Beautiful. Unethical. Dangerous.
That’s how Lucius Fox described Batman’s hacking wizardry in part two of Christopher Nolan’s Batman trilogy, The Dark Knight.
In the film, the caped crusader took Fox’s single-cellphone sonar concept and used it to light up every microphone on every mobile phone in Gotham, creating a real-time sonar soundscape, all to find one bad guy, the Joker, among millions of innocents.
It was beautiful for its audacity and creativity and also deeply troubling. The technology so disturbed Fox that he quit.
The dream of hackers might be a Dark Knight-style listening technology powered by all our our devices.
In real life, it isn’t just the good guys who are looking to use every available digital device to find the unfindable.
When I read through portions of WikiLeaks’ Vault 7 data dump, a treasure trove of alleged CIA-supported hacking activity, what struck me was not that the CIA is building and hoarding zero-day hacking tools, but the array of targets and how the dream of hackers (inside and outside the CIA) might be a Dark Knight-style listening technology powered by all our our devices.
Forget quaint notions of a basement-dwelling hacker wondering if he can break into the latest version of Windows (he probably still can) or even someone hoping to drop a malware-filled app on your Android. The hacker’s canvas is now as vast as our digital lives. The CIA (or the contractors they hired) are looking at everything, including specific tools to hack:
The last category is encompasses so many devices that it no longer bears categorization.
In the documents, here’s how the CIA (or the hacker contractors) defines Internet of Things:
Technical: A single-purpose device that has a firmware running a software operating system.
Non-technical: A computer serving a singular function that doesn’t have a screen or keyboard.
Really non-technical: “The Things in the Internet of Things”
IoT can include almost any piece of technology in your house: you thermostat, refrigerator, washer/dryer, front door lock and even light bulbs. If it has a chip, an operating system, power and is connected to the internet, it fits the profile.
Earlier this year, LG promised to make all its appliances Wi-Fi-enabled and cloud-connected. What a hacker hears is “more attack vectors.”
I get the concern about the CIA potentially building all these tools, but the assumption should not be that they are building them to spy on us (most of us are just not that interesting). As a spy agency, CIA’s job is to spy on those outside the U.S. Its goal is to protect (and further) U.S. interests.
As a spy agency, CIA’s job is to spy on those outside the U.S. Its goal is to protect (and further) U.S. interests.
It’s safe to assume that their work in this case is a reverse mirror image of the work hackers around the world are currently engaged in, all hoping to somehow steal information from the U.S. government and its citizens.
Today’s level of device intelligence and connectivity has, obviously, transformed out lives for good. Technology is the 21st century’s greatest tool. But that tool is a double-edged sword, swiftly cutting through the distance that separates us and the fog of too little or too much information to find answers that matter. The other side? It can cut like a knife, in an instant.
It’s clear from the Vault 7 documents that both parties see the same buffet of opportunity arrayed around them: So many products with chips. So many connected to the Internet. So many with built-in cameras and microphones.
In virtually every spy movie and TV show produced in the last 40 years, the very first thing a spy does to surviel her target is place a “bug” or microphone somewhere on the person or in their home or office. That’s totally unnecessary now. The CIA hackers, thinking as spies do, looked for the path of least resistance:
“Oh, there’s a microphone in Samsung TVs? How do we access that?”
Granted, the CIA didn’t get very far. They found an awesome firmware vulnerability that would make the TV look like it was off when it was still on, engaging the microphone at the same time, relaying audio back to home base. Still, the vulnerability was limited: Even though these TVs are, like everything else, connected to the Internet and have their own IP address, the only way the CIA could find to infect the sets was through the built-in USB ports. In other words, hacking the TVs required physical access to the sets.
Even so, point made.
If the CIA contractors are doing their job, though, they must be thinking about all the other avenues. Amazon’s Echo has an excellent, built-in microphone array. It can hear you almost whisper “Alexa” from across the room. How’s the security on that?
Most new cars are now connected to the Internet. Imagine how enticing all that sounds to hackers.
Naturally, the hackers were also looking at our cars or, as they call them, “Vehicle Systems (e.g. VSEP).” They are, essentially, motorized computers. There are microphones so you can speak to your cars and intelligence (sensors, robotics, AI) that helps you avoid accidents — sometimes even drive the car for you. And most new cars are now connected to the Internet. Imagine how enticing all that sounds to hackers.
It’s not clear from this initial document dump if the CIA got very far with their car-hacking efforts, but that doesn’t mean they’re done trying.
Putting aside for a moment the concerns about why the CIA was doing this and even why they so poorly protected this sensitive information and didn’t share vulnerabilities they found with the companies whose products they affected (like Apple and Google), we face an uncomfortable truth.
The more connected and plugged in we are, the more attractive every aspect of our lives is to hackers.
The Dark Knight’s fanciful idea of lighting up millions of cellphone microphones to find a dangerous needle in a haystack starts to sound a lot more plausible when you realize how many IoT devices have microphones. Sure, they will pick up mostly useless noise, but if the tools are out there or at least being built by the good guys and the bad guys, it’s only a matter of time before hackers outside the U.S. look for ways to listen wherever they can to find intelligence and even basic personal information they can use to steal your identity. It’s not hard to imagine an ongoing terror threat that would make listening to every American somehow sound reasonable.
It’s an utterly terrifying idea and, as Lucius Fox succinctly reminded Batman, “This is wrong.”