TEDxMidAtlantic
Avi Rubin: All your devices can be hacked
阿维·鲁宾 (Avi Rubin): 你所拥有的设备都能被骇
Filmed:
Readability: 4.6
1,251,015 views
是不是有人可以骇入你的心脏起搏器?在 TEDxMidAtlantic, 阿维·鲁宾讲解了黑客是怎么入侵汽车,智慧型手机和医疗器械,并提醒我们这个可骇程度日益上升的世界的危险性。(TEDxMidAtlantic录制)
Avi Rubin - Computer security expert
Avi Rubin is a professor of computer science and director of the Health and Medical Security Lab at Johns Hopkins University. His research is focused on the security of electronic records -- including medical and voting records. Full bio
Avi Rubin is a professor of computer science and director of the Health and Medical Security Lab at Johns Hopkins University. His research is focused on the security of electronic records -- including medical and voting records. Full bio
Double-click the English transcript below to play the video.
00:12
I'm a computer science professor,
0
588
3031
我是一个计算机科学教授
00:15
and my area of expertise is
1
3619
2313
我的专业领域是
00:17
computer and information security.
2
5932
2199
计算机与信息安全
00:20
When I was in graduate school,
3
8131
2320
当我还在研究生院的时候
00:22
I had the opportunity to overhear my grandmother
4
10451
2601
我有次听见了我祖母
00:25
describing to one of her fellow senior citizens
5
13052
4134
向她的一位高龄同乡描述
00:29
what I did for a living.
6
17186
2369
我的工作。
00:31
Apparently, I was in charge of making sure that
7
19555
3562
没想到,她说我的工作是确保
00:35
no one stole the computers from the university. (Laughter)
8
23117
3900
学校的计算机不被小偷偷走
(笑声)
(笑声)
00:39
And, you know, that's a perfectly reasonable thing
9
27017
2744
但你也会觉得她这么想是完全合理的
00:41
for her to think, because I told her I was working
10
29761
1920
因为我告诉她我工作内容是
00:43
in computer security,
11
31681
1507
计算机安全,
00:45
and it was interesting to get her perspective.
12
33188
3597
但是能够得知她的观点真的很有趣。
00:48
But that's not the most ridiculous thing I've ever heard
13
36785
2617
但这并不是我所听过对我工作
00:51
anyone say about my work.
14
39402
2017
最离谱的叙述。
00:53
The most ridiculous thing I ever heard is,
15
41419
2284
我听过最谱奇的版本是,
00:55
I was at a dinner party, and a woman heard
16
43703
3134
我在一个晚宴上,然後有一位女士听说
00:58
that I work in computer security,
17
46837
1783
我是负责计算机安全的,
01:00
and she asked me if -- she said her computer had been
18
48620
3517
于是她问我如果-她的电脑
01:04
infected by a virus, and she was very concerned that she
19
52137
3436
感染了病毒,所以她十分担心自己
01:07
might get sick from it, that she could get this virus. (Laughter)
20
55573
3951
会因此而生病,会感染到这个病毒
(笑声)
(笑声)
01:11
And I'm not a doctor, but I reassured her
21
59524
2943
虽然我不是个医生,但我向她再三保证
01:14
that it was very, very unlikely that this would happen,
22
62467
3144
这种事不可能会发生
01:17
but if she felt more comfortable, she could be free to use
23
65611
2801
但如果她还是不放心,她或许可以考虑
01:20
latex gloves when she was on the computer,
24
68412
1848
在用电脑的时候带着橡胶手套,
01:22
and there would be no harm whatsoever in that.
25
70260
3392
而且这无论如何都是无害的。
01:25
I'm going to get back to this notion of being able to get
26
73652
2507
我一会儿会回过头来谈谈这种能够被
01:28
a virus from your computer, in a serious way.
27
76159
3508
自己电脑的病毒感染的想法,用一个更严肃的角度来谈
01:31
What I'm going to talk to you about today
28
79667
1640
今天我要讲的是
01:33
are some hacks, some real world cyberattacks that people
29
81307
4846
一些在我领域,学术研究界的人员
01:38
in my community, the academic research community,
30
86153
2554
所进行大多人所不知的
01:40
have performed, which I don't think
31
88707
2794
黑客活动
01:43
most people know about,
32
91501
1208
和一些真实世界的网络攻击,
01:44
and I think they're very interesting and scary,
33
92709
3028
我觉得它们既有意思又可怕,
01:47
and this talk is kind of a greatest hits
34
95737
2441
而这次的演说就有点像是
学术的安全共同体中的
学术的安全共同体中的
01:50
of the academic security community's hacks.
35
98178
2991
经典黑客案例
01:53
None of the work is my work. It's all work
36
101169
1987
这些都不是我个人的工作。这全部都是
01:55
that my colleagues have done, and I actually asked them
37
103156
2174
我同事做的,而我其实还向他们要了一些
01:57
for their slides and incorporated them into this talk.
38
105330
2557
幻灯片并把它们加到我的演讲里。
01:59
So the first one I'm going to talk about
39
107887
1742
那么,我要讲的第一个案例就是
02:01
are implanted medical devices.
40
109629
2674
植入性医疗器械。
02:04
Now medical devices have come a long way technologically.
41
112303
3040
当今的医疗器械是经历了
一段很长的科技发展。
一段很长的科技发展。
02:07
You can see in 1926 the first pacemaker was invented.
