“Let me tell you a secret: when you hear that the machine is “smart”, what it actually means is that it’s exploitable. “Smart” means “exploitable”. “Smart TV” means an “exploitable TV”; “smart phone” means an “exploitable phone”, and so on. That’s what it means.” ~ Mikko Hypponen, Chief Research Officer, F-Secure
With so much attention being paid to Sony’s recent cyber attacks, F-Secure’s Mikko Hypponen provides a shocking insight into cyber warfare that is being waged from more familiar shores – and on European neighbours.
The implications for the so-called “smart grid”, with web-enabled “smart meters”, are very concerning. As Hypponen says, the Internet is on fire.
The Beverly Hills Country Club was a nightclub and a restaurant. A huge one. It could seat up to three thousand people every single night. People who would come to enjoy multi-course dinners and watch first-class entertainment. On the 28th of May in 1977, a nineteen-year-old guy called Walter Bailey was working at the Beverly Hills Country Club as a waiter. At around 8 o’clock that evening, Walter was stopped by another waiter who asked Walter if he knew where the owners of the club are. And Walter didn’t and he asked why. And the other waiter told him that there’s a small electrical fire in one of the rooms in the center of the complex, so he’s trying to find the owners.
Walter got interested and he decided to investigate, so he left his ballroom where he was serving and he went to the center of the Country Club, towards the room which had the fire. And as he was getting closer to this room he could see that there was smoke pouring out from the top of the door that led to the room. So he realized that there’s a big fire inside the room and he was clever enough not to open the door. Instead he returned back to his ballroom. The complex had multiple different ballrooms and the one where he was serving in had over 900 people seated down. So he went there and he found his boss and he told his boss, “There’s a fire in the building and we have to evacuate this room”. And his boss was just looking at him blankly. And now you have to understand there were nine hundred people seated down there, and these people were celebrating things like their weddings. There were multiple wedding parties in the audience, like brides in their wedding dresses; there were people celebrating their 50th anniversaries or fiftieth birthdays with their families, watching entertainment and drinking and enjoying the food. And then Walter saw that there was actually a queue of people who are still coming into the room So he went to the queue and he told them “Everybody follow me”. And then he walked this queue through different corridors out from the complex to the courtyard and he told them “Please wait here.” Nobody even asked why; they were just following orders.
But as Walter returned to his ballroom, to his horror he saw that everybody was still sitting down. The band was still playing, people were still ordering cocktails. And then he decided to act. He thought to himself, “I’m gonna get into trouble over this”, but nevertheless he climbed to the stage, he took the microphone from the singer of the band, he told the band to stop and then he addressed the crowd. He told the crowd, “Everybody listen up. If you look on your right side, there’s an exit in the wall over there. If you look on your left side, there’s an exit in the wall over there, and in the back there’s one more exit. Everybody stand up right now and leave the room.” And that’s what people did; they followed orders. And that night the Kentucky Country Club burned to the ground. The ballroom that Walter – the 19-year-old Walter – evacuated was engulfed in flames in ten minutes from the moment when he took the mike. Walter saved hundreds of people. There were other people in the complex who weren’t so lucky. Over 165 people died that night in that fire.
But that story reminds me of our own actions today, in our lives today, in our digital lives today, because our lives are moving more and more to the online world. We’re seeing things going wrong in our online world, and very few people are taking action. And we hear a lot of talks about things like the Big Brother or “Big Brother society”, but I’d like to actually quote a late futurologist and a fellow Finn, Mika Mannermaa, who in his books wrote a lot about the future, and he wrote about how he actually doesn’t believe in a Big Brother society. He sort of believed more that we will be entering a “Some Brother” society. A society where there’s always someone watching. Not necessarily the Big Brother, not necessarily the government, but someone. And he also made the note that we are living an aquarium life, where we have no walls, or we have walls, but they can be seen through.
