Shulou(Shulou.com)06/02 Report--

Facial scan shopping, smart parking, smart attendance. Today, computer vision technology has penetrated into all aspects of daily life, so many people suffer from "camera anxiety."

Recently, from the technical and ethical issues caused by face recognition into the classroom, to the privacy controversy after the explosion of AI face-changing app ZAO, and the "sense of monitoring" locked by the ubiquitous urban surveillance network, it has been beating the public's sensitivity to over-exposure of personal data.

After the shock, it is inevitable and appropriate to discuss whether the technology companies are doing the right thing and where are the boundaries for collecting user data. In fact, whether it is the gradual strictness of privacy laws in various countries, the pressure of public opinion, or logical reasoning, technology companies are unlikely to actually use users' sensitive data to do something self-destructive and with serious consequences. Companies such as Facebook and Apple struggle to find compensation after being questioned by the public, which is a living example.

What should be more vigilant is those who are far beyond the scope of ordinary people's perception.

Invisible cockroach: black ash hidden behind the AI camera

You won't see only one cockroach in the kitchen-the famous cockroach theory (cockroach theory), which says that once there is a little negative news, more problems are often covered up. The issue of privacy is the same.

Take the most widely used computer vision, the front-end perceptual hardware intelligent camera has always been the new favorite of the market, low-power face capture, recognition, analysis and so on. It has been widely deployed to public areas such as airports, stations, commercial streets and tourist scenic spots. The real-time traffic control of the smart city is inseparable from the dense cameras, and the food and health department has already deployed high-definition cameras in the back kitchens of restaurants and hotels. Needless to say, even at home, many people have paid to install smart cameras for themselves.

But there is also a saying in the hacker circle-"if you don't know the attack, how can you know how to guard against it?" If we don't know how the data behind the camera is leaked or illegally occupied, how can we ensure security? However, with the blessing of AI and the prosperity of the Internet of things, intelligent cameras are becoming a new hotbed of black ash production.

We find that the private data collected by smart cameras are being illegally profited from several angles.

The lowest technical content is to break through some simple and inexpensive smart cameras.

The core demand of this kind of products is monitoring, which is used in shops, properties or families, carrying an AI chip and cloud storage services on the basis of traditional industrial hardware. Due to the low threshold, Internet enterprises, OEM manufacturers, security companies and other companies are seizing this market, and the result is to give hackers an opportunity.

In fact, many manufacturers of intelligent cameras do not have the security audit process under the background of cloud computing and AI, products lack of remote update mechanism, design defects that can control the system, and so on, hackers can intercept directly on the IP side through brute force cracking means, and have a glance at users' login keys, image content and other sensitive information. Then grab profits by selling private videos, hijacking cameras, "mining" and other ways.

At the 2018 MWC conference, Czech cyber security company Avast demonstrated the "mining" process of 15000 small networking devices in four days, mining cryptocurrency worth 1000 US dollars. The smart cameras all over the corners of the city are undoubtedly popular in the eyes of attackers.

After the data is on the cloud, will it be safe?

Of course, for this kind of routine, as long as we resist the temptation of low prices and choose some regular intelligent camera manufacturers and machine vision solution service providers, with basic firewalls, code audits, fuzzy testing of equipment security, transmission communication encryption, and so on, can play a certain role of prevention.

As computer vision technology begins to gain the favor of B-end organizations, hackers are also highly skilled and daring, and their wealth is gained from risks, turning their attention to more "valuable" targets. Began to invade the camera systems of schools, medical care and even police stations on a large scale.

In 2017, two hackers hacked into outdoor surveillance systems deployed by the Washington, D.C. Police, and 123 security cameras deployed in the closed-circuit TV system of the Washington D.C. Police Department (MPDC), which included real-time information on all the city's public spaces and demanded that the Washington police pay a ransom.

To this end, the police even had to shut down the system for four consecutive days two weeks before Trump's inauguration. Of course, this is not alone. Last year, China also saw hacking into routers and smart cameras, then encrypting files and requiring victims to pay fees for decryption through mobile phone transfers.

The attacks against large-scale organizations mentioned above cannot be resisted by traditional firewall + security software. Because of this kind of intelligent camera system network, it is difficult to meet the storage and computing needs locally, so we need to upload surveillance video to the cloud, automatically update software and so on, so we need to connect with the network all the time. Some solution vendors that do not have the capability of cloud services often choose to cooperate with third-party cloud services. Once the other party has a security breach, all related camera networks will be affected.