42
115343
3856
你可以看到,第一款心脏起搏器发明于1926年。
02:11
1960, the first internal pacemaker was implanted,
43
119199
3552
1960年,第一个体内心脏起搏器被植入,
02:14
hopefully a little smaller than that one that you see there,
44
122751
2552
希望是比大家在这看到的要小一些,
02:17
and the technology has continued to move forward.
45
125303
2968
之后,这方面的技术一直在不断地发展。
02:20
In 2006, we hit an important milestone from the perspective
46
128271
4633
到了2006年,我们迎来了一个重要的里程碑,
02:24
of computer security.
47
132904
3167
对于电脑安全而言。
02:28
And why do I say that?
48
136071
1341
那我为什么这么说呢?
02:29
Because that's when implanted devices inside of people
49
137412
2890
那是因为这正是植入人体的器械
02:32
started to have networking capabilities.
50
140302
2745
开始具备联网能力的时候。
02:35
One thing that brings us close to home is we look
51
143047
1880
一件带我们回主题的事就是当我们
02:36
at Dick Cheney's device, he had a device that
52
144927
2705
看到迪克·切尼的仪器,他拥有一可以
02:39
pumped blood from an aorta to another part of the heart,
53
147632
3869
将血液从一个大动脉输送到
心脏的另一个部分的仪器,
心脏的另一个部分的仪器,
02:43
and as you can see at the bottom there,
54
151501
1183
就如你在底部所看到的,
02:44
it was controlled by a computer controller,
55
152684
3009
它是被一个电脑控制器所控制的,
02:47
and if you ever thought that software liability
56
155693
2517
如果你认为软件责任
02:50
was very important, get one of these inside of you.
57
158210
3589
非常重大的话,你可以给自己装一个这个。
02:53
Now what a research team did was they got their hands
58
161799
3695
现在有一支研究团队所做的就是得到了一个
02:57
on what's called an ICD.
59
165494
1420
被称作 ICD 的器件。
(植入型心律转复除颤器)
(植入型心律转复除颤器)
02:58
This is a defibrillator, and this is a device
60
166914
2070
这是一个复除颤器,而且这是个
03:00
that goes into a person to control their heart rhythm,
61
168984
4336
用在人体体内来控制他们心率的仪器,
03:05
and these have saved many lives.
62
173320
2338
而且这仪器还救过不少人的命。
03:07
Well, in order to not have to open up the person
63
175658
2472
那麽,为了不用每次给装置重新编程
03:10
every time you want to reprogram their device
64
178130
2194
或者进行某些其他的检测的时候
03:12
or do some diagnostics on it, they made the thing be able
65
180324
2455
都要剖开病人的胸腔,他们让这个装置
03:14
to communicate wirelessly, and what this research team did
66
182779
3102
可以无线通讯,而这个研究团队所做的
03:17
is they reverse engineered the wireless protocol,
67
185881
2610
就是对无线协议做逆向工程,
03:20
and they built the device you see pictured here,
68
188491
1872
并制作出你现在所看到的图中所显示的仪器,
03:22
with a little antenna, that could talk the protocol
69
190363
2760
它还有一个小天线用于与设备
03:25
to the device, and thus control it.
70
193123
4475
进行交流,从而进行操控。
03:29
In order to make their experience real -- they were unable
71
197598
2689
为了让他们的试验更真实-他们无法
03:32
to find any volunteers, and so they went
72
200287
2472
找到任何志愿者,所以他们找来
03:34
and they got some ground beef and some bacon
73
202759
2144
一些牛肉馅儿和培根肉
03:36
and they wrapped it all up to about the size
74
204903
1788
弄成一个大小和人体内
03:38
of a human being's area where the device would go,
75
206691
2798
安放这个装置差不多大小的区域,
03:41
and they stuck the device inside it
76
209489
1454
然后他们把这个装置放了进去
03:42
to perform their experiment somewhat realistically.
77
210943
3132
从而使他们的实验近乎真实。
03:46
They launched many, many successful attacks.
78
214075
3020
他们进行了很多很多成功的攻击。
03:49
One that I'll highlight here is changing the patient's name.
79
217095
3056
我特别想重点讲一下的是他们成功地修改了病人的姓名信息。
03:52
I don't know why you would want to do that,
80
220151
993
我不清楚为什么有人要这么做 ,
03:53
but I sure wouldn't want that done to me.
81
221144
2104
但是我肯定不愿意有人对我这么做。
03:55
And they were able to change therapies,
82
223248
2331
他们还能够更改治疗方案,
03:57
including disabling the device -- and this is with a real,
83
225579
2495
包括使设备失效-而这些都发生在一个真的
04:00
commercial, off-the-shelf device --
84
228074
1896
营利的、市场上能买到的心率仪上 --
04:01
simply by performing reverse engineering and sending
85
229970
2046
仅仅是通过反向破解以及向其
04:04
wireless signals to it.
86
232016
2989
发送无线指令就能实现。
04:07
There was a piece on NPR that some of these ICDs
87
235005
3580
NPR 上曾经有过一则新闻报到了
(美国国家公共广播电台)
(美国国家公共广播电台)
04:10
could actually have their performance disrupted
88
238585
2422
一些ICD的运行甚至可以被
04:13
simply by holding a pair of headphones onto them.
89
241007
3651
放在其上面的一副耳机扰乱
04:16
Now, wireless and the Internet
90
244658
1409
如今,无线技术和互联网
04:18
can improve health care greatly.
91
246067
1652
能够大大改善医疗服务
04:19
There's several examples up on the screen
92
247719
2087
屏幕上显示的几个例子是一些
04:21
of situations where doctors are looking to implant devices
93
249806
3107
医生要为病人体内植入医疗装置
04:24
inside of people, and all of these devices now,
94
252913
2865
的情况,而现今所有这方面的仪器,
04:27
it's standard that they communicate wirelessly,
95
255778
3125
无线联网已经成为了标准配备,
04:30
and I think this is great,
96
258903
1412
我认为这很了不起,
04:32
but without a full understanding of trustworthy computing,
97
260315
3105
但是如果没有全面的了解和可靠的计算,
04:35
and without understanding what attackers can do
98
263420
2407
和没有认识到攻击行为所造成的影响
04:37
and the security risks from the beginning,
99
265827
2147
以及固有的安全隐患,
04:39
there's a lot of danger in this.
100
267974
2390
这就会带来很多危险。
04:42
Okay, let me shift gears and show you another target.
101
270364
1477
好的,让我换个机械向你们展示另外一个攻击对象。
04:43
I'm going to show you a few different targets like this,
102
271841
2088
我将向你们展示几个类似的攻击对象,
04:45
and that's my talk. So we'll look at automobiles.
103
273929
2917
它们是我演讲的主要部分。我们接下来看看汽车。
04:48
This is a car, and it has a lot of components,
104
276846
2896
这是一辆车,它拥有很多组成部分,
04:51
a lot of electronics in it today.
105
279742
1620
如今还拥有许多的电子零件。
04:53
In fact, it's got many, many different computers inside of it,
106
281362
4377
事实上,它里面有很多很多台不同的电脑,
04:57
more Pentiums than my lab did when I was in college,
107
285739
3155
它所拥有的奔腾处理器比我大学时期的实验室里的还多,
05:00
and they're connected by a wired network.
108
288894
3639
而且这些电脑之间是由内部线路相连。
05:04
There's also a wireless network in the car,
109
292533
3431
车内也有一个无线网络,
05:07
which can be reached from many different ways.
110
295964
3233
它可以通过不同的方式与外界相连。
05:11
So there's Bluetooth, there's the FM and XM radio,
111
299197
3701
包含了蓝牙,有FM广播和XM广播,
05:14
there's actually wi-fi, there's sensors in the wheels
112
302898
2820
甚至还有wi-fi,车轮里面有传感器
05:17
that wirelessly communicate the tire pressure
113
305718
2153
可以通过无线网络监测轮胎气压
05:19
to a controller on board.
114
307871
1806
并传输给控制板。
05:21
The modern car is a sophisticated multi-computer device.
115
309677
4918
现代汽车是非常复杂的多电脑设备
05:26
And what happens if somebody wanted to attack this?
116
314595
3322
那如果有人想攻击这台设备的话
会发生什么呢?
会发生什么呢?
05:29
Well, that's what the researchers
117
317917
1317
这就是今天我演讲中的
05:31
that I'm going to talk about today did.
118
319234
1871
研究者们所做的。
05:33
They basically stuck an attacker on the wired network
119
321105
2977
他们很根本地在汽车的有线和无线网络上
05:36
and on the wireless network.
120
324082
2322
都安装了攻击装置。
05:38
Now, they have two areas they can attack.
121
326404
2699
现在,他们可以通过两种方式进行攻击。
05:41
One is short-range wireless, where you can actually
122
329103
2038
一种是短程无线网络,这样你可以直接
05:43
communicate with the device from nearby,
123
331141
1781
和附近的装置进行通信,
05:44
either through Bluetooth or wi-fi,
124
332922
2137
比如通过蓝牙或 wi-fi,
05:47
and the other is long-range, where you can communicate
125
335059
2174
另一个是远程网络,让你可以
05:49
with the car through the cellular network,
126
337233
1782
通过移动网络
05:51
or through one of the radio stations.
127
339015
1960
或者通过某个无线电电台与车进行通信。
05:52
Think about it. When a car receives a radio signal,
128
340975
3049
想想看。当一辆汽车接收到无线电信号,
05:56
it's processed by software.
129
344024
2201
软件会对这信号进行处理。
05:58
That software has to receive and decode the radio signal,
130
346225
3061
这软件必需对信号进行接收和解码
06:01
and then figure out what to do with it,
131
349286
1119
从而弄明白如何进行处理,
06:02
even if it's just music that it needs to play on the radio,
132
350405
3024
即便那只是电台音乐,
06:05
and that software that does that decoding,
133
353429
2268
而那进行解码的软件,
06:07
if it has any bugs in it, could create a vulnerability
134
355697
3093
如果存有任何漏洞,就有机会
06:10
for somebody to hack the car.
135
358790
3035
让他人入侵汽车的电脑系统中。
06:13
The way that the researchers did this work is,
136
361825
2952
研究人员试验的方法就是,
06:16
they read the software in the computer chips
137
364777
4223
他们读取了车内电脑芯片中的软件
06:21
that were in the car, and then they used sophisticated
138
369000
3193
之后他们运用复杂的
06:24
reverse engineering tools
139
372193
1414
反向破解工具
06:25
to figure out what that software did,
140
373607
2055
来弄明白了这个软件的功能,
06:27
and then they found vulnerabilities in that software,
141
375662
3041
并且找到了软休的漏洞,
06:30
and then they built exploits to exploit those.
