Over the last decade, technology has assumed a fundamental role in our daily lives. We are increasingly surrounded by discrete intelligent components that offer us more sophisticated choices and are designed to enhance our personal experience and quality of life. From our phones, to our home security systems, to the refrigerators in our houses, an increasing number of devices are constantly connected to the internet and to each other.
We are talking about ambient intelligence, and what is known as “the Internet of things”, whereby devices can communicate and interact with one another, as well as with other web services online, based on events or other design parameters.
It is these smart objects that will constitute the revolution of the next-generation internet. A simple example may be a smart fridge which detects that the sell-by date of a product on a shelf has passed, or which automatically orders fresh supplies when certain items have been consumed. Nowadays people can monitor their property, control their central heating, switch on an oven in advance of their arrival, and open the curtains and blinds simply via the internet or even a mobile phone. There is no doubt that these advancements can contribute significantly to enhancing our quality of life, alongside the inherent ecological benefits that can be achieved through efficiency and other advancements.
However, the rise of ubiquitous services and the integration of the network within the objects of everyday life (each person is typically surrounded by some 4000 objects), exchanging and accumulating vast quantities of data, raises serious questions about privacy, trust, security and governance, which need to be considered in the design of these objects.
Private companies and intelligence agencies are aware of the potential of such devices and are interested in exploiting the intelligent components of their architectures. Many experts are convinced that this is the new frontier of cyber espionage: spying on a subject through their interaction with the objects in the environment that surrounds them.
Security concerns are justifiably high. These devices, which can communicate and exchange information with one another, can supply all kinds of information about us, our experience and our habits. They can potentially be controlled remotely in order to spy on us or, even worse, deliberately tampered with remotely in order to cause damage. For example, an attacker could burst into the life of any citizen trivially through their TV or gaming console. The issue is extremely delicate and deserves careful study.
Further complicating this scenario is the interference of the entertainment industry, which is developing an increasing number of smart devices that expose users’ privacy to serious risk. Only last month Microsoft obtained a patent titled “CONTENT DISTRIBUTION REGULATION BY VIEWING USER”. The major concerns here relate to the use of cameras or video devices in PCs, mobile devices and TVs to monitor and identify the number of persons present, in order to verify their rights to view licensed content. Additionally, this can be used to monitor their habits and behavior in order to target them with new personalized offers based on information gleaned through and from their devices.
How would Microsoft use these cameras?
There are several technologies that can serve the purpose, probably using “facial recognition techniques” combined with analysis of video and audio input. The patent states:
“In an alternative embodiment, a fee can be charged for each viewer of the content for each view. In another alternative, at 225 and 240, a per-viewer license may comprise counting the number of viewers in a viewing area and directly charging for each identified user in the viewing area. Viewers may be uniquely identified and a count of the viewers determined, with the licensee then charged for each viewer accessing the content. Age and identity restrictions can be applied in this embodiment as well.”
TVs, PCs and gaming consoles are technology objects which have evolved and advanced rapidly thanks to sensors, cameras and microphones which are able to exercise meticulous control over their surroundings.
The security of these devices has to be carefully analyzed, and it must be properly approached in every cyber strategy which also takes into account the intelligent components of the things that surround us.
Some months ago former CIA Director David Petraeus, during a summit for In-Q-Tel, the CIA’s venture capital firm, alerted the community about the emergence of an “Internet of Things”. He said:
“‘Transformational’ is an overused word, but I do believe it properly applies to these technologies,” “particularly to their effect on clandestine tradecraft.”
“Items of interest will be located, identified, monitored, and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers, and energy harvesters — all connected to the next-generation Internet using abundant, low cost, and high-power computing,” “the latter now going to cloud computing, in many areas greater and greater supercomputing, and, ultimately, heading to quantum computing.”
This declaration by the official demonstrates the high interest that intelligence agencies like the CIA are taking in the development of new capabilities to intercept and steal secrets with zero effort, such as simply acquiring access through an appliance or through our gaming consoles.
The US Government is financing several activities to investigate and hack into the technology embedded in every device that ordinarily surrounds us. This is the next step in warfare: spying on and attacking foreign enemies simply by accessing devices that are present in their offices, in their houses and in their cars. Every device connected to the internet could be a target for a possible attack. The in-built intelligence can be used for numerous purposes, exploiting the lack of awareness of cyber threats.
For this reason, American cyber strategy has concentrated its research in this area, with the intent to qualify, in detail, the threats looking to benefit from and exploit this captive knowledge (in devices). The U.S. Government last year promoted a project to hack into video game consoles requesting the “Development of Tools for Extracting Information from Video Game Systems.”
The idea is simple and effective, given that nowadays consoles have the same computational capabilities as personal computers. They are always online, providing a huge range of services to the end customer. The latest generation of gaming consoles has advanced communication capabilities. Using these devices, users are able to communicate with every other player connected to the gaming platform (over the internet). They can make payments, transfer files and use chat rooms, as well as interact with other services. All communications and any other sensitive information stored in the console are objects of interest to the US intelligence agencies.
The U.S. Navy has reported that the scope of the project is to hack into used consoles to access any sensitive information exchanged through their messaging services. It has also guaranteed that the spying technology will only be used on nations overseas, due to internal law restrictions which don’t allow this practice to be carried out on US citizens.
The official U.S. Navy statement is:
“This project involves furnishing video game systems, both new and used, and creating prototype rigs for capturing data from the video game systems.”
The description in the actual contract on the Federal Business Opportunities website, posted on March 26, is:
“R & D effort for the development and delivery of computer forensic tools for analyzing network traffic and stored data created during the use of video game systems.”
The project has been assigned by the U.S. Government to the California-based company Obscure Technologies, under a contract of $177,237.50 for the job.
Similar projects have already been developed in the past. In 2008, a project called “Gaming Systems Monitoring and Analysis Project” was launched by law enforcement to investigate crime relating to paedophilia. For that project, law enforcement authorities requested help from the DHS’ Science and Technology Directorate, asking for an instrument that could observe game console data. DHS then went to the Naval Postgraduate School (NPS) to find Simson Garfinkel, an NPS computer science professor, to offer a contract to a company that could conduct the research and offer a product.
Obviously there are many concerns about the project and its legality. The Electronic Freedom Foundation (EFF) spokesman Parker Higgins has alerted the worldwide community regarding the illegality of accessing sensitive information stored on a console without the storage having been specifically requested by the user.
The main problem is: “What sensitive information do consoles keep without the explicit authorization of their users?”
Parker Higgins said:
“You wouldn’t intentionally store sensitive data on a console,”
“But I can think of things like connection logs and conversation logs that are incidentally stored data. And it’s even more alarming because users might not know that the data is created. These consoles are being used as general-purpose computers. And they’re used for all kinds of communications. The Xbox has a very active online community where people communicate. It stands to reason that you could get sensitive and private information stored on the console.”
The interest of the US is not isolated; many other governments are exploring the possibility of hacking the “intelligent component” of the objects that we ordinarily use. The main purpose, of course, is cyber espionage, but it must also be considered that the network capabilities of many devices could be enlisted for a cyber attack. Gaming consoles, mobile phones and TVs could all be used to conduct a DDoS attack against strategic targets.
Imagine a botnet made up of millions of mobile phones, which simultaneously launch an attack against a target! It is not science fiction, it is reality. Similar attacks may cause extensive damage in a scenario of warfare, and government is aware of it.
It must be considered that technology components are steadily increasing in every sector despite the crisis. We will always strive to support the creation of new opportunities for developing security systems to mitigate the new cyber threat, but it is essential that ordinary people, like you and me, understand the power of the devices we use and the inherent associated risks. This is only possible through a massive awareness campaign.
About the Authors:
Pierluigi Paganini, Security Specialist CISO Bit4ID Srl, is a CEH Certified Ethical Hacker, EC Council and Founder of Security Affairs (http://securityaffairs.co/wordpress).
David Pace is Project Manager of the ICT Gozo Malta Project, and a freelance IT Consultant.
ICT Gozo Malta is a joint collaboration between the Gozo Business Chamber and Synaptic Labs, part funded in 2011 by the Malta Government, Ministry for Gozo, Eco Gozo Project, and a prize winner in the 2012 Malta Government National Enterprise Support Awards. www.ictgozomalta.eu links to free cyber awareness resources for all age groups. To promote Maltese ICT, we encourage all ICT Professionals to register on the ICT GM Skills Register and keep aware of developments, both in cyber security and other ICT R&D initiatives in Malta and Gozo. For further details contact David Pace at [email protected] or phone +356 79630221.