Wednesday, May 24, 2017

The frightening implications of the Internet of Everything


Maybe the most important thing you can read today.

The Threat
A Conversation With Ross Anderson

If you get a safety flaw in a traditional car—say, the A-Class Mercedes, which would roll if you braked and swerved too hard to avoid an elk, they fixed that—they shipped a service pack and changed the steering geometry. Nobody died, so that’s okay. But if you’ve got a flaw that can be exploited remotely over the Internet—if you can reach out and put malware in ten million different Jeeps—then that’s serious stuff. This happened for the first time in public a couple of years ago when a couple of guys drove a Jeep Cherokee off the road. Then the industry started to sit up and pay attention.

That can also be used as a diplomatic weapon. You want sanctions on Zimbabwe? Just stop all the black Mercedes motor cars that Mr. Mugabe hands out to his henchmen as payment. We raised that with the German government. What would your reaction be to an American demand to do that? Well, it was absolute outrage! So diplomacy comes in here.

Conflict also comes in. If I’m, let’s say, the Chinese government, and I’m involved in a standoff with the American government over some islands in the South China Sea, it’s nice if I’ve got things I can threaten to do short of a nuclear exchange.

If I can threaten to cause millions of cars in America to turn right and accelerate sharply into the nearest building, causing the biggest gridlock you’ve ever seen in every American city simultaneously, maybe only killing a few hundred or a few thousand people but totally bringing traffic to a standstill in all American cities—isn’t that an interesting weapon worth developing if you’re the Chinese Armed Forces R&D lab? There’s no doubt that such weapons can be developed.

All of a sudden you start having all sorts of implications. If you’ve got a vulnerability that can be exploited remotely, it can be exploited at scale. We’ve seen this being done by criminals. We’ve seen 200,000 CCTV cameras being taken over remotely by the Mirai botnet in order to bring down Twitter for a few hours. And that’s one guy doing it in order to impress his girlfriend or boyfriend or whatever. Can you imagine what you can do if a nation-state puts its back into it?

All of a sudden safety becomes front and center. And that, in turn, changes the policy debate. At present, the debate about access to keys that we’ve had with Jim Comey’s grumblings in the USA and with our own Investigatory Powers Act here in Britain has been about whether the FBI or the British Security Service should be able to tap your iPhone—for example, by putting malware on it. People might say, “Well, there’s no real harm if the FBI goes and gets a warrant and taps John Gotti’s phone. I’m not going to lose any sleep over that.” But if the FBI can crash your car? Do you still want to give the FBI a golden backdoor key to all the computers in the world? Even if it’s kept by the NSA, then the next Snowden maybe doesn’t sell the golden key to The Guardian, maybe he sells it to the Russian FSB.

We suddenly get into a very different policy terrain where the debates over who gets access to whom, and when, and how, and why, are suddenly sharp. It’s not just your privacy that’s on the line anymore, it’s your life.
Call me paranoid, but i could not help but think of the death of Michael Hastings

No comments: