Information security was always an esoteric field but with personal computing came personal security issues, culminating in the identity theft problem that concerns even the most techno-phobic of consumers. It's about to get much worse.
The latest interesting areas for security come from the proliferation of connected computing devices into new areas of our life: mobile devices (for example iPhone, Droid, iPad), building automation (smart-grid) and automotive computing. Up to now, we've worried about computers messing with our money. Now we can add to that the worry of computers tracking our location, killing our power and crashing our cars. As a security professional I am simultaneously appalled and hopeful for my job security.
Apple Inc.’s iPad and iPhone devices have really got people excited about handheld computing. But few people stop to think about the security implications. No other device is as intimately connected to a user as a smartphone. I often forget my wallet and my keys, but I rarely go anywhere without my smartphone. That makes my phone a fantastic tool for location based personal services, but also for ubiquitous and extremely intrusive surveillance.
The specs of the latest smartphones add up to a serious security problem: global positioning system (GPS), cellular data and location, magnetic compass, accelerometer, microphone and video camera. If you compromise a device that never leaves the side of the owner and contains those features, you have the most sophisticated surveillance system ever devised. It's far worse than compromising a PC or reading someone's e-mail. You could literally bug every conversation while knowing exactly where the user is and even if they are walking or lying down!
Last week, researchers at the University of Washington and the UC San Diego demonstrated the implications of compromising a car's built-in computer network. All modern cars have an embedded computer network that provides diagnostic information and some remote control capabilities. The researchers were able to control the engine, car doors, lights, speedometer and other functions.
Now, today this kind of compromise requires some initial physical access to connect to the OBD-II (On-Board Diagnostics II) port to sniff and inject data packets. But increasingly cars are connected to wireless networks, exposing those capabilities to remote control. One such system for remote control and access is OnStar, but it is easy to imagine a world where every car does telemetry and remote control. Are these systems secure from remote compromise? Just recently a disgruntled employee at a security company (not OnStar) remotely disabled hundreds of cars. Not very reassuring.