Last October at Melbourne's grand Intercontinental Hotel scores of technophiles watched a researcher for IOActive, a Seattle-based computer-security firm, demonstrate an ingenious new way to kill someone—a method that one can imagine providing a sensational plot twist in an episode of Homeland.
The IOActive researcher, a man named Barnaby Jack, was so worried about the implications of his work that he intentionally obscured many of the details in his presentation. As a further precaution, he asked the attendees not to take any pictures—a tough request in a crowd full of smartphones and laptops.
Jack's work concerned pacemakers and implantable cardioverter-defibrillators (I.C.D.'s). More than three million American heart patients carry around these small, computerized devices, which monitor their heartbeat and deliver jolts of electricity to stabilize it when needed. To check and adjust these devices, many doctors use wand-like wireless programmers that they wave a few inches above patients' chests—a straightforward and seemingly safe procedure. But now, with a custom-built transmitter, Jack had discovered how to signal an I.C.D. from 30 feet away. It reacted as if the signal were in fact coming from the manufacturer's official I.C.D. programmer. Instructed by the counterfeit signal, the I.C.D. suddenly spat out 830 volts—an instantly lethal zap. Had the device been connected to an actual human heart, the fatal episode would likely have been blamed on a malfunction.
Let's face it: Barnaby Jack is a man who is quite literally looking for trouble. This is a guy who had demonstrated the year before how he could wirelessly direct an implantable insulin pump to deliver a lethal dose. The year before that, he hacked an ATM to make it spray out bills like a slot machine. But trouble-making is what he's paid to do at IOActive, and in that role he has developed a particular respect for the looming power of smartphones. Terrorists have already used cell phones to kill people in the crudest possible way: detonating explosives in Iraq and Afghanistan. But smartphones bring a new elegance to the endeavor and will bring new possibilities for mayhem into the most mundane areas of life.
The day is not far off, Jack says, when the manipulation of medical devices, for which he had needed to build special equipment, will be done routinely and remotely by punching keys on a smartphone. Indeed, in just a few minutes of online searching, I was able to find a dozen ventures developing smartphone apps for medical devices: pacemakers, defibrillators, cochlear implants, insulin pumps, cardiovascular monitors, artificial pancreases, and all the other electronic marvels doctors now are inserting into human bodies.
To engineers, the advantages are clear. Smartphones can relay patients' data to hospital computers in a continuous stream. Doctors can alter treatment regimens remotely, instead of making patients come in for a visit. If something goes wrong, medical professionals can be alerted immediately and the devices can be rapidly adjusted over the air. Unfortunately, though, the disadvantages are equally obvious to people like Barnaby Jack: doctors will not be the only people dialing in. A smartphone links patients' bodies and doctors' computers, which in turn are connected to the Internet, which in turn is connected to any smartphone anywhere. The new devices could put the management of an individual's internal organs, in the hands of every hacker, online scammer, and digital vandal on Earth.
I asked Jack if he thought anyone would actually use smartphones to try to fiddle with other people's pacemakers, or change the dosage of their medications, or compromise their eyesight, or take control of their prosthetic limbs, or raise the volume of their hearing aids to a paralyzing shriek. Will this become a tempting new way to settle a score or hurry up an inheritance? He said, "Has there ever been a box connected to the Internet that people haven't tried to break into?" He had a point: a few years ago, anonymous vandals inserted flashing animated images into an Epilepsy Foundation online forum, triggering migraines and seizure-like reactions in some unfortunate people who came across them. (The vandals were never found.) Jack was reluctant to go into detail about what he thinks the future may hold. "I'm not comfortable trying to predict exact scenarios," he said. But then he added, calm as a State Department spokesman, "I can say that I wouldn't want to discover a virus in my insulin pump."
Smartphones taking control of medical devices: the tabloid headlines write themselves. But medical devices represent only one early and obvious target of opportunity. Major power and telephone grids have long been controlled by computer networks, but now similar systems are embedded in such mundane objects as electric meters, alarm clocks, home refrigerators and thermostats, video cameras, bathroom scales, and Christmas-tree lights—all of which are, or soon will be, accessible remotely. Every automobile on the market today has scores of built-in computers, many of which can be accessed from outside the vehicle. Not only are new homes connected to the Internet but their appliances are too. "Start your coffee machine with a text message!" says a video for Electric Imp, a device created by former Gmail and iPhone employees, whose stated goal is to "apply [Internet connectivity] to any device in the world." Even children's toys have Internet addresses: for instance, you can buy an add-on wi-fi kit for your Lego robot. The spread of networking technology into every aspect of life is sometimes called "the Internet of Things."
