The immediate benefits of 5G deployment are, at best, nebulous. On 4G you can already stream Facebook videos until either your phone battery or your brain expires, so speed enhancements alone are going to be a tough sell. It’s often said that we won’t know exactly what the world-changing effects of 5G will be until it’s arrived and the innovators of the world start playing around with it. The idea being, first you had 4G, then you had Uber – not the other way around. Or, to put it another way, if you build it, they will come. In this case, that may be true of IoT.
It’s widely predicted that the deployment of 5G will pour rocket fuel into the concept of the Internet of Things, Smart Homes, and Smart Cities – basically the process of hooking absolutely everything in sight up to the internet.
These are ideas that have been teased for over a decade. They paint a picture of a future where autonomous cars – loaded with mega-fast and always-on connections to powerful cloud-based mainframes – ferry people around cities which have themselves become a hive of connected devices.
Solar-powered skyscrapers whizz by the car windows, dotted with specialised devices to monitor and improve air quality. Other sensors on streetlights, in bins and on traffic lights gather streams of information to improve all sorts of civic functions like optimising traffic, targeting refuse clean-ups, or providing law enforcement bodies with data to power their predictive policing algorithms.
Once delivered back to your home, pre-heated via a smartphone app, the front door will open automatically thanks to biometric scanners – just as an autonomous food delivery truck arrives with groceries your smart fridge ordered for you.
If this is a future we are heading towards, are there any downsides, with regard to IoT hacks, to having every conceivable object hooked up to the internet? What are the implications of surrounding ourselves with an increasing number of devices gathering data on an industrial scale?
How does having infrastructure, heavy plant and militaries plugged into the internet affect the nature of warfare and terrorism? What if companies aren’t motivated to properly secure devices that are launched into this new ecosystem?
We spoke to Troy Hunt, an Australian Microsoft Regional Director and MVP (Most Valuable Professional) and the creator of the Have I Been Pwned? (HIBP) data breach notification service.
Troy has previously testified in front of US Congress on the impact of data breaches, and we picked his brains on the current state of the cyber security landscape, Huawei, and whether, whilst building the connected world of the future, we should be more aware of the threats that come along for the ride.
It’s a little bit hard to tell what’s genuinely getting more dangerous and what is down to greater transparency on what’s already been happening for a while.
I think particularly when we are talking about state actors, going back to the 2016 elections in the US, that was the point where we all started going ‘this is actually a really big thing’. Of course, a lot of that wasn’t hacking per se, it was disinformation campaigns. But it’s all brought the ‘state actor’ thing out to the forefront. Everyone is just a lot more aware of it than they were before.
The players that always seem to feature the most are Russia, China, Israel is very well equipped, as the US is. Any country with enough resources is putting a huge amount of it into information security, because this is the new frontier for everything from information campaigns through to warfare.
Countries like Australia are not quite as well equipped as other parts of the world, but obviously there’s a lot of information sharing that goes on too.
Well that’s where it gets really interesting. You can imagine in the wars of the future, and even some of the present, the ability to have offensive cyber capability is enormously powerful. And inevitably this becomes one more arm of offence and defence.
In the era we’re in now, you have everything from the US talking about having a Space Force, through to online capabilities, and the whole ‘air, sea, land’ thing is just developing into new frontiers.
I think it will inevitably be a combination of the different forces we have at present. I can’t imagine a war of significance where there isn’t physical violence as well, that’s unfortunately the nature of it.
But we might find that they are combined, and the information that we have online equips ground forces very well. It may be that ground forces have to gain access to systems as well, and unfortunately that’s something that’s going to involve blood loss as well.
You’re right about that, and it goes both ways doesn’t it? There’s an enormous amount that nation states can do by having connected services and devices – the unmanned aerial vehicles, it’s nice to not have to have pilots in these things. You would also imagine there’s a huge amount of value in other nation states having the ability to disrupt devices like that as well, so I’m sure that they are investing heavily into that.
It’s inevitably the sort of one-upmanship we see with all sorts of other online disputes as well – someone builds a capability, someone else tries to break it. And the cycle continues.
I think there’s a lot of different ways you can look at it. The sensationalist ones are, what if someone gets control of the nuclear power plants and blows it up? And yes, that would be pretty spectacular. But you can think about other, perhaps more subtle, attacks as well. What about banking systems? What if people lose confidence in financial systems? What happens if everyone starts running to the bank to take their money out?
Even the state-sponsored influence that we’ve seen around media campaigns – what happens when people simply don’t know what they can trust anymore? There are a whole bunch of more concerning subliminal ways this can happen as well. It’s not always going to be loud bangs and explosions.
Stuxnet was a perfect example of that, gradual degradation of centrifuges as opposed to big explosions.
It’s really, really hard to tell. We’re back to the disinformation campaigns again where people don’t know who to trust in terms of messaging. I think unequivocally there is political brinkmanship happening, particularly between the US and China, there’s no doubt about that.
By the same token we know that China has been very effective with their information security campaigns, especially with things like corporate espionage. This is indisputable and very extensively documented.
The problem then is trying to tell the difference between them and a case like Huawei, which makes good gear at good prices. How much of a risk is this? And we don’t seem to have consensus among western states. The NCC for example recently said we think we can mitigate the risks.
A lot of the stuff we’ve seen come out of Huawei in terms of risks in code, very often it’s hard to tell what might be a Chinese back door, and what might be some sh**ty code. And a lot of it does seem to be the latter as well.
I am trying to look at the positive of this and look at things and say, look, if Google is effectively nuking their ability to run Android and we end up with a third player on the mobile market, which we really haven’t had for quite some time, maybe that’s good. Maybe that will help us get away from the duopoly we have at the moment. But then in terms of what it means for 5G networks, we just have no idea at the moment.
The irony of this is some of the things that came out of the Snowden leaks, about the pressure the US government puts on tech companies as well. Remember if we go back a few years ago, in particular European countries worried about running on things like American cloud services. We’ve got situations like the Dublin case, where we had an American court trying to hand over data that’s in the EU.
We’ve got lots of precedents that go the other way as well. And we tend to get very focussed on China, but let’s not forget where the issues really are too.
That’s certainly part of it. I guess I just lament the fact it divides us a little bit culturally as well. There’s a bunch of people in China trying to make a good job of the hardware and software they’re making just like there are in other parts of the world.
I think it’s a bit of a yes and no answer here, and I’ll give you a bit of an answer for each.
Let’s take the example of an insulin pump. This is a device which is life saving for people dependent on getting the right dose of insulin, having the whole thing controlled carefully and being able to monitor things like glucose.
Their priorities are around making this thing convenient in a way that keeps them alive, the security risks in many ways almost go by the by. In terms of priorities, they have to be way down there. The number one priority is stay alive.
But that’s a life saving, critical device. If we look at the other extreme, like kids’ toys – we’re seeing things like connected teddy bears you put in your bed, or kids’ tracking watches. You do not need these things! They are the absolute other end of the scale to things that will save your life.
They’re frivolous, verbose and unnecessary. And we’re seeing serious security vulnerabilities in some that create risks where we never needed to create them in the first place.
So yes we can have risks across all these things, but some of them are really critical where the security side of it is a very low priority. But others are quite the opposite.
This is almost like the IoT fish tank temperature device. Did we really understand the risk? The problem is, and I guess where I’m sympathetic for the parents, take something like the GPS tracking watches for kids. I’ve written about this, one of my contacts in England from a pen testing firm discovered vulnerabilities [in a GPS watch]. We put one on my daughter and we were able to reposition her in the ocean and make unsolicited phone calls to her, and all sorts of weird things like that.
Parents buying these devices never think about security and frankly they should never need to either, they should be able to buy these devices with the expectation that they’re going to work as advertised.
What’s happening is we’re getting these companies set up, very often on a shoestring, never giving it any thought, and really the accountability does lie with them.
There’s definitely a bit of that. With the GPS watch, when we went through and unravelled the whole thing, we discovered that the Australian company had outsourced the development to Sri Lanka. Now inevitably that was a cost driven exercise. And I’m sure there’s some very good software that’s written in Sri Lanka, but clearly the focus here was ‘how do we build this thing cheaply’.
And it was never security tested, it was literally insecure direct object references. There’s a number in the request, you change the number, you get someone else’s data. That’s the first thing anyone would ever check, and it was never tested.
Everything seems to amplify. We have more data than we ever had before, it’s cheaper to store it, it’s easier to make it available to other people, we collect it via more devices.
Imagine how many devices there are just in this room collecting data now. All these things amplify more and more and it’s just no surprise whatsoever that we’re seeing more data breaches than we ever have before. Particularly when we’re starting to collect them from the likes of cars, teddy bears, even padlocks are getting connected to the internet. So we’re just going to keep seeing more of this now.