TEDxMidAtlantic
Avi Rubin: All your devices can be hacked
Avi Rubin: 你所有的設備都能被黑客入侵
Filmed:
Readability: 4.6
1,251,015 views
他人能入侵你的心臟起搏器嗎?在 TEDxMidAtlantic 上,Avi Rubin 解釋了駭客們如何使我們的汽車、智慧手機和醫療設備淪陷,並警告在駭客所能接觸的領域中,我們日益增長的危險。(錄製於 TEDxMidAtlantic)
Avi Rubin - Computer security expert
Avi Rubin is a professor of computer science and director of the Health and Medical Security Lab at Johns Hopkins University. His research is focused on the security of electronic records -- including medical and voting records. Full bio
Avi Rubin is a professor of computer science and director of the Health and Medical Security Lab at Johns Hopkins University. His research is focused on the security of electronic records -- including medical and voting records. Full bio
Double-click the English transcript below to play the video.
00:12
I'm a computer science professor,
0
588
3031
我是一名計算機科學教授,
00:15
and my area of expertise is
1
3619
2313
我的專業領域是
00:17
computer and information security.
2
5932
2199
計算機與資訊安全。
00:20
When I was in graduate school,
3
8131
2320
我在研究所的時候,
00:22
I had the opportunity to overhear my grandmother
4
10451
2601
有一次碰巧聽到我的祖母
00:25
describing to one of her fellow senior citizens
5
13052
4134
跟她一位年長的朋友
00:29
what I did for a living.
6
17186
2369
聊到我的工作。
00:31
Apparently, I was in charge of making sure that
7
19555
3562
我的工作顯然是在確保
00:35
no one stole the computers from the university. (Laughter)
8
23117
3900
大學裡面的電腦不會被人偷走。(笑聲)
00:39
And, you know, that's a perfectly reasonable thing
9
27017
2744
她會這麼想也不讓人意外,
00:41
for her to think, because I told her I was working
10
29761
1920
因為我告訴她
00:43
in computer security,
11
31681
1507
我的工作是關於計算機安全,
00:45
and it was interesting to get her perspective.
12
33188
3597
她的聯想力真的很有意思。
00:48
But that's not the most ridiculous thing I've ever heard
13
36785
2617
但是,這還不是別人對我的工作的解釋
00:51
anyone say about my work.
14
39402
2017
最好笑的一個。
00:53
The most ridiculous thing I ever heard is,
15
41419
2284
我聽過最好笑的一次是,
00:55
I was at a dinner party, and a woman heard
16
43703
3134
在一次晚宴上,
00:58
that I work in computer security,
17
46837
1783
一位女士聽到我是從事計算機安全的,
01:00
and she asked me if -- she said her computer had been
18
48620
3517
於是她向我諮詢,她說她的電腦中毒了,
01:04
infected by a virus, and she was very concerned that she
19
52137
3436
她非常擔心她可能會生病,
01:07
might get sick from it, that she could get this virus. (Laughter)
20
55573
3951
因為她可能會感染同樣的病毒。(笑聲)
01:11
And I'm not a doctor, but I reassured her
21
59524
2943
我不是醫生,但是我向她保證
01:14
that it was very, very unlikely that this would happen,
22
62467
3144
這個可能性微乎其微,
01:17
but if she felt more comfortable, she could be free to use
23
65611
2801
但是如果她還是不放心,
01:20
latex gloves when she was on the computer,
24
68412
1848
可以在使用電腦的時候戴上橡膠手套,
01:22
and there would be no harm whatsoever in that.
25
70260
3392
這樣就肯定萬無一失了。
01:25
I'm going to get back to this notion of being able to get
26
73652
2507
言歸正傳,接下來我要認真地
01:28
a virus from your computer, in a serious way.
27
76159
3508
談談如何避免電腦病毒。
01:31
What I'm going to talk to you about today
28
79667
1640
我今天要跟你們聊的是有關
01:33
are some hacks, some real world cyberattacks that people
29
81307
4846
在我所從事的研究領域中
01:38
in my community, the academic research community,
30
86153
2554
發生的一些駭客及網路攻擊問題,
01:40
have performed, which I don't think
31
88707
2794
我相信這些是
01:43
most people know about,
32
91501
1208
大部分人都不了解的,
01:44
and I think they're very interesting and scary,
33
92709
3028
並且我認為這些是既有意思又讓人害怕的,
01:47
and this talk is kind of a greatest hits
34
95737
2441
而這次談話的內容
01:50
of the academic security community's hacks.
35
98178
2991
就是關於安全領域的經典案例。
01:53
None of the work is my work. It's all work
36
101169
1987
這些事情不是發生在我身上。
01:55
that my colleagues have done, and I actually asked them
37
103156
2174
這些都是我同事做的研究,而我請他們
01:57
for their slides and incorporated them into this talk.
38
105330
2557
提供一些資料加到這次談話中。
01:59
So the first one I'm going to talk about
39
107887
1742
接下來首先我要講的是
02:01
are implanted medical devices.
40
109629
2674
體內植入醫療設備。
02:04
Now medical devices have come a long way technologically.
41
112303
3040
現在的醫療設備已經在技術方面發展了很多年。
02:07
You can see in 1926 the first pacemaker was invented.
