Smart burglars will ride the surf of inter-connected hackability
Let’s invent a dustbin that throws itself away
Posted in Security, 23rd June 2017 09:02 GMT
Something for the Weekend, Sir? What the world needs now is an intelligent dustbin. It would be the pinnacle of achievement for the Internet of Things sector.
But wait – it already exists! And in common with its robotic, pseudo-not-actually-AI brethren, it has a suitably daft anthropomorphic moniker. Instead of labelling it with a gender-presumptive name such as Beryl or Daryl, they’ve called it Baryl.
That’s right: Baryl. As in “of laughs”, “of bullshit”, “they’ve got you over a”, “shooting fish in a”, or, most appropriately for the IoT market, “scraping the bottom of a”.
Have a look here at Baryl in action, unnecessarily trying to clean up the already spotless passenger concourse at Montpellier train station.
Notice how insistently Baryl pursues potential bylaw offenders, eager to chomp their waste and prevent untidiness. It can't be bargained with. It can't be reasoned with. It doesn't feel pity, or remorse, or fear. And it absolutely will not stop, ever, until you are relieved of your litter.
Just imagine the fun you could have hacking into Baryl. If you were feeling small-minded, you could get it to chase people around the concourse while bleating “om-nom-nom” although as far as I can see, it pretty much does that already.
Much more likely for any self-respecting Reg reader would be to reprogram it to trundle up to the automated ticket machines and get it to purchase cross-European railcards using the details from the last credit card entered into the slot.
Lawyers, calm down. I am not suggesting that Baryl is easy to hack. It could well be that a robot dustbin has been designed with far tighter security protection than, say, all the billion-dollar corporates which are currently suffering customer data loss and ransomware attacks on a daily basis. I am, however, stating that Baryl is as much a potential hacking target as every other Thing on the Internet.
The key word here is “target”. As the variety of interconnected devices increases, you no longer have to head straight for the one you’re after. Instead, you simply break into the device with the worst security and ride the interconnected surf until you hit gold. Even the most basic two-factor authentication doesn’t seem to figure in IoT once the little buggers are talking to each other.
Take the car industry, for example. It was little surprise, least of all to vehicle owners, that those rinky dinky card-keys could be spoofed by a determined thief. Yet these same owners are shocked to discover that thieves, having unlocked your car, have no interest in driving away in it. Instead, they upload malicious code from a USB stick via the car’s infotainment system.
As the current wave of ransomware attacks demonstrates, your car probably won’t be the target any more. Stuff your Mazda, pal. It’s the rest of your personal data and ultimately your wallet they’re after.
My favourite hack scare of the moment is the one about breaking into a computer by recharging an electronic cigarette. Who’d have thought that plugging a device directly into a USB slot could have security implications? I know, you must be as shocked as I am.
Sure, there’s not much storage space on a vape block but you only need enough to trigger a download of the full code and away it goes, hunter-seeking its way across whatever else your computer is connected to.
I have just returned from a lovely product demonstration intended to play upon my paranoia. It was an indoor home security video gadget that watches your hallway, back door or any other part of your house you wish and sends you smartphone app alerts if it notices anything untoward.
So far, so commonplace. The clever bit was that the device uses a bit of AI to learn to recognise faces, so it only alerts you if it sees someone unfamiliar entering your home. Or the cat.
To put my data security terrors at ease, I was assured that the device records its video feed locally to an SD card plugged in at the back. So when you choose to access any of it, you do so sort-of directly from app to device rather than via the intermediary of cloud storage.
Of course, if the burglar (or the cat) notices the device when breaking in, he could always unplug it from the mains and take it home with the rest of the swag, SD card and all. Even if you configured it to upload alert videos automatically from SD card to Dropbox, it might not have enough time to start uploading before the foul deed is done.
In the device’s favour, it records in sharp HD – a far cry from good ol’ CCTV which captures video quality akin to a VHS copy of Die Hard rented from Blockbusters after Christmas 1989. In CCTV’s favour, traditional security cameras tend to be situated inaccessibly high up a wall rather than sitting conveniently in front of you on a bookshelf near a wall socket.
God forbid that the burglar thinks of wearing a mask to disguise his identity. What next? Gloves?
But all of this is academic. A nifty burglar will hack into your home security device through a chain of infection, starting from a humble e-cig. Malicious code will then flow through your connected junk of unnecessary gadgetry, via your smart lampshades, robotically enhanced cutlery and intelligent toilet seats, and simply put your security camera in sleep mode.
On the way, it will change the timer on your boiler, unlock your autonomous vehicle and reprogram the skills in Alexa. You’ll come home to find the only warm place in the house is the fridge, your car has driven itself to Devon for the weekend and Amazon has delivered 4,000 bananas.
So beware: it’s through the small things that we’ll get targeted. Hang on, I’ve just thought of a really good use for Baryl.