Thursday, June 19, 2008

Hacking Appliances

You may have seen the post Tuesday on Security Focus: Compromise by Coffee.

In the post, the owner of what I understand is a very expensive coffeemaker says he’s discovered that the coffeemaker, which has the capacity “to communicate with the Internet via a PC” can be hacked.

The author of the post says that the software vulnerabilities in the system (I gather they’re in the system the coffeemaker uses to communicate online, rather than in the coffeemaker itself) would let someone hack the coffeemaker and, say, alter the strength of coffee or tinker with the water settings and “make a puddle” or just break it and force a service call.

The notion of linking the thing to the Internet is apparently to allow it to be serviced remotely. (It is, apparently, a VERY expensive coffeemaker – when my inexpensive coffeemaker has problems, I just replace it.)

The last line of the post is particularly interesting. It says that the problems with the software would let a remote attacker “gain access to the Windows XP system” it’s running on. That could be interesting. Being merely a lawyer and not an expert in technology, I can’t speculate as to precisely what one could accomplish with that, but I assume it could be worth someone’s pursuing.

This post reminded me of what came to my mind when I installed a new ac/furnace system last year. It’s top of the line, very energy efficient . . . and when they installed it they told me that, if I like, we could hook a laptop up to it. The furnace company could then use the laptop to monitor the system and, if possible, fix at least some problems remotely. They also told me I could connect to it when I’m traveling and alter the settings remotely, from the road (using, of course, the Internet).

Not having any idea why I’d want to do that, I haven’t gone for that option. The furnace is air-gapped, and as far as I’m concerned, is going to stay that way. When they told me about that option, though, I started thinking of interesting things someone could do if they hacked a furnace. I’m sure you could make things pretty uncomfortable in my house (way too hot, way too cold). I wonder if you could compromise the system sufficiently to do some real damage . . . cause a fire, say?

This concept of putting appliances and home systems online is something I talked a bit about in my last book: Law in an Era of “Smart” Technology. It’s a book about law and how it has dealt with technology essentially since there has been technology, of any kind. The law’s approach to technology, I argue in the book, is to segment technology from other aspects of our life, so we get what are often called “technologically-specific” laws.

That has made sense, as long as “using” technology was a discrete, compartmentalized aspect of our lives. It makes sense, in that world, to have “car” laws – laws that define requirements for being able to operate a motor vehicle (of whatever type) lawfully, laws that define what you can and can’t do with one (e.g., no speeding) and laws that make it a crime to do certain things with them (e.g., drive drunk).

As I argue in the book, though, I think that world is rapidly coming to an end as technology beings to subtly and invisibly permeate all aspects of our lives. As interactive technology -- like this coffeemaker -- becomes an embedded part of our lives, we forget we're "using" technology. It recedes into the background of our consciousness, and that has a number of implications.

Many of those implications are great. I like (kind of) the fact that my smart new furnace nags me when it's time to clean its electronic air filters. Makes me much more conscientous when the thing itself keeps telling me what I need to do. I also like the fact that it does all kinds of neat things that improve my service and cut my bills. I like it when other technologies do things for me. I'm looking forward to more of that.

The major downside, of course, is that as we utilize these technologies but remain unaware of the fact that we are, essentially, opening access portals into our lives, we creat all kinds of opportunities for attackers.

No comments: