The Future of Security: A Roundtable
Kevin Poulsen

The Global Spy Network of Deadly Robots

We must take care to not let our love of convenience kill us.

The world is rapidly creating a network of spies and deadly robots: a global network designed to spy on everything we do and report on it to unseen watchers, and containing devices which can potentially kill us. Over the next decade I fear this problem will only grow greater. Because we aren’t calling it “the Global Spy Network of Deadly Robots”, but rather the “Internet of Things” (IoT) or, in an industrial context, “Supervisory Control and Data Acquisition (SCADA) Systems”.

Dr. Nicholas Weaver, Senior Researcher, Networking and Security / UC Berkeley

What we call IoT or SCADA is a catch-all title for taking a sensor (something that observes the world in a particular way) or an actuator (something that can change the state of the world) and hooking it up to the Internet. Our phones, our thermostats, our cars, our power grid, our medical devices, all come with network connections.

Another name for a sensor is “spy”. If the sensor is only under our control, then it is our own safe spy. Unfortunately, so many of these sensors are not under our control. With most “cloud connected” sensors, like a Nest thermostat or smoke alarm, the device is continually communicating back to a central operator, one which often can see the raw data. This is even before we consider the threat from hackers breaking into our IoT systems.

So many of these sensors, notably our cellphones, also run effectively arbitrary code provided by third parties. On your phone, how many applications have permission to access both the microphone and your location? As just a simple example, the developer of any one of those applications could easily convert that application into a “copyright enforcement snitch”, listening for music or sporting events which, combined with location information, allows the application to identify all public spaces which are not properly paying their licensing fees. Voila, a new revenue stream!

Yet for all the threat posed by the Internet of Spies, it is the actuators that are truly frightening. Many of these are really “safe”; after all, the only thing a hacker who can change my refrigerator can do is spoil the milk. But far too many systems, such as our cars, our medical devices, our power grid, and our oil refineries, are hooked up to actuators that can kill.

In this, we have failed to heed Adama’s Law: “If it can kill you, don’t connect it to the network!” Instead we seem to connect our systems with reckless abandon, and hope that nobody else decides to use these systems against us. Such a belief may be correct, but it is not one I really wish to stake my life on.

I fear this problem will only grow worse over the next decade. The economic pressures leading us to connect everything, irrevocably, to the network seem unstoppable. I can’t even remove the Internet connection from my car without disabling it! What will the future hold if this trend continues?

The Future of Security Roundtable is a Google-sponsored initiative that brings together thought leaders to discuss how we can best protect ourselves from the data breaches and security risks of tomorrow. Panelists are not affiliated with Google, and their opinions are their own.