Future Crimes
“We Are All Cyborgs Now”
You know, anyone who wears glasses, in one sense or another, is a cyborg.
EVGENY MOROZOV
The term “cyborg”—short for “cybernetic organism”—conjures up images of a scary world populated with humanoid aggressors, such as the Cylons in Battlestar Galactica, the Borg in Star Trek, or the Cybermen in Doctor Who. Though the term is relatively new, the act of augmenting the limitations of the human body dates back millennia, with ancient peoples using wood, copper, and iron to replace missing or deformed limbs. Since then, prosthetics have come a long way, not merely replacing partial bodily functionality lost because of injury or disease, but actually improving the capabilities of well-functioning biological equivalents. These advances were highlighted in the case of the gold-medal-winning South African sprinter Oscar Pistorius, the double below-the-knee amputee, who was persistently targeted by other athletes who complained his “blade runner” artificial limbs gave him an unfair advantage.
Today, technology is artificially augmenting not only our limbs and senses but our minds as well. Over 90 percent of smart-phone owners report keeping their mobile phones within three feet of them, all hours of the day, a number that will surely increase in the future. These devices amount to not just external brains but also phantom limbs to which we are persistently attached, deeply anxious when they are far away or accidentally left behind. We use our mobiles as external sources of memory (they can remember the thousand phone numbers we cannot) and as additional means of communication, sharing our thoughts across the planet by SMS, status updates, tweets, and e-mails. We will also increasingly wear and eventually embed intelligent devices in our own bodies, and when that happens, we too will join the Internet of Things. These wearable computers, implantable medical devices, bionics, and exoskeletons will be interacting with the world around us, providing new physical and mental capabilities, as well as continuous health monitoring and feedback. Just as the number of microchips in our cars has increased over time, united in a single controller area network, so too will all the devices on us and in us, to form their own body area network in the future. With these changes will come the profound security and privacy issues affecting the broader Internet of Things at large, except this time we ourselves will be nodes on the Internet.
Whether our cyborg future more closely resembles the horror portrayed in Mary Shelley’s Frankenstein or the heroic possibilities of Tony Stark in Iron Man remains to be seen. One thing is clear, however: Crime, Inc. has shown time and time again its willingness and ability to leverage any emerging technology to its advantage, and hacking you and your body may be an opportunity too good to pass up.
More Than Meets the Eye: The World of Wearable Computing
Perhaps one of the earliest wearable-computing devices to gain wide acceptance was the hearing aid, which has transformed from a deck-of-cards-sized transistor unit visibly worn over the chest with attaching shoulder straps to a fully contained digital-microprocessor-enabled unit, small enough to fit inconspicuously inside a user’s ear canal. Not surprisingly, today’s modern hearing aids use Bluetooth technology and are capable of streaming multiple audio sources and amplifying them for the hearing impaired. Using mobile phone apps, users can control and adjust hearing aid settings on their phones to choose whether to listen to ambient sound, a telephone conversation, or the music on an iPod, all at the press of a button. But now even the humble hearing aid, just like the Bluetooth headsets worn by the general public, can be hacked using a variety of widely available underground Bluetooth programs previously mentioned. As a consequence, not only is it feasible to remotely intercept what another person is hearing in real time, but it would also be possible to play sounds or noises directly into the ears of the hearing impaired. Whether it be heavy metal music or threatening voices that the person wearing the device alone could hear, these noises are sure to cause annoyance and consternation on the part of those affected.
Hearing aids have now been joined by a panoply of additional choices when it comes to the sensors, trackers, and computers available to be worn on our bodies today. Many of these developments have been driven by the “quantified self” movement, which employs a variety of methodologies for collecting data about an individual’s life using technological tools. Every day, millions of quantified-self adherents record every aspect of their lives, thoughts, and experiences via self-tracking tools in search of a better life through “life logging.” They track and measure their sleep, weight, calories burned, biofeedback, heart rate, brain waves, EKG rhythms, happiness, number of steps in a day, all in an effort to improve mental and physical performance, easily gathered through the introduction of wearable-computing devices known as wearables.
By providing measurable feedback collected by small computers worn on the body, the devices let dieters know with precision how many steps they have taken and how active they have been. The information can be displayed on beautifully designed data dashboards on a computer, clearly delineate fitness trends, and even offer elements of gamification with leaderboards and badges when predetermined goals have been met. Armed with this information, dieters can make behavior changes such as eating less or moving more in order to meet their weight loss goals. The devices may also play important roles in disease prevention and improving general health.
Over 100 million wearables were sold globally in 2014, expected to grow to 485 million units by 2018. Wearable devices fall into several broad categories such as bracelet activity trackers, including the Fitbit Flex, Jawbone’s UP, Nike FuelBand; smart watches (the Pebble, Samsung’s Galaxy Gear, the Apple Watch); or even eyewear such as Google Glass. Though wearables have been mostly a niche item until now, they are poised to go mainstream in the near future.
