Tag Archives: Siemens AG

Stuck on Stuxnet

By Jeremy Wagstaff (this is my weekly Loose Wire Service column for newspaper syndication)

We’ve reached one of those moments that I like: When we’ll look back at the time before and wonder how we were so naive about everything. In this case, we’ll think about when we thought computer viruses were just things that messed up, well, computers.

Henceforward, with every mechanical screw-up, every piston that fails, every pump that gives out, any sign of smoke, we’ll be asking ourselves: was that a virus?

I’m talking, of course, about the Stuxnet worm. It’s a piece of computer code–about the size of half an average MP3 file–which many believe is designed to take out Iran’s nuclear program. Some think it may already have done so.

What’s got everyone in a tizzy is that this sort of thing was considered a bit too James Bond to actually be possible. Sure, there are stories. Like the one about how the U.S. infected some software which ran a Siberian pipeline so it exploded in 1982 and brought down the whole Soviet Union. No-one’s actually sure that this happened–after all, who’s going to hear a pipeline blow up in the middle of Siberia in the early 1980s?–but that hasn’t stopped it becoming one of those stories you know are too good not to be true.

And then there’s the story about how Saddam Hussein’s phone network was disabled by US commandos in January 1991 armed with a software virus, some night vision goggles and a French dot matrix printer. It’s not necessarily that these things didn’t happen–it’s just that we heard about them so long after the fact that we’re perhaps a little suspicious about why we’re being told them now.

But Stuxnet is happening now. And it seems, if all the security boffins are to be believed, to open up a scary vista of a future when one piece of software can become a laser-guided missile pointed right at the heart of a very, very specific target. Which needn’t be a computer at all, but a piece of heavy machinery. Like, say, a uranium enrichment plant.

Stuxnet is at its heart just like any other computer virus. It runs on Windows. You can infect a computer by one of those USB flash drive thingies, or through a network if it finds a weak password.

But it does a lot more than that. It’s on the lookout for machinery to infect—specifically, a Siemens Simatic Step 7 factory system. This system runs a version of Microsoft Windows, and is where the code that runs the programmable logic controllers (PLCs) is put together. Once it’s compiled, this code is uploaded to the PLC, the computer that controls the machinery. Stuxnet, from what people can figure out, fiddles around with this code within the Siemens computer, tweaking it as it goes to and comes back from the PLC itself.

This is the thing: No one has seen this kind of thing before. Of course, we’ve heard stories. Only last month it was reported that the 2008 crash of a Spanish passenger jet, killing 154 people, may have been caused by a virus.

But this Stuxnet thing seems to be on a whole new level. It seems to be very deliberately targeted at one factory, and would make complex modifications to the system. It uses at least four different weaknesses in Windows to burrow its way inside, and installs its own software drivers—something that shouldn’t happen because drivers are supposed to be certified.

And it’s happening in real time. Computers are infected in Indonesia, India, Iran and now China. Boffins are studying it and may well be studying it for years to come. And it may have already done what it’s supposed to have done; we may never know. One of the key vulnerabilities the Trojan used was first publicized in April 2009 in an obscure Polish hacker’s magazine. The number of operating centrifuges in Iran’s main nuclear enrichment program at Natanz was reduced significantly a few months later; the head of Iran’s Atomic Energy Organization resigned in late June 2009.

All this is guesswork and very smoke and mirrors: Israel, perhaps inevitably, has been blamed by some. After all, it has its own cyber warfare division called Unit 8200, and is known to have been interested, like the U.S., in stopping Iran from developing any nuclear capability. And researchers have found supposed connections inside the code: the word myrtle, for example, which may or may not refer to the Book of Esther, which tells of a Persian plot against the Jews, and the string 19790509, which may or may not be a nod to Habib Elghanian, a Jewish-Iranian businessman who was accused of spying for Israel and was executed in Iran on May 9, 1979.

Frankly, who knows?

The point with all this is that we’re entering uncharted territory. It may all be a storm in a teacup, but it probably isn’t. Behind all this is a team of hackers who not only really know what they’re doing, but know what they want to do. And that is to move computer viruses out of our computers and into machinery. As Sam Curry from security company RSA puts it:

This is, in effect, an IT exploit targeted at a vital system that is not an IT system.

That, if nothing else, is reason enough to look nostalgically back on the days when we didn’t wonder whether the machinery we entrusted ourselves to was infected.

This week’s column – My Mobile, My Master

This week’s Loose Wire column is about mobile phones:

WE ALL KNOW THAT mobile phones, cellphones, hand-phones, whatever we want to call them (and shouldn’t we all be calling them the same thing?) are changing our lives. But it takes a good old-fashioned survey to wake us up to the glaring reality: They have changed who we are.

If someone had said to you 10 years ago that, in 2004, the majority of people would consider their mobile to be an “extension of their personality,” you would have been forgiven for looking sceptical and saying: “What’s a mobile?” And yet that’s exactly what German electronics giant Siemens found in a recent survey: Across Asia, sizeable percentages of folk believe their cellphone and its contents–music, games, contacts and messages–form an extension of themselves. Heaven only knows what we’ll be saying in five more years. Perhaps we’ll be sending cellphones to represent us in meetings, on dates, and make speeches on our behalf at the United Nations General Assembly.

Full text at the Far Eastern Economic Review (subscription required, trial available) or at WSJ.com (subscription required). Old columns at feer.com here.

HandyMan.Com, Coming Your Way

Here’s something for U.S. readers only: Find a computer repair guy online.

For individuals and companies that can’t afford IT support personnel, ComputerRepair.com offers access to more than 3,000 technicians in all 50 states, and counting. It’s a kind of eBay of tech support: Users are encouraged to post their feedback and rate those computer repair technicians they use.

Full roll-out of the site, their PR guy tells me, is planned to take place within the next couple weeks. “Once that happens, people can open an account…put some funds in that they think will cover their work…and then manage the entire process electronically in an online desk. And they only pay once the work is done to their satisfaction.” For more on how this may work, check out the FAQ question on it. The company has filed a patent on this system.

Intriguing. I’ve always felt this kind of market-place for services makes sense, and it’s good to see something like this done imaginatively. The PR says that a number of larger service providers, such as EDS, IBM and Siemens, “have been using the platform to find techs to meet their service level agreement requirements in remote areas….where it’s not worth them having people.”

I guess my worry is whether people are going to be willing to put the money in up front, even before a suitable technician is found. What happens if a customer decides they can’t find a suitable technician on the site? Do they get their money back? (Probably, but the customer may feel it’s a bit of a hassle paying in advance.)

Minor quibbles. It’ll be interesting to see how this site fares. The PR guy says that despite being in beta — i.e., not completely ready for launch — the site gets about 27,000 hits a day. He also says that further down the road the company is considering expanding globally (they’ve gotten interest from vendors in a number of countries from Africa to Asia to Europe).

Who’s In Charge? The Machines, Or Us?

Are we liberated by technology, or its captive?

I love my handphone and I congratulate myself, as I’m checking my email in the middle of some dusty Indonesian kampung, that I have harnessed technology and not the other way round. But sometimes I wonder.

A recent poll by Siemens called the Mobile Lifestyle Survey (no URL available, I’m afraid) indicated that more than half of the people in Indonesia confessed that if they forgot their mobile phone at home, they would go back for it. If you’ve seen Jakarta traffic you’ll know that’s no small chore. Two thirds of Indonesian men and women see their mobile phone as an extension of their personality, directly reflecting their moods (whatever that means).

And just in case you think it’s just handphones that we can’t live without, the British Press Association quotes a survey by pollsters MORI that one in three adults and 44% of youngsters class their machine as a “trusted friend”, while 16% of adults and 13% of 11 to 16-year-olds said: “I often talk to my computer.” And I don’t think they’re using dictation software.

News: Nokia Confirms N-Gage Cracked

Nokia has confirmed a story doing the rounds yesterday: that hackers have cracked the copy-protection codes for its newly launched N-Gage gaming device, allowing copied games to be downloaded over the Web, according to Reuters.

Nokia has high hopes for N-Gage, aiming to challenge market leader Nintendo’s Gameboy Advance. A vital part of the revenue from N-Gage will come from games, which are sold separately, but Nokia said it did not expect the illegal downloads to become widespread. The cracked versions of the games can in principle be installed and played on any phone that uses the same basic operating software, Series 60, used in N-Gage. Other models include Siemens’s SX1.

Loose Wire: Excuse Me, My Ego’s Ringing

[This appeared in FEER, 01/31/2002]

Few of us stop to think just how revolutionary the mobile phone is. It enables us to be always on call and always in touch with those important to us, it frees us from the confines of office and home, but perhaps most importantly it gives us something to fiddle with during awkward moments at meetings, parties, funerals, etc. And the revolution is only just beginning.

Mobile phones have redefined the concept of personal space, of what is meant by communication, as well as allowing us to send messages to each other — mostly consisting of such vital data as smiley icons, jokes and “you owe me rent.”

Mobile phones, in short, have altered the way we behave. The phone has become an extension of our bodies, and we feel lost without it. It’s the first thing we park on the table at restaurants, bars, desks, pulpits, etc. As cultural observer Sadie Plant, in her entertaining treatise On The Mobile, has observed, whether we have one, how we use it, how many names we have stored in its memory, all define what kind of person we are, indeed, whether we are anybody at all.

As mobile phones change us, so in turn we feel compelled to ensure they say as many good things about us as possible, short of hanging a placard around one’s neck saying “really nice guy, cool but not aloof, interesting job but even more interesting hobbies involving water, rocks and rugged footwear.” We buy the latest model and parade it until another model comes along, after which we sheepishly stuff it in our pocket. I was mortified when my Nokia Communicator, a bulky but state-of-the-art number incorporating keyboard, big screen, tumble-dryer, etc., was mistaken for one of those brick-sized monstrosities of yore.

Smaller phones don’t necessarily mean less intrusive: In fact the fancier the phone is, the smaller it is, which means the more prominent it should be. To assist visibility, buy a snap-on cover sporting designs from Snoopy-esque to racing cars. The next stage, of course, will be for the phones to actually be shaped like a Disney character or a packet of cigarettes, which might well mark the end of civilization as we know it. In the meantime, Nokia this month unveiled a subsidiary called Vertu to produce handphones encrusted in precious gems and sporting luxurious metal finishes. Sadly, tackiness and handphones seem a good fit.

As if that wasn’t enough, ring tones show no sign of getting tasteful. A new generation of palm-sized devices which double as phones will use ordinary sound files as ring tones. In the future, expect to hear more melodious stuff or, more ominously, recorded voices of Hollywood characters uttering personalized messages along the lines of: “Sebastian, you have a call from your mother.”

Of course, handphones have wrought broader change. The overthrow of Philippine President Joseph Estrada is an oft-cited example of the broadcasting power of short messaging, or SMS, but protests have been coordinated by mobile phone for much longer. Many middle-class students involved in the anti-military uprising in Thailand in 1992 had the bulky units of the day stuffed into their jeans, which must have been painful when their soldier captors forced them to crouch or crawl.

But more importantly, it’s no longer a revolution confined to the elite. In poverty-stricken Indonesia, for example, mobile phones will out-number land lines this year. Transvestite prostitutes wandering the streets near where I live all seem to be sporting the latest silver-plated Nokia, and when the shoeless busker who accosts your car at a junction pauses in his rendering of “Ole Ole Ole” to answer his Siemens you know the mobile phone has broken out of its traditional socioeconomic limits. This is no bad thing. The more of us have these dang things, the quicker we can agree on how they are used and, most importantly, what to do to people who use overly glitzy phones with annoying ring tones. Make them eat the precious gems, I say.

(Copyright (c) 2002, Dow Jones & Company, Inc.)