    When George Orwell envisioned the “telescreen” — the TV that keeps constant tabs on its viewers — in 1984, he predicted that governments would use technology to cross the threshold into our private lives.


    Confidential documents published by WikiLeaks this week purport to show that the Central Intelligence Agency created its own 21st century telescreen by hacking into smart TVs. You may be watching YouTube or Netflix, not forced military propaganda, but spies are still able to listen in on your living room. CIA developers used vulnerabilities in Samsung TVs to make the sets capture conversations even when they appeared to be switched off.


    In what WikiLeaks describes as the first instalment of the “largest intelligence publication in history”, the CIA appears eager to exploit the new spying opportunities created by the internet of things — everyday objects that are connected to the web. Market research group Gartner forecasts there will be more than 20bn appliances, TVs and other devices connected to the internet by 2020.


    The CIA’s engineering development group had a “to do” list for the smart TV that included the ability to record video and break into its browser and apps. Other documents seemed to show it had explored infecting vehicle control systems used by connected cars.


    “This is the most troubling WikiLeaks ever. We’ve learned the CIA has all the tools to spy on American citizens,” said John McAfee, the antivirus pioneer who is now chief executive officer of MGT Capital Investments. “And now it is in the hands of some unknown hacker organisation or nation state.”


    The CIA has refused to comment on the veracity of the documents. Samsung says it makes security a top priority and is looking into the matter.


    The basic vulnerabilities inherent in the internet of things — one of the biggest concepts being pursued in the technology industry — have been known for some time. Samsung even warned customers in 2015 that “if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of voice recognition”.


    Cyber security researchers have highlighted holes in everything from cars to cameras, robots to refrigerators. It was revealed last month that children’s conversations with WiFi-enabled teddy bears from one toymaker had been leaked online.


    Law enforcement has become interested in using audio collected by devices such as Alexa, Amazon’s voice-controlled personal assistant. A prosecutor in an Arkansas murder case has requested the data from Alexa. Amazon resisted the request until the suspect said the recordings could be handed over.


    Cyber criminals are also targeting the internet of things, infecting systems with malicious software that demands a ransom, usually to be paid to an anonymous account in bitcoin. Hackers repeatedly struck a hotel in the Austrian Alps last year by attacking the electronic key card system. The hoteliers are returning to old-fashioned locks after being forced to pay €1,500 to allow guests back into their rooms. Last Christmas, one family in the US had their smart TV taken over by ransomware, disabling it for four days.


    Vulnerabilities in connected devices risk destabilising the entire web. A malicious network known as a botnet built from tens of millions of internet-connected cameras and DVR players was last year harnessed to attack Dyn, a domain-name services provider used by websites from the New York Times to Twitter. Millions in the US were unable to access services including Spotify and Airbnb as Dyn struggled to resist the distributed denial-of-service attack.


    Cesar Cerrudo, chief technology officer at cyber security company IOActive, says hackers from the CIA to less sophisticated cyber criminals will invest more in finding vulnerabilities in the internet of things.


    “We are getting extremely dependent on technology. We need to start understanding that cyber security is important,” he says. “We suffer the consequences, are attacked, hacked, lose information. And it has a big impact on our daily lives.”


    The enthusiasm to connect everything to the internet shows no sign of letting up: there is a kettle that messages instead of whistling, a rice cooker controlled by smartphone and shoe insoles connected to a map app that vibrate to push you toward your destination.


    But cyber security has been sidelined in the rush. Security defences are often decades out of date — if they exist at all. Many lack passwords, or have a default password that cannot be changed. The signals that devices send to connect with a server are often barely encrypted.


    Mikko Hypponen, chief research officer of Finnish cyber security company F-Secure, says the attackers who created the botnet to target Dyn only tried 35 passwords before hitting on the right one. The lax security within the internet of things is repeating “the same mistakes we already fixed 20 years ago”, he warns. “It is a clear and present danger to the internet.”
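    The pattern Mr Hypponen describes, and the unchangeable default passwords mentioned above, leave a recognisable trace in a device's own login log: a burst of failed attempts from one address followed by a success. The script below is an added example written for this article, not code from any vendor or researcher quoted in it; the log format and the addresses are constructed for illustration.

```python
"""Spot credential guessing in a device login log (added example, not the
article's or any vendor's code; the log lines and addresses are made up)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<timestamp> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2017-03-08T10:00:01 FAIL user=admin src=203.0.113.9
2017-03-08T10:00:02 FAIL user=admin src=203.0.113.9
2017-03-08T10:00:03 FAIL user=root src=203.0.113.9
2017-03-08T10:00:04 OK user=root src=203.0.113.9
2017-03-08T10:05:00 FAIL user=admin src=198.51.100.4
2017-03-08T10:30:00 OK user=admin src=198.51.100.4
2017-03-08T11:00:00 OK user=admin src=192.0.2.20
"""

def parse_line(line):
    """Split one log line into (timestamp, success, user, source ip)."""
    ts, result, user, src = line.split()
    return (datetime.fromisoformat(ts), result == "OK",
            user.split("=", 1)[1], src.split("=", 1)[1])

def find_guessing(log_text, min_failures=3, window=timedelta(minutes=10)):
    """Return [(src, failures, user)] for every successful login that was
    preceded by at least min_failures failures from the same source within
    the window: the trace a short password list leaves behind."""
    fails = defaultdict(list)  # src -> timestamps of recent failures
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ok, user, src = parse_line(line)
        # Forget failures older than the window, so one mistyped password
        # an hour earlier does not count against a legitimate user.
        fails[src] = [t for t in fails[src] if ts - t <= window]
        if not ok:
            fails[src].append(ts)
            continue
        if len(fails[src]) >= min_failures:
            hits.append((src, len(fails[src]), user))
        fails[src] = []  # a success ends the sequence either way
    return hits

if __name__ == "__main__":
    for src, n, user in find_guessing(SAMPLE_LOG):
        print(f"{src}: {n} failures, then logged in as {user}")
```

    On the constructed log only the first source is flagged; the second source's single failure falls outside the default ten-minute window.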


    The most vulnerable products are produced by companies that specialise in making toasters or blood sugar monitors, not in software or security. The budding industry is fragmented, regulation has not kept pace and consumers either do not care or struggle to judge how secure a product is.


    Eric Ahlm, research director at Gartner specialising in security, says these manufacturers have no incentive to spend time or money on security.


    “It is more of a question of economics than security,” he says. “A consumer buying a smart TV is probably going to buy the one with equivalent features at a lower price. It is almost a penalty for manufacturers of these smart consumer devices to go the extra mile.”


    Even if consumers wanted to, they could not buy additional protection: devices such as fitness wristbands or vacuum cleaners are powered by tiny computers that security software makers cannot access.


    “You can’t put antivirus software on your Fitbit or Roomba,” Mr Ahlm says.


    Pedro Abreu is chief strategy officer of ForeScout, which helps businesses keep devices separate from their main corporate network. The idea is to prevent attacks like the data breach at US retailer Target in 2013, when hackers accessed the system through the air conditioning provider. He says it is a “myth” that manufacturers will be able to solve the security problem.


    But there is a large industry built around protecting smartphones and PCs, which are made by more sophisticated companies than those creating devices for the internet of things, Mr Abreu says. “Even those with the best profit margins cannot secure their devices; imagine the guy building the device in the garage next door from parts built in China,” he says. “But that should not prevent us from demanding manufacturers have better standards.”


    But a push to tackle serious flaws in device security has begun. Vizio, a manufacturer of smart TVs, paid $2.2m last month in a settlement with the US Federal Trade Commission and the New Jersey attorney-general after it was caught collecting viewer data and selling the information to advertisers without their permission. Terrell McSweeny, FTC commissioner, says she supports comprehensive data security legislation that would allow a “regulatory approach” for the whole sector.


    The FTC has been putting more resources into prosecuting connected device makers and improving its in-house tech capabilities. It is also working on international co-operation for privacy enforcement, as devices are often exported from other countries, and looking at whether manufacturers have an obligation to keep securing a device after they have stopped making it.


    Other US regulators are also taking an interest: the National Highway Traffic Safety Administration has created best practices for the car industry, and the Food and Drug Administration has issued guidelines for making medical devices secure. Other organisations are playing a role. The Mayo Clinic, a non-profit medical group, has written specific security measures into its contracts with medical device makers.


    The European Commission is pushing for a system of certification for devices and has set up a group called the Alliance for Internet of Things Innovation. In the US, the President’s Commission on enhancing cyber security, which reported in December 2016, said consumers should be informed about the security capabilities of devices.


    Beau Woods, deputy director of the cyber statecraft initiative at the Atlantic Council, says he hopes the commission’s work will lead to products coming with security labels or information sheets, which will in turn deter retailers from selling vulnerable goods.


    Consumers may be able to better protect themselves from everyday hackers demanding ransoms, but the manufacturers of internet-connected devices may never outrun the CIA.


    “My advice for people concerned is update everything and unplug things when they are not in use, if you don’t want them to have a surveillance capacity,” Mr Woods says.