Most wearable devices sync with a user’s mobile phone, via Bluetooth or Wi-Fi connectivity, and when they do, your personal health information joins the Internet of Things as well, easily hackable just like other IoT objects. Moreover, many wearables are tightly integrated with social networks so that, for example, your Fitbit tracker can automatically post the number of daily steps you have taken directly to your Facebook page. Doing so, however, raises a variety of privacy concerns, in particular who owns your data, how are they being secured, and how can they be shared with third parties? Surprisingly, however, 52 percent of fitness apps had no available privacy policies. And as we’ve learned, information that seems harmless now can come back and bite you later. Poor sleep patterns documented automatically by your wearable can be directly relevant in a court case about a traffic accident. Will your health insurance company require you to don an activity tracker to get its best rates, just as car insurance companies are doing with their black boxes in your car?
One of the latest trends in wearable computing is the incorporation of video cameras into the devices, whether it be the popular GoPro HD Wi-Fi-enabled camera used in extreme action photography or something more subtle such as the camera embedded in Google Glass. While the idea of most people walking about our streets wearing Internet-enabled video camera eyeglasses may seem preposterous at the moment, keep in mind that the same thing was said about the personal computer and the mobile phone. Google has already partnered with the eyewear giant Luxottica to build Glass into Oakleys and Ray-Bans, and Deloitte has predicted millions of pairs of smart glasses will be sold in 2015. Devices like Google Glass will offer myriad technical conveniences, all in one highly portable device, such as the ability to take pictures, send photographs, record video, make phone calls, search the Internet, send SMS messages, and read e-mail. These capabilities are at the pinnacle of what is possible in today’s wearable-computing marketplace and will be empowered through a variety of Wi-Fi, Bluetooth, and GPS connections, also conveniently tethered to the mobile data plans on our smart phones. As noted in earlier chapters, with observations by both Mr. Burns of The Simpsons and Mr. Chertoff of Homeland Security, with all of Google Glass’s power and connectivity come a host of privacy and public policy issues. But there are important security threats to be considered as well.
The fear of filming has led to Google Glass’s being banned in a number of public venues, including sporting events, concerts, gym locker rooms, bars, restaurants, strip clubs, casinos, hospitals, and U.K. movie theaters. Cited reasons for the prohibitions against the device include everything from card counting to film piracy and industrial espionage. But there is another concern. Google Glass can be hacked to secretly take photographs and record video, silently streaming the data to Crime, Inc. anywhere in the world, all without the knowledge of the device’s owner. Just as we saw with the malware used to subvert your mobile phone or laptop, IoT eyeglasses can be switched on without any visible indication they are recording.
In fact, hackers had already cracked Google Glass’s security before the device even went on sale to the general public. The security holes in Google Glass mean that the device can be “rooted,” subverted to transmit everything you see and hear in real time, including your account details and password as you type them for your online bank account. The GPS features of Glass mean that Crime, Inc. will also be able to tell your precise location, such as when you are at an ATM typing in your PIN number. While your grandma never needed antivirus programs for her eyeglasses, you may. A variety of malware and spyware tools have already been created for Google Glass, and as a result, now for the first time in human history, our eyeballs can be hacked too.
Given the pace of technological progress, wearing a “bulky” computer in our eyeglasses will soon become too cumbersome to bear for the next generation, and so surely the next iteration of these devices will be the Internet on a contact lens. While Google has yet to publicly confirm a contact lens version of Google Glass, it did surprise the world in mid-2014 when it announced that it was working on an IoT “smart contact lenses” project with the pharmaceutical firm Novartis. The companies’ lens will offer an array of microchip sensors and antennas that will for the first time make it possible to continuously monitor a diabetic’s blood sugar levels without the need for the painful needle pricks required by today’s glucose-testing systems. The device is in early stages of testing with the FDA. Not to be outdone, Samsung is developing its own full-fledged Internet contact lens, which will display all the Web data currently available with Google’s eyeglasses but in contact lens format, using mounted light-emitting diodes and a mix of graphene and silver nanowires. Yet for as advanced as wearable computing promises to become, there is still a further frontier in the quest to fully integrate man and machine—implanting computers inside the body itself.
You’re Breaking My Heart: The Dangers of Implantable Computers
The first time an electronic medical device was successfully implanted into the human body was 1958. The historic operation was performed by two Swedish surgeons on Arne Larsson, an engineer who went on to live another forty-three years—a lifetime of memories and experiences he would never have lived to see had it not been for the hockey-puck-sized computer installed in his abdominal cavity driving his heart to beat normally. Now, nearly sixty years on, the world of medicine has made phenomenal strides in advancing the breadth and capabilities of implantable medical devices (IMDs). These devices have seen multifold increases in portability, battery life, and efficacy and today remotely transmit critical information to a patient’s doctor over the Internet. The first Wi-Fi pacemaker in the United States was implanted in the chest of Carol Kasyjanski of Roslyn, New York, in 2009, and when the surgery was complete, her beating heart became the first to join the Internet of Things.
