物聯(lián)網(wǎng)：黑客正在看著你

When George Orwell envisioned the “telescreen” — the TV that keeps constant tabs on its viewers — in 1984, he predicted that governments would use technology to cross the threshold into our private lives.

當(dāng)喬治•奧威爾(George Orwell)在《1984》里構(gòu)想“電幕”(telescreen)——對(duì)觀眾進(jìn)行持續(xù)監(jiān)視的一種雙向電視——時(shí)，他預(yù)言政府會(huì)使用技術(shù)手段闖入我們的私人生活。

Confidential documents published by WikiLeaks this week purport to show that the Central Intelligence Agency created its own 21st century telescreen by hacking into smart TVs. You may be watching YouTube or Netflix, not forced military propaganda, but spies are still able to listen into your living room. Developers used vulnerabilities in Samsung TVs to ensure the products would capture conversations even when they appeared to be switched off.

維基解密(WikiLeaks)近期公布的機(jī)密文件意在表明，美國(guó)中情局(CIA)通過(guò)入侵智能電視，創(chuàng)造了自己的21世紀(jì)電幕。你可能正在觀看YouTube或Netflix——而不是強(qiáng)迫性觀看的軍事宣傳片——但間諜仍能對(duì)你的客廳進(jìn)行監(jiān)聽。開發(fā)人員利用三星(Samsung)電視的漏洞，讓電視即使在關(guān)機(jī)狀態(tài)也能捕獲談話。

In what WikiLeaks describes as the first instalment of the “largest intelligence publication in history”, the CIA appears eager to exploit the new spying opportunities created by the internet of things — everyday objects that are connected to the web. Market research group Gartner forecasts there will be more than 20bn appliances, TVs and other devices connected to the internet by 2020.

維基解密稱此次公布的機(jī)密文件僅是“史上最大規(guī)模情報(bào)公開”的第一部分。從這些文件來(lái)看，中情局似乎急于利用物聯(lián)網(wǎng)——將日常設(shè)備連接到網(wǎng)絡(luò)——開發(fā)新的監(jiān)視手段。市場(chǎng)研究集團(tuán)高德納(Gartner)預(yù)測(cè)，至2020年，將有逾200億臺(tái)家電、電視機(jī)及其他設(shè)備連接到互聯(lián)網(wǎng)。

The CIA’s engineering development group had a “to do” list for the smart TV that included the ability to record video and break into its browser and apps. Other documents seemed to show it had explored infecting vehicle control systems used by connected cars.

中情局的工程開發(fā)團(tuán)隊(duì)有一個(gè)智能電視“待辦清單”，其中包括錄像功能，以及入侵其瀏覽器和應(yīng)用程序。其他文件似乎表明中情局已試圖入侵聯(lián)網(wǎng)汽車的車輛控制系統(tǒng)。

“This is the most troubling WikiLeaks ever. We’ve learned the CIA has all the tools to spy on American citizens,” said John McAfee, the antivirus pioneer who is now chief executive officer of MGT Capital Investments. “And now it is in the hands of some unknown hacker organisation or nation state.”

殺毒軟件McAfee創(chuàng)始人、現(xiàn)MGT Capital Investments首席執(zhí)行官約翰•麥卡菲(John McAfee)表示：“這是迄今最令人不安的一次維基解密。我們了解到中情局有各種工具來(lái)監(jiān)視美國(guó)公民。而現(xiàn)在這些工具掌握在一些未知的黑客組織或國(guó)家手中。”

The CIA has refused to comment on the veracity of the documents. Samsung says it makes security a top priority and is looking into the matter.

中情局對(duì)這些文件的真實(shí)性不予置評(píng)。三星表示公司將安全問(wèn)題置于最高優(yōu)先，目前正在研究此事。

The basic vulnerabilities inherent in the internet of things — one of the biggest concepts being pursued in the technology industry — have been known for some time. Samsung even warned customers in 2015 that “if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of voice recognition”.

