century’s Peeping Toms.

  We may find ourselves interacting with thousands of little objects around us on a daily basis, each collecting seemingly innocuous bits of data 24/7, information these things will report to the cloud, where it will be processed, correlated, and reviewed. Your smart watch will reveal your lack of exercise to your health insurance company, your car will tell your auto insurer of your frequent speeding, and your garbage can will tell your local municipality that you are not following local recycling regulations. This is the “Internet of stool pigeons,” and though it may sound far-fetched, it’s already happening. Auto insurance companies such as Progressive are offering discounted personalized rates based on your driving habits. “The better you drive, the more you can save,” according to its advertising. All drivers need to do to receive the lower pricing is agree to the installation of Progressive’s Snapshot black-box technology in their cars and to having their braking, acceleration, and mileage persistently tracked. As we move forward, however, it’s not unreasonable to believe that drivers who do not consent to such devices in their cars will face such outrageously high premiums that they will de facto become obligatory.

  The IoT will also provide vast new options for advertisers to reach out and touch you on every one of your new smart connected devices. That means every time you go to your refrigerator to get ice, you will be presented with ads for products based on the food your refrigerator knows you’re most likely to buy. Screens too will be ubiquitous, and marketers are already planning for the bounty of advertising opportunities. In late 2013, Google sent a letter to the Securities and Exchange Commission noting, “we and other companies could [soon] be serving ads and other content on refrigerators, car dashboards, thermostats, glasses, and watches, to name just a few possibilities.” Knowing that Google already reads your Gmail, records your every Web search, and tracks your physical location on your Android mobile phone, what new powerful insights into your personal life will the company develop when its entertainment system is in your car, its thermostat regulates the temperature in your home, and its smart watch monitors your physical activity?

  Not only will RFID and other IoT communications technologies track inanimate objects, but they will be used for tracking living things as well. Many pet lovers are already familiar with companies such as PetLink, HomeAgain, and AKC Reunite, which provide implantable RFID chips to veterinarians so that lost dogs and cats can be identified and returned to their homes if they run away. What may be less well known, however, is that increasingly human beings too are forcibly monitored via RFID wristband systems, such as those becoming commonplace in jails and prisons from Los Angeles to Washington, D.C. In some countries, such as the U.K., government officials are even considering implanting RFID chips directly under the skin of prisoners, just as is common practice with dogs. While many might not object to convicted criminals being subjected to such RFID tracking, they may feel differently when similar techniques are applied to their own children.

  School officials across the United States have begun embedding RFID chips in student identity cards, which pupils are required to wear on their persons at all times. In Contra Costa County, California, preschoolers are now required to wear basketball-style jerseys with electronic tracking devices built in that allow teachers and administrators to know exactly where each student is. According to school district officials, the RFID system saves “3,000 labor hours a year in tracking and processing students.” Of course, when people are forced to join the Internet of Things, a wide variety of other privacy and public policy issues arise. For example, the same RFID system that enables constant student monitoring will be able to identify those students who move around “too much” and therefore may be deemed hyperactive, disruptive, and better suited for “alternative schools.” Students who do not wish to be tracked are being told “tough luck,” and in 2013 the sophomore Andrea Hernandez in San Antonio, Texas, was suspended when she refused to wear her RFID device on campus.

  Meanwhile, the ability to track employees, how much time they take for lunch, length of their bathroom breaks, and the number of widgets they produce will become easy. Moreover, even things such as words typed per minute, eye movements, total calls answered, respiration, time away from desk, and attention to detail will be recorded. The result will be a modern workplace that is simultaneously more productive and more prison-like. Though it won’t only be your employer who will access data from the IoT for reasons of efficiency and control, so too will the government. Already police agencies query local utilities to uncover customers with unusually high electrical bills, thought to correlate to indoor marijuana farms. Based on nothing more than electrical bills, search warrants have been issued and suspected growers arrested. In the future, law enforcement may be able to completely bypass the subpoena and just remotely query your smart meter to see if your energy usage is “out of profile” for homes in your neighborhood.

 
