SAN FRANCISCO — The near future may see widespread internet blackouts, mass breaches of biometric data, and “drone swarms” of malicious buzzing devices honing on a target, former FBI cybersecurity analyst Jason Truppi told the BSides SF hacker conference.
Drones on the Attack
The migration of technology from large, expensive devices to numerous small, cheap ones is changing the nature of aerial filming, aerial surveillance — and aerial attack.
“You guys saw the Super Bowl, right?” Truppi, who now works in the private sector, asked the audience, referring to the Intel-sponsored swarms of drones that rearranged themselves to form aerial messages and brand logos during Lady Gaga’s halftime performance at Super Bowl LI earlier this month.
“I am a prepper, and I was looking up how to create my own EMP [electromagnetic pulse] devices” to knock them out of the sky.
The Super Bowl drone swarm was prerecorded and digitally pasted in behind Lady Gaga’s live performance, due to federal regulations against operating large numbers of drones above large numbers of people.
But such rules wouldn’t apply during wartime. Last month, the Air Force last month showed it had tested its own swarm of tiny drones, which had been dropped out of two F/A-18 fighter-bombers, as potential warfighting technology.
“Right now, the battery technology isn’t that good, and these things will fall out of the sky after 20 minutes,” Truppi said. “But what about when the batteries get better?”
Internet of (Very Dangerous) Things
Smart-home devices, otherwise known as the Internet of Things, will pose just as much danger, as the Mirai botnet demonstrated during the East Coast internet disruptions this past October, Truppi said.
As with drone swarms, neither government nor the private sector currently know how to prevent attacks from so many small devices focusing their fire on single targets at the same time. And an increasing reliance on biometric data, such as fingerprints, iris scans or DNA, will create its own problems as those records get stolen and millions of people discover their own bodily functions can’t be relied upon.
“Not many ISPs [internet service providers] can handle terabit-per-second attacks,” Truppi said. “I predict we are going to have massive internet outages that are bigger than anything we’ve seen, as long as we continue to put out vulnerable IoT devices.”
The Mirai Internet-of-Things botnet attacks saw KrebsOnSecurity, the blog run by independent security reporter Brian Krebs, taken offline for four days in late September 2016 after his service provider could no longer withstand the massive DDoS attack. A week or so later, the Mirai source code was posted online, virtually guaranteeing further attacks.
On Oct. 21, websites and internet-based services ranging from Netflix to Spotify to Reddit became unreachable as Dyn, a domain-name-service provider based in New Hampshire, came under attack from thousands of commercial security-camera systems that had been infected by Mirai.
Stolen Fingerprints, Stolen DNA
Government, the private sector and the general public have been led to believe that biometric authentication is the gold standard, because it’s supposedly hard to fake a fingerprint or DNA.
But what about when such records get stolen, as they were in the massive theft of data from the federal Office of Personnel Management (OPM) in 2015?
“What if your fingerprint or your DNA gets stolen? How do you authenticate yourself then?” Truppi asked.
“The OPM hack was one of the most devastating of my [FBI] career,” he said. “My own data was in there, and it wasn’t protected. My friends and my family were affected. Until now, I didn’t know my own information was guarded by OPM. But from now on, for the rest of my life, I can’t trust my own fingerprint on any biometric device.”