This changes everything | As we travel in autonomous cars or on electronic scooters, a trick involving a bit of malicious code may put our computer networks at risk
1 May 2019
BECAUSE I live in San Francisco, I have been subjected to a number of ill-fated experiments performed by short-lived tech companies. The most recent involves app-controlled electronic scooters. With little advance notice, a handful of companies blanketed cities in the San Francisco area with lavishly branded e-scooters. Anyone with the right app could ride one, then park it somewhere “properly”. Unfortunately, proper parking is really in the eyes of the beholder.
Scooters wound up blocking sidewalks, streets, gutters and doorways. City workers routinely had to dredge them out of a large, local lake. One company, Lime, posted pictures of its broken, waterlogged scooters on Twitter. San Franciscans complained at great length, and the city banned them for several months. And yet, so far, the experiment continues. Two new e-scooter companies recently signed a deal with the San Francisco city government, promising to do it right this time.
Debris from trashed e-scooters is one unexpected side effect of an idea that marketers and futurists call the “smart city”, a cosmopolitan utopia anchored to an eco-friendly power grid, saturated by high-speed internet and with conveniences like e-scooters on every corner or autonomous cars that will bring you takeout. The notion – a good one, to be sure – is that we can use software to make our cities more energy efficient and user-friendly. If an office building is empty in the evening, the smart city diverts power from it to a stadium full of sports fans. If there’s a traffic jam somewhere, grab an e-scooter. If a storm surge is coming, your fully automated home will batten down the hatches for you.
All these scenarios depend on people covering our old, dumb cities with devices that talk to each other over the internet. Those devices might be weather sensors, gas meters, drawbridge controllers, traffic monitors, sanitation systems, surveillance cameras… or e-scooters. They might be stuck to the side of buildings, or dangling from drones. The point is that the city becomes a kind of giant computer, gathering and crunching data from the real world.
The smart city is also programmable. I poke a button on my phone, and I can summon a car. Likewise, a police officer might watch CCTV footage on their phone, and a plumber might shut off a water valve with theirs. Scientists could monitor pollution levels from miles away.
“Renting an e-scooter might inadvertently help a thief break into key computer networks”
There’s just one problem. If everything is full of remotely accessible data, then so are you – and that’s how a new kind of street crime will emerge. Let’s think about those e-scooters again. When I use my app to get that scooter, I’m sending a lot of information to the company that rents it to me. There’s my credit card and email, of course, but more importantly there’s data about where I go. That information is very interesting to thieves with some technical savvy. To get it, a thief injects a little malicious code into an ad on the scooter app. When I click the ad, they start tracking me. Multiply that by thousands, and the thief can figure out, say, who spends time at fancy private clubs or government agencies.
In the smart city, searching for a good mark is that easy. Want a rich banker or a bureaucrat with security clearance? Our thief has a list of thousands of potential targets. Now they can send their chosen marks some phishing emails to gain access to their computer systems at work. It’s a tried and true method: a simple phishing scam led to the leak of Democratic Party emails during the 2016 US election.
And that’s how my choice to rent an e-scooter might inadvertently help a malicious person break into a sensitive computer network. Consider what would happen if someone with technical skills got onto the network that controls bridges or traffic lights. Or broke into your house by hacking your app-controlled heating system. When every object in the city is “smart”, criminals gain access to your valuables through digital keyholes you may not even realise are there.
That’s especially true when you consider the hodgepodge way smart cities are emerging. There is some centralised oversight for technologies used in infrastructure and policing. But services like e-scooters or even autonomous cars will probably be created ad hoc, without much regulation. In the smart city of tomorrow, we won’t just need to teach kids not to talk to strangers. We’ll have to teach them not to talk to hoverboards, too.
Annalee Newitz is a science journalist and author. Her novel Autonomous won the Lambda Literary Award and she is the co-host of the Hugo-nominated podcast Our Opinions Are Correct.
You can follow her @annaleen and her website is techsploitation.com
What are you watching?
I’m catching up on the final season of the post-apocalyptic martial arts/motorcycle/sword epic Into the Badlands.
What are you reading?
I have just finished Eve D’Ambra’s delightful Roman Women, an exhaustively researched introduction to ancient Roman culture that happens to be about the lives of women. I’m also reading Mike Chen’s gorgeous time travel novel Here and Now and Then.
What are you working on?
I’m writing a book about four ancient cities and why people decided to abandon them.
- This column will appear monthly. Coming next: botanist James Wong
More on these topics: