
The internet of things: hackers are watching you


22 March 2017

When George Orwell envisioned the “telescreen” — the TV that keeps constant tabs on its viewers — in 1984, he predicted that governments would use technology to cross the threshold into our private lives.

Confidential documents published by WikiLeaks this week purport to show that the Central Intelligence Agency created its own 21st century telescreen by hacking into smart TVs. You may be watching YouTube or Netflix, not forced military propaganda, but spies are still able to listen into your living room. Developers used vulnerabilities in Samsung TVs to ensure the products would capture conversations even when they appeared to be switched off.

In what WikiLeaks describes as the first instalment of the “largest intelligence publication in history”, the CIA appears eager to exploit the new spying opportunities created by the internet of things — everyday objects that are connected to the web. Market research group Gartner forecasts there will be more than 20bn appliances, TVs and other devices connected to the internet by 2020.

The CIA’s engineering development group had a “to do” list for the smart TV that included the ability to record video and break into its browser and apps. Other documents seemed to show it had explored infecting vehicle control systems used by connected cars.

“This is the most troubling WikiLeaks ever. We’ve learned the CIA has all the tools to spy on American citizens,” said John McAfee, the antivirus pioneer who is now chief executive officer of MGT Capital Investments. “And now it is in the hands of some unknown hacker organisation or nation state.”

The CIA has refused to comment on the veracity of the documents. Samsung says it makes security a top priority and is looking into the matter.

The basic vulnerabilities inherent in the internet of things — one of the biggest concepts being pursued in the technology industry — have been known for some time. Samsung even warned customers in 2015 that “if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of voice recognition”.

Cyber security researchers have highlighted holes in everything from cars to cameras, robots to refrigerators. It was revealed last month that children’s conversations with WiFi-enabled teddy bears from one toymaker had been leaked online.

Law enforcement has become interested in using audio collected by devices such as Alexa, Amazon’s voice-controlled personal assistant. A prosecutor in an Arkansas murder case has requested the data from Alexa. Amazon resisted the request until the suspect said the recordings could be handed over.

Cyber criminals are also targeting the internet of things, infecting systems with malicious software that demands a ransom, usually to be paid to an anonymous account in bitcoin. Hackers repeatedly struck a hotel in the Austrian Alps last year by attacking the electronic key card system. The hoteliers are returning to old-fashioned locks after being forced to pay €1,500 to allow guests back into their rooms. Last Christmas, one family in the US had their smart TV taken over by ransomware, disabling it for four days.

Vulnerabilities in connected devices risk destabilising the entire web. A malicious network known as a botnet built from tens of millions of internet-connected cameras and DVR players was last year harnessed to attack Dyn, a domain-name services provider used by websites from the New York Times to Twitter. Millions in the US were unable to access services including Spotify and Airbnb as Dyn struggled to resist the distributed denial-of-service attack.

Cesar Cerrudo, chief technology officer at cyber security company IOActive, says hackers from the CIA to less sophisticated cyber criminals will invest more in finding vulnerabilities in the internet of things.

“We are getting extremely dependent on technology. We need to start understanding that cyber security is important,” he says. “We suffer the consequences, are attacked, hacked, lose information. And it has a big impact on our daily lives.”

The enthusiasm to connect everything to the internet shows no sign of letting up: there is a kettle that messages instead of whistling, a rice cooker controlled by smartphone and shoe insoles connected to a map app that vibrate to push you toward your destination.

But cyber security has been sidelined in the rush. Security defences are often decades out of date — if they exist at all. Many lack passwords, or have a default password that cannot be changed. The signals that devices send to connect with a server are often barely encrypted.

Mikko Hypponen, chief research officer of Finnish cyber security company F-Secure, says the attackers who created the botnet to target Dyn only tried 35 passwords before hitting on the right one. The lax security within the internet of things is repeating “the same mistakes we already fixed 20 years ago”, he warns. “It is a clear and present danger to the internet.”
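The recruitment pattern Hypponen describes, a handful of factory-default passwords tried against a device until one works, is visible in the device's own login log as a short burst of failures from one source followed by a success. The detector below is an added example, not code from the article or from F-Secure; the log format and the addresses in it are constructed.

```python
# Added example, not from the article: flag a burst of login failures from one
# source against a device followed by a success. Log format and data are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2016-10-21T11:10:01 login failed user=root src=203.0.113.7
2016-10-21T11:10:02 login failed user=admin src=203.0.113.7
2016-10-21T11:10:02 login failed user=root src=203.0.113.7
2016-10-21T11:10:03 login failed user=user src=203.0.113.7
2016-10-21T11:10:04 login failed user=admin src=203.0.113.7
2016-10-21T11:10:05 login failed user=guest src=203.0.113.7
2016-10-21T11:10:06 login ok user=root src=203.0.113.7
2016-10-21T11:15:30 login failed user=admin src=198.51.100.4
2016-10-21T11:42:10 login ok user=admin src=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) login (ok|failed) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Return (timestamp, result, user, src) tuples; skip lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m[1]), m[2], m[3], m[4]))
    return events

def find_guessing(events, threshold=5, window=timedelta(seconds=60)):
    """Map each source with >= threshold failures inside `window` to
    'success' (a login succeeded after the burst) or 'failed-only'."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    verdicts = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [ts for ts, result, _, _ in evs if result == "failed"]
        start, burst_end = 0, None
        for i, ts in enumerate(fails):          # sliding window over failures
            while ts - fails[start] > window:
                start += 1
            if i - start + 1 >= threshold:
                burst_end = ts
                break
        if burst_end is not None:
            ok_after = any(r == "ok" and ts >= burst_end for ts, r, _, _ in evs)
            verdicts[src] = "success" if ok_after else "failed-only"
    return verdicts
```

A 'success' verdict is the one to act on: the device should be treated as compromised (credentials changed where the firmware allows it, otherwise isolated), since a short default-password list was enough to get in.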

The most vulnerable products are produced by companies that specialise in making toasters or blood sugar monitors, not in software or security. The budding industry is fragmented, regulation has not kept pace and consumers either do not care or struggle to judge how secure a product is.

Eric Ahlm, research director at Gartner specialising in security, says these manufacturers have no incentive to spend time or money on security.

“It is more of a question of economics than security,” he says. “A consumer buying a smart TV is probably going to buy the one with equivalent features at a lower price. It is almost a penalty for manufacturers of these smart consumer devices to go the extra mile.”

Even if consumers wanted to, they could not buy additional protections because the devices are powered by tiny computers that security software makers cannot access, like those in fitness wristbands or vacuum cleaners.

“You can’t put antivirus software on your Fitbit or Roomba,” Mr Ahlm says.

Pedro Abreu is chief strategy officer of ForeScout, which helps businesses keep devices separate from their main corporate network. The idea is to prevent attacks like the data breach at US retailer Target in 2013, when hackers accessed the system through the air conditioning provider. He says it is a “myth” that manufacturers will be able to solve the security problem.

But there is a large industry built around protecting smartphones and PCs, which are made by more sophisticated companies than those creating devices for the internet of things, Mr Abreu says. “Even those with the best profit margins cannot secure their devices; imagine the guy building the device in the garage next door from parts built in China,” he says. “But that should not prevent us from demanding manufacturers have better standards.”

But a push to tackle serious flaws in device security has begun. Vizio, a manufacturer of smart TVs, paid $2.2m last month in a settlement with the US Federal Trade Commission and the New Jersey attorney-general after it was caught collecting viewer data and selling the information to advertisers without their permission. Terrell McSweeny, FTC commissioner, says she supports comprehensive data security legislation that would allow a “regulatory approach” for the whole sector.

The FTC has been putting more resources into prosecuting connected device makers and improving its in-house tech capabilities. It is also working on international co-operation for privacy enforcement as devices are often exported from other countries, and looking at whether manufacturers have an obligation to still secure a device once they have stopped making it.

US regulators are also taking an interest: the National Highway Traffic Safety Administration has created best practices for the car industry, and the Food and Drug Administration has issued guidelines for making medical devices secure. Other organisations are playing a role. The Mayo Clinic, a non-profit medical group, has written specific security measures into its contracts with medical device makers.

The European Commission is pushing for a system of certification for devices and has set up a group called the Alliance for Internet of Things Innovation. In the US, the President’s Commission on enhancing cyber security, which reported in December 2016, said consumers should be informed about the security capabilities of devices.

Beau Woods, deputy director of the cyber statecraft initiative at the Atlantic Council, says he hopes the commission’s work will lead to products coming with security labels or information sheets, which will in turn deter retailers from selling vulnerable goods.

Consumers may be able to better protect themselves from everyday hackers demanding ransoms, but the manufacturers of internet-connected devices may never outrun the CIA.

“My advice for people concerned is update everything and unplug things when they are not in use, if you don’t want them to have a surveillance capacity,” Mr Woods says.