42
115343
3856
大家從螢幕上可以看到
在1926年,第一個外置心臟起搏器被發明。
在1926年,第一個外置心臟起搏器被發明。
02:11
1960, the first internal pacemaker was implanted,
43
119199
3552
1960年第一個內置起搏器被植入人體,
02:14
hopefully a little smaller than that one that you see there,
44
122751
2552
如大家所願這個東西體積減少了很多,
02:17
and the technology has continued to move forward.
45
125303
2968
並且技術還在不斷的進步。
02:20
In 2006, we hit an important milestone from the perspective
46
128271
4633
到2006年,從電腦安全角度來說
02:24
of computer security.
47
132904
3167
我們達到了一個重要的里程碑
02:28
And why do I say that?
48
136071
1341
為什麼為這麼說?
02:29
Because that's when implanted devices inside of people
49
137412
2890
因為這時候人體內置的設備
02:32
started to have networking capabilities.
50
140302
2745
開始具備聯網功能。
02:35
One thing that brings us close to home is we look
51
143047
1880
Dick Cheney的設備可以讓我們更好的理解這一點,
02:36
at Dick Cheney's device, he had a device that
52
144927
2705
Dick Cheney的設備可以讓我們更好的理解這一點,
02:39
pumped blood from an aorta to another part of the heart,
53
147632
3869
這個設備負責將血液從一個大動脈
輸送到心臟的另一個腔體,
輸送到心臟的另一個腔體,
02:43
and as you can see at the bottom there,
54
151501
1183
就像你看到的,圖中的底部,
02:44
it was controlled by a computer controller,
55
152684
3009
一個電腦控制器控制著整個設備,
02:47
and if you ever thought that software liability
56
155693
2517
如果你認爲這個軟體控制很重要
02:50
was very important, get one of these inside of you.
57
158210
3589
你可以自己裝一個。
02:53
Now what a research team did was they got their hands
58
161799
3695
現在一個研究小組手頭上的工作
02:57
on what's called an ICD.
59
165494
1420
是研究一個稱為ICD的設備。
(ICD,植入式心臟去顫器)
(ICD,植入式心臟去顫器)
02:58
This is a defibrillator, and this is a device
60
166914
2070
這是一個心律去顫器,植入人體後
03:00
that goes into a person to control their heart rhythm,
61
168984
4336
控制自己的心臟節律,
03:05
and these have saved many lives.
62
173320
2338
已經挽救了許多人的生命。
03:07
Well, in order to not have to open up the person
63
175658
2472
為了不對人進行重新手術
03:10
every time you want to reprogram their device
64
178130
2194
就可以每次重新設定他們的設備,
03:12
or do some diagnostics on it, they made the thing be able
65
180324
2455
或者做一些診斷,這個設備能夠進行無線通訊,
03:14
to communicate wirelessly, and what this research team did
66
182779
3102
而這個研究小組所做的是
03:17
is they reverse engineered the wireless protocol,
67
185881
2610
他們逆向工程無線協定,
03:20
and they built the device you see pictured here,
68
188491
1872
做了個小設備,你在這裏看得到,
03:22
with a little antenna, that could talk the protocol
69
190363
2760
帶一個小的天線,會使用協定和ICD通信,
03:25
to the device, and thus control it.
70
193123
4475
從而控制它。
03:29
In order to make their experience real -- they were unable
71
197598
2689
為了使他們的實驗更真實
03:32
to find any volunteers, and so they went
72
200287
2472
-由於他們無法找到任何的志願者-於是他們找到了一些
03:34
and they got some ground beef and some bacon
73
202759
2144
碎牛肉和一些臘肉,
03:36
and they wrapped it all up to about the size
74
204903
1788
包成該設備將去的人體部位的大小,
03:38
of a human being's area where the device would go,
75
206691
2798
包成該設備將去的人體部位的大小,
03:41
and they stuck the device inside it
76
209489
1454
然後把設備塞進去來做實驗,
03:42
to perform their experiment somewhat realistically.
77
210943
3132
為了使實驗更加接近真實情況。
03:46
They launched many, many successful attacks.
78
214075
3020
他們完成了許多許多次成功的攻擊。
03:49
One that I'll highlight here is changing the patient's name.
79
217095
3056
在這裏我還是要強調的是改變病人的名字。
03:52
I don't know why you would want to do that,
80
220151
993
我不知道你為什麼會想這樣做,
03:53
but I sure wouldn't want that done to me.
81
221144
2104
但我肯定不會想,這樣的事發生在我身上。
03:55
And they were able to change therapies,
82
223248
2331
他們能夠改變的治療方法,
03:57
including disabling the device -- and this is with a real,
83
225579
2495
包括停用此設備 --這是一個真正的,
04:00
commercial, off-the-shelf device --
84
228074
1896
商業的,現成的設備
04:01
simply by performing reverse engineering and sending
85
229970
2046
只需通過執行逆向工程和發送
04:04
wireless signals to it.
86
232016
2989
無線信號就能控制它。可怕吧?
04:07
There was a piece on NPR that some of these ICDs
87
235005
3580
NPR上有個片段講的是有些ICD
04:10
could actually have their performance disrupted
88
238585
2422
的功能竟然會被干擾,
04:13
simply by holding a pair of headphones onto them.
89
241007
3651
只要簡單地把一對耳機放到它上面就發生了。
04:16
Now, wireless and the Internet
90
244658
1409
現在,無線和網路可以
04:18
can improve health care greatly.
91
246067
1652
大大提高醫療水準。
04:19
There's several examples up on the screen
92
247719
2087
在螢幕上有幾個例子,
04:21
of situations where doctors are looking to implant devices
93
249806
3107
醫生正在植入設備到人體,
04:24
inside of people, and all of these devices now,
94
252913
2865
而其所有的這些設備現在
04:27
it's standard that they communicate wirelessly,
95
255778
3125
標準化了,之間可以互相進行無線通訊,
04:30
and I think this is great,
96
258903
1412
我認為這是很好的,
04:32
but without a full understanding of trustworthy computing,
97
260315
3105
但沒有一個對可信任計算的完全理解,
04:35
and without understanding what attackers can do
98
263420
2407
沒有意識到攻擊者可以做什麼
04:37
and the security risks from the beginning,
99
265827
2147
和安全風險從一開始就存在的話,
04:39
there's a lot of danger in this.
100
267974
2390
這就有很多危險了。
04:42
Okay, let me shift gears and show you another target.
101
270364
1477
好吧,讓我換個話題,告訴你另一個目標
04:43
I'm going to show you a few different targets like this,
102
271841
2088
接下來我要告訴你幾個不同的目標,
04:45
and that's my talk. So we'll look at automobiles.
103
273929
2917
這就是我的談話。所以,我們來看看汽車吧。
04:48
This is a car, and it has a lot of components,
104
276846
2896
這是一輛汽車,現在它有很多零部件,
04:51
a lot of electronics in it today.
105
279742
1620
很多的電子產品。
04:53
In fact, it's got many, many different computers inside of it,
106
281362
4377
事實上,它有很多,很多不同的電腦在裏面,
04:57
more Pentiums than my lab did when I was in college,
107
285739
3155
比我當年在大學的實驗室更多的處理器,
05:00
and they're connected by a wired network.
108
288894
3639
他們通過有線網路連接。
05:04
There's also a wireless network in the car,
109
292533
3431
而且在車上還有一個無線網路,
05:07
which can be reached from many different ways.
110
295964
3233
它可以從許多不同的方式接入。
05:11
So there's Bluetooth, there's the FM and XM radio,
111
299197
3701
有藍牙, FM和XM廣播,
05:14
there's actually wi-fi, there's sensors in the wheels
112
302898
2820
有的竟然還有Wi-Fi ,輪胎上的感測器
05:17
that wirelessly communicate the tire pressure
113
305718
2153
通過無線通信將氣壓值傳送給
05:19
to a controller on board.
114
307871
1806
主板上的控制器。
05:21
The modern car is a sophisticated multi-computer device.
115
309677
4918
當今的汽車是一個複雜的多電腦設備。
05:26
And what happens if somebody wanted to attack this?
116
314595
3322
那麼如果有人想攻擊它會發生什麼呢?
05:29
Well, that's what the researchers
117
317917
1317
嗯,這就是我今天要談的
05:31
that I'm going to talk about today did.
118
319234
1871
研究人員已經實現了什麼。
05:33
They basically stuck an attacker on the wired network
119
321105
2977
他們在有線網路和無線網路上放置了
05:36
and on the wireless network.
120
324082
2322
攻擊設備。
05:38
Now, they have two areas they can attack.
121
326404
2699
現在,他們有兩個區域可以攻擊。
05:41
One is short-range wireless, where you can actually
122
329103
2038
一個是短距離無線通訊,
05:43
communicate with the device from nearby,
123
331141
1781
在這裏你可以與附近的設備進行通信,
05:44
either through Bluetooth or wi-fi,
124
332922
2137
通過藍牙或Wi-Fi。
05:47
and the other is long-range, where you can communicate
125
335059
2174
另一種是遠距離無線通訊,
05:49
with the car through the cellular network,
126
337233
1782
通過蜂窩網路
05:51
or through one of the radio stations.
127
339015
1960
或通過一個廣播電臺。
05:52
Think about it. When a car receives a radio signal,
128
340975
3049
想像一下,當一輛車接收無線電信號時,
05:56
it's processed by software.
129
344024
2201
信號交給軟體處理。
05:58
That software has to receive and decode the radio signal,
130
346225
3061
該軟體接收和解碼無線電信號,
06:01
and then figure out what to do with it,
131
349286
1119
然後確定如何處理,
06:02
even if it's just music that it needs to play on the radio,
132
350405
3024
即使它只是音樂信號,也要交給收音機去播放,
06:05
and that software that does that decoding,
133
353429
2268
如果這個解碼軟體有
06:07
if it has any bugs in it, could create a vulnerability
134
355697
3093
任何的漏洞,那麼就成為有人破解車的
06:10
for somebody to hack the car.
135
358790
3035
攻擊點。
06:13
The way that the researchers did this work is,
136
361825
2952
研究人員做這項工作的方式是
06:16
they read the software in the computer chips
137
364777
4223
他們從車載電腦中讀出軟體,
06:21
that were in the car, and then they used sophisticated
138
369000
3193
然後他們用先進
06:24
reverse engineering tools
139
372193
1414
的逆向工程工具
06:25
to figure out what that software did,
140
373607
2055
弄清楚軟體做了什麼,
06:27
and then they found vulnerabilities in that software,
141
375662
3041
然後他們發現該軟體中的漏洞,
06:30
and then they built exploits to exploit those.
142
378703
3346
然後他們利用這些漏洞建立了一些開拓工具。
06:34
They actually carried out their attack in real life.
143
382049
2382
他們在實際環境下進行他們的攻擊實驗。
06:36
They bought two cars, and I guess
144
384431
1350
他們買了兩輛車,我想
06:37
they have better budgets than I do.
