Written by Hopeton Smalling
I received a link to a video that Professor AVI Rubin presented a year ago on the subject of device security. This professor explained how hackers could compromise medical devices, cars, phones, and P25 transmitters. He then shared a presentation that was the equivalent of a horror film about everyday technology. Specifically, he showed how devices such as a defibrillator could be reversed engineered and hacked. To demonstrate the medical device hack they placed this medical device into a piece of meat, (what a way to sound the alarm, huh?) and then disrupted its operation. He continued and showed the same attack process for cars, phones and police scanners model P25. However, I believe that these examples have the same syllogistic error.
Explaining some of this error is the central point of my post. My criticism will examine the strength of examples presented by Professor Rubin. To begin, I find his first error is in his title, “all devices can be hacked”. This use of assumption using universal statements can be found throughout this presentation. This error can be described as a existential fallacy. This is the form of a categorical syllogism with two universal or absolute premises with a particular conclusion.The errors presented in many of his examples can be found when the exploited vulnerabilities of these devices need not be instantiated.
The first cellphone exploit that he presented utilized the reflection of someone using a cellphone. This exploit relied on several specific events to successfully exploit someones data.These events include the following:
1. The user wearing reflective sun glasses
2. The user entering a password
3. The user remaining still while a camera captured all of this data
The fallacy is that this risk may never exist if these events don’t occur in this specified order. If the exploit relied upon reflection then, it would need perfect lighting conditions also. Many users set their phones to be password free and further variation can occur with non numeric log in screens. I argue that any of these events may never occur. Further, if they did occur and someone’s password was captured, they would still need to access (wireless/wired) the target phone to use it.
The second example was that medical devices can be hacked and controlled by wireless access. The shock value of this argument was the use of meat and statement that this device could be deactivated. The error of this argument is that this recreated exploit doesn’t present a concern because our medical data is protected by HIPPA. Since 1996, federal law prohibits anyone form gaining our confidential information. I argue that if someone can gain this information with evil intent, they’re too close and wouldn’t need to hack a medical device to cause harm.
My final example of the error of his argument is the exploit using the accelerometer. (A accelerometer allows smart phones to detect motion.) This exploit relied on several specific vulnerabilities to successfully exploit someones data.
1. An iPhone being left in proximity of someones keyboard.
2. Someone typing on a keyboard.
3. Being able to retrieve this iPhone and capture the data.
The main error of this example is that it assumed that a traditional keyboard would be used. The facts are that desktop sales are declining each year and may not be the primary computer used by someone typing. Further, other devices such as tablets and web conferencing don’t rely on keystrokes of sensitive data. (Just ask SIRI) Consider the likelihood of someone ignoring an iPhone on a desk and typing confidential information next to it. Unless it were cloaked, wouldn’t the average person return it to lost and found? (I’ve been told that not returning an iPhone could be considered petty larceny, but this is besides the point.)
Bottom line is that all devices may have vulnerabilities but its unrealistic to be a victim of hacking with the scenarios presented by Dr. Rubin. Don’t be foolish there are real dangers today from potential hacking attacks on everyday devices. However, personally I’m not scared by the broad lose argument presented here. One way to protect yourself from the average exploit is to be vigilant about physical security. Protect your passwords, be aware of your surroundings and lock up all your devices and software from the untrusted. Just because someone is your “friend” on Facebook doesn’t mean they should have the keys to your car. Use wisdom with technology and protect yourself from cyber terrorism in 2013.
Please contact me with any questions at firstname.lastname@example.org, and leave a comment.