The embrace of a new technology by ordinary people leads inevitably to its embrace by people of malign intent. Up to now, the stakes when it comes to Internet crime have been largely financial and reputational—online crooks steal money and identities but rarely can inflict physical harm. The new wave of embedded devices promises to make crime much more personal.
Consider the automobile. Surely nobody involved in the 2000 Bridgestone/Firestone scandal—a series of deadly rollovers in Ford Explorers, linked to disintegrating tires—realized that they were laying the groundwork for a possible new form of crime: carjacking-by-tire. In the aftermath of the accidents, Congress quickly toughened tire-safety regulations. Since 2007, every new car in the United States has been equipped with a tire-pressure-monitoring system, or T.P.M.S. Electronic sensors in the wheels report tire problems to an onboard computer, which flashes a warning icon on the dashboard.
By itself, the T.P.M.S. represents no great leap. Modern cars are one of the most obvious examples of the Internet of Things. It is a rare new vehicle today that contains fewer than 100 of the computers, called electronic control units, which direct and monitor every aspect of the vehicle. When drivers screech to a sudden stop, for instance, sensors in the wheels detect the slowdown and send the information to an E.C.U. If one wheel is rotating more slowly than the others—an indicator of brake lock—the E.C.U. overrides the brake and the accelerator, preventing the skid. Even as it fights the skid, the computer reaches into the seatbelt controls, tightening the straps to prevent passengers from slipping under them in case of an accident. The software for these complex, overlapping functions is formidable: as much as 100 million lines of computer code. (By contrast, Boeing's new 787 Dreamliner makes do with about 18 million lines of code.)
Many of these functions can be activated from outside. Door locks are opened by radio pulses from key fobs. G.P.S. systems are upgraded by special C.D.'s. Ignitions can be disabled by remote-controlled "immobilizers" in case of theft or repossession. Cars increasingly offer "telematics" services, such as OnStar (from General Motors), BMW Assist, MyFord Touch, and Lexus Link, that remotely diagnose engine problems, disable stolen cars, transmit text messages and phone calls, and open doors for drivers who have locked themselves out. As cars grow more sophisticated, their owners will, like computer owners, receive routine, annoying updates for the code that runs these features; Tesla, the electric-vehicle manufacturer, announced the planet's first over-the-air car-software patch in September. A security-research team from InterTrust Technologies, a company that makes protected computer systems for businesses, describes today's automobiles as full-time residents of cyberspace, scarcely distinguishable from "any other computational node, P.C., tablet, or smartphone."
The tire-pressure-monitoring system is an example. As a rule, it consists of four battery-operated sensors, one attached to the base of each tire valve. The sensors "wake up" when the wheels begin rotating. Typically, they send out minute-by-minute reports—the digital equivalent of messages like "I'm the right front tire; my pressure is 35 p.s.i."—to an E.C.U. To make sure the E.C.U. knows which tire is reporting, each sensor includes an identification number with its report. The ID is specific to that one tire. In 2010, researchers from Rutgers and the University of South Carolina discovered that they could read a tire's ID from as far away as 130 feet. This means that every car tire is, in effect, a homing device and that people 130 feet from an automobile can talk to it through its tires.
Schrader Electronics, the biggest T.P.M.S. manufacturer, publicly scoffed at the Rutgers–South Carolina report. Tracking cars by tire, it said, is "not only impractical but nearly impossible." T.P.M.S. systems, it maintained, are reliable and safe.
This is the kind of statement that security analysts regard as an invitation. A year after Schrader's sneering response, researchers from the University of Washington and the University of California–San Diego were able to "spoof" (fake) the signals from a tire-pressure E.C.U. by hacking an adjacent but entirely different system—the OnStar-type network that monitors the T.P.M.S. for roadside assistance. In a scenario from a techno-thriller, the researchers called the cell phone built into the car network with a message supposedly sent from the tires. "It told the car that the tires had 10 p.s.i. when they in fact had 30 p.s.i.," team co-leader Tadayoshi Kohno told me—a message equivalent to "Stop the car immediately." He added, "In theory, you could reprogram the car while it is parked, then initiate the program with a transmitter by the freeway. The car drives by, you call the transmitter with your smartphone, it sends the initiation code—bang! The car locks up at 70 miles per hour. You've crashed their car without touching it."
Systematically probing a "moderately priced late-model sedan with the standard options," the Washington–San Diego researchers decided to see what else they could do. They took control of the vehicle by contacting the hands-free system through the built-in cellphone and playing a special audio file. They compromised the hands-free microphone and recorded conversations in the car as it moved. They reprogrammed a mechanics' diagnostic computer to let them take over the sedan's operation remotely, at a time of their choosing. They used Bluetooth signals to start cars that were parked, locked, and alarmed. They did all this with instructions sent from a smartphone.
