Future Crimes

by Marc Goodman

  At the scene of a suspected crime, cops will be able to interrogate the refrigerator and ask the equivalent of “Hey, buddy, did you see anything?” Child social workers will know that there hasn’t been any milk or diapers in the home and the only thing stored in the fridge has been beer for the past week. The IoT also opens up the world for “perfect enforcement.” When sensors are everywhere and all data are tracked and recorded, it becomes more likely that you will receive a moving violation for going twenty-six miles per hour in a twenty-five-mile-per-hour zone and get a parking ticket for being seventeen seconds over on your meter. As today’s red-light cameras have already shown, when everything is connected, nothing can be hidden, particularly when infractions translate into revenue for government agencies and their business partners.

  The former CIA director David Petraeus has noted that the Internet of Things will be “transformational for clandestine tradecraft.” While the old model of corporate and government espionage might have involved hiding a bug under the table in the conference room to listen in on your conversation, tomorrow the very same information might be obtained by intercepting in real time the data sent from your Wi-Fi lightbulb to the lighting app on your smart phone. Thus the devices you thought were working for you may in fact be on somebody else’s payroll, particularly that of Crime, Inc.

  Hacking Hardware

  A much rarer breed of hacker targets the physical elements that make up a computer system, including the microchips, electronics, controllers, memory, circuits, components, transistors, and sensors—core elements of the Internet of Things. These hackers attack a device’s firmware, the set of computer instructions present on every electronic device we encounter, including TVs, stereo receivers, mobile phones, game consoles, digital cameras, hard drives, printers, automobiles, avionics, heating and air-conditioning systems, network routers, alarm systems, CCTVs, SCADA industrial control systems, USB drives, traffic lights, parking meters, gas station pumps, digital watches, sensors, smart home management systems, robotics, and programmable logic controllers (such as those used by the Iranians in Natanz). The overwhelming number of “smart” objects are dead dumb and have no capacity whatsoever to have their firmware upgraded.

  Indeed, the small embedded computers that comprise the IoT, and most of our everyday electronic devices, have very limited processing power and memory. As a result of these limitations, they must be built to exceedingly tight specifications that barely accommodate the functions their designers need to make the devices work, leaving precious little room for anything as “trivial” as security, often a far afterthought in the manufacturing process. Most firmware lacks a common automatic mechanism for updating itself to fix any functionality or security issues detected after the device has been shipped, meaning that a preponderance of devices already online for five to ten years are sitting ducks. For some more expensive items, such as smart phones, the device’s firmware is meant to be upgradable so that improvements and security patches can be downloaded. Yet for the majority of other electronic devices, manufacturers rarely change a device’s firmware over its useful lifetime, as doing so might require the integrated circuits on the item to be physically replaced—a profoundly expensive economic nonstarter. But even if your phone has the latest firmware, there are still dangers to consider.

  While many iPhone or Android users may understand that downloading the wrong app or computer file might give their phones a virus, few if any understand that their choice of mobile phone charger can do the very same thing. Hackers have already successfully built a hardware virus directly into a compromised USB charger capable of targeting Apple devices. The mere plugging in of your phone to one of the rogue power cords is all you need to get infected. By modifying the firmware and electronics of the innocent little plug we use to charge our phones, attackers were able to bypass the iPhone’s security safeguards and infect the phone. No pop-up alert was provided, and the stealthily running malware was not visible anywhere on the list of running programs. In the background, however, the rogue charger installed a back door on the device that allowed hackers to make phone calls, read texts, steal banking information, capture account passwords, and track the movements of phone users. The phenomenon is known as juice jacking, and the malicious charger was built for under $50—something to consider the next time you’re plugging in your battery-starved smart phone at a public charging station kiosk at an airport, hotel, or local shopping mall (the very places hackers would place these devices to infect the greatest number of victims).

  Illicitly modified chargers aren’t the only hardware surprises we need to be on the lookout for today. Just about anything with a microcontroller or sensor can arrive in your home with “enhanced features” that nobody would ever want. In 2013 in Russia, customs officials noticed that a series of consumer goods manufactured in China, including electronic teakettles and clothing irons, arrived with modifications that Russian authorities were none too pleased about. The devices contained hidden miniature Wi-Fi cards capable of spreading malware to any open Internet network within two hundred meters and were able to “phone home,” relaying secret messages back to China. Not only could these irons and teakettles surreptitiously join your Wi-Fi network (something nobody would ever expect from an ordinary everyday iron), but they could use your own network to spread viruses to the other computers in your home and disseminate spam messages to your neighbors and the rest of the world. While we’d like to believe that spying irons and hacked iPhone chargers are some bizarre oddities, the fact of the matter is they are the harbingers of much more widespread and serious threats posed by the rapid assimilation of billions of networked objects to the worldwide information grid.

  More Connections, More Vulnerabilities

  For all the untold benefits of the Internet of Things, its potential downsides are colossal. Adding 50 billion new objects to the global information grid by 2020 means that each of these devices, for good or ill, will be able to potentially interact with the other 50 billion connected objects on earth. The result will be 2.5 sextillion potential networked object-to-object interactions—a network so vast and complex it can scarcely be understood or modeled. The IoT will be a global network of unintended consequences and black swan events, ones that will do things nobody ever designed or purposely planned. While there may be serendipitous benefits of such a network, there is also every chance many of its developments will be undesirable, negatively affecting global security, personal privacy, and human rights. Moreover, if you think the number of error messages and application crashes we face today are a problem, just wait until the Web is embedded in everything from your car to your sneakers to your microwave. Having to reboot your refrigerator, your thermostat, and your garage door in order to get them to run won’t be much fun either.

  If ever there were a technology that embodied the butterfly effect, it is surely the Internet of Things. In this world, it is impossible to know the consequences of connecting your home’s networked blender to the same information grid as an ambulance in Tokyo, a bridge in Sydney, or a Detroit auto manufacturer’s production line, and yet it will all be connected in one way or another.

  While some of the world’s smartest research and technology firms are rushing forward to build the Internet of Things (and claim their share of its multitrillion-dollar economic bounty), their colleagues back in the IT security department are frantically working to combat yesterday’s zero-day attack or the malware vulnerability crisis du jour. There is little time to speculate and prepare for what is coming next. The vast levels of cyber crime we currently face make it abundantly clear we cannot even adequately protect the standard desktops and laptops we presently have online, let alone the hundreds of millions of mobile phones and tablets we are adding annually. In what vision of the future, then, is it conceivable that we will have any clue how to protect the next fifty billion things to go online? Given our inability to secure today’s global information matrix, how might we ever protect a world in which eve
ry physical object, from pets to pacemakers to self-driving cars, is connected to the Net and hackable from anywhere on the planet? The obvious reality is that we cannot.

  The Internet of Things will become nothing more than the Internet of Things to be hacked, a cornucopia of malicious opportunity for those with the means and motivation to exploit our common technological insecurity. The IoT and its underlying insecure protocols will open a Pandora’s box of security vulnerabilities on an unprecedented scale, potentially creating systemic malfunctions whose reach will be simultaneously unpredictable, extraordinary, and terrifying.

  Houston, we have a problem, particularly with our threat surface area—that is to say, the sum of the different points or attack vectors through which an enemy can strike. The challenge with the Internet of Things is that our technological threat surface area is growing exponentially and simply stated we have no idea how to defend it effectively. The logic is clear: the more doors and windows you have, the more places a burglar can enter your home—particularly one connected to the Internet.

  CHAPTER 13

  Home Hacked Home

  We estimate that only one percent of things that could have an IP address today have one, so we like to say that ninety-nine percent of the world is still asleep. It’s up to our imaginations to figure out what will happen when the ninety-nine percent wakes up.

  PADMASREE WARRIOR, CHIEF TECHNOLOGY OFFICER, CISCO

  Blake Robbins, a student in Pennsylvania’s Lower Merion School District, couldn’t imagine why he’d been summoned to the principal’s office. When the assistant principal accused the sixteen-year-old student of “inappropriate behavior,” Robbins responded that he had no idea what the school official was talking about. The assistant principal then clarified: she knew the student was dealing drugs and threatened him with suspension. The sixteen-year-old vigorously denied the allegations until suddenly the administrator turned around her laptop and showed Robbins several pictures of himself in his own bedroom holding small oblong-shaped pills in his hand that he then proceeded to ingest. Shocked, the boy asked where the photographs had come from, a point the school official did not feel she needed to address.

  Robbins went home and told his parents about the incident, who then confronted the school district. As it turned out, Robbins was not using or dealing drugs, but had merely been eating red-colored Mike and Ike candy, a fact known to his parents. But how the hell did school officials get a photograph of a sixteen-year-old boy in his own bedroom eating candy? Through an elaborate spying program purportedly meant to protect school property.

  Officials in the affluent school district had provided twenty-three hundred high school students MacBook laptops to support their studies. What they failed to disclose to either students or parents, however, was that the laptops had secret software installed that gave administrators remote access to all student activities on the devices, including student chat logs and records of the Web sites they visited. It also allowed officials to remotely commandeer the laptop’s camera to photograph and record students anytime the devices were open—all allegedly to help track lost or stolen laptops. The remote spying system was set to silently snap photographs automatically every fifteen minutes whenever any student’s laptop was up and running, though officials could set the time-frame intervals to every sixty seconds for students suspected of “inappropriate behavior.”

  The photographs were uploaded to the school district’s Web server, where they were individually reviewed by district officials. District officials captured over fifty-six thousand images, including photographs of naked children in their bedrooms, bathrooms, and any other venue they traveled with their laptops. Administrators covertly snapped more than four hundred images of Robbins alone once he came under suspicion of bad behavior, though police were never notified and no search warrants were ever obtained for the school district’s invasive activities. Once news of the school district’s egregious behavior became public, numerous lawsuits were filed, including by Robbins’s parents, and an FBI criminal investigation against the district ensued. As Robbins told Good Morning America, “They might as well be sitting in my room watching me without my knowing.” Unfortunately, at the time the sophomore had received his “free” laptop, he was too young to have yet studied the prophetic warning about Greeks bearing gifts, a topic he would likely cover two years later when assigned Virgil’s Aeneid in his senior English class.