For example, the exposure of the security camera network in Washington was caused by the breach of the "specialized computer installed next to the camera" and the MPDC network. Earlier, hackers stole 400GB's internal data from Hacking Team, an Italian security company that specializes in surveillance technology. Overseas Threat Stack network security teams have also found that the complexity of attacks by hackers using AWS (Amazon cloud service) has increased sharply since 2016.

Hackers take advantage of the features of cloud services, such as stealing AWS keys to obtain resource paths in open S3 containers, or launching new Amazon Elastic Compute Cloud (EC2) to dig mines, creating several sensitive information disclosure incidents. Although Amazon soon launched Macie to protect AWS S3 data and provide free container checks through Trusted Advisor, such incidents still occur frequently. The secure "star-picking trip" is still on its way.

Internet of things era of cyber attacks: self-redemption of AI

In 1999, MIT put forward "everything can be interconnected through the Internet", and the concept of Internet of things came out. The arrival of intelligent perception not only adds the wings of "perception" and "computing" to the Internet of things, but also puts forward new challenges to security issues. According to the 2018 threat report by CenturyLink of the United States, there are 195000 cases a day worldwide, and regions with strong or fast-growing IT networks and infrastructure are the main sources of cyber violations.

It is more likely to be hijacked or attacked for the following reasons:

First of all, from the attacks faced by the intelligent camera network, the traditional security strategy of end-to-end encryption does not meet the objective needs of the society to collect and utilize data legally and intelligently. The introduction of encryption technologies such as hash locks to protect privacy will bring longer computing delay, higher computational complexity will also increase the additional consumption of users, and so on. These tradeoffs are intertwined. It is also the reason why the boundary of the whole industry on the issue of privacy and security is blurred and it is difficult to completely "revolution".

At the same time, the coexistence of public cloud, private cloud and hybrid cloud, the unclear standard of hardware industrial deployment, the diversity of local and cloud storage, and so on, lead to the complex security situation of computer visual Internet of things system with camera as the core. Leaving hidden "empty doors" to hackers, once the use of distributed attacks to trigger a chain reaction of large-scale networks, the consequences are often incalculable.

In addition, deploying and connecting the Internet of things system in the enterprise or consumer environment is essentially the interconnection of devices, software, networks, personnel and other endpoints, and dynamic risk has become the weakness of the security of the Internet of things system. Because in the face of threats, we need to consider not only the technical components, but also the people and partners within the system. The security strategy of each link is different, and it is often the "shortest plank" that determines the overall security of the system.

Lack of security training, lack of employee awareness, simple human errors, etc., may cause even if the loophole is repaired on the technical side, it is difficult to quickly update comprehensively and delay the best time to recover the loss.

More importantly, the Internet of things system, represented by the camera network, has become an ecosystem of intelligent data aggregation, which is directly related to the information and property security of individuals and institutions, which means that the risk cost of the system being breached is higher.

Just imagine, if the hacker breaks through the intelligent camera on the private car, it is likely to cause a chain reaction of the car networking system and public safety hazards; fake faces to deceive the company's access control system, resulting in the leakage of important data; if the public camera network of the smart city is hacked, the important data of all citizens and management systems will be handed over.

Obviously, in the construction of AIoT of the Internet of things in full swing, it is far from enough to blame technology companies to protect users' privacy. The fishy smell of money can always attract illegal people to take risks, and there is no way out except to keep fighting technically. Fortunately, while the Internet of things is using data to support intelligent systems, AI is also protecting it.

For example, "edge computing" to avoid sending sensitive data to the cloud is becoming a rigid requirement. At the embedded Electronics and Industrial computer Application Exhibition Embedded World, processing more data through edge devices (edge device), as well as related chips, processors and other industry chains, has been the focus in the past two years.

At the same time, security protection also began to closely integrate with AI, through the automatic processing of vulnerability reports and program code, to achieve automatic research on security vulnerabilities, so as to avoid some multiple new attacks as soon as possible. In the process of introducing machine learning algorithm into intrusion detection, we can effectively deal with the information obtained by real-time detection, and judge the possibility of attack, give an alarm in time, so that the small actions of the attacker have nowhere to hide. Splunk, Gurucul, Symantec, IBM, 360and other security vendors are already AI fans.

Generally speaking, AI and the Internet of things are becoming the general trend of smart city construction. Internet companies, smart equipment manufacturers, security manufacturers are in "cross-border" transformation, AIoT is accompanied by technology explosion and fission, infiltrating into thousands of industries.

But at the same time, its privacy and security environment has also ushered in great changes. Every individual, every hardware, every transmission, may become a "fat sheep" under the knife of the hacker.

When we worry about the privacy of technology manufacturers, don't forget to put the first lock for the most basic data security.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.