Now some of this “Some Brother” watching mentality can be seen from the actual action of governments. For example, during just this year, in our labs at F-Secure, we’ve analyzed five malware families which we believe to be coming from the Russian government. Malware like Sandworm and Cosmicduke, which have mostly been found from Ukraine, which is a country in the middle of a crisis right now, or malware like Havex, which is the first malware we’ve seen since Stuxnet that’s actually trying to find and fingerprint factory automation gear. And we believe these are coming from the Russian government. And then we have the Chinese government. In fact the very first targeted attacks launched by any government anywhere in the world we ever saw were coming from the Chinese government, and that was more than ten years ago. And exactly a year ago I was on this very stage speaking to you about attacks right here in Brussels, about attacks targeting local telcos. Attacks that we now understand much better. A year later, we understand them much better.
For example, we now know exactly where these attacks were coming from. They were coming from the UK intelligence, from GCHQ. We also know which exact malware was being used in these attacks. It’s a piece of malware called Regin, which we believe was developed together with the British intelligence and the US intelligence. And we learned much more about the targets of these attacks, because they were many more targets than just what we knew a year ago. For example, we know that this malware and these operations launched by the UK intelligence were targeting academics here in Belgium. Professors, people like that. They were also targeting targets in Austria, including the IAEA – the International Atomic Energy Agency in Austria.
Now we also know that one of the largest amounts of targets anywhere in the world were in Ireland, which is a good indication of who’s behind the attacks. Who’s interested in Ireland? Well, the United Kingdom is interested in Ireland. And it’s quite remarkable when we have a situation like this, where fellow EU countries are launching active government-funded malware attacks against fellow EU countries. But that’s where we are today.
But there are parties which are trying to fight back. The US government tried to gain access to the data of several of the Silicon Valley companies a couple of years ago. One of the companies was Yahoo. Yahoo tried to fight back those attacks, and these attacks are actually very similar to the attacks we’ve been seeing just now in Germany.
This guy is Ali Fares. He works for a company called Stellar, which is a German telco company, a German telecommunications provider which provides connectivity over satellite links. Der Spiegel magazine did an investigation in which they found out that once again the British intelligence had been breaching telcos in Europe, in this case the network of Stellar.
So here we have a video clip of the Der Spiegel journalists going and meeting engineers at this Stellar company and showing them files leaked by Edward Snowder. Files which prove that Stellar – their own company – has been targeted and hacked by British intelligence. They are now seeing for the very first time these slides which list their own company among the targets which have been hacked by UK intelligence agencies. Then they’re shown another slide, which lists the targets: the names of the engineers in the company. And they see their own names listed in this top secret file. They just now realize that they personally have been hacked.
So returning back to Yahoo. Yahoo tried to fight the US government. They didn’t want to give access to their customers’ data. And this fight was happening in a secret court; there are such things, secret courts, in the United States. It’s the so-called FISA court or Foreign Intelligence Surveillance Act court, in which a lawyer from Yahoo was trying to defend the users of Yahoo against the US government. And the judges in the court made interesting comments.
For example, one of the judges was claiming that they couldn’t possibly be any damage to customers of Yahoo, since this surveillance will be secret, which means that the customers will not know that they are being watched. So how could they possibly have any damage, since they will not know that they are being watched? And he was actually right, this actually stood, based on the US law and Yahoo’s case was thrown out. And it was then used as a legal precedent to do similar surveillance against other Silicon Valley-based companies as well.
So let me quote a friend of mine, Aral Balkan from Indie Tech. He made a great comment about how “private” used to mean something completely different. “Private” used to mean something where you would go with your friend – just the two of you – where there’s no one else and you would speak in private. That’s what it used to mean.
Well, today in the online world “private” doesn’t mean that. For example, when you’re on Facebook and you send a private message, you don’t actually send it to someone else; you give it to Facebook and Facebook gives it to your friend. This is sort of like you would tell your private message to your creepy uncle and then the creepy uncle would tell it to your friend. Right? That’s the equivalent.
