Disclaimer: this article is meant to prevent the hostile use of technology by encouraging transparency and highlighting the major risks that await us during the coming years. I live on a planet where I don’t want to have nuclear weapons and especially not nuclear weapons that can be hacked^.
Computer viruses and hacking have been around since the dawn of the Internet. But while some time ago the platform was used almost exclusively by academics and the tech-savvy, the Internet is now quickly becoming one of the central technological pillars of our society. Particularly in developed countries, countless vital social systems are now connected to it, ranging from the run-of-the-mill residential heating system to critical infrastructure such as hospitals, public transport and even military.
In the same time, the skills and tools in the cyber-soldier’s arsenal have greatly increased in potency. Even more importantly, the interest and will to compromise connected systems has increased exponentially in the past decade. Some years ago, the Internet was home to mostly petty crime and the occasional larger security breach. Now-a-days, state actors such as the United States^, North Korea^, and pretty much all major powers and nation-states involved in military conflicts, train and make use of cyber-hacking squads.
Independent hackers (not aligned with any nation-state or political cause) and hacktivists^ (hackers with a presumably ethical agenda) have also evolved. They’ve become very well organized and armed, sometimes using digital weapons acquired from state agencies. One of the biggest vulnerabilities of cyber-weaponry is that it can be copied and distributed in a matter of seconds.
In 2017, the NSA was humiliatingly robbed^ by hackers. Immediately after, the agency’s arsenal was distributed and sold^ to organizations across the globe. Some major^ security incidents^ followed. I’m sure that what was made public so far only scratches the surface^ of the damage done. The increasing popularity of ransomware^ will lead to many more such attacks in the future^. After all, it appears like North Korea got itself quite a bit of money using WannaCry^.
Judging by the trend of the past decade, it sure looks like things will get worse before they get better. As more and more devices come online, the risks will only increase. The cyber-arsenal of the 2020s is beginning to look very scary, especially when considering the exponentially increasing number of targets. Combined with the way technology permeates our lives (and how much of our personal information is in the hands of companies that profit from selling data^), a country could find itself brought to its knees before a single shot was fired.
Throughout the past few years I’ve been compiling a list of cyber-attack methods ranging from the mundane to the most interesting and devious. Later in the article I’m going to present you with a few scenarios showing how these methods could be used against a nation-state. I do this in the hope that governments will take the necessary steps to protect their citizens (and, in fact, the entire world) from what I consider to be the blitzkrieg of the 21st century.
Means of Cyberattack
This list is by no means exhaustive and I aim to regularly maintain it. It’s important to also keep in mind that none of the items on this list is particularly devastating by itself. The power of today’s cyber-attacker lies in mastering the art of combining several attacks to reach the desired result, something that will be covered in the second part of the article.
- Worms^ and viruses are the oldest means of cyberattack. Despite the popularity of antivirus programs, these old acquaintances of ours can still wreak havoc long before antivirus makers can issue the required countermeasures. The omnipresence of the Internet has allowed viruses and worms to maintain their feasibility.
- Spyware^ is commonly perceived as a tool employed by shady organizations in order to acquire user data (with the purpose of monetizing it). It’s much more dangerous than that. I’m unsure if espionage saved more lives than it destroyed, but through the use of spyware, people with little foresight (for example script kiddies^) can gain access to information that can destabilize a fragile geo-political and economic balance. What’s even more dangerous is that influential leaders can be blackmailed using data grabbed by spyware. And this sort of attack has been evolving as of late. Check this one about ultrasound tracking^.
- Exploits^ are another very old acquaintance in security circles. All software has bugs. Vulnerability scanners^ are a means of automatically and easily discovering ways to deliver attack payloads such as trojan horses^. It became much worse in the past few years because various technology companies started giving remote access “features” to their devices^ – in fact, these “features” have quickly turned into messy back-doors. I suspect governments have played quite a role in motivating device manufacturers to install these back-doors. Perhaps I can entrust a government to spy only for fighting crime, but unfortunately these same tools quickly get into the hands of the same category of people the government is presumably trying to reduce. However, I think that the privacy compromises made in the name of “fighting crime” are causing more damage than they prevent.
- Social engineering^ and phishing^ are newer additions to the cyber-arsenal. These means of obtaining private information and gaining access to restricted systems have become popular thanks to the Internet, and particularly when millions of less tech-savvy people started using it.
- And now onto more inventive means of attack. In 2017, students demonstrated that sonic attacks^ can be used to disrupt vehicle steering systems. This is just the tip of the iceberg though.
- As far back as 2016 (which is ages ago in technology), researchers have proven that a Skype call’s sound^ can be scraped to detect up to 41.89% of the keystrokes somebody presses during the call. The ratio goes up to 91.7% if there is knowledge about the keyboard model being used and the user’s typing behavior. With the advent of machine learning^, I’m quite sure that these numbers can be greatly improved. Given enough data, a program can recognize the model of the keyboard being used after analyzing the sound of a couple of sentences being typed, and then be able to map every sound to the appropriate key. When in doubt, the same program can employ a dictionary of common words and phrases to figure out the gaps.
- Hacking robots is quickly becoming a serious threat. One of the most famous cyberweapons ever employed was the Stuxnet^ worm, which was responsible back in 2009^ for damaging Iran’s nuclear program. Legal experts have actually concluded that, despite the worm’s “good intentions”, its use was illegal^. Despite my opposition to nuclear weapons, I find it hypocritical when one country forbids another to build them through dehumanizing excuses such as “you are irresponsible warmongers”.