There was nothing to stop them. "Except for medical devices," Stuart McClure, chief technical officer of the anti-virus company McAfee, told me, "nobody regulates any of this stuff." And medical devices are regulated for safety, not security. Because government isn't wielding a cudgel, security is entirely up to the manufacturers. In McClure's view, "maybe 90 percent" of the vendors don't see security as critical. The same thing was true of computer-software companies, he pointed out. Not until credit-card numbers by the millions began to be stolen did they begin to pay attention. "We live in a reactive society," McClure went on, "and something bad has to happen before we take problems seriously. Only when these embedded computers start to kill a few people—one death won't do it—will we take it seriously."
It is a commonplace that most murders occur at home, which leads (solely for the purposes of illustration) to my own. My wife is an architect, so when we recently built a house we built one to her design. Late last spring, we moved in, hauling boxes as workers hurried to finish the last details. One day I walked into the basement to find the plumber peering in puzzlement at a device installed next to the circuit breakers. It was a white, lozenge-shaped object with a small L.E.D. panel on its face that showed a "dotted quad"—an Internet address in the form of four numbers separated by periods. "What's that?" asked the plumber. "It looks like your house is connected to the Internet."
I didn't know. The contractor didn't know, either. Nor did the cable guy or the house-alarm guy. After a few phone calls, I learned that our electric company had installed the mystery box to monitor the new solar panels on the roof. Our house—or at least our roof—was part of the Internet of Things.
The white lozenge, it turned out, was part of a "smart meter," one of the most common among a wave of new devices that will, developers hope, produce the domestic dream of a "smart home." In smart homes, residents can control their lighting, heating, air-conditioning, fire and burglar alarms, lawn sprinklers, and kitchen appliances with the touch of a button. Increasingly, that button is on a computer or smartphone. These systems can help make homes more convenient, energy efficient, and safe. They are also a point of entry for online intruders—no different, really, from an open window or an unlocked door.
Computer-security researchers are focusing attention on smart meters in part because utilities have been installing them by the millions. (The Obama stimulus bill provided $4.5 billion for "smart grid" projects; the European Union has mandated a switch-over to smart meters by 2022.) Instead of learning about energy consumption inside a home or building from meter readers in white vans, electric companies now know about power usage in real time, from streaming data provided over the Internet, letting them avoid the cascading failures that lead to blackouts. Utilities talk up the environmental benefits of smart meters—no more wasted power! Utilities are quieter about "remote disconnect"—the possibility, created by smart meters, of cutting power to nonpaying customers with the flick of a switch or the punch of a phone key.
Because smart meters register every tiny up and down in energy use, they are, in effect, monitoring every activity in the home. By studying three homes' smart-meter records, researchers at the University of Massachusetts were able to deduce not only how many people were in each dwelling at any given time but also when they were using their computers, coffee machines, and toasters. Incredibly, Kohno's group at the University of Washington was able to use tiny fluctuations in power usage to figure out exactly what movies people were watching on their TVs. (The play of imagery on the monitor creates a unique fingerprint of electromagnetic interference that can be matched to a database of such fingerprints.)
Like the computer on my home-office desk, the smart-meter computer in my basement is vulnerable to viruses, worms, and other Internet perils. As long ago as 2009, Mike Davis of IOActive was able to infect smart meters with virus-like code. The infected meters could then spread the malware to other, nearby meters. In theory, smart-meter viruses could black out entire neighborhoods at a stroke. They could also ripple back and infect the central controls at utility companies. Because those utility networks are usually decades old, they often lack basic security features, such as firewalls and anti-virus protection. "If I'm a bad guy, I'll wait till there's a major snowstorm or heat wave," said McClure. "Then kill the heat or A/C." Under such circumstances, he observed, "the elderly die very easily."
For average homeowners like me, smart meters are almost as invisible as their risks. We're much more aware of the new temperature, security, and lighting controls operated by smartphones or tablets. (In September, the big real-estate developer Taylor Morrison announced a nationwide rollout of "interactive home" that include front-door video monitoring, whole-house Internet audio integrated with iTunes, and remotely programmable lighting and appliances.) Just around the corner, according to tech analysts, are refrigerators that alert families when they've run out of milk, ovens that can be turned on from the office, counters that double as video displays for recipes, videos, or Skype chats, and sensors that detect when residents are ill or hurt and that automatically call 911.
