In particular Doctorow looks at examples such as Dieselgate in which the manufacturer wants to lie to the world about what the Thing does:
All these forms of cheating treat the owner of the device as an enemy of the company that made or sold it, to be thwarted, tricked, or forced into conducting their affairs in the best interest of the company’s shareholders. To do this, they run programs and processes that attempt to hide themselves and their nature from their owners, and proxies for their owners (like reviewers and researchers).Doctorow's piece provides many examples, but a week later he provides another, seemingly benign example. Tesla provided some of their cars with an over-the-air temporary range upgrade to help their owners escape hurricane Irma. They could do this because:
Increasingly, cheating devices behave differently depending on who is looking at them. When they believe themselves to be under close scrutiny, their behavior reverts to a more respectable, less egregious standard.
Tesla sells both 60kWh and 75kWh versions of its Model S and Model X cars; but these cars have identical batteries -- the 60kWh version runs software that simply misreports the capacity of the battery to the charging apparatus and the car's owner.And it would be a crime to upgrade yourself to use the battery you bought:
[Tesla] has to rely on the Computer Fraud and Abuse Act (1986), which felonizes violating terms of service. It has to rely on Section 1201 of the DMCA, which provides prison sentences of 5 years for first offenders who bypass locks on the devices they own.It is easy to see that the capability Tesla used could be used for other things:
The implications of this are grim. A repo depot could brick your car over the air (and it would be a felony to write code to unbrick it). Worse, hackers who can successfully impersonate Tesla, Inc. to your car will have the run of the device: it is designed to allow remote parties to override the person behind the wheel, and contains active countermeasures to prevent you from reasserting control.Doctorow concludes:
The software in gadgets makes it very tempting indeed to fill them with pernicious demons, but these laws criminalize trying to exorcise those demons.Just go read both of his pieces.
There’s some movement on this. A suit brought by the ACLU attempts to carve some legal exemptions for researchers out of the Computer Fraud and Abuse Act. Another suit brought by the Electronic Frontier Foundation seeks to invalidate Section 1201 of the Digital Millennium Copyright Act.
Getting rid of these laws is the first step towards restoring the order in which things you own treat you as their master, but it’s just the start. There must be anti-trust enforcement with the death penalty – corporate dissolution – for companies that are caught cheating. When the risk of getting caught is low, then increasing penalties are the best hedge against bad action. The alternative is toasters that won’t accept third-party bread and dishwashers that won’t wash unauthorized dishes.
Today's example of the demons in the Things is HP's surreptitious re-deployment of their lock-in that ensures their printers won't use non-HP cartridges.
There's a flaw in Amazon Key that's common to many WiFi-connected Things in the Internet:
"if you flood the camera off the wireless network with deauthorization packets – and an attacker doesn't need to know your Wi-Fi password to do this – it effectively freezes the equipment and prevents the door from being locked."
So Amazon's delivery driver can get back into the house unseen and steal stuff without being seen on video.
What could possibly go wrong?:
"One of Amazon's top-selling electronic gun safes contains a critical vulnerability that allows it to be opened by virtually anyone, even when they don't know the password."
"[Nicole] Eagan gave one memorable anecdote about a case Darktrace worked on in which a casino was hacked via a thermometer in an aquarium in the lobby.
"The attackers used that to get a foothold in the network," she said. "They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud."
From Oscar Williams-Grut at Business Insider.
Post a Comment