142
378703
3346
之后他们利用这些漏洞建造后门。
06:34
They actually carried out their attack in real life.
143
382049
2382
他们真的在现实生活中试验了这些攻击。
06:36
They bought two cars, and I guess
144
384431
1350
他们买了两辆车,
06:37
they have better budgets than I do.
145
385781
2918
我猜他们的经费比我要宽裕一些。
06:40
The first threat model was to see what someone could do
146
388699
2590
第一个攻击计划是想看看一个人能在
06:43
if an attacker actually got access
147
391289
2144
攻击者得到许可进入汽车的
06:45
to the internal network on the car.
148
393433
2053
内部网络时做些什麽。
06:47
Okay, so think of that as, someone gets to go to your car,
149
395486
2603
好的,假设有一个人可以接近你的车,
06:50
they get to mess around with it, and then they leave,
150
398089
2904
在车中做了一些手脚,然后离开,
06:52
and now, what kind of trouble are you in?
151
400993
2368
那现在,你会遇到些什么麻烦呢?
06:55
The other threat model is that they contact you
152
403361
2792
另一个计划是他们通过
06:58
in real time over one of the wireless networks
153
406153
2457
无线网络进行实时交流
07:00
like the cellular, or something like that,
154
408610
2055
就像手机或是其他类似的方式,
07:02
never having actually gotten physical access to your car.
155
410665
4000
根本不需要跟你的车有任何的物理上的接触。
07:06
This is what their setup looks like for the first model,
156
414665
2824
这是他们第一个模型设置的样子,
07:09
where you get to have access to the car.
157
417489
1683
在这他们可以接触到车。
07:11
They put a laptop, and they connected to the diagnostic unit
158
419172
3387
他们放了一个笔记本电脑,
并把它连接到车内部网络的
并把它连接到车内部网络的
07:14
on the in-car network, and they did all kinds of silly things,
159
422559
2939
诊断单元,他们利用这些做了各种各样好玩的把戏,
07:17
like here's a picture of the speedometer
160
425498
2783
像这张车速表的照片
07:20
showing 140 miles an hour when the car's in park.
161
428281
2816
在车静止的情况下显示每小时140英里。
07:23
Once you have control of the car's computers,
162
431097
2373
当你控制住车内电脑系统,
07:25
you can do anything.
163
433470
919
你可以做任何事。
07:26
Now you might say, "Okay, that's silly."
164
434389
1616
你也许会觉得,“这只是搞笑而已。”
07:28
Well, what if you make the car always say
165
436005
1659
那如果你让车总是显示
07:29
it's going 20 miles an hour slower than it's actually going?
166
437664
2741
比真正的速度慢了20英里每小时呢?
07:32
You might produce a lot of speeding tickets.
167
440405
2542
这样会拿到很多超速罚单。
07:34
Then they went out to an abandoned airstrip with two cars,
168
442947
3856
之后他们开了两辆车到一个废弃的简易机场,
07:38
the target victim car and the chase car,
169
446803
2745
一辆目标车,一辆追踪车,
07:41
and they launched a bunch of other attacks.
170
449548
2746
他们并进行了更多其他的攻击。
07:44
One of the things they were able to do from the chase car
171
452294
2766
其中一件可以从追踪车里做到的是
07:47
is apply the brakes on the other car,
172
455060
1974
在目标车中进行刹车,
07:49
simply by hacking the computer.
173
457034
1560
这只需要侵入目标车的电脑就可以了。
07:50
They were able to disable the brakes.
174
458594
2431
他们可以废掉刹车系统。
07:53
They also were able to install malware that wouldn't kick in
175
461025
3178
他们还可以安装一些恶意软件要在车子
07:56
and wouldn't trigger until the car was doing something like
176
464203
2425
做出特定的指令下,比方说车速在20英里每小时
07:58
going over 20 miles an hour, or something like that.
177
466628
3746
或类似的指令才会启动。
08:02
The results are astonishing, and when they gave this talk,
178
470374
2758
这个结果非常的震撼,而当他们做这个演讲时,
08:05
even though they gave this talk at a conference
179
473132
1716
即使是在一个充满
08:06
to a bunch of computer security researchers,
180
474848
1726
电脑安全研究人员的会议,
08:08
everybody was gasping.
181
476574
1700
所有人都难以之信。
08:10
They were able to take over a bunch of critical computers
182
478274
3699
他们成功的控制了车内很多
08:13
inside the car: the brakes computer, the lighting computer,
183
481973
3761
重要的电脑系统:刹车系统,照明系统,
08:17
the engine, the dash, the radio, etc.,
184
485734
2827
发动机,仪表盘,无线电台,等等,
08:20
and they were able to perform these on real commercial
185
488561
2293
而且他们可以在他们所购买的商务车中
08:22
cars that they purchased using the radio network.
186
490854
3027
利用无线网络来做这些事情。
08:25
They were able to compromise every single one of the
187
493881
3003
他们可以妥協每一个
08:28
pieces of software that controlled every single one
188
496884
2466
操控每一项
08:31
of the wireless capabilities of the car.
189
499350
3015
车内无线功能的软件。
08:34
All of these were implemented successfully.
190
502365
2513
所有的实验都成功的实施了。
08:36
How would you steal a car in this model?
191
504878
2352
你要怎样去偷这类型的车呢?
08:39
Well, you compromise the car by a buffer overflow
192
507230
3680
首先你从内部软件缓冲区溢出的
08:42
of vulnerability in the software, something like that.
193
510910
2527
漏洞开始侵入,就像这样。
08:45
You use the GPS in the car to locate it.
194
513437
2203
你再用车内置的导航器确定它的位置。
08:47
You remotely unlock the doors through the computer
195
515640
2195
再用电脑遥控打开车门,
08:49
that controls that, start the engine, bypass anti-theft,
196
517835
3138
启动发动机,绕过防盗系统,
08:52
and you've got yourself a car.
197
520973
1668
这样你就弄到了一辆车。
08:54
Surveillance was really interesting.
198
522641
2487
监控是很有意思的。
08:57
The authors of the study have a video where they show
199
525128
3209
这个研究的作者们有一个影像显示
09:00
themselves taking over a car and then turning on
200
528337
2549
他们侵入一辆车,然后打开
09:02
the microphone in the car, and listening in on the car
201
530886
2761
车内的话筒,听著车内的声音
09:05
while tracking it via GPS on a map,
202
533647
3351
并同时用导航器跟踪车的位置,
09:08
and so that's something that the drivers of the car
203
536998
1713
而这些是车的司机
09:10
would never know was happening.
204
538711
2168
绝对不会知道的。
09:12
Am I scaring you yet?
205
540879
2134
我吓到你们了吗?
09:15
I've got a few more of these interesting ones.
206
543013
1943
我还有几个很有趣的实验。
09:16
These are ones where I went to a conference,
207
544956
1833
这些是我从一个我去过的会议所知道的,
09:18
and my mind was just blown, and I said,
208
546789
1933
我当时惊呆了,我说
09:20
"I have to share this with other people."
209
548722
1826
“我得跟其他人分享这个信息。”
09:22
This was Fabian Monrose's lab
210
550548
1623
这是北卡大学 Fabian Monrose 教授的实验室,
09:24
at the University of North Carolina, and what they did was
211
552171
3456
他们做的实验
09:27
something intuitive once you see it,
212
555627
2075
是一个当你看了之后会觉得很直观,
09:29
but kind of surprising.
213
557702
1714
但也会很惊讶的实验。
09:31
They videotaped people on a bus,
214
559416
2259
他们录下了在公车上的人们,
09:33
and then they post-processed the video.
215
561675
2840
然后后期处理这些视频。
09:36
What you see here in number one is a
216
564515
2463
你在一号所看到的是
09:38
reflection in somebody's glasses of the smartphone
217
566978
4383
在输入手机的某人的眼镜中所反射
09:43
that they're typing in.
218
571361
1425
出来的智慧型手机映像。
09:44
They wrote software to stabilize --
219
572786
1975
他们编了一个软件来稳定 --
09:46
even though they were on a bus
220
574761
1365
即使他们在公车上
09:48
and maybe someone's holding their phone at an angle --
221
576126
3211
或是有人会把手机摆在一个特殊的角度 --
09:51
to stabilize the phone, process it, and
222
579337
2370
来稳定这个手机,处理它,
09:53
you may know on your smartphone, when you type
223
581707
1885
你也许知道,当你在智慧型手机上输入
09:55
a password, the keys pop out a little bit, and they were able
224
583592
2939
密码时,对应键会放大一点,因此他们可以
09:58
to use that to reconstruct what the person was typing,
225
586531
2840
利用这一点去重组那个人所输入的东西,
10:01
and had a language model for detecting typing.
226
589371
4321
还有一个语言模型去检测输入行为。
10:05
What was interesting is, by videotaping on a bus,
227
593692
2335
有意思的是,利用公车上的录像
10:08
they were able to produce exactly what people
228
596027
2129
他们可以准确无误的得到他人在
10:10
on their smartphones were typing,
229
598156
2151
手机上输入什么,
10:12
and then they had a surprising result, which is that
230
600307
2260
之后他们还发现了一个意外结果,就是
10:14
their software had not only done it for their target,
231
602567
2764
他们的软件不但会对他们的目标进行处理,
10:17
but other people who accidentally happened
232
605331
1403
也可以对那些意外入镜的
10:18
to be in the picture, they were able to produce
233
606734
2086
人进行分析出
10:20
what those people had been typing, and that was kind of
234
608820
2727
那些人都输入了什么,而这些
10:23
an accidental artifact of what their software was doing.
235
611547
3617
是这软件进行中所得到的意外收获。
10:27
I'll show you two more. One is P25 radios.
236
615164
4303
我再给你们看两个例子。一个是P25无线电。
10:31
P25 radios are used by law enforcement
237
619467
2800
P25无线电是执法部门
10:34
and all kinds of government agencies
238
622267
3407
和种种政府机构
10:37
and people in combat to communicate,
239
625674
1736
以及战场上的人们交流所使用的,
10:39
and there's an encryption option on these phones.
240
627410
2833
而这些电话里都会有加密选项。
10:42
This is what the phone looks like. It's not really a phone.
241
630243
2728
这电话就是长这个样子。这不是真正的电话。
10:44
It's more of a two-way radio.
242
632971
1206
它比较像是双向无线电。
10:46
Motorola makes the most widely used one, and you can see
243
634177
3322
摩托罗拉是这电话的最大生产商,你也会看到
10:49
that they're used by Secret Service, they're used in combat,
244
637499
2649
它们是被秘密机构以及战场上所使用,
10:52
it's a very, very common standard in the U.S. and elsewhere.