145
385781
2918
他們有比我更好的預算。
06:40
The first threat model was to see what someone could do
146
388699
2590
第一個威脅模型是看
06:43
if an attacker actually got access
147
391289
2144
如果一個攻擊者獲得到
06:45
to the internal network on the car.
148
393433
2053
內部網路的連接,他可以做什麼
06:47
Okay, so think of that as, someone gets to go to your car,
149
395486
2603
嗯,大家這樣想一下,有人進到你的車裏,
06:50
they get to mess around with it, and then they leave,
150
398089
2904
把裏面的設備搞得一團糟,然後他們離開,
06:52
and now, what kind of trouble are you in?
151
400993
2368
而現在,你陷入了什麼樣的麻煩?
06:55
The other threat model is that they contact you
152
403361
2792
另一個威脅模型是,
06:58
in real time over one of the wireless networks
153
406153
2457
他們通過無線網路,
07:00
like the cellular, or something like that,
154
408610
2055
如蜂窩電話,或類似的東西,即時地與您和車搭上線,
07:02
never having actually gotten physical access to your car.
155
410665
4000
但從來沒有通過物理方式接觸你的車。
07:06
This is what their setup looks like for the first model,
156
414665
2824
這就是看起來像第一種模式的設備,
07:09
where you get to have access to the car.
157
417489
1683
需要進入車內。
07:11
They put a laptop, and they connected to the diagnostic unit
158
419172
3387
他們放置一台筆記本電腦,
並連接車內網路的診斷模組,
並連接車內網路的診斷模組,
07:14
on the in-car network, and they did all kinds of silly things,
159
422559
2939
然後他們做了各種愚蠢的事情,
07:17
like here's a picture of the speedometer
160
425498
2783
就像這張圖片,車速里程表
07:20
showing 140 miles an hour when the car's in park.
161
428281
2816
顯示140公里的時速,但是汽車實際上是在駐車狀態。
07:23
Once you have control of the car's computers,
162
431097
2373
一旦你擁有汽車電腦的控制,
07:25
you can do anything.
163
433470
919
你可以做任何事情。
07:26
Now you might say, "Okay, that's silly."
164
434389
1616
現在,你可能會說: “噢,這太愚蠢了。”
07:28
Well, what if you make the car always say
165
436005
1659
那麼,如果您的車總顯示20英里的時速,
07:29
it's going 20 miles an hour slower than it's actually going?
166
437664
2741
比它實際的速度低,這會怎麼樣?
07:32
You might produce a lot of speeding tickets.
167
440405
2542
您可能會產生大量超速行駛的罰單。
07:34
Then they went out to an abandoned airstrip with two cars,
168
442947
3856
然後,他們帶了兩輛車去了一個廢棄的飛機跑道,
07:38
the target victim car and the chase car,
169
446803
2745
目標受害車和主動攻擊車,
07:41
and they launched a bunch of other attacks.
170
449548
2746
然後他們實施了一堆其他的攻擊。
07:44
One of the things they were able to do from the chase car
171
452294
2766
從攻擊車裏他們能夠做到的事情之一
07:47
is apply the brakes on the other car,
172
455060
1974
是操作另一輛汽車的刹車,
07:49
simply by hacking the computer.
173
457034
1560
只需通過入侵該車的電腦。
07:50
They were able to disable the brakes.
174
458594
2431
他們可以禁用制動器。
07:53
They also were able to install malware that wouldn't kick in
175
461025
3178
他們還能夠安裝惡意軟體,
07:56
and wouldn't trigger until the car was doing something like
176
464203
2425
通常情況下這個軟體不會被觸發,直至如車輛
07:58
going over 20 miles an hour, or something like that.
177
466628
3746
時速超過每小時20英里,或類似的情況。
08:02
The results are astonishing, and when they gave this talk,
178
470374
2758
結果是驚人的,而當他們進行公開講座時,
08:05
even though they gave this talk at a conference
179
473132
1716
即使他們的講座的觀眾是
08:06
to a bunch of computer security researchers,
180
474848
1726
一堆的電腦安全研究人員,
08:08
everybody was gasping.
181
476574
1700
每個人都倒抽一口涼氣。
08:10
They were able to take over a bunch of critical computers
182
478274
3699
他們能夠接管車內一堆的關鍵電腦:
08:13
inside the car: the brakes computer, the lighting computer,
183
481973
3761
如刹車電腦,照明電腦,
08:17
the engine, the dash, the radio, etc.,
184
485734
2827
發動機電腦,儀錶電腦,無線電電腦等,
08:20
and they were able to perform these on real commercial
185
488561
2293
他們是能夠執行這些惡意程式
在他們購買的市場上
在他們購買的市場上
08:22
cars that they purchased using the radio network.
186
490854
3027
已有的商用汽車上,通過使用無線網路。
08:25
They were able to compromise every single one of the
187
493881
3003
他們能夠攻擊車上每一個
08:28
pieces of software that controlled every single one
188
496884
2466
帶有無線功能的模組軟體
08:31
of the wireless capabilities of the car.
189
499350
3015
的任何一部分。
08:34
All of these were implemented successfully.
190
502365
2513
所有這些都已成功實施。
08:36
How would you steal a car in this model?
191
504878
2352
在這個模型中,你會如何偷一輛車?
08:39
Well, you compromise the car by a buffer overflow
192
507230
3680
好了,你可以通過車載軟體的緩衝區溢出漏洞
08:42
of vulnerability in the software, something like that.