  Candid Camera

  You can’t assume any place you go is private because the means of surveillance are becoming so affordable and so invisible.

  HOWARD RHEINGOLD

  When a public school district, an organ of the state, has the ability to spy on us in our homes at will and without warrant, it is clear the age of pervasive universal surveillance has upon us. From London to New York and Chicago to Beijing, massive video surveillance, or CCTV, networks have been installed to protect us from threats, real and imagined. In one city alone, Chongqing in southwest China, officials have installed 500,000 cameras to deal with religious and political unrest, in addition to other “organized crimes.” Though once upon a time government had a monopoly on such security systems, today we are as likely to encounter cameras in grocery stores, gas stations, car dealerships, hospitals, schools, office buildings, bridges, tunnels, bars, taxicabs, buses, trains, doctors’ offices, and dry cleaners. We also have them on our laptops, mobile phones, game consoles, televisions, tablets, nanny cams, and home security systems, and the more ubiquitous they become, the less we’re aware they’re even there. Given the near-zero cost of these cheap video sensors, their presence in our lives is about to vastly expand as the Internet itself develops its own sense of vision.

  The capabilities and quality of today’s cameras are improving to unimaginable levels, long since ditching the grainy black-and-white images of yesteryear. The Defense Department has already deployed a 1.8-gigapixel camera that can be attached to a drone and spot targets “as small as six inches at an altitude of 20,000 feet” (technology that will undoubtedly be available commercially in the near future). Moreover, today’s cameras don’t just watch and record; they can see and understand, by linking their sensors to cloud-computing algorithms and big-data analytics. As a result, cameras can perform facial recognition, read your license plate, and even determine that a package (potential bomb) has been left alone in one place too long. This analysis can be done in real time as well as retrospectively, making it possible to unlock millions of hours of long-ago-recorded video footage to search for “a woman with a red hat.”

  Unfortunately, the tools that are meant to protect us can provide a false sense of security, as the hundreds of millions of cameras around the world going online prove themselves vulnerable to attack by hackers with ill intent. As previously discussed, your mobile phone’s camera can easily be turned on remotely without your knowledge, using widely available tools such as Mobile Spy (of which sixty thousand copies have been sold).

  One young woman who learned this lesson the hard way was Cassidy Wolf, Miss Teen USA, whose open laptop in her bedroom was commandeered by a hacker, capturing nude photographs and video of her as she walked around in her own bedroom after coming out of the shower and while getting dressed for school. Her tormentor watched her daily for several months until one day he sent her a “sextortion” e-mail demanding she perform a series of sex acts on camera for him “or I upload these pics and a lot more (I have a LOT more and those are better quality) on all your accounts for everybody to see and your dream of being a model will be transformed into a pornstar [sic].” Upon receiving the e-mailed threat, Cassidy slammed her laptop shut and burst into tears, eventually deciding to go to the police. Three months later, an FBI investigation revealed one of her high school classmates, Jared Abrahams, was her extorter. Abrahams carried out his attack using Blackshades, a Crime, Inc. tool kit readily for sale on Crimeazon.​com, malware he used to target eight other women in Southern California.

  Meanwhile, modern baby cams, w
hich allow parents to monitor their kids not only in the next room but over the Internet, are just another point of presence on the Net waiting to be cracked. Hackers and pedophiles routinely compromise these devices, the majority of which require no password or use a standard well-known one provided by the manufacturer, leading to a lurid trade in nanny cam images in the digital underground, including those of young mothers breast-feeding their infants. The cameras allow for full pan, tilt, and zoom and include two-way audio with a built-in speaker and microphone so parents can both listen and speak to their children. Convenient for mom, dad, and hacker alike, as Heather Schreck of Cincinnati found out when she was awoken from a deep sleep one midnight.

  “All of a sudden, I heard what sounded like a man’s voice, but I was asleep so I wasn’t sure.” Confused, Heather checked the baby camera in the bedroom of her ten-month-old daughter, Emma, using her cell phone. Strangely, the camera was moving, but it wasn’t the mom who was doing it. Suddenly Heather could now hear a man’s voice across her house screaming, “Wake up baby, wake up!” Heather and her husband, Adam, ran into Emma’s room and upon entering saw the baby camera turn from their now crying daughter and directly focus on Adam. The male voice coming through the device observing the parents unleashed a tirade of obscenities on the half-awake couple before Adam had the presence of mind to yank the camera cord from the wall. The baby monitor’s manufacturer, Foscam, later admitted the device had a “firmware vulnerability” that had allowed the creep into the cradle of the Schrecks’ sleeping infant. These incidents are far from isolated, as another family in Houston discovered when they awoke to a man’s voice screaming the name of their two-year-old daughter, Allyson, cursing at her and wailing, “Wake up … you little slut.” The virtual intruder knew the girl’s name because it was written in pink on the wall. It is both ironic and troubling that the devices families purchase to protect themselves can actually be used as weapons to target them and invite trouble into their homes.