245
640148
3102
它在美国和其他地方都非常~非常的常见的标准。
10:55
So one question the researchers asked themselves is,
246
643250
2305
所以研究员们自问的一个问题就是
10:57
could you block this thing, right?
247
645555
2704
可以阻止这个东西~~~吧?
11:00
Could you run a denial-of-service,
248
648259
1583
可以执行拒绝服务吗?
11:01
because these are first responders?
249
649842
1824
因为这些都是抢险救生员。
11:03
So, would a terrorist organization want to black out the
250
651666
1801
那么,恐怖组织会想要阻断
11:05
ability of police and fire to communicate at an emergency?
251
653467
4488
警察和火警的紧急联系功能吗?
11:09
They found that there's this GirlTech device used for texting
252
657955
3072
他们发现有个叫GirlTech的信息设备
11:13
that happens to operate at the same exact frequency
253
661027
2718
所使用的频道和 P25 是一样的,
11:15
as the P25, and they built what they called
254
663745
2271
然後他们建造了一个叫
11:18
My First Jammer. (Laughter)
255
666016
4334
"我的第一干扰"。(笑声)
11:22
If you look closely at this device,
256
670350
2378
如果你仔细看这个设备,
11:24
it's got a switch for encryption or cleartext.
257
672728
3630
这里有个开关可以切换加密或是明文。
11:28
Let me advance the slide, and now I'll go back.
258
676358
3050
让我先到下一页,然後现在我再回去。
11:31
You see the difference?
259
679408
2547
你看到那差异了吗?
11:33
This is plain text. This is encrypted.
260
681955
2557
这是明文,这是加密。
11:36
There's one little dot that shows up on the screen,
261
684512
2557
屏幕上出现一个小点,
11:39
and one little tiny turn of the switch.
262
687069
2085
而开关也转了一点点。
11:41
And so the researchers asked themselves, "I wonder how
263
689154
1904
那些研究员们就自问,“我猜想
11:43
many times very secure, important, sensitive conversations
264
691058
4257
有多少非常保密的,重要的,敏感的谈话
11:47
are happening on these two-way radios where they forget
265
695315
1623
是在这些他们忘记加密
11:48
to encrypt and they don't notice that they didn't encrypt?"
266
696938
2910
而且没有注意到这回事的双向无线电的情况下进行呢?
11:51
So they bought a scanner. These are perfectly legal
267
699848
3339
他们买了一个扫描仪。这些都是完全合法的
11:55
and they run at the frequency of the P25,
268
703187
3458
他们并在P25的频率下运行这扫描仪,
11:58
and what they did is they hopped around frequencies
269
706645
1767
之後他们在这个频率周围不停地转动
12:00
and they wrote software to listen in.
270
708412
2510
然後用他们所写的软件来监听。
12:02
If they found encrypted communication, they stayed
271
710922
2634
如果他们找到了加密的对话,他们就停留
12:05
on that channel and they wrote down, that's a channel
272
713556
1686
在那个频道,然后写下这是
12:07
that these people communicate in,
273
715242
1788
那些人交流的频道,
12:09
these law enforcement agencies,
274
717030
1622
那些执法机构,
12:10
and they went to 20 metropolitan areas and listened in
275
718652
3391
他们去了20个大都市区监听
12:14
on conversations that were happening at those frequencies.
276
722043
3475
这些频道上的所进行的对话。
12:17
They found that in every metropolitan area,
277
725518
3239
他们发现在每一个大都会区
12:20
they would capture over 20 minutes a day
278
728757
2154
他们每天都能捕捉到至少20分钟的
12:22
of cleartext communication.
279
730911
2375
明文交流。
12:25
And what kind of things were people talking about?
280
733286
2000
那他们都交流些什么呢?
12:27
Well, they found the names and information
281
735286
1484
他们得到了秘密举报人的
12:28
about confidential informants. They found information
282
736770
2852
名字和信息。他们得到了
12:31
that was being recorded in wiretaps,
283
739622
2202
正在被窃听的信息,
12:33
a bunch of crimes that were being discussed,
284
741824
2710
一堆正在被讨论的犯罪案件,
12:36
sensitive information.
285
744534
1162
敏感的消息。
12:37
It was mostly law enforcement and criminal.
286
745696
3363
大多数都是执法和犯罪类的。
12:41
They went and reported this to the law enforcement
287
749059
1834
他们向执法机构说明了这件事,
12:42
agencies, after anonymizing it,
288
750893
2023
当然是在匿名之后,
12:44
and the vulnerability here is simply the user interface
289
752916
3000
而当中的漏洞很纯粹的只是用户界面
12:47
wasn't good enough. If you're talking
290
755916
1394
不够好。如果你是在讨论
12:49
about something really secure and sensitive, it should
291
757310
2816
一些非常保密或者敏感话题,你应该
12:52
be really clear to you that this conversation is encrypted.
292
760126
3293
清楚的知道这个谈话是被加密的。
12:55
That one's pretty easy to fix.
293
763419
1886
这个很容易修正。
12:57
The last one I thought was really, really cool,
294
765305
1669
最后一例子我认为是非常,非常的牛,
12:58
and I just had to show it to you, it's probably not something
295
766974
2813
所以我必须得给你们看这个,这可能不是一些
13:01
that you're going to lose sleep over
296
769787
1005
会使你们失眠的东西,
13:02
like the cars or the defibrillators,
297
770792
1791
像是汽车实验和心脏去颤器那样,
13:04
but it's stealing keystrokes.
