Ubiquitous Roots

Our stuff is becoming ever more connected. For several years we have been told of the delights of a utopian consumer technology dream of ubiquitous computing that allows the coffee pot to add filters to my shopping list when I am almost done with a box worth. Or perhaps a water dispenser that emails the Sparkletts delivery man every week with my drinking water usage so that he knows how many bottles to drop off.

However this new dawn of processors and internet connections in everything opens up some very significant security concerns. A good way to start to think about them are to try to answer two questions. If everything is computerized, what is worth rooting, and what is worth protecting. We’ll start with the bit about rooting.

The simple answer is that everything would be worth taking control of. My table lamp is the perfect node for a botnet. It would always be on and connected (waiting for the light switch to send it a network request to turn on). It would be neglected. No one is going to download firmware upgrades for their lights. Security vulnerabilities will go unpatched on most devices that have almost invisible computing/communications functionality. Another part of that neglect is that as long as the infection doesn’t break my lamp I am unlikely to suspect anything is wrong and so I probably won’t run a virus scan on it.

Household appliances and the like will be great targets for the botnet spammers and DDOS crowd. Truly though, anything that is connected is a good target for them. The next two layers of usefulness come from information gathering and subversion of core functionality.

Your smartphone is the perfect thing to gain control of if I want to know everything about you. I can log your gps coordinates to see where you go and where you are currently. I can see your text messages and emails. I can even turn on the cameras and microphone without you knowing to eavesdrop on a sensitive meeting.

Your refrigerator and pantry are great targets. They will be two of the main nodes in your household inventory control system that watches the RFIDs of all your stuff to see what you need more of. The grocery store in town that you don’t have a loyalty card with would love to know exactly what you are low on so that it can send you perfectly targeted coupons to try to suck you in.

Lots of your stuff would be useful to the many different types of hackers that collect and sell personal information. Onto subversion.

Turning my toaster on isn’t a very useful hack for pretty much anyone. Setting off my home alarm, keeping it from sending the usual cry for help over the network to the alarm company, and then showing up dressed like someone from the alarm company after the alarm has been going off for fifteen minutes in the middle of the day when no one is home would be a good way to cover gaining entry to my house for a quick raid on my air gapped(non network connected) hard drive that contains all my swiss bank account numbers.

Subverting my car is great if you want to kill me, or just make me late for a meeting.

Protection. Obviously I have a strong personal interest in protecting against subversion of critical systems. I also have a personal interest in protecting myself against information gathering, but I might not want to put as much effort into protecting against this as I do against subversion. Finally, I don’t give a rip if my microwave is spamming you with extended auto warranty advertisements.

However, there is a societal interest in avoiding this. As addressed earlier, cyber crime enables cyber war/terrorism which no one wants. Also, botnets suck up public resources such as bandwidth, electricity, and consumer tolerance for ads. Luckily it only takes very occasional scanning and patching to usefully protect against this type of threat since it is the aggregate infections that matter, not the individual infections.

To sum up, when everything is computerized, everything will be worth attacking to a greater or lesser extent, and everything will be worth defending with varying amounts of effort and cost. How those defenses will be implemented is an important question that needs to be answered soon because I don’t want to buy a Norton license for my doorbell.