And the largest creepy uncle we have on the Net is Google. Google, who sees exactly what we are doing and what we are thinking. Google, who provides excellent and great services. We all use them, and what’s even better, these services are free. Which is remarkable, when you consider how big a company Google is and how expensive their operations are. In fact Google spends every quarter roughly two billion dollars into their data centers. They’re investing every quarter over two billion into building larger and larger data centers. Yet the services they provide are free. And what’s even more remarkable, Google is profitable. They make $12 billion dollars profit every year, which nicely illustrates that there is no such thing as free. That’s how valuable our data is to Google.
There are no free lunches; there are no free search engines; there are no free cloud storages; there are no free webmails; the only things on the Net which really and truly are free are things like, you know, the Linux kernel, open source projects. Most of the things which are called “free” are not free.
For example, apps. There are no free apps. We know that all the app stores are filled with free apps; none of them are free. And you see this when you go and download something simple. You know, an application which will turn your phone into a flashlight or a torch, and then when you take a closer look at what kind of rights or permissions it requires from your handset, it wants to know your location and gain access to your contacts and to the Internet, of course. Why would a flashlight need that? There is no free lunch; there are no free apps.
So it’s easy to blame the user. The users are making stupid mistakes. I heard a good story about users; about this guy who had an old desktop computer at his work and he got a new computer, so he wanted to move his files from the old computer to the new computer. So what he did is he went to his My Documents folder and with his mouse he selected all of his files then he right-clicked and selected Copy, then he disconnected the mouse from the computer, connected it to the new computer, and clicked Paste. And that’s not a stupid user: that’s actually obviously a very smart man who simply hasn’t had the training – I mean, it could work like that; it just doesn’t.
And another thing users do is that they lie. What is the biggest lie on the Internet? The biggest lie on the Internet is “I have read and I agree to the license agreement”. We all do this. We know you do this, because we actually tested this. We set up a free Wi-Fi hotspot in London earlier this year, so you got free access to a Wi-Fi hotspot, but of course you had to read through the end-user license agreement to get the access. And in our license agreement we had a slight clause which said that you will have to give your firstborn child to us. And everybody clicked OK. Now, we didn’t actually go and pick up the firstborn child; I think we really should have – you know, go through their doors and say “Hello, we’ve come to pick up Jamie”. We didn’t do that.
And we have to accept the license agreements today even when we use our devices, like our smart washing machines or smart doorbells or our smart TVs. Let me tell you a secret: when you hear that the machine is “smart”, what it actually means is that it’s exploitable. “Smart” means “exploitable”. “Smart TV” means an “exploitable TV”; “smart phone” means an “exploitable phone”, and so on. That’s what it means.
And these devices, when you go and read their license agreements, have surprising things. So for example, the Samsung Smart TV explains to you that this voice recognition feature in your TV will record what you speak around the TV, so please be aware that if your spoken words include personal or sensitive information it will be recorded by your television – in your living room. Or if you’re playing a game of football with your X-Box and you happen to swear when the computer scores against you, it will actually record you swearing in your living room and will give you warnings because you swear in your living room. This is sort of like having the creepy uncles in our gaming consoles and inside our television sets. We ARE living an aquarium life.
Or a great thing that happened with the new iPhone, which now has this health app which tracks your health. And one user noticed that it was tracking his steps, so he asked a question online, like, “Okay it’s counting my steps, I actually never enabled this, how do I stop my phone from counting my steps?” And the answer was that actually, it’s been counting your steps already from iPhone 4s – it just never showed it to you before. And obviously if it hasn’t been a problem for you before, how come it’s a problem now? And there’s no way to disable it.
And there are people who will tell you that there’s nothing you could do about these things. There’s nothing that could be done, so you shouldn’t even try to do anything at all. And I don’t believe in that. I believe that when we see things going wrong, we should stop; and even though we might think that this will get us into trouble, we should act.
I hope we have the strength and guts to act. I hope I have the strength and guts to act. I hope you have the strength and the guts to act when things go wrong. I hope you have the strength and guts to think “This will get me into trouble,” but when needed I hope you are the one who will stop the band and grab the microphone. Thank you very much.
~ Mikko Hypponen, TEDx Brussells, December 2014