When George Orwell imagined the “telescreen” in 1984, a two-way television that kept its viewers under constant surveillance, he predicted that governments would use technology to intrude into our private lives.
Confidential documents published by WikiLeaks this week purport to show that the Central Intelligence Agency created its own 21st century telescreen by hacking into smart TVs. You may be watching YouTube or Netflix rather than compulsory military propaganda, but spies are still able to listen in on your living room. The agency's developers used vulnerabilities in Samsung TVs to make the sets capture conversations even when they appeared to be switched off.
In what WikiLeaks describes as the first instalment of the “largest intelligence publication in history”, the CIA appears eager to exploit the new spying opportunities created by the internet of things — everyday objects that are connected to the web. Market research group Gartner forecasts there will be more than 20bn appliances, TVs and other devices connected to the internet by 2020.
The CIA’s engineering development group had a “to do” list for the smart TV that included the ability to record video and break into its browser and apps. Other documents seemed to show it had explored infecting vehicle control systems used by connected cars.
“This is the most troubling WikiLeaks ever. We’ve learned the CIA has all the tools to spy on American citizens,” said John McAfee, the antivirus pioneer who is now chief executive officer of MGT Capital Investments. “And now it is in the hands of some unknown hacker organisation or nation state.”
The CIA has refused to comment on the veracity of the documents. Samsung says it makes security a top priority and is looking into the matter.
The basic weaknesses inherent in the internet of things, one of the biggest concepts being pursued in the technology industry, have been known for some time. Samsung's own privacy policy for its smart TVs even warned customers in 2015 that “if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of voice recognition”.
Cyber security researchers have highlighted holes in everything from cars to cameras, robots to refrigerators. It was revealed last month that children’s conversations with WiFi-enabled teddy bears from one toymaker had been leaked online.
Law enforcement has become interested in using audio collected by devices such as Amazon's Echo speaker, which runs its voice-controlled assistant Alexa. A prosecutor in an Arkansas murder case requested the Alexa recordings from Amazon. Amazon resisted the request until the suspect agreed that the recordings could be handed over.
Cyber criminals are also targeting the internet of things, infecting systems with malicious software that demands a ransom, usually paid in bitcoin to a pseudonymous address. Hackers repeatedly struck a hotel in the Austrian Alps last year by attacking its electronic key card system. The hoteliers are returning to old-fashioned locks after being forced to pay €1,500 to allow guests back into their rooms. Last Christmas, one family in the US had their smart TV taken over by ransomware, which disabled it for four days.
Vulnerabilities in connected devices risk destabilising the entire web. A botnet, a network of compromised machines, built from internet-connected cameras and digital video recorders, known as Mirai, was last year harnessed to attack Dyn, a DNS provider used by websites from the New York Times to Twitter. Dyn initially spoke of tens of millions of IP addresses taking part; its later analysis put the number of attacking devices at up to 100,000. Millions in the US were unable to reach services including Spotify and Airbnb as Dyn struggled to absorb the distributed denial-of-service attack.
Cesar Cerrudo, chief technology officer at cyber security company IOActive, says hackers from the CIA to less sophisticated cyber criminals will invest more in finding vulnerabilities in the internet of things.
“We are getting extremely dependent on technology. We need to start understanding that cyber security is important,” he says. “We suffer the consequences, are attacked, hacked, lose information. And it has a big impact on our daily lives.”
The enthusiasm to connect everything to the internet shows no sign of letting up: there is a kettle that messages instead of whistling, a rice cooker controlled by smartphone and shoe insoles connected to a map app that vibrate to push you toward your destination.
But cyber security has been sidelined in the rush. Security defences are often decades out of date, if they exist at all. Many devices lack passwords, or ship with a default password that cannot be changed. The traffic a device sends to its server is often unencrypted or only weakly encrypted.
Mikko Hypponen, chief research officer of Finnish cyber security company F-Secure, says the attackers who created the botnet to target Dyn only tried 35 passwords before hitting on the right one. The lax security within the internet of things is repeating “the same mistakes we already fixed 20 years ago”, he warns. “It is a clear and present danger to the internet.”
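As an added example (not code from the article or from any company quoted in it), the following Python script turns the two observations above, unchangeable default passwords and attackers needing only a handful of guesses, into detection logic. It reads constructed, honeypot-style authentication log lines from an IoT gateway and flags logins that succeed with a known factory credential, single sources working through many credentials, and administration over cleartext protocols. The log format, device names and addresses are assumptions made up for the example; the credential list is a small subset of the factory credentials shipped in the published Mirai source.

```python
"""Detect Mirai-style default-credential abuse in IoT gateway auth logs.

Added example for this page; not code from the article or any vendor.
The log format below is a constructed, hypothetical honeypot-style format
that records the attempted credential (production devices should not log
passwords; IoT honeypots commonly do).
"""
import re
from collections import defaultdict

# Subset of the factory credentials shipped in the published Mirai source.
DEFAULT_CREDENTIALS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "123456"), ("root", "54321"),
    ("support", "support"), ("root", "root"), ("admin", "password"),
    ("user", "user"), ("admin", "1234"), ("ubnt", "ubnt"),
    ("service", "service"), ("guest", "guest"), ("root", ""),
}

# Management protocols that carry credentials without encryption.
CLEARTEXT_PORTS = {23: "telnet", 2323: "telnet-alt", 80: "http"}

# Hypothetical log line layout, e.g.
# 2017-03-08T02:14:00Z camera-01 auth: REJECT proto=telnet port=23 src=203.0.113.7 user="admin" pass="admin"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) auth: (?P<result>ACCEPT|REJECT) "
    r"proto=(?P<proto>\w+) port=(?P<port>\d+) src=(?P<src>[\d.]+) "
    r'user="(?P<user>[^"]*)" pass="(?P<password>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unrecognised input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def analyse(lines, brute_threshold=10):
    """Scan log lines and return three kinds of finding.

    default_cred_accepted: (device, src, user) where a factory credential worked
    brute_force_sources:   (src, distinct credentials tried, how many were factory defaults)
    cleartext_admin:       (device, protocol) for logins over unencrypted protocols
    """
    tried_by_src = defaultdict(set)  # src -> set of (user, password) rejected
    findings = {"default_cred_accepted": [], "brute_force_sources": [], "cleartext_admin": set()}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as attacks
        cred = (rec["user"], rec["password"])
        if rec["result"] == "ACCEPT" and cred in DEFAULT_CREDENTIALS:
            findings["default_cred_accepted"].append((rec["device"], rec["src"], rec["user"]))
        if rec["result"] == "REJECT":
            tried_by_src[rec["src"]].add(cred)
        if rec["port"] in CLEARTEXT_PORTS:
            findings["cleartext_admin"].add((rec["device"], CLEARTEXT_PORTS[rec["port"]]))
    for src, creds in tried_by_src.items():
        if len(creds) >= brute_threshold:
            defaults_tried = sum(1 for c in creds if c in DEFAULT_CREDENTIALS)
            findings["brute_force_sources"].append((src, len(creds), defaults_tried))
    return findings


def build_sample_log():
    """Constructed sample log (not real traffic): one scanner works through
    factory credentials on a camera's telnet port and eventually gets in."""
    scanner_tries = [
        ("admin", "admin"), ("root", "123456"), ("root", "root"), ("root", "vizxv"),
        ("support", "support"), ("user", "user"), ("root", "default"), ("root", "54321"),
        ("root", "888888"), ("admin", "password"), ("ubnt", "ubnt"), ("root", "xmhdipc"),
    ]
    lines = []
    for i, (u, p) in enumerate(scanner_tries):
        lines.append(f'2017-03-08T02:14:{i:02d}Z camera-01 auth: REJECT proto=telnet port=23 '
                     f'src=203.0.113.7 user="{u}" pass="{p}"')
    lines.append('2017-03-08T02:14:12Z camera-01 auth: ACCEPT proto=telnet port=23 '
                 'src=203.0.113.7 user="root" pass="xc3511"')
    # A legitimate administrator over SSH with a unique password: must not be flagged.
    lines.append('2017-03-08T02:20:00Z gateway-01 auth: ACCEPT proto=ssh port=22 '
                 'src=192.0.2.10 user="ops" pass="correct-horse-battery"')
    # A thermostat still on its factory web login, reached over plain HTTP.
    lines.append('2017-03-08T02:25:31Z thermostat-02 auth: ACCEPT proto=http port=80 '
                 'src=192.0.2.10 user="admin" pass="admin"')
    return lines


if __name__ == "__main__":
    for kind, items in analyse(build_sample_log()).items():
        print(kind, sorted(items))
```

On the constructed log the scanner at 203.0.113.7 is reported for trying 12 distinct credentials, all of them factory defaults, and then logging into camera-01 with one; thermostat-02 is reported both for accepting admin/admin and for being administered over HTTP; the SSH login from the operator is not flagged. The threshold of ten distinct credentials is an assumption to tune per environment, and the point of counting how many of the attempts were factory defaults is that a source running down a known default list is a stronger signal than an equal number of random guesses.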
The most vulnerable products are produced by companies that specialise in making toasters or blood sugar monitors, not in software or security. The budding industry is fragmented, regulation has not kept pace and consumers either do not care or struggle to judge how secure a product is.
Eric Ahlm, research director at Gartner specialising in security, says these manufacturers have no incentive to spend time or money on security.
“It is more of a question of economics than security,” he says. “A consumer buying a smart TV is probably going to buy the one with equivalent features at a lower price. It is almost a penalty for manufacturers of these smart consumer devices to go the extra mile.”
Even if consumers wanted to, they could not buy additional protection, because the devices run on small embedded computers, like those in fitness wristbands or robot vacuum cleaners, on which security software makers have no way to install their products.
“You can’t put antivirus software on your Fitbit or Roomba,” Mr Ahlm says.
Pedro Abreu is chief strategy officer of ForeScout, which helps businesses keep such devices segmented from their main corporate network. The idea is to prevent attacks like the 2013 data breach at US retailer Target, in which the attackers got in using network credentials belonging to its heating and air-conditioning contractor. He says it is a “myth” that manufacturers will be able to solve the security problem.
But there is a large industry built around protecting smartphones and PCs, which are made by more sophisticated companies than those creating devices for the internet of things, Mr Abreu says. “Even those with the best profit margins cannot secure their devices; imagine the guy building the device in the garage next door from parts built in China,” he says. “But that should not prevent us from demanding manufacturers have better standards.”
But a push to tackle serious flaws in device security has begun. Vizio, a manufacturer of smart TVs, paid $2.2m last month in a settlement with the US Federal Trade Commission and the New Jersey attorney-general after it was caught collecting viewer data and selling the information to advertisers without their permission. Terrell McSweeny, FTC commissioner, says she supports comprehensive data security legislation that would allow a “regulatory approach” for the whole sector.
The FTC has been putting more resources into prosecuting connected device makers and improving its in-house technical capabilities. It is also working on international co-operation on privacy enforcement, since devices are often made abroad, and is looking at whether manufacturers remain obliged to secure a device once they have stopped making it.
Other US regulators are also taking an interest: the National Highway Traffic Safety Administration has published cyber security best practices for the car industry, and the Food and Drug Administration has issued guidance on securing medical devices. Other organisations are playing a role. The Mayo Clinic, a non-profit medical group, has written specific security requirements into its contracts with medical device makers.
The European Commission is pushing for a system of security certification for devices and has set up a group called the Alliance for Internet of Things Innovation. In the US, the President's Commission on Enhancing National Cybersecurity, which reported in December 2016, said consumers should be informed about the security capabilities of devices.
Beau Woods, deputy director of the cyber statecraft initiative at the Atlantic Council, says he hopes the commission’s work will lead to products coming with security labels or information sheets, which will in turn deter retailers from selling vulnerable goods.
Consumers may be able to better protect themselves from everyday hackers demanding ransoms, but the manufacturers of internet-connected devices may never outrun the CIA.
“My advice for people concerned is update everything and unplug things when they are not in use, if you don’t want them to have a surveillance capacity,” Mr Woods says.