物聯(lián)網(wǎng)是科技產(chǎn)業(yè)追求的最大概念之一，人們對(duì)其基本的固有漏洞早已了解。三星甚至在2015年警告用戶“如果你說(shuō)的話包含個(gè)人或其他敏感信息，該信息將與其他數(shù)據(jù)被你所使用的語(yǔ)音識(shí)別捕捉，并傳輸給第三方。”

Cyber security researchers have highlighted holes in everything from cars to cameras, robots to refrigerators. It was revealed last month that children’s conversations with WiFi-enabled teddy bears from one toymaker had been leaked online.

網(wǎng)絡(luò)安全研究人員強(qiáng)調(diào)從汽車到照相機(jī)、機(jī)器人到電冰箱等一切設(shè)備都存在安全漏洞。上個(gè)月有消息披露，一家玩具制造商生產(chǎn)的可WiFi聯(lián)網(wǎng)泰迪熊與兒童的對(duì)話被泄露到互聯(lián)網(wǎng)上。

Law enforcement has become interested in using audio collected by devices such as Alexa, Amazon’s voice-controlled personal assistant. A prosecutor in an Arkansas murder case has requested the data from Alexa. Amazon resisted the request until the suspect said the recordings could be handed over.

執(zhí)法部門已對(duì)利用亞馬遜(Amazon)聲控個(gè)人助理Alexa等設(shè)備收集的音頻產(chǎn)生興趣。一名檢察官在處理阿肯色州一樁謀殺案時(shí)要求獲得Alexa數(shù)據(jù)。亞馬遜拒絕了這一要求，直到嫌疑人說(shuō)可以移交錄音。

Cyber criminals are also targeting the internet of things, infecting systems with malicious software that demands a ransom, usually to be paid to an anonymous account in bitcoin. Hackers repeatedly struck a hotel in the Austrian Alps last year by attacking the electronic key card system. The hoteliers are returning to old-fashioned locks after being forced to pay €1,500 to allow guests back into their rooms. Last Christmas, one family in the US had their smart TV taken over by ransomware, disabling it for four days.

網(wǎng)絡(luò)犯罪也開始瞄準(zhǔn)物聯(lián)網(wǎng)，犯罪分子用惡意勒索軟件入侵系統(tǒng)，通常要求用比特幣支付給匿名賬戶。奧地利阿爾卑斯山一家酒店去年遭到黑客多次攻擊其電子鑰匙卡系統(tǒng)，酒店經(jīng)營(yíng)者被迫支付1500歐元后，客人才得以回到他們的房間，隨后酒店經(jīng)營(yíng)者換回了老式門鎖。去年圣誕節(jié)，一個(gè)美國(guó)家庭的智能電視被勒索軟件控制，電視被禁用了四天。

Vulnerabilities in connected devices risk destabilising the entire web. A malicious network known as a botnet built from tens of millions of internet-connected cameras and DVR players was last year harnessed to attack Dyn, a domain-name services provider used by websites from the New York Times to Twitter. Millions in the US were unable to access services including Spotify and Airbnb as Dyn struggled to resist the distributed denial-of-service attack.

聯(lián)網(wǎng)設(shè)備的漏洞可能危及整個(gè)網(wǎng)絡(luò)的穩(wěn)定。去年，一個(gè)由數(shù)千萬(wàn)臺(tái)聯(lián)網(wǎng)攝像機(jī)和數(shù)字錄像機(jī)組成的被稱為僵尸網(wǎng)絡(luò)(botnet)的惡意網(wǎng)絡(luò)，被用來(lái)攻擊紐約時(shí)報(bào)(New York Times)、Twitter等網(wǎng)站所使用的域名服務(wù)提供商Dyn。在Dyn努力對(duì)抗分布式拒絕服務(wù)攻擊時(shí)，美國(guó)有數(shù)百萬(wàn)人無(wú)法訪問(wèn)Spotify和Airbnb等網(wǎng)站服務(wù)。

Cesar Cerrudo, chief technology officer at cyber security company IOActive, says hackers from the CIA to less sophisticated cyber criminals will invest more in finding vulnerabilities in the internet of things.

網(wǎng)絡(luò)安全公司IOActive的首席技術(shù)官塞薩爾•塞魯多(Cesar Cerrudo)表示，從技術(shù)精湛的中情局黑客到?jīng)]那么厲害的網(wǎng)絡(luò)犯罪分子，都將投入更多精力去尋找物聯(lián)網(wǎng)的漏洞。

“We are getting extremely dependent on technology. We need to start understanding that cyber security is important,” he says. “We suffer the consequences, are attacked, hacked, lose information. And it has a big impact on our daily lives.”

他說(shuō)：“我們正變得極端依賴科技。我們需要開始懂得網(wǎng)絡(luò)安全的重要性。我們會(huì)承受種種后果，包括遭到攻擊、被黑客入侵、失去信息。而這對(duì)我們的日常生活影響很大。”

The enthusiasm to connect everything to the internet shows no sign of letting up: there is a kettle that messages instead of whistling, a rice cooker controlled by smartphone and shoe insoles connected to a map app that vibrate to push you toward your destination.

將一切都連接到互聯(lián)網(wǎng)的熱情尚未表現(xiàn)出減弱的跡象，現(xiàn)在已經(jīng)有了不再鳴哨、改發(fā)信息的開水壺;有了智能手機(jī)控制的電飯煲;還有連接地圖應(yīng)用的鞋墊，通過(guò)振動(dòng)將你推向你的目的地。

But cyber security has been sidelined in the rush. Security defences are often decades out of date — if they exist at all. Many lack passwords, or have a default password that cannot be changed. The signals that devices send to connect with a server are often barely encrypted.

但網(wǎng)絡(luò)安全在這波熱潮中遭到忽視。安全防御往往落伍幾十年——如果還有安全防御的話。許多聯(lián)網(wǎng)設(shè)備沒(méi)有密碼，或只有一個(gè)不能更改的默認(rèn)密碼。設(shè)備發(fā)送給服務(wù)器的連接信號(hào)通常沒(méi)有加密。

Mikko Hypponen, chief research officer of Finnish cyber security company F-Secure, says the attackers who created the botnet to target Dyn only tried 35 passwords before hitting on the right one. The lax security within the internet of things is repeating “the same mistakes we already fixed 20 years ago”, he warns. “It is a clear and present danger to the internet.”

芬蘭網(wǎng)絡(luò)安全公司F-Secure首席研究官米科•許波寧(Mikko Hypponen)表示，創(chuàng)建僵尸網(wǎng)絡(luò)攻擊Dyn的黑客只試了35個(gè)密碼，就碰到了對(duì)的。他警告說(shuō)，物聯(lián)網(wǎng)內(nèi)安防的松懈正在重復(fù)“我們20年前已確定的錯(cuò)誤。這是互聯(lián)網(wǎng)當(dāng)前一個(gè)顯而易見的危險(xiǎn)。”

The most vulnerable products are produced by companies that specialise in making toasters or blood sugar monitors, not in software or security. The budding industry is fragmented, regulation has not kept pace and consumers either do not care or struggle to judge how secure a product is.

最容易被攻擊的產(chǎn)品出自那些專門制造烤面包機(jī)或血糖儀的公司，而不是軟件或安全公司。這一新興產(chǎn)業(yè)還呈碎片化，監(jiān)管尚未跟上，消費(fèi)者或壓根不在乎，或難以判斷產(chǎn)品的安全性。

Eric Ahlm, research director at Gartner specialising in security, says the these manufacturers have no incentive to spend time or money on security.

高德納安全問(wèn)題研究主管埃里克•阿爾姆(Eric Ahlm)表示，這些制造商缺乏在安全方面投入時(shí)間或金錢的激勵(lì)。

“It is more of a question of economics than security,” he says. “A consumer buying a smart TV is probably going to buy the one with equivalent features at a lower price. It is almost a penalty for manufacturers of these smart consumer devices to go the extra mile.”

他說(shuō)：“這更多是一個(gè)經(jīng)濟(jì)學(xué)問(wèn)題，而不是安全問(wèn)題。消費(fèi)者購(gòu)買智能電視時(shí)，多半會(huì)選擇功能相同，但價(jià)格更低的商品。對(duì)智能消費(fèi)設(shè)備制造商來(lái)說(shuō)，付出額外的精力幾乎無(wú)異于掏一筆罰金。”

Even if consumers wanted to, they could not buy additional protections because the devices are powered by tiny computers that security software makers cannot access, like those in fitness wristbands or vacuum cleaners.

即使消費(fèi)者有這方面想法，他們也無(wú)法購(gòu)買額外保護(hù)，因?yàn)檫@些設(shè)備由微型計(jì)算機(jī)驅(qū)動(dòng)，而安全軟件制造商無(wú)法訪問(wèn)，如健身手環(huán)或真空吸塵器里的微型計(jì)算機(jī)。

“You can’t put antivirus software on your Fitbit or Roomba,” Mr Ahlm says.

阿爾姆說(shuō)：“你不能給你的Fitbit或Roomba裝殺毒軟件。”

Pedro Abreu is chief strategy officer of ForeScout, which helps businesses keep devices separate from their main corporate network. The idea is to prevent attacks like the data breach at US retailer Target in 2013, when hackers accessed the system through the air conditioning provider. He says it is a “myth” that manufacturers will be able to solve the security problem.

ForeScout負(fù)責(zé)幫助企業(yè)將設(shè)備與公司主網(wǎng)分離，其想法是防止企業(yè)遭受2013年美國(guó)零售商塔吉特(Target)數(shù)據(jù)泄露那樣的攻擊，當(dāng)時(shí)黑客通過(guò)空調(diào)提供商侵入塔吉特的系統(tǒng)。ForeScout首席戰(zhàn)略官佩德羅•阿布雷烏(Pedro Abreu)表示，制造商如果能解決安全問(wèn)題，將是一個(gè)“神話”。

But there is a large industry built around protecting smartphones and PCs, which are made by more sophisticated companies than those creating devices for the internet of things, Mr Abreu says. “Even those with the best profit margins cannot secure their devices; imagine the guy building the device in the garage next door from parts built in China,” he says. “But that should not prevent us from demanding manufacturers have better standards.”

阿布雷烏表示，但是圍繞智能手機(jī)和電腦的保護(hù)已經(jīng)建立起了一個(gè)龐大的產(chǎn)業(yè)。智能手機(jī)和電腦制造商的技術(shù)，比聯(lián)網(wǎng)設(shè)備制造商的技術(shù)先進(jìn)。他說(shuō)：“就連那些最賺錢的公司都保證不了他們的設(shè)備安全;想象一個(gè)人在隔壁的車庫(kù)里用中國(guó)制造的零件打造設(shè)備。但這不應(yīng)阻止我們要求制造商遵循更高標(biāo)準(zhǔn)。”

But a push to tackle serious flaws in device security has begun. Vizio, a manufacturer of smart TVs, paid $2.2m last month in a settlement with the US Federal Trade Commission and the New Jersey attorney-general after it was caught collecting viewer data and selling the information to advertisers without their permission. Terrell McSweeny, FTC commissioner, says she supports comprehensive data security legislation that would allow a “regulatory approach” for the whole sector.

但解決設(shè)備安全嚴(yán)重缺陷的行動(dòng)已經(jīng)開始。智能電視制造商Vizio上個(gè)月支付了220萬(wàn)美元，與美國(guó)聯(lián)邦貿(mào)易委員會(huì)(Federal Trade Commission)和新澤西州總檢察長(zhǎng)達(dá)成和解協(xié)議。此前該公司被抓住在未經(jīng)觀眾許可的情況下，收集他們的數(shù)據(jù)并將信息賣給廣告客戶。聯(lián)邦貿(mào)易委員會(huì)委員特雷爾•麥克斯威尼(Terrell McSweeny)表示她支持就數(shù)據(jù)安全進(jìn)行全面立法，從而可以對(duì)整個(gè)行業(yè)采取“監(jiān)管模式”。

The FTC has been putting more resources into prosecuting connected device makers and improving its in-house tech capabilities. It is also working on international co-operation for privacy enforcement as devices are often exported from other countries, and looking at whether manufacturers have an obligation to still secure a device once they have stopped making it.

美國(guó)聯(lián)邦貿(mào)易委員會(huì)已投入更多資源去起訴聯(lián)網(wǎng)設(shè)備制造商，并提高自身技術(shù)能力。該委員會(huì)還在推動(dòng)國(guó)際聯(lián)合隱私執(zhí)法——因?yàn)檫@些設(shè)備常常從外國(guó)進(jìn)口——同時(shí)還在考慮制造商是否有義務(wù)在停產(chǎn)后依然維護(hù)設(shè)備安全。

US regulators are also taking an interest: the National Highway Traffic Safety Administration has created best practices for the car industry, and the Food and Drug Administration has issued guidelines for making medical devices secure. Other organisations are playing a role. The Mayo Clinic, a non-profit medical group, has written specific security measures into its contracts with medical device makers.

美國(guó)監(jiān)管機(jī)構(gòu)也對(duì)此產(chǎn)生興趣，國(guó)家公路交通安全管理局(National Highway Traffic Safety Administration)已為汽車行業(yè)規(guī)定最佳實(shí)踐，食品藥品監(jiān)督管理局(FDA)也發(fā)布了醫(yī)療設(shè)備安全指引。其他機(jī)構(gòu)也發(fā)揮了作用。非營(yíng)利醫(yī)療組織梅奧診所(Mayo Clinic)已將具體安全措施寫進(jìn)與醫(yī)療設(shè)備制造商的合同里。

The European Commission is pushing for a system of certification for devices and has set up a group called the Alliance for Internet of Things Innovation. In the US, the President’s Commission on enhancing cyber security, which reported in December 2016, said consumers should be informed about the security capabilities of devices.

歐盟委員會(huì)(European Commission)正在推動(dòng)設(shè)備認(rèn)證體系，并成立了一個(gè)名為“物聯(lián)網(wǎng)創(chuàng)新聯(lián)盟”(Alliance for Internet of Things Innovation)的組織。直屬美國(guó)總統(tǒng)的國(guó)家網(wǎng)絡(luò)安全促進(jìn)委員會(huì)去年12月發(fā)布報(bào)告表示，消費(fèi)者應(yīng)被告知設(shè)備的安全功能。

Beau Woods, deputy director of the cyber statecraft initiative at the Atlantic Council, says he hopes the commission’s work will lead to products coming with security labels or information sheets, which will in turn deter retailers from selling vulnerable goods.

美國(guó)大西洋理事會(huì)(Atlantic Council)網(wǎng)絡(luò)問(wèn)題國(guó)策倡議副主任博•伍茲(Beau Woods)表示，他希望該委員會(huì)的工作將讓產(chǎn)品附上安全標(biāo)簽或信息表，從而阻止零售商銷售存在安全漏洞的商品。

Consumers may be able to better protect themselves from everyday hackers demanding ransoms, but the manufacturers of internet-connected devices may never outrun the CIA.

消費(fèi)者或許還能加強(qiáng)對(duì)自身的保護(hù)，免遭黑客日常索要贖金，但聯(lián)網(wǎng)設(shè)備的制造商可能永遠(yuǎn)都躲不開中情局。

“My advice for people concerned is update everything and unplug things when they are not in use, if you don’t want them to have a surveillance capacity,” Mr Woods says.

伍茲說(shuō)：“我對(duì)聯(lián)網(wǎng)設(shè)備用戶的建議是，更新一切設(shè)備，不用設(shè)備時(shí)要拔掉插頭，如果你不希望它們有監(jiān)視能力的話。”