The Science Scientists Forgot: Privacy and Security - Who Needs Them Anyway?



This year marks the 31st anniversary of the first mobile phone in Australia. Ten years later, in the Swiss headquarters of CERN, the computer scientist Tim Berners-Lee created the World Wide Web.

Despite the relative 'youth' of these technologies, it is hard to imagine a world without them. They are fundamental. They have changed the way we interact forever. They have changed the way we communicate, the way we work and the way we relax.

As always, there is a price to pay for such a rapid change and development in technology. As a society, we have left gaping holes in security and privacy as we march on, ever modernising and digitising. These effects are so far reaching that they concern the security of nations, the integrity of corporations and the privacy of individuals. Yet are scientists and engineers to blame? When have we ever stopped and considered the privacy and security implications of the technology we develop?

In 2010 Ali Akbar Salehi, the head of Iran's atomic energy agency, announced that completion of Bushehr (Iran's first nuclear power plant) would be delayed a further 3 months. They denied any connection to 'Stuxnet'.

Stuxnet, a computer worm, has been described by the Internet security firm Symantec as "the most complex threat they have ever analysed". Described as a master of stealth, Stuxnet transmitted itself to over 45,000 devices, of which 60% were in Iran. Ordinary computer users would not have noticed a change, for there was nothing to notice. It was designed to install itself on a USB flash drive, and hide. It then waited for the right set of conditions to occur.

Those conditions are unique to specific Siemens machines called SCADA systems. These are high-end machines that run and monitor systems such as manufacturing plants, water treatment facilities, civil defence systems and... power plants around the world. Even the smallest security breach to one of these systems could wreak havoc on society - power plants would halt, water treatment systems would stop, traffic control systems would crumble.

The elegance of Stuxnet was that the target computer didn't need to be connected to the Internet at all - all it needed was an infected USB to be inserted into one of these high-end SCADA systems.

Stuxnet was not looking for just any SCADA system, but rather it had targets. Curiously, the only SCADA systems believed to be affected by the worm were those involved in the Iranian nuclear program. It is believed that Stuxnet was the product of a state-backed attack to delay Iran's nuclear ambitions. Politically motivated, no doubt; but Stuxnet serves to highlight an important point - technology is now a weapon, and security our only defence.

In a world of increasing technology and connectedness, it is near impossible to keep any system isolated. Traffic systems, airports, power plants... all are susceptible to similar attacks. Our society has modernised and interconnected itself so rapidly that scientists and engineers who create the technology have been unable to strike the balance between security and advancement.

Nations are not the only ones affected. In April 2011, the Japanese juggernaut Sony and its PlayStation Network and Qriocity service were crippled by hackers for a cringe-worthy 23 days - an eternity in Internet time. In the process, over 77 million credit cards and other personally identifiable information were stolen.

The examples are plentiful: Britain's National Health Service (hacked), Citigroup network (some 200,000 clients' information stolen), Epsilon database (2500 companies' emailing lists stolen).

Even the Australian government is vulnerable to cyber attack. Despite similar attacks back in 2007, in February of this year the government was stung once again. Up to 10 Federal ministerial computers (including the Prime Minister's) were compromised.

Perhaps the most confronting breaches to our own privacy and security are self-inflicted. The technology that represents the biggest breach of our privacy and security is often the most integral and entrenched... our mobile phones.

Our mobile phones never leave us. They are the last thing we check at night as we go to sleep, and the first when we wake. One smartphone alone has the computing power that was used to send man to the moon. Despite this, society is generally blind to the risks they present, and to the implications this causes.

Ever since GPS chips started appearing in phones there has been a resulting privacy fallout. Apple's latest iPhones come with GPS tracking built in, should the phone become lost or stolen. However, this service is always on, and because our phones are always with us, it becomes a very simple and covert way to track someone's whereabouts. GPS tracking is a feature, not an oversight. Without much difficulty at all, parents can covertly track their children's whereabouts, wives can check up on their husbands, and bosses can monitor their staff.

Nowadays, when a picture is taken, most GPS-enabled phones will automatically include the location in the photo data. This isn't a problem until the image is widely distributed and potentially thousands can discover the location where it was taken. With services like email, Twitter and Facebook, this is easy. Most will strip out the location data, but many, including email, will not. Technology such as this runs the risk of exposing the locations where photos are taken, with pinpoint accuracy. Often, these are people's homes and workplaces.

Sometimes, the apps are also to blame. Blendr is a mobile dating app with a twist - it shows users how many kilometres they are from each other. Many such users are unaware, but by sampling distances from three different positions and using triangulation, it's possible to compute a person's location, without them explicitly revealing it.

Chinese and US researchers have shown a proof-of-concept Android smartphone application that spies on users' phone calls, listening for credit card numbers and PINs. With the app running in the background, when the user made a call, the app would monitor the microphone for someone speaking or dialling a string of numbers (as in telephone banking), then log the information surreptitiously. It was just an experiment, but startling nonetheless.

The solution is clear... there is no going back. The only solution is to move forward. Society owes a great deal of gratitude to the scientists and engineers who create these immensely powerful technologies, but it does not excuse these professionals from their responsibilities. There is a high risk to our privacy and security today. It is the responsibility of the creators to inform and make society aware of the dangers of these technologies, rather than just providing them.

Whether it's a nation, a corporation or an end user... security is more important than we think. We need to address the issue of privacy and security in the industry, and for scientists and engineers, security and privacy need to be a priority, not an afterthought.



