Stuck on Stuxnet

November 22, 2011

By Jeremy Wagstaff (this is my weekly Loose Wire Service column for newspaper syndication)

We’ve reached one of those moments that I like: When we’ll look back at the time before and wonder how we were so naive about everything. In this case, we’ll think about when we thought computer viruses were just things that messed up, well, computers.

Henceforward, with every mechanical screw-up, every piston that fails, every pump that gives out, any sign of smoke, we’ll be asking ourselves: was that a virus?

I’m talking, of course, about the Stuxnet worm. It’s a piece of computer code–about the size of half an average MP3 file–which many believe is designed to take out Iran’s nuclear program. Some think it may already have done so.

What’s got everyone in a tizzy is that this sort of thing was considered a bit too James Bond to actually be possible. Sure, there are stories. Like the one about how the U.S. infected some software which ran a Siberian pipeline so it exploded in 1982 and brought down the whole Soviet Union. No one’s actually sure that this happened–after all, who’s going to hear a pipeline blow up in the middle of Siberia in the early 1980s?–but that hasn’t stopped it becoming one of those stories you know are too good not to be true.

And then there’s the story about how Saddam Hussein’s phone network was disabled by US commandos in January 1991 armed with a software virus, some night vision goggles and a French dot matrix printer. It’s not necessarily that these things didn’t happen–it’s just that we heard about them so long after the fact that we’re perhaps a little suspicious about why we’re being told them now.

But Stuxnet is happening now. And it seems, if all the security boffins are to be believed, to open up a scary vista of a future when one piece of software can become a laser-guided missile pointed right at the heart of a very, very specific target. Which needn’t be a computer at all, but a piece of heavy machinery. Like, say, a uranium enrichment plant.

Stuxnet is at its heart just like any other computer virus. It runs on Windows. You can infect a computer by one of those USB flash drive thingies, or through a network if it finds a weak password.

But it does a lot more than that. It’s on the lookout for machinery to infect—specifically, a Siemens Simatic Step 7 factory system. This system runs a version of Microsoft Windows, and is where the code that runs the programmable logic controllers (PLCs) is put together. Once they’re compiled, these PLC programs are uploaded to the computer that controls the machinery. Stuxnet, from what people can figure out, fiddles around with this code within the Siemens computer, tweaking it as it goes to and comes back from the PLC itself.

This is the thing: No one has seen this kind of thing before. Of course, we’ve heard stories. Only last month it was reported that the 2008 crash of a Spanish passenger jet, killing 154 people, may have been caused by a virus.

But this Stuxnet thing seems to be on a whole new level. It seems to be very deliberately targeted at one factory, and would make complex modifications to the system. It uses at least four different weaknesses in Windows to burrow its way inside, and installs its own software drivers—something that shouldn’t happen because drivers are supposed to be certified.

And it’s happening in real time. Computers are infected in Indonesia, India, Iran and now China. Boffins are studying it and may well be studying it for years to come. And it may have already done what it’s supposed to have done; we may never know. One of the key vulnerabilities the Trojan used was first publicized in April 2009 in an obscure Polish hacker’s magazine. The number of operating centrifuges in Iran’s main nuclear enrichment program at Natanz was reduced significantly a few months later; the head of Iran’s Atomic Energy Organization resigned in late June 2009.

All this is guesswork and very smoke and mirrors: Israel, perhaps inevitably, has been blamed by some. After all, it has its own cyber warfare division called Unit 8200, and is known to have been interested, like the U.S., in stopping Iran from developing any nuclear capability. And researchers have found supposed connections inside the code: the word myrtle, for example, which may or may not refer to the Book of Esther, which tells of a Persian plot against the Jews, and the string 19790509, which may or may not be a nod to Habib Elghanian, a Jewish-Iranian businessman who was accused of spying for Israel and was executed in Iran on May 9, 1979.

Frankly, who knows?

The point with all this is that we’re entering uncharted territory. It may all be a storm in a teacup, but it probably isn’t. Behind all this is a team of hackers who not only really know what they’re doing, but know what they want to do. And that is to move computer viruses out of our computers and into machinery. As Sam Curry from security company RSA puts it:

This is, in effect, an IT exploit targeted at a vital system that is not an IT system.

That, if nothing else, is reason enough to look nostalgically back on the days when we didn’t wonder whether the machinery we entrusted ourselves to was infected.

Podcast: Afghanistan’s Mobile TV Culture

November 22, 2011

The BBC World Service Business Daily version of my column on Afghan mobile users. (The Business Daily podcast is here.)

Loose Wireless 100928

To listen to Business Daily on the radio, tune into BBC World Service at the following times, or click here.

Australasia: Mon-Fri 0141*, 0741 
East Asia: Mon-Fri 0041, 1441 
South Asia: Tue-Fri 0141*, Mon-Fri 0741 
East Africa: Mon-Fri 1941 
West Africa: Mon-Fri 1541* 
Middle East: Mon-Fri 0141*, 1141* 
Europe: Mon-Fri 0741, 2132 
Americas: Tue-Fri 0141*, Mon-Fri 0741, 1041, 2132

Thanks to the BBC for allowing me to reproduce it as a podcast.

Podcast: Google’s Missteps

November 22, 2011

The BBC World Service Business Daily version of my column on Google’s Missteps. (The Business Daily podcast is here.)

Loose Wireless 100908

Thanks to the BBC for allowing me to reproduce it as a podcast.

Afghanistan’s TV Phone Users Offer a Lesson

November 22, 2011

By Jeremy Wagstaff

There’s something I notice amid all the dust, drudgery and danger of Kabul life: the cellphone TVs.

No guard booth—and there are lots of them—is complete without a little cellphone sitting on its side, pumping out some surprisingly clear picture of a TV show.

This evening at one hostelry the guard, AK-47 absent-mindedly askew on the bench, had plugged his into a TV. I don’t know why. Maybe the phone gave better reception.

All I know is that guys who a couple of years ago had no means of communication now have a computer in their hand. Not only that, it’s a television, itself a desirable device. (There are 740 TVs per 1,000 people in the U.S. In Afghanistan there are 3.)

But it doesn’t stop there. I’ve long harped on about how cellphones are the developing world population’s first computer and first Internet device. Indeed, the poorer the country, the more revolutionary the cellphone is. But in places like Afghanistan you see how crucial the cellphone is as well.

Electricity is unreliable. There’s no Internet except in a few cafes, hotels and offices willing to pay thousands of dollars a month. But you can get a sort of 3G service over your phone. The phone is an invisible umbilical cord in a world where nothing seems to be tied down.

Folk like Jan Chipchase, a former researcher at Nokia, are researching how mobile banking is beginning to take hold in Afghanistan. I topped up my cellphone in Kabul via PayPal and a service based in Massachusetts. This in a place where you don’t bat an eyelid to see a donkey in a side street next to a shiny SUV, and a guy in a smart suit brushing shoulders with a crumpled old man riding a bike selling a rainbow of balloons.

Of course this set me thinking. For one thing, this place is totally unwired. There are no drains, no power infrastructure, no fiber optic cables. The cellphone is perfectly suited to this environment that flirts with chaos.

But there’s something else. The cellphone is a computer, and it’s on the cusp of being so much more than what it is. Our phones contain all the necessary tools to turn them into ways to measure our health—the iStethoscope, for example, which enables doctors to check their patients’ heartbeats, or the iStroke, an iPhone application developed in Singapore to give brain surgeons a portable atlas of the inside of someone’s skull.

But it’s obvious it doesn’t have to stop there. iPhone users are wont to say “There’s an app for that” and this will soon be the refrain, not of nerdy narcissists, but of real people with real problems.

When we can use our cellphone to monitor air pollution levels, test water before we drink it, point it at food to see whether it’s gone bad or contains meat, or use them as metal detectors or passports or as wallets or air purifiers, then I’ll feel like we’re beginning to exploit their potential.

In short, the cellphone will become, has become, a sort of Swiss Army penknife for our lives. In Afghanistan that means a degree of connectivity no other medium can provide. Not just to family and friends, but to the possibility of a better life via the web, or at least to the escapism of television.

For the rest of us in the pampered West, we use it as a productivity device and a distraction, but we should be viewing it as a doorway onto a vastly different future.

When crime committed is not just saved on film—from Rodney King to the catwoman of Coventry—but beamed live through to services that scan activity for signs of danger, the individual may be protected in a way they are presently not.

We may need less medical training if, during the golden hour after an accident, we can use a portable device to measure and transmit vital signs and receive instruction. Point the camera at the wound and an overlay points out the problem and what needs to be done. Point and click triage, anyone?

Small steps. But I can’t help wondering why I’m more inspired by the imaginative and enterprising use of cellphones in places like Afghanistan, and why I’m less than impressed by the vapid self-absorption of the average smart phone user in our First World.

Now I’m heading back to the guard hut to watch the late soap.

Podcast: The Lure of Flow

November 22, 2011

The BBC World Service Business Daily version of my column on reading on the cellphone. (The Business Daily podcast is here.)

Loose Wireless 100901

Thanks to the BBC for allowing me to reproduce it as a podcast.