Monday, October 26, 2020

Cybersecurity for our hyperconnected future (Cybersecurity Awareness Month, Day 26)

[Graphic: "Do Your Part. #BeCyberSmart", the campaign slogan encouraging individuals and organizations to own their role in protecting their part of cyberspace]

We are now in the final week of Cybersecurity Awareness Month, 2020. The theme for this week is to look at the future of connected devices, specifically:

"how technological innovations, such as 5G, might impact consumers’ and business’ online experiences (e.g. faster speeds and data transmission, larger attack surface for hackers), as well as how people/infrastructure can adapt to the continuous evolution of the connected devices moving forward."

I am quoting there from the guidelines on the National Cybersecurity Alliance website. They go on to say: "No matter what the future holds, however, every user needs to be empowered to do their part." So what does that mean in practice? I will try to answer that question this week, beginning with this article, written for day 26 of Cybersecurity Awareness Month.

But first, we need some context, and if you like to get your context via video, watch this short one from the StaySafeOnline website. It makes the important point that "as technologies evolve, so will the behaviors and tactics of cyber criminals." 

[Image from the video: a person adjusting a temperature control app on a smartphone, captioned "as technologies evolve, so will the behaviors and tactics of cyber criminals"]

I captured this image from the video because it suggests a cool way of researching people's attitudes to technology. First, we show our subjects a clip of this, without the text, then we ask them what they saw. Most people will probably say something like: it's a person using a smartphone app to adjust the temperature of something, maybe a room somewhere.

Now we ask our subjects a second question: assume this is a person changing the temperature of a room somewhere, and give me all the reasons you can think of for doing this. If none of the answers involve some sort of negative reason—such as "annoying the person in that room" or "proving to the owner of the room that you have taken control of their heating system"—then I suggest that this group of subjects needs more cybersecurity awareness training.

Why do I say that? Because protecting technology from abuse requires us to think about what could possibly go wrong. In fact, what could possibly go wrong is something of a mantra for people working in cybersecurity. Because if you're not thinking about what could possibly go wrong with any given piece of hardware or software or combinations thereof, you're probably not going to do a good job of preventing it actually going wrong.

Of course, what could possibly go wrong is used in contexts other than cyber, often with a question mark. You can sometimes find the hashtag #WCPGW trending. I used it when I tweeted my response to this Apple announcement a few months ago: "The digital car key on your compatible iPhone allows you to conveniently and securely lock, unlock, and even start your BMW." I mean WCPGW!

That response is not me being some cynical old white dude, even though I might look like one. It is me being aware of dozens of examples of new technology being hailed as cool and convenient and safe, only to become yet another contributing factor in the relentless expansion of global cyberbadness (see the list of tech that I have posted on the right, about which I will have more to say later).

Still think it's just me being a cranky curmudgeon? Look at what happens when we Google "can thieves steal keyless cars". Right away we see that:

Criminals can easily steal top keyless-car models using cheap equipment that's available online ... The study looked at 237 models of cars that can be started with an electronic rather than mechanical key, and found thieves could unlock 230 of them without much difficulty. (Fortune, 28 Jan 2019)

Of course, technophilic tech bros may discount Fortune magazine as just a bunch of cynical old white dudes, but the facts speak for themselves, and so does the app, the one that my local police force uses to let folks know whenever a car is stolen without keys.

Which brings us back to cybersecurity awareness, which for millions of people now includes their keyless cars. If you are one of them, here are the top five security tips from a leading UK locksmith:

  1. Use a blocking pouch
  2. Turn off keyless fob's wireless signal
  3. Use a steering wheel lock or car alarm
  4. Re-programme your keys
  5. Park defensively

Jackware: a case study in future threats

Bearing all of the above in mind, you can maybe understand why, back in 2016, I tried to raise awareness of a future cyber-threat that I called jackware, a threat that was not "real" at the time, but one which will—I firmly believe—become real under the "right" circumstances. 

Here's how I first described jackware on this blog: "Think of jackware as a specialized form of ransomware. With ransomware, the malicious code encrypts your documents and demands a ransom to unlock them. The goal of jackware would be to lock up a car or other piece of equipment until you pay up."

