Our growing security quagmire
- 21 May, 2010 05:44
Information security was always an esoteric field but with personal computing came personal security issues, culminating in the identity theft problem that concerns even the most techno-phobic of consumers. It's about to get much worse.
The latest interesting areas for security come from the proliferation of connected computing devices into new areas of our life: mobile devices (for example iPhone, Droid, iPad), building automation (smart-grid) and automotive computing. Up to now, we've worried about computers messing with our money. Now we can add to that the worry of computers tracking our location, killing our power and crashing our cars. As a security professional I am simultaneously appalled and hopeful for my job security.
The iPad and iPhone devices have really got people excited about handheld computing. But few people stop to think about the security implications. No other device is as intimately connected to a user as a smartphone. I often forget my wallet and my keys, but I rarely go anywhere without my smartphone. That makes my phone a fantastic tool for location based personal services, but also for ubiquitous and extremely intrusive surveillance.
The specs of the latest smartphones add up to a serious security problem: GPS, cellular data and location, magnetic compass, accelerometer, microphone and video camera. If you compromise a device that never leaves the side of the owner and contains those features, you have the most sophisticated surveillance system ever devised. It's far worse than compromising a PC or reading someone's e-mail. You could literally bug every conversation while knowing exactly where the user is and even if they are walking or lying down!
Last week, researchers at the University of Washington and the UC San Diego demonstrated the implications of compromising a car's built-in computer network. All modern cars have an embedded computer network that provides diagnostic information and some remote control capabilities. The researchers where able to control the engine, car doors, lights, speedometer and other functions.
Now, today this kind of compromise requires some initial physical access to connect to the OBD-II (On-Board Diagnostics II) port to sniff and inject data packets. But increasingly cars are connected to wireless networks, exposing those capabilities to remote control. One such system for remote control and access is OnStar, but it is easy to imagine a world where every car does telemetry and remote control. Are these systems secure from remote compromise? Just recently a disgruntled employee at a security company (not OnStar) remotely disabled hundreds of cars. Not very reassuring.
Finally, we are seeing the rapid deployment of smart-grid and smart-meter technology, with the explicitly stated goal of linking consumer devices in the home with utility company systems for energy management, visibility and consumer control. What about security? Well most security researchers think that such infrastructure would be more vulnerable to a broad attack than the existing grid.
Information security was once the domain of researchers and defense contractors. When we invited information technology into every aspect of our lives, we made security a household concern. Not that you shouldn't welcome the technology - but you should be prepared to see more security controls and concerns in more areas of your life too.