In the rush to put computers into everything, neither manufacturers nor consumers think about the possible threats. "I would be shocked if a random parent at Toys R Us picked up a toy with a wireless connection and thought, I wonder if there are any security problems here." Kohno said to me. As he has himself demonstrated, children's Erector Sets with Web cams can be taken over remotely and used for surveillance. Kohno added, "I just hope you can't use them to turn on the broiler and set the house on fire." It was meant as joking hyperbole. But you won't need an Erector Set to physically turn on the broiler. Smartphone apps will do that for you. And when that's done—what the heck—you can kill the power, disable the fire alarm, suppress the call to 911, and for good measure start the car and leave it running in the garage.
Today, of course, these threats are remote. Only experts like Kohno can digitally hijack a house. But it is the nature of software to get easier to use and more widely available. Creating the first Internet worm required months of work in the late 1980s by a brilliant computer-science student, Robert T. Morris, who is now a professor at M.I.T. Today "virus construction kits" are readily downloadable on the Web, intended for teenaged miscreants with little programming ability. The expertise and time required for this type of vandalism have steadily declined. As a result, Internet threats have steadily risen. As I researched this article, every single computer-security expert I spoke with said they expected precisely the same pattern—obscure and rare to common and ubiquitous—to hold for the Internet of Things.
More than 1.5 million external defibrillators—flat, plastic devices that deliver shocks to people in cardiac arrest—have been installed in American offices, malls, airports, restaurants, hotels, stadiums, schools, health clubs, and, of course, hospital wards. (Usually bright red or yellow, they are typically mounted in boxes that look a bit like big fire alarms.) A.E.D.'s, as they are called, administer shocks through two pads taped to patients' chests that also monitor their heartbeats. Many have the ability to simultaneously call 911 when they are used. A.E.D.'s are, in fact, computers, and most of them are updated with Windows-based software on a U.S.B. stick.
Last year, Kevin Fu of the University of Massachusetts and five other researchers decided to find out whether an A.E.D. could be hacked. They discovered four separate methods for subverting the apparatus, two of which would allow the A.E.D.'s to be used as a portal for taking over nearby hospital computers.
In a way, Fu told me, using A.E.D.'s to hijack hospital computers was "irrelevant," because computers are often already compromised by other means. Critically important devices like the fetal monitors for women with high-risk pregnancies can be so burdened with malware they no longer function. "I remember one computer in a radiology room that was absolutely riddled with viruses because the surgeons and nurses checked their e-mail on it," Fu said. "And it was the computer that ran the radiology equipment." Why didn't people check e-mail on a separate computer? "They said there wasn't enough room on the table for two machines," he said.
Even when staffers aren't careless, hospital-security problems can be difficult to fix. Medical manufacturers, Fu said, frequently will not allow hospitals to modify their software—even just to add anti-virus protection—because they fear that the changes would have to be reviewed by the U.S. Food and Drug Administration, a complex and expensive process. The fear is wholly justified; according to the F.D.A., most medical-device software problems are linked to updates, patches, and revisions.
Hospital equipment like external defibrillators and fetal monitors can at least be picked up, taken apart, or carted away. Implanted devices—equipment surgically implanted into the body—are vastly more difficult to remove but not all that much harder to attack.
You don't even have to know anything about medical devices' software to attack them remotely, Fu says. You simply have to call them repeatedly, waking them up so many times that they exhaust their batteries—a medical version of the online "denial of service" attack, in which botnets overwhelm Web sites with millions of phony messages. On a more complex level, pacemaker-subverter Barnaby Jack has been developing Electric Feel, software that scans for medical devices in crowds, compromising all within range. Although Jack emphasizes that Electric Feel "was created for research purposes, in the wrong hands it could have deadly consequences." (A General Accounting Office report noted in August that Uncle Sam had never systematically analyzed medical devices for their hackability, and recommended that the F.D.A. take action.)
Some 20 million Americans today carry implanted medical devices of some kind. As the population ages, that number will only grow, as will the percentage of those devices that are accessible by smartphone. So will the number of connected smart homes. Possibly people will own versions of Google's driverless car, in which all navigation is controlled by computers and sensors—devices that a hacker with a smartphone can adjust with satisfactorily grim results. If Ridley Scott, say, were to attempt a remake of Dial M for Murder, I'm not sure he'd know where to begin.
"In 10 years," Kohno told me, "computers will be everywhere we look, and they'll all have wireless. Will you be able to compromise someone's insulin pump through their car? Will you be able to induce seizures by subverting their house lights? Will you be able to run these exploits by cell phone? What's possible? It's more like 'What won't be possible?'"
Post a Comment