You know that little device that you pull out of your pocket, your jacket or your handbag every few minutes? The one that you access with your fingerprint or PIN to check on your latest emails, texts or social media posts. What is it? Yes, I’m simply asking you what it is. Not a difficult question; just imagine that I have never seen one before and I’m asking you what it is. I’m sure your answer would be ‘It’s my phone’. It’s a phone, is it? Really, are you sure? I don’t think it is. In fact, I think it’s actually a tiny but highly powerful computer that is suffering an identity crisis.
Your ‘phone’ is packed full of all the fundamental elements that make it a computer. It has a microprocessor, storage, a screen and an input device – in fact it has multiple input devices if you include speech recognition – and it runs software, so it’s actually a computer. A computer that just has the ability to make phone calls as one of its many, many functions.
For most people, the term ‘computer’ conjures up an image similar to the one at the top of this page: usually a desk-based device with a large screen, a keyboard and a peripheral or two. In order to work with a computer there is a formality of sitting at it, typing away and looking at the results on a screen. This style of computer is a traditional ‘personal computer’ (PC), but it’s actually only one form of computer. There are many, many more, and all are subject to cyber security threats. The challenge is that if you don’t know that it’s actually a computer, then how can you possibly protect it, and the data that it has access to, from attack?
When Intel introduced the Intel 4004 processor back in 1971 it ushered in, as they stated, ‘A New Era In Integrated Electronics’. This new building block enabled engineers, through the use of software, to perform different functions in a wide variety of electronic devices. Devices that prior to the age of the microprocessor had just one or two functions could now have many more. The classic example is that of a washing machine. In the past they may have had three different wash cycles – whites, darks, colours – nowadays they have dozens. This is all down to a microprocessor. So is your washing machine actually a computer? In a way, yes it is. Does that mean it’s subject to cyber-attacks? Only if it is also ‘connected’.
Once a computer is running software and then is also connected to a network, be that a corporate network or the internet, then it is at risk from cyber-attack. So if your latest coffee machine is hooked up to your WiFi network at home so it can connect to the supplier, then it is potentially vulnerable and may give a cyber-criminal just enough access to use it as a gateway into your network and access data of greater interest than how many espressos you are getting through in a day.
Of course this is the basis of the much-hyped Internet of Things (IoT), where all forms of computing devices, from security cameras, fridges, cars, set-top boxes, printers and more, are connected and communicating. This may still seem like science fiction to many, but it’s actually happening and was predicted to occur as long ago as 1991 by the team at Xerox PARC. At that time, they coined the term “Ubiquitous Computing”, where computing can occur using any device, in any location, and in any form. It’s computing alright, but not as many have come to know it.
This inability to recognise computers, even in their IoT forms, their mobile forms or their domestic appliance forms, is a major headache for anybody formulating a cyber security strategy. After all, how do you secure an internet-connected coffee machine? It was possibly this flaw in identification, and its associated risks, that led to the successful cyber-attack on the major US retailer Target. The investigation into this attack concluded that the perpetrators got in via a flaw in the air conditioning system, which was a microprocessor-based system running software and connected to the network. This is not an unusual system, as many such building management systems (BMS) connect to corporate networks for remote monitoring purposes. But in this case I have to assume that it was not recognised as a computing device and therefore not deemed a significant cyber risk.
The prediction of Xerox PARC that computers would be everywhere, that their presence and use would be ubiquitous, is true, but even then it was identified that privacy may be an issue in this new world. So they were right again. So can you identify all the computers you have at home and in your office? Can you then determine how many are connected to your network and how they are secured, if at all? Chances are there are a lot more out there than you ever realised; they just didn’t look like computers.