HOUSE_OVERSIGHT_018334.jpg

result immediately as a warning to possibly affected victims, but the exploit hummed at such a basic level of the system that it proved impossible to fully patch. It was like trying to patch physics. Connection changes the nature of an object. This has a particular impact on the security of our systems, and by extension, our own safety. Computer researcher Nathaniel Husted has described a world of “emergent vulnerabilities” - wormholes in software and hardware, communications or finance, that pop up in the connected universe unbidden and unplanned. “The fundamental aspect of emergent vulnerabilities and attacks,” Husted writes, “are that they appear benign until certain criticality conditions are met, at which point they become malignant.” 142 These risks we don’t want sit right alongside all the things we do want from connectivity. In fact - and this is Hulsted’s point — they are the things we want from connectivity, perverted into danger. Paul Baran would have been impressed to see just how right he was, how connections between us now are like irresistible gravity waves - and how gravity always wins. In 2015, for instance, Israeli security developed an astonishing hack that proved that nearly spiritual claim that all objects were linked by connection- and demonstrated the way that slippery, hungry attacks can breach even the safest- looking arrangements. “It has been assumed that the physical separation of computers provides a reliable level of security,” Mordechai Guri and his team wrote in a paper describing how they had used one isolated machine to infect another. Physical separation is, in fact, one of the cardinal rules of safe computing, a kind of lemma to join Robert Morris Sr,’s “don’t connect” rule of network safety: Two machines, unconnected by a network, should not be able to affect each other. Imagine | put one kid with a flu in one classroom and a schoolmate of his in another building. The second kid should remain healthy. The Tel Aviv research team wanted to challenge this. They first placed two computers side by side on a desk, unconnected to each other by any wire or network. One machine was connected to the Internet. The other was completely isolated - it was “air gapped”, like the healthy kid in the distant building, a sort of digital “boy in the bubble,” in touch with only the air around it. Then, the researchers began their Houdini trick: Look! Watch us corrupt this completely unconnected machine! Running a set of programs on the network-connected machine, the Israeli team was able to warm the processor board of that computer like a revving car engine, eventually making it hot enough that the temperature changes were detected by sensors inside the secure, allegedly impregnable “boy in the bubble” machine sitting nearby. The heat wave triggered a fan system inside the clean machine, which in turn activated a piece of pre-installed malware that let the hot machine pwn the bubble machine through temperature variations. In a video demonstration of the exploit, you can watch the infecting machine glow ever hotter, issuing “thermal pings” as it sweats and then infects its 142 “The fundamental aspect”: Nathaniel Husted “Analysis techniques for exploring emergent vulnerabilities and attacks on mobile devices” PhD. Thesis (available online from Indiana University, 2013) p.v 102 HOUSE_OVERSIGHT_018334