193
510910
2527
來攻擊,或者類似的東西。
08:45
You use the GPS in the car to locate it.
194
513437
2203
您使用車裏的GPS來定位它。
08:47
You remotely unlock the doors through the computer
195
515640
2195
您通過電腦控制遠端解鎖,
08:49
that controls that, start the engine, bypass anti-theft,
196
517835
3138
啟動引擎,繞過防盜系統,
08:52
and you've got yourself a car.
197
520973
1668
然後你就為自己搞到一輛車。
08:54
Surveillance was really interesting.
198
522641
2487
監控這個過程是非常有趣的。
08:57
The authors of the study have a video where they show
199
525128
3209
這項研究的作者有一個視頻在那裏展示
09:00
themselves taking over a car and then turning on
200
528337
2549
他們自己入侵了汽車,
09:02
the microphone in the car, and listening in on the car
201
530886
2761
然後打開車裏的麥克風,並進行監聽,
09:05
while tracking it via GPS on a map,
202
533647
3351
同時通過GPS在地圖上跟蹤它
09:08
and so that's something that the drivers of the car
203
536998
1713
還做了一些類似的事情,但汽車裏的駕駛員
09:10
would never know was happening.
204
538711
2168
永遠也不會知道發生了什麼。
09:12
Am I scaring you yet?
205
540879
2134
我嚇著你了嗎?
09:15
I've got a few more of these interesting ones.
206
543013
1943
我還有有幾個這些有趣的例子。
09:16
These are ones where I went to a conference,
207
544956
1833
我有一次去參加一個會議,
09:18
and my mind was just blown, and I said,
208
546789
1933
然後我完全被驚呆了,
09:20
"I have to share this with other people."
209
548722
1826
然後我說:“我要與其他人分享這些事情。
09:22
This was Fabian Monrose's lab
210
550548
1623
這是Fabian Monrose
09:24
at the University of North Carolina, and what they did was
211
552171
3456
在北卡羅萊納大學的實驗室,
09:27
something intuitive once you see it,
212
555627
2075
他們研究的是你看到的直觀的普通事物,
09:29
but kind of surprising.
213
557702
1714
但結果是令人驚訝的。
09:31
They videotaped people on a bus,
214
559416
2259
他們在公共汽車上對人進行錄影,
09:33
and then they post-processed the video.
215
561675
2840
然後進行後期處理。
09:36
What you see here in number one is a
216
564515
2463
你在這裏看到的第一個圖是在某個人
09:38
reflection in somebody's glasses of the smartphone
217
566978
4383
的眼鏡中反射的智慧手機在
09:43
that they're typing in.
218
571361
1425
打字的圖像
09:44
They wrote software to stabilize --
219
572786
1975
他們用軟體以穩定
09:46
even though they were on a bus
220
574761
1365
- 即使他們是在公共汽車上(來回晃動),
09:48
and maybe someone's holding their phone at an angle --
221
576126
3211
或者有人在一個角度拿著自己的手機
09:51
to stabilize the phone, process it, and
222
579337
2370
穩定電話圖像,處理圖像,然
09:53
you may know on your smartphone, when you type
223
581707
1885
後你可能知道了,在您的智慧手機上,
09:55
a password, the keys pop out a little bit, and they were able
224
583592
2939
當你輸入一個密碼,字母會彈出一會兒,
09:58
to use that to reconstruct what the person was typing,
225
586531
2840
然後他們就能用它來重建剛才輸入的資訊。
10:01
and had a language model for detecting typing.
226
589371
4321
並且他們有一個語言模型。
10:05
What was interesting is, by videotaping on a bus,
227
593692
2335
很有趣的是,通過在公共汽車上錄影,
10:08
they were able to produce exactly what people
228
596027
2129
他們能夠精確地得知人們在他們的
10:10
on their smartphones were typing,
229
598156
2151
智慧手機打的字,
10:12
and then they had a surprising result, which is that
230
600307
2260
然後他們有一個驚人的結果,
10:14
their software had not only done it for their target,
231
602567
2764
軟體不僅完成對目標的監控分析,
10:17
but other people who accidentally happened
232
605331
1403
而且也把碰巧出現在
10:18
to be in the picture, they were able to produce
233
606734
2086
圖像中的其他人
10:20
what those people had been typing, and that was kind of
234
608820
2727
的打字輸入也分析出來了,
10:23
an accidental artifact of what their software was doing.
235
611547
3617
這是他們的軟體的一個意外的收穫。
10:27
I'll show you two more. One is P25 radios.
236
615164
4303
我再給展示兩個例子。一個是P25無線電通話機。
10:31
P25 radios are used by law enforcement
237
619467
2800
P25無線電通話機用於執法機構、
10:34
and all kinds of government agencies
238
622267
3407
各種政府機構
10:37
and people in combat to communicate,
239
625674
1736
和民眾在戰鬥中的通話,
10:39
and there's an encryption option on these phones.
240
627410
2833
而且這些手機有個加密選項。
10:42
This is what the phone looks like. It's not really a phone.
241
630243
2728
這是就是P25無線電通話機,這不是一個真正的電話。
10:44
It's more of a two-way radio.
242
632971
1206
這是一個雙向無線電。
10:46
Motorola makes the most widely used one, and you can see
243
634177
3322
使用得最廣泛的是由摩托羅拉所製造的,你可以看到,
10:49
that they're used by Secret Service, they're used in combat,
244
637499
2649
特勤組織在使用它,他們在戰鬥中使用它,
10:52
it's a very, very common standard in the U.S. and elsewhere.
245
640148
3102
在美國和其他地方,這是一個非常普遍的標準裝備。
10:55
So one question the researchers asked themselves is,
246
643250
2305
因此,一個研究人員問自己的問題是,
10:57
could you block this thing, right?
247
645555
2704
你能否遮罩這個東西,對不對呢?
11:00
Could you run a denial-of-service,
248
648259
1583
你可以運行一個拒絕服務,
11:01
because these are first responders?
249
649842
1824
因為這個東西採用第一反應機制?
11:03
So, would a terrorist organization want to black out the
250
651666
1801
所以,在緊急情況下,一個恐怖組織會不糊黑掉
11:05
ability of police and fire to communicate at an emergency?
251
653467
4488
員警和消防的通訊能力?
11:09
They found that there's this GirlTech device used for texting
252
657955
3072
他們發現有一個GirlTech公司的玩具可以用來發短信,
11:13
that happens to operate at the same exact frequency
253
661027
2718
工作頻率和P25完全相同,
11:15
as the P25, and they built what they called
254
663745
2271
於是他們就用這個東西建立了他們所稱的
11:18
My First Jammer. (Laughter)
255
666016
4334
“我的第一個干擾器”。(笑聲)
11:22
If you look closely at this device,
256
670350
2378
如果你仔細觀察此設備
11:24
it's got a switch for encryption or cleartext.
257
672728
3630
它有一個開關,用於設定加密發送或明文發送。
11:28
Let me advance the slide, and now I'll go back.
258
676358
3050
讓我前進一下幻燈片,現在我回去。
11:31
You see the difference?
259
679408
2547
你看到其中的差別嗎?
11:33
This is plain text. This is encrypted.
260
681955
2557
這是純文本。這是加密的。
11:36
There's one little dot that shows up on the screen,
261
684512
2557
有一個小點,顯示在螢幕上,
11:39
and one little tiny turn of the switch.
262
687069
2085
和一個小的轉換開關。
11:41
And so the researchers asked themselves, "I wonder how
263
689154
1904
因此,研究人員問自己,
11:43
many times very secure, important, sensitive conversations
264
691058
4257
“我不知道有多少次,非常機密的、重要的、敏感的對話
11:47
are happening on these two-way radios where they forget
265
695315
1623
發生在這些雙向無線電設備上,他們忘了加密
11:48
to encrypt and they don't notice that they didn't encrypt?"
266
696938
2910
並且他們沒有注意到在進行未加密的通話嗎?”
11:51
So they bought a scanner. These are perfectly legal
267
699848
3339
於是,他們買了一台無線電掃描設備。這是完全合法的,
11:55
and they run at the frequency of the P25,
268
703187
3458
然後他們運行在P25的頻段上,
11:58
and what they did is they hopped around frequencies
269
706645
1767
然後他們在附近的頻段上跳來跳去的掃描,
12:00
and they wrote software to listen in.
270
708412
2510
他們寫軟體監聽,
12:02
If they found encrypted communication, they stayed
271
710922
2634
如果他們發現加密的通信
12:05
on that channel and they wrote down, that's a channel
272
713556
1686
他們停留在該頻道上,記下來,這是一個
12:07
that these people communicate in,
273
715242
1788
執法機構的人們在通話的頻道,
12:09
these law enforcement agencies,
274
717030
1622
執法機構的人們在通話的頻道,
12:10
and they went to 20 metropolitan areas and listened in
275
718652
3391
然後他們去了20個大都市地區,在這些頻率上監聽。
12:14
on conversations that were happening at those frequencies.
276
722043
3475
在這些頻率上監聽。
12:17
They found that in every metropolitan area,
277
725518
3239
他們發現,在每一個大都市區,
12:20
they would capture over 20 minutes a day
278
728757
2154
每天他們將捕獲超過20分鐘
12:22
of cleartext communication.
279
730911
2375
明文通信。
12:25
And what kind of things were people talking about?
280
733286
2000
人們在談論什麼樣的東西呢?
12:27
Well, they found the names and information
281
735286
1484
嗯,他們發現了需要保密的報案人的名字和資訊。
12:28
about confidential informants. They found information
282
736770
2852
的名字和資訊。
12:31
that was being recorded in wiretaps,
283
739622
2202
在監聽設備中記錄的資訊,
12:33
a bunch of crimes that were being discussed,
284
741824
2710
包括對一堆的犯罪進行的討論和
12:36
sensitive information.
285
744534
1162
其他敏感資訊。
12:37
It was mostly law enforcement and criminal.
286
745696
3363
這主要是執法和刑事方面的。
12:41
They went and reported this to the law enforcement
287
749059
1834
他們匿名了這些資訊後報給
12:42
agencies, after anonymizing it,
288
750893
2023
了執法機構,
12:44
and the vulnerability here is simply the user interface
289
752916
3000
這裏的脆弱性簡單來說在於用戶介面
12:47
wasn't good enough. If you're talking
290
755916
1394
還不夠好。如果你在談論
12:49
about something really secure and sensitive, it should
291
757310
2816
什麼真正的安全和敏感的,
12:52
be really clear to you that this conversation is encrypted.
292
760126
3293
那麼這種談話必須是要加密的。
12:55
That one's pretty easy to fix.
293
763419
1886
這是很容易解決。
12:57
The last one I thought was really, really cool,
294
765305
1669
最後一個,我想是真的、真的很酷,
12:58
and I just had to show it to you, it's probably not something
295
766974
2813
我這就把它展示給你,它可能不是那種
13:01
that you're going to lose sleep over
296
769787
1005
會讓你會失眠的東西,
13:02
like the cars or the defibrillators,
297
770792
1791
比如類似汽車電腦或心臟除顫器,
13:04
but it's stealing keystrokes.
298
772583
3023
但它可以偷按鍵資訊。
13:07
Now, we've all looked at smartphones upside down.
299
775606
2747
現在,我們上下顛倒著看一下智慧手機。
13:10
Every security expert wants to hack a smartphone,
300
778353
2190
每個安全專家想要攻擊一個智慧手機,
13:12
and we tend to look at the USB port, the GPS for tracking,
301
780543
4612
都傾向於從USB埠、GPS跟蹤、
13:17
the camera, the microphone, but no one up till this point
302
785155
3208
相機、麥克風,但沒有一個到現在為止
13:20
had looked at the accelerometer.
303
788363
1580
看過加速計。
13:21
The accelerometer is the thing that determines
304
789943
1647
加速度計的決定了智慧手機
13:23
the vertical orientation of the smartphone.
305
791590
3494
在垂直方向的角度。
13:27
And so they had a simple setup.
306
795084
1417
因此,他們做了一個簡單的設置。
13:28
They put a smartphone next to a keyboard,
307
796501
2758
他們把智慧手機放到鍵盤的旁邊,
13:31
and they had people type, and then their goal was
308
799259
2712
然後有人打字,然後他們的目標是
13:33
to use the vibrations that were created by typing
309
801971
2856
通過使用加速度計
13:36
to measure the change in the accelerometer reading
310
804827
4240
測量打字產生的振動的讀數的變化,
13:41
to determine what the person had been typing.
311
809067
3176
以確定打字內容。
13:44
Now, when they tried this on an iPhone 3GS,
312
812243
2576
現在,當他們用iPhone 3GS嘗試這種方法時,
13:46
this is a graph of the perturbations that were created
313
814819
2769
打字會產生一個圖形的擾動,
13:49
by the typing, and you can see that it's very difficult
314
817588
3241
你可以看到,很難
13:52
to tell when somebody was typing or what they were typing,
315
820829
3078
確認什麼時候人在打字和打字內容,
13:55
but the iPhone 4 greatly improved the accelerometer,
316
823907
3090
但在iPhone 4大大改善了加速度計,
13:58
and so the same measurement
317
826997
3480
所以相同的測量動作
14:02
produced this graph.
318
830477
1832
產生了這個曲線圖。
14:04
Now that gave you a lot of information while someone
319
832309
2486
現在這個圖給你了大量資訊,
14:06
was typing, and what they did then is used advanced
320
834795
3241
當有人打字的時候。接下來他們採用
14:10
artificial intelligence techniques called machine learning
321
838036
3007
先進的人工智慧技術稱為機器學習
14:13
to have a training phase,
322
841043
1431
來進行訓練階段,
14:14
and so they got most likely grad students
323
842474
2236
所以他們叫來潛在的研究生們,
14:16
to type in a whole lot of things, and to learn,
324
844710
3789
輸入了一大堆的東西,去學習,
14:20
to have the system use the machine learning tools that
325
848499
2768
使系統運用機器學習的工具,
14:23
were available to learn what it is that the people were typing
326
851267
2863
瞭解人們輸入的內容,
14:26
and to match that up
327
854130
2827
然後去匹配
14:28
with the measurements in the accelerometer.
328
856957
2477
加速度計的測量資料。
14:31
And then there's the attack phase, where you get
329
859434
1635
再有就是攻擊階段,
14:33
somebody to type something in, you don't know what it was,
330
861069
2811
一個人在那裏打字,你不知道他打的是什麼東西,
14:35
but you use your model that you created
331
863880
1297
但你用你在訓練階段時的模型進行匹配,
14:37
in the training phase to figure out what they were typing.
332
865177
3442
就可以弄清楚他們輸入內容。
14:40
They had pretty good success. This is an article from the USA Today.
333
868619
3484
他們有相當高的成功率。
這是從“今日美國”的一篇文章。
這是從“今日美國”的一篇文章。
14:44
They typed in, "The Illinois Supreme Court has ruled
334
872103
2609
他們鍵入“伊利諾州最高法院裁定,
14:46
that Rahm Emanuel is eligible to run for Mayor of Chicago"
335
874712
2962
伊曼紐爾符合競選芝加哥市長的條件”
14:49
— see, I tied it in to the last talk —
336
877674
1354
看,我把它綁在最後一次談話
14:51
"and ordered him to stay on the ballot."
337
879028
2118
“並命令他繼續競選”。
14:53
Now, the system is interesting, because it produced
338
881146
2771
現在,該系統很有趣,因為它生成了
14:55
"Illinois Supreme" and then it wasn't sure.
339
883917
2886
“伊利諾州最高法院” ,然後他就不確定了。
14:58
The model produced a bunch of options,
340
886803
1950
該模型產生了一堆的選項,
15:00
and this is the beauty of some of the A.I. techniques,
341
888753
2709
這是AI技術的美妙之處,
15:03
is that computers are good at some things,
342
891462
2250
電腦在一些方面擅長,
15:05
humans are good at other things,
343
893712
1534
人類在其他方面擅長,
15:07
take the best of both and let the humans solve this one.
