Offensive Countermeasures in Extreme Emergency

The Internet of Things is coming.  People will be carrying or wearing many of those things about their bodies.  In the not-too-distant future a common person may have four or five digitally-connected devices on his person – perhaps a smartphone, a smartwatch, smart-eyeglasses, smart-shoelaces, smart-body-modifications.

At the same time, our physical environment will bristle with computing things.  Sensors will monitor what is happening at this location or that.  The Internet of Things will be deployed to secure sensitive environments.

Deliver an Unconventional Warning to An Intruder.


No computer is perfectly secure.  It is possible to exploit that insecurity to pursue an important social need.

Sometimes a person is arguably justified in pranking, manipulating or taking control of a computer, even though that person does not own the computer.  The justification is arguably proportionate to the urgency of the situation.

For example, when a metal thief jumps the fence at an electrical substation, a serious emergency arises.
To avoid disaster, the power company may be justified at that moment in tricking or manipulating the devices in the possession of the thief.  The power company may be justified in causing the thief’s on-person devices to buzz and sound an alarm: “STOP.  YOU ARE BEING MONITORED.  YOU ARE IN SERIOUS DANGER.  GO BACK.”


Get Written Consent to Unconventional Countermeasures


To help establish that the power company is within the boundaries of law and ethics as it causes the thief’s devices to sound and vibrate, the company might post a notice like this on the fence of the substation:

Warning. Danger.  If you enter this area, you give us permission to do these things to each of your electronic devices . . . as appropriate to stop you and to bring you to justice:

* take control of the device
* cause the device to warn you away
* track the device
* damage the device


Permission Compared to Action and Threat


The written warning provides permission to damage devices.  That does not necessarily mean the power company would intentionally act to damage the devices or needs to damage the devices.  Depending on the circumstances, the act of damaging devices may not serve to deter the trespasser . . . although the threat to damage devices might serve that purpose.

Hijack a Rogue Drone?


It's now 2016. A system known as Falcon-Shield proposes to detect, track and even hijack small drones that threaten precious targets, such as a nuclear power plant or a packed sports stadium. (SANS Institute held a hijack-the-drone contest in 2015.)

What is the legality of Falcon-Shield hacking into and taking control of a malicious drone? The operators of Falcon-Shield might enhance their legal standing by publishing terms like this around protected airspace:

"If you send an aircraft such as a drone into this airspace, you consent to us hacking into it, taking control of it and possibly damaging it." 

Those terms might be posted, for example, on fences around the protected space.

What do you think?

--

Benjamin Wright teaches "The Law of Data Security and Investigations" at the SANS Institute.

Postscript: A smart defense system may not need to "hack" or "trick" the devices belonging to a trespassing thief. As the thief enters a restricted area, a defense system may be able to identify the owner and location of trespassing devices by monitoring geolocation data posted publicly, in real time on social networks like Instagram.

Further, a Bluetooth shopping beacon on the trespasser's phone may be saying, "I'm here. I'm here. Send me a discount coupon." The beacon would be saying that to merchants that participate in the shopping beacon system . . . as well as to anyone, like a power company, that registers to be a "participating merchant."

Then, the defense system may quickly be able to ascertain from public profiles or retail shopping systems how to send a barrage of communications to the trespasser: beeps, text messages, telephone calls and shopping coupons that say "GO BACK. NO TRESPASSING. DANGER!" and the like.

One example of Bluetooth beacons is "nearables." An example of a nearable is a Bluetooth location Tile.

Latest on Offensive Countermeasures.

See also Active Defense for Internet of Things.