- Continuing with robot hacking, we’re living in an age when more and more of the technology we use becomes “smart” (read: exploitable). Enter “smart” cars (read: hackable cars^). And this Internet of Things^ thing is gaining momentum despite all the warnings out there^. As internet pioneer Bruce Schneier recently pointed^ out, “it might be that the internet era of fun and games is over, because the internet is now dangerous.”
- Last but not least, here’s my absolute favorite cyber-attack. Hardware backdoors^! As the Wiki article points out, “China is the world’s largest manufacturer of hardware which gives it unequaled capabilities for hardware backdoors”. A well-hidden back-door^ may never be discovered until too late. This is one of the most effective and most expensive weapons in the cyber-arsenal; only nation-states or large corporations can afford deploying it. And I’m quite sure that almost all of our devices are ridden with such crafty points of entry.
So now that the little list of doom is more or less complete, let’s see what attack vectors combinations are likely to be used in a major confrontation where the target is a technologically-developed country. Here, the imagination’s the limit, so I’ll just give a few scary examples to make a point and leave the rest of the inventing to those that have more time (and money) for it.
- A country can be very easily thrown into chaos by a well-orchestrated cyberattack. Just suppress the invasion alert system^, shut down the power grid^, overload the communication networks^, mess with the self-driving traffic and other robots, disrupt stock markets and, of course, invade with conventional troops that have a better knowledge of the invaded country than the defending army does. Sounds difficult? Not for a nation-state that does its homework. There is so much personal data and so many vulnerabilities out there! A secret agency can work its way into the system by blackmailing the right people and ask them to do seemingly harmless favors at just the right time. Slowly but surely, foreign software is everywhere and plenty of vulnerabilities have been created and exploited.
- How about taking over an armed outpost with no casualties on the attacking side? It can be done by taking out all the guards, silently and quickly. It’s easy when the attacker knows their patrol routes^ by heart. The article I linked shows how a seemingly harmless app reveals such information because some soldiers use it to track their fitness. Hilarious and dangerous in the same time. Because of the hardware backdoors most likely present in our devices, it’s fairly safe to assume that at least some countries on Earth can probably activate GPS tracking on seemingly harmless mobile devices in case of war. Even if measures are taken to counteract this, we’re talking 21st century technology here: conventional weapons have evolved and, used in conjunction with various surprise elements, can win a war faster than nukes. This is because nukes simply destroy everything, whereas a well-orchestrated attack can result in hostages, hijacked equipment and most importantly, access to secure data systems.
- One of the most awful attacks I’ve ever read about was when an epileptic journalist was sent into a seizure^ after somebody sent him a strobing image using social media. This led to an arrest. It shows not just what our technology allows, but also how deviously inventive people can be. The attacks combined here are knowing something about somebody and then employing a means of delivery (social media) for sending a dangerous payload (an image causing an epileptic seizure).
- And we can’t forget meddling into politics. It’s already well-known that Russia interfered^ in the 2016 election over in the USA. And guess what: they still interfere in daily life there^. It’s already turning into a fashion, and probably other countries are taking notes and getting ready to follow suit. Now-a-days not a single shot needs to be fired to push a country over the brink. A clever use of cyber-weapons can give a nation-state a solid advantage in a trade or cultural war. Divide et impera.
- Some time ago, somebody deactivated Trump’s Twitter account^. Even though hopefully nobody would believe a nuclear war declaration from a Twitter account, such a security breach could be coupled with fake radar signals or other misleading information. A paranoid adversary might be quick to pull the trigger and in the aftermath, there won’t be many winners.
- As our technology evolves, so will our use of various robots. Self-driving cars, fully automated factories and countless jobs that will soon be given to robots. It’s not hard to imagine the amount of damage that can be done to a country’s infrastructure and population by a well-orchestrated cyberattack.
- Last but not least, let’s talk machine learning. As I pointed out before, AI is not really intelligent yet^. Many developed countries make use of machine learning for all sorts of things, such as super-fast trading on the stock market. As the years pass, we will see more systems being automated, but not able to discern right from wrong. And what will happen when such systems are hijacked? What would a terrorist do with an AI? This is a door that my imagination doesn’t want to open.
Security needs to be taken much more seriously. In 2017, a bunch of big names got together with the purpose of securing the Internet of Things^. At least once in a while, it’s good that corporations seem capable of actually cooperating. Or can they?
The website of the famed alliance looks deserted^; there are very few resources there and it seems like it hasn’t been updated since its launch in early 2017. Unfortunately, in the age of hyper-consumerism^, such a publicity stunt is probably enough to keep people thinking that these companies actually care about security (they don’t seem to). So, the majority keeps buying insecure devices that can eventually be used against them (and their countries).
Shortly after writing this article (12 days, to be precise), a new, fancier alliance between tech behemoths launched the Cybersecurity Tech Accord^ with great fanfare. Let’s wait and see if their website^ will still be around in about a year from now…
I believe the only way for society to protect itself from online threats is to:
- Use open source software exclusively and thoroughly verify it, line by line.
- Rely on open source hardware designs or come up with them itself (it’s not so difficult now-a-days – several countries already do this).
- Build all critical hardware in-house (local factories, local employees).
- Secure communication endpoints with encrypted routers using multiple layers and fallback endpoints, similar to TOR^ but with additional layers of redundancy (similar to two people having to turn the same key at the same time in order to launch a missile).
And last but certainly not least, we have… quantum cryptography^. This could be a savior but it remains to be seen if nation-states and corporations will ever allow its use by the general public. China has been making great strides^ when it comes to this technology. Yes, the same China that manufactures most of our electronics. I wonder why they’re so interested in secure communication…
2018-04-06 – 1.0 – Written.