If you are worried about your smart TV recording your most intimate conversations in its “Fake Off” mode and sending those over the internet to a covert CIA server, you are right to be worried.
As we saw in the WikiLeaks’ Vault 7 dump, the CIA’s malware known as “Weeping Angel” places the target television in a “Fake Off” mode, so that the owner falsely believes the TV is off when it is on. In “Fake Off” mode, the TV operates as a “wiretap,” recording conversations in the room and streaming them back to the CIA.
But as worried as you may be right now, the future will be far more frightening.
Chat bots, which are commonly used to pose as “real” people (e.g., Facebook friends) and trick us into doing things like installing a browser extension that can read and change personal data on the websites we visit, are increasingly popular with criminals. Turning these bots into attack vectors that can burrow into our home electronics will be the next wave of cyberterror that will soon be making headlines everywhere.
The automated botnet attack that brought our internet access to a halt for most of the day back on October 21 of last year was caused by an organized blitzkrieg of randomly compromised IoT devices like cameras and DVRs. Any internet-connected thing makes a perfect botnet node, as such devices are easy to compromise, hard to patch, and their takeover is completely transparent to the owner. Most home computer-related or internet-connected devices ship with default passwords that are easy to guess, and most consumers don’t ever change them — let alone know they exist.
It often doesn’t occur to us that we offer up our personal information to services like Google and Amazon and tons of other apps that we access via our smartphones. We do this so the folks at Amazon and Google can serve us better. And Alexa and the Google Assistant, for example, know far more about us than we realize. In order to get better at understanding your voice commands, they both capture and process clips of your chatter throughout the day.
Since both are activated via a voice prompt, they are in constant “listening” mode, and while both companies are careful to assure us that their privacy-compliant algorithms prevent them from recording or transmitting non-transactional data, how confident are you that sophisticated hackers are not able to capture and record this data for other purposes? If Weeping Angel can be pointed at a smart TV, why not at Alexa?
We should assume that all communications with chat bots, which are the backbone of all social networks, will be logged in perpetuity and available for arbitrary monitoring and review by private and governmental organizations at any time and for any purpose. U.S. Executive Order 12333, policies like USSID 18, and other accompanying guidelines clearly state that our intelligence agencies can collect, retain, and share any “US personal information and data without a probable cause warrant.” This is the law of the land today.
IoT bots pose an even more insidious threat than this ongoing capture of our personal information. Ransomware became one of the main cybersecurity threats of 2016. It is designed to attack personal and corporate computers, locking valuable files and only unlocking them in return for a paid ransom. In spite of considerable cybersecurity effort spent trying to combat these attacks, ransomware is still growing as a threat and the attack styles have become more sophisticated. In other words — we can’t stop it.
While traditional ransomware attacks your computer and locks your files, IoT ransomware will target control systems in the real world, shutting down vehicles, turning off power, stopping production lines, and shutting down power grids, water supplies, and shipping ports. An interesting target would be surgical devices in operating rooms and implantables. What would you pay to restart your pacemaker, defibrillator, or insulin pump?
Regardless of the form bots take, they will become a major component of our digital, always-on world. They will become ubiquitous, and every text message or tap on an app will become part of the open book called “your life” that their algorithms will relentlessly extrapolate. Their potential for arguably improving the quality of our lives has been aptly demonstrated, and there are tons of business cases that prove their value.
But if there ever was a rational argument for government intervention, it is here in the realm of IoT device manufacturing and control. There are simply no security regulations that manufacturers need to comply with when developing that next cool thermostat or toaster or even that new app or software control system. I am the last guy to argue for government regulations or government anything, but for the same reasons we have the Centers for Disease Control and Prevention stopping the spread of disease, we need a set of rigorous controls over how IoT devices and associated software are manufactured. This is one place where the free markets will not prevail as the average consumer is unaware of the dangers inherent in all of these IoT thingies.
We will no doubt continue to offer up goldmines of personal information to services like Amazon and buy new home electronics that make our lives easier through the magic of our smartphones — but when hackers learn to monetize IoT vulnerabilities and decide to take full advantage, it will be too late to turn the ship around.
I am confident the Trump administration recognizes these dangers and is working hard at creating a cybersecurity policy that reaches across the computer and IoT landscape and establishes baseline controls for creating these products and for limiting our government’s ability to monitor every aspect of our daily lives.
That’s what a business guy, who is not beholden to special interests, would do.
Steve King is the COO and CTO of Netswitch Technology Management.