344
895246
1931
結合兩者的最優,讓人類解決這個問題。
15:09
Don't waste computer cycles.
345
897177
1382
不要浪費電腦的運算。
15:10
A human's not going to think it's the Supreme might.
346
898559
2136
一個人不會認為這是最高法院的威力。
15:12
It's the Supreme Court, right?
347
900695
1740
這是最高法院,對不對?
15:14
And so, together we're able to reproduce typing
348
902435
2530
所以,我們一起能夠簡單地
15:16
simply by measuring the accelerometer.
349
904965
2949
通過測量加速度計來重現輸入。
15:19
Why does this matter? Well, in the Android platform,
350
907914
3502
為什麼這個事情很重要呢?在Android平臺上,
15:23
for example, the developers have a manifest
351
911416
4133
例如,開發人員有一個設備清單,
15:27
where every device on there, the microphone, etc.,
352
915564
2584
每個設備都在上面,麥克風等,
15:30
has to register if you're going to use it
353
918148
1956
如果你要使用它就必須註冊,
15:32
so that hackers can't take over it,
354
920104
2316
這樣駭客無法接管,
15:34
but nobody controls the accelerometer.
355
922420
3108
但沒有人控制加速度計。
15:37
So what's the point? You can leave your iPhone next to
356
925528
2216
那麼,這有什麼意義呢?你可以留下
你的iPhone到其他人的鍵盤旁邊,
你的iPhone到其他人的鍵盤旁邊,
15:39
someone's keyboard, and just leave the room,
357
927744
2106
然後離開房間,
15:41
and then later recover what they did,
358
929850
1639
過一會回來就知道他們做了什麼,
15:43
even without using the microphone.
359
931489
1711
甚至不使用麥克風
15:45
If someone is able to put malware on your iPhone,
360
933200
2174
如果有人能夠在你的iPhone上安裝惡意軟體,
15:47
they could then maybe get the typing that you do
361
935374
2848
那麼也許他們可以得到你的打字內容,
15:50
whenever you put your iPhone next to your keyboard.
362
938222
2321
當你打字時把iPhone放到鍵盤旁邊。
15:52
There's several other notable attacks that unfortunately
363
940543
2271
還有其他幾個著名的攻擊,不過遺憾的是
15:54
I don't have time to go into, but the one that I wanted
364
942814
2131
我沒有時間給大家一一提到,但是,我想指出的是,
15:56
to point out was a group from the University of Michigan
365
944945
2277
美國密西根大學的一個小組已經能
15:59
which was able to take voting machines,
366
947222
2441
夠搞定投票機了,
16:01
the Sequoia AVC Edge DREs that
367
949663
2498
Sequoia AVC Edge DRE,
16:04
were going to be used in New Jersey in the election
368
952161
1555
就是那種使用在新澤西州的選舉
16:05
that were left in a hallway, and put Pac-Man on it.
369
953716
2161
留在走廊裏的機器。他們可以把Pac-Man遊戲機放上去。
16:07
So they ran the Pac-Man game.
370
955877
3623
他們運行Pac-Man遊戲。
16:11
What does this all mean?
371
959500
1747
這一切意味著什麼?
16:13
Well, I think that society tends to adopt technology
372
961247
3647
嗯,我認為社會趨向於快速採用新技術。
16:16
really quickly. I love the next coolest gadget.
373
964894
2824
我愛最新最酷的小工具。
16:19
But it's very important, and these researchers are showing,
374
967718
2614
但非常重要的是,在這些研究人員展示的例子中,
16:22
that the developers of these things
375
970332
1360
這些東西的開發人員
16:23
need to take security into account from the very beginning,
376
971692
2865
從一開始就要將安全因素考慮進去,
16:26
and need to realize that they may have a threat model,
377
974557
2785
並意識到,即使他們設計時
考慮到可能有一個威脅模型,
考慮到可能有一個威脅模型,
16:29
but the attackers may not be nice enough
378
977342
2462
但攻擊者可能沒有友善到
16:31
to limit themselves to that threat model,
379
979804
1777
將自己的行為限制在這個威脅模型中,
16:33
and so you need to think outside of the box.
380
981581
2537
所以你需要考慮出了這一個模型之外的所有威脅。
16:36
What we can do is be aware
381
984118
1578
我們所能做的是請注意
16:37
that devices can be compromised,
382
985696
2479
設備可能會受到攻擊和損害,
16:40
and anything that has software in it
383
988175
1699
只要是含有軟體
16:41
is going to be vulnerable. It's going to have bugs.
384
989874
2649
它就容易受到攻擊, 它就會有缺陷。
16:44
Thank you very much. (Applause)
385
992523
3497
非常感謝你。 (掌聲)
ABOUT THE SPEAKER
Avi Rubin - Computer security expertAvi Rubin is a professor of computer science and director of the Health and Medical Security Lab at Johns Hopkins University. His research is focused on the security of electronic records -- including medical and voting records.
Why you should listen
Along with running the Health and Medical Security Lab, Avi Rubin is also the technical director of the JHU Information Security Institute. From 1997 to 2002, Avi was a researcher in AT&T’s Secure Systems Department, where he focused on cryptography and network security. He is also the founder of Harbor Labs, which provides expert testimony and review in legal cases related to high tech security. Avi has authored several books related to electronic security, including Brave New Ballot, published in 2006.
Avi Rubin | Speaker | TED.com