298
772583
3023
但这个是窃取击键。
13:07
Now, we've all looked at smartphones upside down.
299
775606
2747
至今,我们都彻底的观察过智慧型手机。
13:10
Every security expert wants to hack a smartphone,
300
778353
2190
每个安全专家都想要侵入这样的手机系统,
13:12
and we tend to look at the USB port, the GPS for tracking,
301
780543
4612
而我们一般都会去看USB插头,跟踪GPS,
13:17
the camera, the microphone, but no one up till this point
302
785155
3208
相机,话筒,但目前为止没有人
13:20
had looked at the accelerometer.
303
788363
1580
看过加速规。
13:21
The accelerometer is the thing that determines
304
789943
1647
加速规是那个决定
13:23
the vertical orientation of the smartphone.
305
791590
3494
手机垂直方向的东西。
13:27
And so they had a simple setup.
306
795084
1417
因此他们有个很简单的设置。
13:28
They put a smartphone next to a keyboard,
307
796501
2758
他们把手机放在键盘旁边,
13:31
and they had people type, and then their goal was
308
799259
2712
然後他们让人们去打字,
而他们的目标是
而他们的目标是
13:33
to use the vibrations that were created by typing
309
801971
2856
利用打字而产生的震动
13:36
to measure the change in the accelerometer reading
310
804827
4240
去测量加速规的数据的变化
13:41
to determine what the person had been typing.
311
809067
3176
由此来判断这个人输入的是什么。
13:44
Now, when they tried this on an iPhone 3GS,
312
812243
2576
那么当他们在用iPhone 3GS做这实验时,
13:46
this is a graph of the perturbations that were created
313
814819
2769
这是他们从打字所得到的
13:49
by the typing, and you can see that it's very difficult
314
817588
3241
扰动图,而你可以了解到这是很难
13:52
to tell when somebody was typing or what they were typing,
315
820829
3078
判断什么时候有人在打字
或者他们打过了什么字,
或者他们打过了什么字,
13:55
but the iPhone 4 greatly improved the accelerometer,
316
823907
3090
但是iPhone 4在加速规上有很大的提高,
13:58
and so the same measurement
317
826997
3480
因此同样的测量
14:02
produced this graph.
318
830477
1832
所得到的图是这样的。
14:04
Now that gave you a lot of information while someone
319
832309
2486
这么现在有人在打字时
就会给出更多的信息了,
就会给出更多的信息了,
14:06
was typing, and what they did then is used advanced
320
834795
3241
那他们接下来用了一个先进的
14:10
artificial intelligence techniques called machine learning
321
838036
3007
人工智能技术,称作"机器学习"
14:13
to have a training phase,
322
841043
1431
来进行一个培训阶段,
14:14
and so they got most likely grad students
323
842474
2236
然后他们极有可能是找了一些研究生
14:16
to type in a whole lot of things, and to learn,
324
844710
3789
去输入一大堆的东西,然后去学习,
14:20
to have the system use the machine learning tools that
325
848499
2768
让这个系统利用已有的机器学习工具去
14:23
were available to learn what it is that the people were typing
326
851267
2863
了解这些人输入的是什么
14:26
and to match that up
327
854130
2827
并结合了
14:28
with the measurements in the accelerometer.
328
856957
2477
加速规所测量的数据。
14:31
And then there's the attack phase, where you get
329
859434
1635
接下来就是攻击阶段了,你找
14:33
somebody to type something in, you don't know what it was,
330
861069
2811
一些人来输入一些东西,
但是你不知道输入的是什麽
但是你不知道输入的是什麽
14:35
but you use your model that you created
331
863880
1297
但你利用之前在培训中
14:37
in the training phase to figure out what they were typing.
332
865177
3442
所编写的模式来得出输入的内容。
14:40
They had pretty good success. This is an article from the USA Today.
333
868619
3484
他们有很好的成功几率。
这是一篇出至《今日美国》的文章。
这是一篇出至《今日美国》的文章。
14:44
They typed in, "The Illinois Supreme Court has ruled
334
872103
2609
他们输入了“伊利诺伊州最高法院裁定
14:46
that Rahm Emanuel is eligible to run for Mayor of Chicago"
335
874712
2962
伊曼纽尔拥有参加芝加哥市长竞选的资格”
14:49
— see, I tied it in to the last talk —
336
877674
1354
-看,我结合了上一个演讲-
14:51
"and ordered him to stay on the ballot."
337
879028
2118
“并且命令他必需留在选票上”。
14:53
Now, the system is interesting, because it produced
338
881146
2771
这个系统很有趣,因为它分析出了
14:55
"Illinois Supreme" and then it wasn't sure.
339
883917
2886
“伊利诺伊州最高”
而之后的它就不确定了。
而之后的它就不确定了。
14:58
The model produced a bunch of options,
340
886803
1950
这个模式给了一堆的选择,
15:00
and this is the beauty of some of the A.I. techniques,
341
888753
2709
这也就是人工智能技术厉害的地方,
15:03
is that computers are good at some things,
342
891462
2250
也就是电脑在某方面很在行,
15:05
humans are good at other things,
343
893712
1534
而人类则是在别的方面很强,
15:07
take the best of both and let the humans solve this one.
344
895246
1931
结合双方的优势,
并让人类去解决这一个问题。
并让人类去解决这一个问题。
15:09
Don't waste computer cycles.
345
897177
1382
不去浪费电脑的周期。
15:10
A human's not going to think it's the Supreme might.
346
898559
2136
一个人是不会认为那会是 "最高可能" 。
15:12
It's the Supreme Court, right?
347
900695
1740
当然是"最高法院",对吧?
15:14
And so, together we're able to reproduce typing
348
902435
2530
也因此,人们和机器一起
可以只测量加速规的
可以只测量加速规的
15:16
simply by measuring the accelerometer.
349
904965
2949
数据来得出打出来的内容。
15:19
Why does this matter? Well, in the Android platform,
350
907914
3502
这有什么重要的呢?好吧,用安卓平台来
15:23
for example, the developers have a manifest
351
911416
4133
举个例子,开发者们有一个清单,
15:27
where every device on there, the microphone, etc.,
352
915564
2584
当中的每一个设备,像是麦克风等等,
15:30
has to register if you're going to use it
353
918148
1956
都需要注册,如果有你要用它
15:32
so that hackers can't take over it,
354
920104
2316
好让黑客无法侵入它的话,
15:34
but nobody controls the accelerometer.
355
922420
3108
但是没人控制加速规。
15:37
So what's the point? You can leave your iPhone next to
356
925528
2216
那重点在那呢?
你可以把你的iPhone放在
你可以把你的iPhone放在
15:39
someone's keyboard, and just leave the room,
357
927744
2106
某人的键盘旁边,然后就离开房间,
15:41
and then later recover what they did,
358
929850
1639
之后再回来复原他们所做过的事,
15:43
even without using the microphone.
359
931489
1711
就连麦克风都不需要。
15:45
If someone is able to put malware on your iPhone,
360
933200
2174
如果有人能够把入侵软件装入你的iPhone,
15:47
they could then maybe get the typing that you do
361
935374
2848
他们也就可能得到你所输入的内容,
15:50
whenever you put your iPhone next to your keyboard.
362
938222
2321
每当你把你的iPhone放在你的键盘旁边。
15:52
There's several other notable attacks that unfortunately
363
940543
2271
另外还有几个值得注意的攻击,但我很不幸的
15:54
I don't have time to go into, but the one that I wanted
364
942814
2131
没有时间去说,但有一个我想点出
15:56
to point out was a group from the University of Michigan
365
944945
2277
的是在密西根大学的一组人员,
15:59
which was able to take voting machines,
366
947222
2441
他们成功的侵入了投票机,
16:01
the Sequoia AVC Edge DREs that
367
949663
2498
这是 Sequoia AVC Edge DRE
(美国最大的电子投票机制造商之一)
(美国最大的电子投票机制造商之一)
16:04
were going to be used in New Jersey in the election
368
952161
1555
准备在新泽西州选举中用,
16:05
that were left in a hallway, and put Pac-Man on it.
369
953716
2161
它被留在了一个走廊里,
他们在里面安装了吃豆人游戏。
他们在里面安装了吃豆人游戏。
16:07
So they ran the Pac-Man game.
370
955877
3623
他们安装了吃豆人游戏,所以呢?
16:11
What does this all mean?
371
959500
1747
这些都有什么意义呢?
16:13
Well, I think that society tends to adopt technology
372
961247
3647
我觉得我们的社会往往很快的采用新技术
16:16
really quickly. I love the next coolest gadget.
373
964894
2824
我非常喜欢下一个最炫的小玩意儿。
16:19
But it's very important, and these researchers are showing,
374
967718
2614
但是更重要的是,这些研究人员所显示的,
16:22
that the developers of these things
375
970332
1360
这些东西的开发者
16:23
need to take security into account from the very beginning,
376
971692
2865
需要从一开始就把安全考虑在内,
16:26
and need to realize that they may have a threat model,
377
974557
2785
也需要意识到它们可能会有的威胁模型,
16:29
but the attackers may not be nice enough
378
977342
2462
但是那些攻击者也许不会好心到
16:31
to limit themselves to that threat model,
379
979804
1777
只把他们局限于这些威胁模型中,
16:33
and so you need to think outside of the box.
380
981581
2537
所以你需要跳脱传统思维。
16:36
What we can do is be aware
381
984118
1578
我们所能做得就是要意识到
16:37
that devices can be compromised,
382
985696
2479
设备是可以被妥协的,
16:40
and anything that has software in it
383
988175
1699
而任何有软件的东西
16:41
is going to be vulnerable. It's going to have bugs.
384
989874
2649
都是会有弱点的。它们是会有错误的。
16:44
Thank you very much. (Applause)
385
992523
3497
非常感谢。(掌声)
ABOUT THE SPEAKER
Avi Rubin - Computer security expertAvi Rubin is a professor of computer science and director of the Health and Medical Security Lab at Johns Hopkins University. His research is focused on the security of electronic records -- including medical and voting records.
Why you should listen
Along with running the Health and Medical Security Lab, Avi Rubin is also the technical director of the JHU Information Security Institute. From 1997 to 2002, Avi was a researcher in AT&T’s Secure Systems Department, where he focused on cryptography and network security. He is also the founder of Harbor Labs, which provides expert testimony and review in legal cases related to high tech security. Avi has authored several books related to electronic security, including Brave New Ballot, published in 2006.
Avi Rubin | Speaker | TED.com