Schneier on Security's Journal
 

Friday, August 23rd, 2013

    Time Event
    6:00a
    Hacking Consumer Devices

    Last weekend, a Texas couple apparently discovered that the electronic baby monitor in their children's bedroom had been hacked. According to a local TV station, the couple said they heard an unfamiliar voice coming from the room, went to investigate and found that someone had taken control of the camera monitor remotely and was shouting profanity-laden abuse. The child's father unplugged the monitor.

    What does this mean for the rest of us? How secure are consumer electronic systems, now that they're all attached to the Internet?

    The answer is not very, and it's been this bad for many years. Security vulnerabilities have been found in all types of webcams, cameras of all sorts, implanted medical devices, cars, and even smart toilets -- not to mention yachts, ATM machines, industrial control systems and military drones.

    All of these things have long been hackable. Those of us who work in security are often amazed that most people don't know about it.

    Why are they hackable? Because security is very hard to get right. It takes expertise, and it takes time. Most companies don't care because most customers buying security systems and smart appliances don't know enough to care. Why should a baby monitor manufacturer spend all sorts of money making sure its security is good when the average customer won't even notice?

    Even worse, that consumer will look at two competing baby monitors -- a more expensive one with better security, and a cheaper one with minimal security -- and buy the cheaper. Without the expertise to make an informed buying decision, cheaper wins.

    A lot of hacks happen because the users don't configure or install their devices properly, but that's really the fault of the manufacturer. These are supposed to be consumer devices, not specialized equipment for security experts only.

    This sort of thing is true in other aspects of society, and we have a variety of mechanisms to deal with it. Government regulation is one of them. For example, few of us can differentiate real pharmaceuticals from snake oil, so the FDA regulates what can be sold and what sorts of claims vendors can make. Independent product testing is another. You and I might not be able to tell a well-made car from a poorly-made one at a glance, but we can both read the reports from a variety of testing agencies.

    Computer security has resisted these mechanisms, both because the industry changes so quickly and because this sort of testing is hard and expensive. But the effect is that we're all being sold a lot of insecure consumer products with embedded computers. And as these computers get connected to the Internet, the problems will get worse.

    The moral here isn't that your baby monitor could be hacked. The moral is that pretty much every "smart" everything can be hacked, and because consumers don't care, the market won't fix the problem.

    This essay previously appeared on CNN.com. I wrote it in about half an hour, on request, and I'm not really happy with it. I should have talked more about the economics of good security, as well as the economics of hacking. The point is that we don't have to worry about hackers smart enough to figure out these vulnerabilities, but those dumb hackers who just use software tools written and distributed by the smart hackers. Ah well, next time.

    1:23p
    How Security Becomes Banal

    Interesting paper: "The Banality of Security: The Curious Case of Surveillance Cameras," by Benjamin Goold, Ian Loader, and Angélica Thumala (full paper is behind a paywall).

    Abstract: Why do certain security goods become banal (while others do not)? Under what conditions does banality occur and with what effects? In this paper, we answer these questions by examining the story of closed circuit television cameras (CCTV) in Britain. We consider the lessons to be learned from CCTV’s rapid -- but puzzling -- transformation from novelty to ubiquity, and what the banal properties of CCTV tell us about the social meanings of surveillance and security. We begin by revisiting and reinterpreting the historical process through which camera surveillance has diffused across the British landscape, focusing on the key developments that encoded CCTV in certain dominant meanings (around its effectiveness, for example) and pulled the cultural rug out from under alternative or oppositional discourses. Drawing upon interviews with those who produce and consume CCTV, we tease out and discuss the family of meanings that can lead one justifiably to describe CCTV as a banal good. We then examine some frontiers of this process and consider whether novel forms of camera surveillance (such as domestic CCTV systems) may press up against the limits of banality in ways that risk unsettling security practices whose social value and utility have come to be taken for granted. In conclusion, we reflect on some wider implications of banal security and its limits.

    4:00p
    Friday Squid Blogging: New Research in How Squids Change Color

    Interesting:

    Structural colors rely exclusively on the density and shape of the material rather than its chemical properties. The latest research from the UCSB team shows that specialized cells in the squid skin called iridocytes contain deep pleats or invaginations of the cell membrane extending deep into the body of the cell. This creates layers or lamellae that operate as a tunable Bragg reflector. Bragg reflectors are named after the British father and son team who more than a century ago discovered how periodic structures reflect light in a very regular and predictable manner.

    As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
