Source code for the sophisticated Stuxnet worm has reportedly made it onto underground forums where it is been offered up for sale at some unspecified price. This not entirely unexpected development, first reported by Sky News, has prompted the satellite TV channel to get for broke with a loosely substantiated story …
I assume then, from the same people who bring you Faux news, that my dishwasher and washing machine will soon be controlled from Iran/Iraq/China/Israel etc. etc. and they will subvert the toaster and microwave in turn.
Never again will I be able to go to the kitchen at night unarmed.
The central heating will either be on full or nothing and I fear for the safety and sanity of the DECT phones.
Private Fraser was right, Sky News(?) is right - we're all doomed!
Your are not far off
Your dishawasher will be controlled by your smart house controller.
IMO, there is nothing inherently wrong with that idea if I control it and control it via a device which is mine for which they supply information. I am slowly building something along the same lines myself in my house and I am not the only to reduce my power bills.
That however is not how a lot of players in this field see it. If you read most of the proposals for the Government Smart Metering consultations as well as the pre-consultation work by the Energy retailers association it is EDF, British Gas or the comms supplier like Vodafone who wants to do that and insist on _OWNING_ the equipment which controls it.
That would still have been fine (or kind'a fine) if the equipment was designed by the usual Internet, comms or even mass market retail players. That however is not the case - it is being design by the same people who design SCADA and industrial telemetry systems.
I have been saying this for years long before this Stuxnet affair - they are utterly clueless and oblivious to the way the real world functions. SCADA security is a joke. They think that by jacking up access control to crazy levels they have secured the system.
Wrong, the hacker's job is to circumvent access control and Stuxnet has show just how easy it is to do it with a SCADA system. We, who do real Internet work of any kind have know this for years.
The energy sector is yet to learn that. If it did it would not have tried designing smart meters running Windows XP embedded. Which is what it does now.
So, coming back to your question. How do you feel about _ALL_ appliances in your house _AND_ _THE_ _MAIN_ _OFF_ _SWITCH_ (that is what a smart meter is) being under control of a Windows XP appliance with userland code written by a someone who have never ever had to write any code exposed to a real Internet security threat. How do you feel knowing that this is connected to both a local network to talk to a display using a commoditity protocol, to a WAN and probably even to your local network to give you a daily dose of greenwash?
Are you feeling fine? I bet you do :)
Its not just making these items secure for the present thats a problem...
...what about the future?
My electric meter was fitted in the 80s and still works fine.
Imagine a computer doing that job thats just 10 years old? Windows of that age is not supported anymore. You can't remote install a new version because the hardware won't take it.
You are left with meters that need to be changed out every few years to make sure they are fully patched and supported.
If these smart meters are supposed to lower your carbon footprint, it will be offset in the wrong direction with all this extra waste of equipment.
Not to mention all the people hacking into the boxes to get cheep electricity (and if they are on the same street as you, hacking into yours and increasing your use so all the sums add up)
There's a good point to be made that a meter based around a small SoC or MCU is, really, about all that is required. Or am I missing something in thinking that a computer capable of running any version of Windows is complete overkill for an electricity metering system, and something of an awfully ironic joke if this is being done to increase efficiency.
Very true, all you need is a small controller. Smart but not too smart. Should run till the chips wear out.
Trouble is, the powers that be want more and more out of things, so there is a danger of a windows CE device (or what ever its called now) being used
Argh! my eyes!
That Sky article and especially the comments at the bottom really make for painful reading! These people have NO CLUE!
Welcome to the Real!
You will like it here...
I did want to post a comment
I did want to post a comment on the Sky News website, but where do you start...?
Tell me about it
There's no way to argue with pious stupidity.
Also, it was difficult to tell where the article ended and the comments began, what with all the random red text and capitalisation.
Its not just stupidity
TV news is just as bad as the tabloids for blowing a story out of proportion just to sell their news product.
Gilpin goes on to conclude...
that the government should really pay him a lot more money to protect us from these deadly cyber-terrorists!
Considering emergency services control rooms/dispatch centres don't even use Siemens industrial control hardware (certainly the one I'm in right now doesn't, and why would they anyway?) I'll be sticking this one squarely on the "alarmist bullshit" pile, along with everything else that comes out of Fox "News".
Shutting down the transport network across the UK
A bit like snow but without the snowmen and snowball fights?
What is quite funny about the comments on the Sky news site is that many have commented as if they are true experts in computer security but their comments indicate the opposite.
Viruses in the hands of bad guys.
And there's me thinking that Stuxnet was developed by totally above-board professional programmers.
Virus is in the hands of bad guys
You took the words right out of my mouth. And, um, "bad guys"? Well, I suppose calling them "bad guys" is a step closer to reality than the usual "HACKERS did it", but I'm sure that was in there too...
IT consultant to the goverment..
If that's his grasp on reality, it certainly explains most of the recent goverment IT projects.
