Friday, February 6, 2015

Black boxes can cut both ways

In just a few years, the widespread use of the cloud has changed a lot of things: well-connected people have seen their social lives change completely. Privacy has all but disappeared; we are constantly under the eye of big-data black boxes that monitor, more and more invasively, every aspect of our lives. Users are usually on the receiving end of the abuse and, sadly, most of them don't care. But this isn't where the "fun" ends.

Black boxes can cut both ways...

Let's imagine that company A wants to collect usage and results data from a device they just put on the market, in order to demonstrate the benefits of that device, which could be useful to get the product approved by the relevant agencies. The product would be released in limited test markets and the data collection would be as discreet as possible. A very cheap large-scale test. And also a mild case of "security by obscurity".

Let's imagine that company B, a competitor of company A enjoying a near monopoly in the device category that company A is trying to enter, is extremely annoyed by that new arrival on the market. A typical delaying tactic would be to launch a bunch of lawsuits, for example for patent violation, and drag the cases out for years. But that is so visible and so 20th century... (See Sanofi and the Lantus saga, for example.)

In our fictitious 21st century world, there could be more subtle ways to derail or delay an unwelcome competitor. Company B would, most certainly, have had a very close look at its future competitor's device. They might notice the discreet data transfer.

And decide to exploit it.

They could, for example, upload totally plausible but bogus data into the big black box and skew the results in a negative way. That would be a very smooth and subtle attack. It could apply not only to devices, but to drug trials. Company C could be sending patients home with a new class of antiarrhythmics and continuous ECG monitors. Blood pressure monitors could automatically upload the phase III results of a new renin inhibitor...
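The "plausible but bogus data" attack only works when the black box cannot tell a genuine device's upload from anyone else's. As an added example that is not part of the original post, here is a minimal collector that authenticates every record with a per-device HMAC key and rejects replays; the device id, key, field names and sample readings are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed per-device secret keys provisioned at manufacture (assumption:
# the collector holds one key per device serial; a real deployment would keep
# them in a KMS/HSM and rotate them).
DEVICE_KEYS = {"dev-0001": bytes.fromhex("00" * 16 + "ff" * 16)}


def canonical(device_id, payload):
    """Bytes that get authenticated: device id bound to canonical JSON."""
    return device_id.encode() + b"|" + json.dumps(payload, sort_keys=True).encode()


def sign_record(device_id, payload, key):
    """What a genuine device sends: payload plus HMAC over id and payload."""
    mac = hmac.new(key, canonical(device_id, payload), hashlib.sha256).hexdigest()
    return {"device": device_id, "payload": payload, "mac": mac}


class Collector:
    """Server-side 'black box' that ingests only authentic, non-replayed records."""

    def __init__(self, keys):
        self.keys = keys
        self.seen = set()      # (device, seq) pairs already ingested
        self.accepted = []     # payloads that made it into the results

    def accept(self, record):
        key = self.keys.get(record.get("device"))
        payload = record.get("payload")
        if key is None:
            return "rejected: unknown device"
        if not isinstance(payload, dict):
            return "rejected: malformed payload"
        expected = hmac.new(key, canonical(record["device"], payload),
                            hashlib.sha256).hexdigest()
        # Constant-time compare: a plausible payload without a valid MAC fails here.
        if not hmac.compare_digest(expected, str(record.get("mac", ""))):
            return "rejected: bad mac"
        seq = payload.get("seq")
        if not isinstance(seq, int) or (record["device"], seq) in self.seen:
            return "rejected: missing or replayed sequence number"
        self.seen.add((record["device"], seq))
        self.accepted.append(payload)
        return "accepted"
```

Only records that pass all three checks (known device, valid MAC, fresh sequence number) reach the results set, so a competitor who can see the upload channel but not the device key cannot skew them.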

If they were more aggressive, they could eventually contract some unethical party just to grab the data cache and run away.

Then, if anything goes wrong, one can always blame the Chinese...

Important note: the above is absolutely fictitious. It is just one of the dozens of possible exploitation scenarios in a world where big data collides with poor or even decent IT security practices. The possibilities are endless and we don't know where we are going.