In addition to pacemakers, there are a variety of other IMDs in common use around the world today, including implantable defibrillators, diabetic pumps, cochlear implants, and neuro-stimulators. While each device has its own therapeutic purpose within the body, IMDs communicate with the outside world via familiar radio-frequency protocols such as Bluetooth, Wi-Fi, NFC, and RFID. Millions of Americans have been equipped with IMDs, and approximately 300,000 patients receive wireless implantable medical devices annually. The devices have become pervasive in modern medicine given their shrinking sizes, their growing capabilities, and the manifest clinical benefits they provide. Wireless medical devices, such as the implantable cardioverter-defibrillators (ICDs), allow physicians to remotely monitor patients’ heartbeats and EKGs in real time, greatly reducing the need for expensive office visits. Should a problem be detected by the ICD, doctors can immediately contact their patients and notify them to come in for treatment. The vast lifesaving potential of these advances cannot be overstated, but as we increasingly integrate information technology with our own biology, more and more people join the cyborg nation—with significant implications for their safety, privacy, and security.
Malfunctioning medical devices are one of the leading causes of serious injury and death in the United States, and the number of device recalls doubled between 2004 and 2014. Nearly 25 percent of these recalls were because of computer-related failures, of which 94 percent “presented a medium to high risk of severe health consequences.” Even in hospitals, a wide variety of therapeutic devices such as MRI, X-ray, and anesthesia machines, IV pumps, CT scanners, and ventilators have been found to be riddled with computer viruses and remotely exploitable by hackers with ease. Indeed, in 2013, the Department of Homeland Security issued an alert advising medical facilities that more than three hundred devices from forty different vendors had vulnerabilities that could readily be exploited by those with ill intentions. As it turns out, just as your Windows computer or iPhone can crash, so too can a medical device on which your life depends. There’s one important difference with IMDs, however. Unlike with your smart phone, you can’t simply download new firmware over the air for your pacemaker; instead, surgeons have to cut open your chest or abdomen and get physical access to the device for a full firmware update or replacement.
Of perhaps even greater concern is the fact that the more we implant tiny computers inside ourselves to monitor and improve our health, the more we create opportunities for others to hack into our bodies and subvert these machines for nefarious purposes. Many medical devices are sold without any security mechanisms in place. Instead, manufacturers of IMDs, like other objects connected to the IoT, tend to rely on security through obscurity—after all, why would anybody want to hack a pacemaker? The flawed logic neglects the fact that there are indeed a tiny minority of cruel and odious people in the world who would be happy for the chance to prove their own technical prowess at the expense of others. Such was the case when hackers in 2008 altered the national Epilepsy Foundation’s Web site to include hundreds of rapidly flashing animated images, causing violent seizures among epileptics innocently visiting the site for medical advice.
A team of researchers from the Universities of Massachusetts and Washington also showed the threat to medical devices was quite real when they successfully compromised the wireless security of Medtronic’s combination heart defibrillator and pacemaker. After gaining unauthorized access to the device, they not only were able to read confidential patient information but, much more troubling, were fully capable of delivering jolts of electricity to a normally functioning heart—an act that would prove fatal to a hapless innocent. For hackers, IMDs represent an irresistible new yardstick by which to measure their talents, and the topic is among the most popular at the annual Black Hat hacker conference in Las Vegas. One well-known hacker, Barnaby Jack, had particularly good success in subverting a range of IoT devices from ATMs to pacemakers. In 2012, Jack uncovered serious software flaws within the IMDs produced by several manufacturers that allowed him to commandeer the devices. From fifty feet away, using nothing more than his laptop, the hacker was able to remotely order an implanted defibrillator to deliver 830 volts of electricity directly to a person’s heart—a shock so powerful it would surely kill anyone with an implanted pacemaker.
Fearing the profound risk of such an attack, the cardiologist to the former vice president Dick Cheney physically altered the VP’s ICD to remove its wireless capabilities lest terrorists attempt to send a lethal shock to the almost commander in chief’s already ailing heart. In a case of art imitating life, a fictionalized but entirely viable version of just such an attack was memorably portrayed on the Emmy Award–winning Showtime drama Homeland, in which the terrorist bad guy Abu Nazir directs the assassination of the veep over the Internet by fatally compromising his implanted cardiac defibrillator. But pacemakers are not the only wireless IMDs that hackers have cracked. Hundreds of thousands of people in the United States also rely on diabetic pumps, a device meant to dispense insulin in carefully controlled amounts to those needing help regulating their blood sugar levels. Once again, the talented Mr. Jack proved his technical expertise and readily defeated the weak security protecting some of the most common diabetic pumps on the market. Using a specialized radio antenna that he devised, Jack was able to locate and compromise any insulin pumps within a three-hundred-foot radius, causing the forty-five-day supply of insulin held within the device to be released instantaneously and all at once, a remote cyber attack almost certain to result in death without immediate treatment.