A formal definition of jackware would be: malicious software that seeks to take control of a device, the primary purpose of which is not data processing or communications, for example: your car. In my original article I said jackware would become particularly dangerous when there are more self-driving cars and vehicle-to-vehicle networks; and I suggested this nightmare scenario: 

"You're in a self-driving car. There's a drive-by infection, silent but effective. Suddenly the doors are locked with you inside. You're being driven to a destination not of your choosing. A voice comes on the in-car audio and calmly informs you of how much Bitcoin it's going to take to get you out of this mess."

Not long after I wrote that, the possibility of jackware began to generate media attention, in both automotive and IT news outlets. Here are the top 10 articles that address it, only two of which were written by me: 

  1. Jackware: When connected cars meet ransomware
  2. Motor Mouth: Will your self-driving car kidnap you?
  3. Ransomware: The Next Big Automotive Cybersecurity Threat?
  4. Prepare for the day when a hacker takes over your self-driving car and kidnaps you enroute
  5. How Safe Are Cars from Hackers?
  6. Heard of Jackware? When connected cars meet ransomware
  7. Jackware hits the big screen in #Fast8: Fate of the Furious
  8. ‘Who the hell hacked my car?’ Is jackware (ransomware for connected cars) inevitable?
  9. Ransomware + IoT = Jackware?: the evolution of ransomware attacks
  10. Why Data Security is More Important Than Ever

As of today, the nightmare scenario that I described in 2016 has not played out in real life (assuming you don't count the Fast and Furious movies as real life). But even though the automotive industry is taking cybersecurity a lot more seriously today than it did 10 or even five years ago, nothing I have seen or heard in the last four years leads me to think jackware will never happen. 

To be clear, I have been actively tracking this issue. I attended a 2018 talk by the two guys who infamously hacked a Jeep in 2015. I discussed the practical aspects of ransomware with several experts under the Chatham House Rule, including award-winning researchers at UCSD who were already alerting the automotive industry to weaknesses in vehicle computer systems back in 2010 (and have recently been recognized for their pioneering work).

My point is that the technology industry has such a long history of getting security wrong—which was the point of the list shown earlier—that there has to be a presumption of failure, perhaps more kindly described as an eventual inadequacy relative to threats. That is what I was getting at when I gave this quote in Car and Driver:

"The computer systems are designed, features are designed, products are brought to market, and people adopt them. On the other side, hackers speculate, probe, develop a proof of concept, [criminals] attack, and then finally monetize the threat."

When you add to the equation the incredibly low probability of capture and sanction that criminals currently face when monetizing the exploitation of vulnerabilities in technology, and the abject failure of world governments—so far—when it comes to agreeing upon ethical norms in cyberspace, you can see why I am so concerned about the future of cybersecurity.

But what can we do about this?

So here we are, in the final week of Cybersecurity Awareness Month, thinking about how technological innovations might impact consumers' and businesses' online experiences, as well as how people and infrastructure "can adapt to the continuous evolution of the connected devices moving forward," while trying to keep in mind that "no matter what the future holds, however, every user needs to be empowered to do their part."

We've looked at some technologies—such as keyless cars and self-driving cars—that are advancing and spreading rapidly, while at the same time introducing new security challenges. We've even noted several individually empowering security tips, like keeping your keyless car fob in a blocking pouch. Another tip might be to only buy those cars that have the least hackable features. But somehow I don't see steps like that holding back the rising tide of hackable connected devices on our planet and in our lives.

One 2019 report projects that the number of connected IoT devices will be 24 billion by 2030. If you add up both "normal computers" and IoT devices, that number probably passed 22 billion total during 2018. That works out to just under three connected devices per woman, child, and man. 

The UN reckons humans will number 8.5 billion by 2030. That means there could be six connected devices for every one of them by the early thirties (that 2019 report predicts there will be 50 billion such devices by 2030).

Now consider the predictions about 5G growth. If those are correct, most of those 50 billion devices will be connecting at very high speeds, from just about everywhere. Stated bluntly, if governments and technology companies don't step up, a decade from now we will have more crime, way faster, in way more places, affecting way more people. 

So how do we get governments and technology companies to step up? We can start by reaching out to them and letting them know how concerned we are. I will offer some suggestions along those lines before the end of the month. For now I will just note that there are many ways in which technology itself can help with this outreach, for example, by making it very easy to contact representatives in the US and just about any elected official in the UK.

P.S. Remember, whenever we vote to elect representatives, we can vote for those most likely to take cybersecurity as seriously as it needs to be taken.
