Cybersecurity was the virtual elephant in the showroom at this month's Consumer Electronics Show in Las Vegas. Attendees of the annual tech trade show, organized by the Consumer Technology Association, relished the opportunity to experience a future filled with delivery drones, autonomous vehicles, virtual and augmented reality and a plethora of "Internet of things" devices, including fridges, wearables, televisions, routers, speakers, washing machines and even robot home assistants. Given the proliferation of connected devices--already, there are estimated to be at least 6.4 billion--there remains the critical question of how to ensure their security. The cybersecurity challenge posed by the internet of things is unique. The scale of connected devices magnifies the consequences of insecurity.
The energy and utility industry represents an attractive target for cyberattacks. As part of the U.S. critical infrastructure, energy and utility companies face threats not only from cybercriminals but also from foreign nation-states. And the problem is only getting worse. Indeed, in mid-March, the Department of Homeland Security reported that it, along with the FBI, had determined that "Russian government cyber actors" had launched "a multi-stage intrusion campaign" that targeted the networks of small commercial facilities in the energy and other critical infrastructure sectors. Attacks against industrial control systems are on the rise and present a significant risk to energy and utility companies.
Peggy Smedley: So, Richard, lots to talk about today. Let's start, if you could, give me your thoughts on the state of cybersecurity today because when I think about it, it's rapidly changing and we've just seen some really interesting things with what's going on with government issuing some big fines for failure to protect citizens.
Richard Forno: Well, I get asked that question a lot, and my response to begin with is kind of snarky, but pretty accurate, and that is, WE ARE SCREWED. We have all sorts of wonderful things that technology provides us on the internet and social media and mobile devices, wonderful things, but there are so many risks that are associated with it that a bad guy, whether they're a criminal or a hacker or a foreign country, can take advantage of to cause mischief. So, it's a never-ending struggle between people in society embracing this awesome new tech and balancing the risks that go along with it. So, it's job security for the cybersecurity field, absolutely, but it's also a reality that we all have to deal with on a daily basis.
Smedley: So when you look at that, using the expression, "We're all screwed," as you just said, is it the right thing to think about because we all want to be connected 24/7? That's the way we want it.
Calling a product "smart" and "unhackable" does not magically make it so, as two of the largest vendors of car alarms in the world have now found out. Viper -- known as Clifford in the United Kingdom -- and Pandora Car Alarm System, which cater for at least three million customers between them, recently became the topic of interest to researchers from Pen Test Partners. On Friday, the cybersecurity researchers published their findings into the true security posture of these so-called smart alarms and found them falling woefully short of the vendors' claims. Not only could compromising the smart alarms result in the vehicle type and owner's details being stolen, but the car could be unlocked, the alarm disabled, the vehicle tracked, microphones compromised, and the immobilizer hijacked. In some cases, cyberattacks could also result in the car engine being killed during use, which in a real-world scenario could result in serious injury or death. Such bold assertions will only entice cybersecurity experts to prove you wrong. What makes the situation even worse is how easy it was for Pen Test Partners to refute these lofty statements. The discovery of simple, relatively straightforward vulnerabilities in the products' API, known as insecure direct object references (IDORs), permitted the researchers to tamper with vehicle parameters, reset user credentials, hijack accounts, and more. In Viper's case, a third-party company called CalAmp provides the back-end system. A security flaw in the 'modify user' API parameter leads to improper validation, which in turn permits attackers to compromise user accounts. The research team found that the same bug could be used to compromise the vehicle's engine system. "Promotional videos from Pandora indicate this is possible too, though it doesn't appear to be working on our car," Pen Test Partners said. "The intention is to halt a stolen vehicle.
This paper describes design criteria for creating highly embedded, interactive spaces that we call Intelligent Environments (IEs). The motivation for building IEs is to bring computation into the real, physical world. The goal is to allow computers to participate in activities that have never previously involved computation and to allow people to interact with computational systems the way they would with other people: via gesture, voice, movement, and context. We describe an existing prototype space, known as the Intelligent Room, which is a research platform for exploring the design of intelligent environments. The Intelligent Room was created to experiment with different forms of natural, multimodal human-computer interaction (HCI) during what is traditionally considered noncomputational activity. It is equipped with numerous computer vision, speech and gesture recognition systems that connect it to what its inhabitants are doing and saying. Our primary concern here is how IEs should be designed and created. Intelligent environments, like traditional multimodal user interfaces, are integrations of methods and systems from a wide array of subdisciplines in the
This material is based upon work supported by the Advanced Research Projects Agency of the Department of Defense under contract number F30602-94-C-0204, monitored through Rome Laboratory and Griffiss Air Force Base. Additional support was provided by the Mitsubishi Electronic Research Laboratories.