Sky News Video
The video made me laugh, "guys were making a section about the sale of the source code for a virus, we need some code to slide across the screen to make it look 'cool'"
So he just copies and paste's the HTML for sky news homepage....
Sky News can be sensationalist and inaccurate?
This is the same Sky News brought to us by the Murdoch empire, who also provide us with the sizzling soaraway Sun, right?
My level-of-surprise-o-meter has stayed firmly at zero throughout this one......
Fair and unbiased....
Remember their US sister station is FOX news. Who would never use alarmist stories to push their news agenda....
A man who has worked in Information Assurance for 8 months (and that at the Youth Justuce Board, hardly part of the High Threat Club) considers himself authorititative enough a source to comment to the media.
What a gobsh1te.
CLAS consultants may not all be god's gift but I hope most are better that this fool.
Sod Sky News
Sod Sky News, the Daily Mail should get on the case - I want to know if Stuxnet causes (or maybe cures) cancer!
Stuxnet does not cause cancer.
But it will lower your house value.
Worse than that
It will download swan-roasting immigrant homosexuals directly into YOUR CHILD's bedroom.
Be afraid. Be VERY afraid. And vote Tory.
With Whom do you Battle, and Do Battle With in CyberSpace? The Enemy is Within for Withering Fire
""The problem with inaccurate, inflammatory and irresponsible stories about Stuxnet - good though they may be for page impressions and video views - is that they make cybercriminality sound like a second-rate problem when it is positioned against a news backdrop alleging cyberwar," Ducklin writes."
You think there is presently cyberpeace and virtual harmony, amfM writes Mr Ducklin?
God, it's good to hear the voice of reason again.
@AC 10:58 "You are not far off"
Have you read the paper from Professor Ross Anderson (Cambridge - if readers have been paying attention they'll know that name from his well known work on IT security) on Smart Meters?
Readers who haven't already read it should start at
It expresses (in more detail) the same basic concerns that AC 10:58 expresses. Now who's looking silly?
Maybe a few folks ought to think (and better still, read) before downvoting next time?
Have a secure weekend.
Just run everything important on Solaris (or at least a flavour of *nix) with a decent O/S hardening security toolkit enabled across all systems. What do you expect if you run mission critical systems on windows platforms (not that i'm biased or anything)?
Nice idea, but the malware writers target the the most popular O/S. As OSX gets more traction I fully expect it to come into the sights of the bad guys as a useful target. If we were to use *nix as the global desktop of choice, the bad guys would invest all the efforts into finding holes and gaining access. Despite *nix supporting some huge datastores with some seriously useful information, they want simple easy targets and fast bucks, *nix is not worth the effort right now.
Watch this space though....
@Your are not far off
Well said Sir, well said indeed.
"My level-of-surprise-o-meter has stayed firmly at zero throughout this one......"
it's a sign of stuxnet infestation ...
The Sky's falling.... (pun)
I saw the broadcast,
looked at the BBc on-line by mistake - no mentio of it, did a googly search.
McAfee Labs rate it at low /low as a threat and it was blocked by the A.V programs as early as July,
BUT it infiltrated an Iranian nuclear reactor - so we better invade the country just to be sure.
Was this an actual Sky news piece or was it a piece lifted from their US Operations
Welcome to the State of Fear.
you could shut down the transport network across the United Kingdom
That comment made me laugh, where I'm from the local transport network cannot even manage regular transport on only one route every 30 minutes (it's more of an hourly service, give or take another 10-20mins on top of that).
Some of the comments on the Sky article are hilarious especially the one about planes falling from the sky, life support machines turning off, and EVERTHING failing (their capitals not mine), almost tempted to go trolling :D
News Corporation stuns Establishment with Underground Trailer
You might like to consider that Rupert and Schloss Murdoch has called it right ....... and Stuxnets are Novel Danegeld Warriors and Virtual Terrain Team Players of First Class Order.
Quote "Some of the comments on the Sky article are hilarious especially the one about planes falling from the sky, life support machines turning off, and EVERTHING failing (their capitals not mine), almost tempted to go trolling."
Hey, wasn't this just the scenario we were cautioned with when 2K was approaching?
Still got a 2K update kit in one pocket, in case I survive till 3K.
Best thing that's ever happened...
Now industrial computing can start taking security seriously. Firm that up now and "CyberWar" will be less effective or nonexistent later when someone attempts it.
Personally, I filed it among all those "End of the Internet" predictions we've been receiving since 1995.
- Review Is it an iPad? Is it a MacBook Air? No, it's a Surface Pro 3
- Hello, police, El Reg here. Are we a bunch of terrorists now?
- Microsoft refuses to nip 'Windows 9' unzip lip slip
- Netflix swallows yet another bitter pill, inks peering deal with TWC
- Special Report Roll up for El Reg's 3G/4G MONOPOLY DATA PUB CRAWL