Spy Dolls, Genius Machines: Cybersecurity Firms Look Ahead at RSA

Over the next five years, the number of connected devices will leap from five billion to 50 billion, Symantec CEO Michael Brown told cybersecurity professionals at a keynote address at the RSA Conference this week in San Francisco. The Internet of Things is one of the major trends that will define the security operations centers of the future, Brown said.

“We’re about to see the likes of sensors and compute power on a scale we’ve never seen before,” Brown said. Smart devices create the connection between cyber attacks and physical risks to critical infrastructure, including air traffic, power utilities and telecommunications. “This was inconceivable until five years ago,” he said.

“Some of these devices will be inside our bodies,” said former Secretary of the U.S. Department of Homeland Security Michael Chertoff, executive chairman of the Chertoff Group, a security consulting firm. Regulations should avoid stifling the technology, but they must preserve security and trust, he said.

“Without trust, the economic benefit of the Internet will be squandered,” Chertoff said during a panel discussion on “Beyond Encryption: Why We Can’t Come Together on Security and Privacy—and the Catastrophes That Await If We Don’t.”

At some point, our intelligent machines will be smarter than us, Oxford University professor Nick Bostrom said in a talk called “Safety Issues in Advanced AI.”

“When will we have human-level artificial intelligence?” asked Bostrom, director of the Future of Humanity Institute.

Predictions on the timing abound, but Bostrom has this forecast: “When we reach that point, we will very soon thereafter have superhuman intelligence,” he said.

The key tasks of humans will then be to enforce “scalable control” over the machines, so the machines will serve society’s goals, rather than their own. A machine could even confuse us about our priorities, he said.

“It might be possible for it to give us verbal hyperstimuli, and persuade us even if its argument isn’t sound,” Bostrom said.

Meanwhile, a group of security researchers (read “legal hackers”) were having fun showing conference-goers what mischief they could make by exploiting the known security weaknesses of fairly dumb connected devices already on the market, like talking dolls, door locks, and innocent-looking electric tea kettles.

During a session called “When Good Devices Go Bad,” Balint Seeber, director of vulnerability research at Atlanta, GA-based Bastille Networks, demonstrated that he could defeat an electric door lock and open the door without raising an alert from a wireless alarm system.

Seeber showed how hackers could turn toys into eavesdropping tools, due to electronic components hidden inside playthings like the iSpy Tank (a remote-controlled toy equipped with a camera and Wi-Fi connection) and the “My Friend Cayla” doll (cute pink skirt and sneakers, Bluetooth headset and microphone). Hackers could also target the wireless tea kettle and force it to scan your data, Seeber said.

“They can log into your home network and do whatever they want,” Seeber said.

In a live experiment during the conference, one prankster was able to create a free admission badge to the costly RSA conference by tinkering with the simple anti-theft tag embedded in a hotel towel, Seeber said.

Lawyers are already thinking about the headaches this kind of thing can create for tech companies.

At a session called “Flaming Toasters to Crashing Cars—The Internet of Things and Mass Liability,” a panel of experts was trying to parse out a precise definition of IoT that would be workable in legal disputes over damage caused by devices.

“IoT, it’s a dumb phrase,” Drinker Biddle & Reath partner Jay Brudz said. “Everything is a thing. So you don’t need the word ‘Thing,’ ” the attorney reasoned.

“Without ‘Thing,’ you don’t need ‘of,’ ” Brudz said. “It’s just the freakin’ Internet.”
