There are a lot of things Denver is known for being high on -- mostly altitude. Lately, it isn’t just the sticky green political battle that has been gaining attention. It’s the high-altitude antics of our local information security enthusiast Chris Roberts. But, like most highs and hacked aviation systems, this story is bound to plummet into the lifeless, high-desert plains. Why? News agencies are reporting that Chris Roberts, as a passenger, took control of an airplane mid flight by hacking the plane’s entertainment system, and was able to briefly redirect the flight’s course.
The fact is that the information security industry, the Department of Defense, the aviation industry, and other agencies, have known that this is possible for years. The capability itself is not news, and even if information security analysts want to presume they are the first to uncover a hole such as this, they aren’t. Embedded systems engineers, especially ones managing and building critical systems, are aware of these risks, and are continually working towards cost effective measures to combat these risks. After researching Internet of Things technology and embedded systems for over a decade, I came to realize that most engineering teams do understand the risks, but they are limited by budgetary constraints, talent, corporate politics, and time.
So how do we mitigate the risk? It’s not through a dramatic stunt such as redirecting the course of an airplane.To take control of a plane mid-flight, and potentially perform an action against the best judgment of the humans in control of the cockpit, against the flight management system that constantly evaluates sensors and statistical models far faster than a human is able to react, is a benefit to no one. Dramatizing the potential for loss of human life is a benefit to no one. No one wins by creating fear, uncertainty, and doubt. So why do it?
Over the past several years, the information security industry has exploded from a small group of loose-knit hackers who all knew each other, to an industry of millions of wannabe professionals vying for a speaker slot at the world-renowned Black Hat Briefings, DEFCON, or Hack In The Box security conferences. Our little universe has suddenly become saturated by newcomers that want to make a name for themselves, and stake a claim on the high salaries that come with notoriety. But, we’re also at a critical juncture in the technological advancement of the Internet, embedded systems, and accessibility.
The Internet of Things movement eschews the common perception of the Internet as a hidden highway of bits and bytes flowing through ethereal tubes, somehow disparate from the physical reality in which we all live. Instead, the IoT and modern embedded systems create a conglomeration of the human experience and the digital highway; fusing together the somatic human experience with intangible algorithmic expressions. The binding of these two universes means that, for the first time in human history, actions in an abstract virtual environment have a perceivable, tangible effect on the physical world. In other words, our thoughts now have consequences. Real consequences. And because of this, there are no more free thoughts. There is, instead, a quantifiable cost to everything we do as information security professionals.
When I performed the first remote hack of a vehicle security system in 2011 at Black Hat Briefings Las Vegas, I wasn’t aware of the real significance of what I had accomplished. To me, it was as simple as taking a small piece of technology and understanding its risks, and abusing its weaknesses, to achieve a goal that the device wasn’t meant to achieve. I knew that I had proven there was a new set of risks to users of IoT technology, but I wasn’t conscious of how entwined our lives would become in this next iteration of the Internet, nor did I realize how quickly IoT would explode into every aspect of our lives. It became obvious very quickly that we, as a society, were evolving far faster than we intended, as we turned the Internet into the Internet of Us; the human-digital existential experience. And, as we all know, innovation far outpaces sound security practices.
Another early researcher into IoT technology, Barnaby Jack, proved that there was a direct risk to humans with his research into pacemaker hacking, automated saline drip systems, and even Automated Teller Machine (ATM) attacks. For about a year we happened to live in the same apartment building in San Francisco. One afternoon, months before he was scheduled to give a speech on pacemaker hacking at Black Hat, I ran into him in the elevator.
“What do you think is going to happen with this new era of embedded risks? Any predictions?” I asked.
“I don’t know, but I don’t think it’s going to be pretty.”
I’ll never forget how forlorn Barnes looked, realizing that our actions now meant human lives were hanging in the balance of information security professionals. It’s a scary thought, that the right hacker could save hundreds of thousands of lives, or harm them. It’s a scary thought that Andrew Auernheimer was sent to prison for far less than probing critical medical systems. It’s a scary thought that Aaron Schwartz was persecuted, and subsequently committed suicide, for simply downloading documents. It’s a scary thought that Stephen Watt was imprisoned for years for writing a computer program. It’s a scary thought that engineers are developing the next iteration of the Internet with no requirements from the government, or engineering organizations, to adhere to safety and security standards. It’s a scary thought that some of our own information security scene members would risk the lives of people on their own plane just to prove a point, far exceeding the legal sins of Andrew, Aaron, and Stephen.
As we traverse through this brave new world of technology and an industry saturated by newcomers throwing bows for attention and viability, we can’t allow our ranks to disintegrate into some Industry of Cool, where we only care about what will grab people’s attention. We now have to consider the end-user’s physical safety, and adhere to ethics that ensure the consumer is considered far before any headline grabbing desires. Risking the lives of the people we are supposedly trying to save is not just unethical, it’s abhorrent. We need to mature our industry beyond its infantile rock star thought models, and build a foundation of trust between our ranks, systems engineers, business owners, and especially consumers. Now, more than ever, consumers need us to speak on their behalf, not put them at risk.
Every topic we research, everything we hack, every joke we make on Twitter, now, more than ever, has a quantifiable cost. Think the next time you make a statement that could put those around you at tangible risk. Because now, in this brave new world of self-driving cars, WiFi-enabled pacemakers, and bionic limbs, there absolutely are no more free thoughts without consequences.