If you are anything like me, when you hear "Hacking in the Year 2030" you immediately visualize hacking robot armies and UFOs to take them down with lazers and ultrasonic USB attachments via your PlayStation 10 using only changes in pupil dilation to read mental instructions of what hacking tools to launch.
Well this technology may very well be around in 2030, but unfortunately most of you are more likely to still be exploiting Cross Site Scripting (XSS) vulnerabilities in the web interface of the killer robots.
So to paint a picture of what we may be doing, lets get an idea of the threat landscape in 2030 by having a look at how things have progressed in recent years.
Over the last 10 years we have seen a series of what I am calling "Hacking Revolutions", as listed below;
- Infrastructure Hacking Revolution
- Web Application Hacking Revolution
- Client-Side Software Hacking Revolution
- Social Networking Hacking Revolution
- The Hacktivism Revolution
- Mobile Hacking Revolution
The "Infrastructure Hacking Revolution" was the first where most attacks were targeting infrastructure. This was because coding within operating systems and services seemed to be lacking a small thing called security. This forced software vendors (primarily Microsoft) to realise that security was pretty important in their long term vision, which led to a dramatic drop in remotely exploitable infrastructure related vulnerabiltiies.
This drop in exploitable vulnerabilities then led into the "Web Application Hacking Revolution". Development was now being undertaken by inexperienced developers with restricted timeframes, budgets, and insecure frameworks, which meant that security was pretty much out of scope. On the up side, this has kept most penetration testers in jobs for many years and will continue to for years to come.
Although the Web Application Hacking Revolution is like that odor in the car that just won't go away, the "Client-Side Software Hacking Revolution" forced itself into the spotlight of hackers. This phase included email Phishing attacks containing exploit code to trigger vulnerabilities in web browsers, office programs, Adobe Flash, Adobe Reader, Java, and so on. This continues today with the ongoing release of 0-day exploits.
One noteable attack technique known as "DLL Hijacking" was identified during this period, which basically revealed a vulnerability that existed in what seemed to be every piece of client-side software that existed on the planet and had to be addressed independently in each piece of software.
The "Social Networking Hacking Revolution" was then born. This provided attackers with not only a vast number of access control flaws to exploit to harvest our private information, but also a new avenue to bypass Spam and Phishing filters allowing malware and web-worms to be propogated more effectively.
The Hacktivism Revolution then began where it seemed that every day was a bright new day for companies being breached and corporate data being published on Pastebin. Hundreds of millions of accounts were compromised during this era and many executives were realising that the Fear, Uncertainty and Doubt (FUD) that their security officers were spreading is actually an every day occurrance.
For a period during The Hacktivism Revolution, it appeared that Anonymous was going to be the next superpower as they forced multi-national corporations to shake at the knees by simply mentioning them in a two minute YouTube video. Although things are relatively quiet after a number of Anonymous members were arrested, it is only a matter of time until the fear wears off and Hacktivists continue their rampage.
The "Mobile Hacking Revolution" came of age where companies were dropped into an area that they have never been before whilst sitting in the middle of an environment where major security breaches and data theft occur regularly. This shift has forced both developers and companies into upskilling and investing in security. Unfortunately access control flaws are rampant and security breaches occur at a larger scale as more individuals trust the app developers with their usernames, passwords and personal data. The most recent breach gaining access to over 50,000,000 accounts.
This Hacking History Lesson reveals one key concept;
As new technologies are developed, the risk to our systems and data increases, and the impact of security breaches increases exponentially.
So what will "Hacking in the Year 2030" look like?
To start with, the number of techniques to perform financial theft will only be limited to hackers' imaginations. Country-based currencies will be left behind as virtual currencies gain popularity. Virtual currencies will therefore become a primary target, and we have seen the conception of this already where financial scams are occurring within virtual online-worlds. These scams are then able to convert their stolen virtual currencies to real world dollars and cents.
This leads into the loss of control that world governments will experience as they begin to lose their enforcement capabilities since country-based laws are no longer enforcable within virtual online-worlds. This is because virtual online-worlds are distributed on systems that are hosted in countries throughout the world with different cyber-crime laws - that is if they have any cyber-crime laws.
Combining the excessive amounts of data collected on each of us, the massively advanced analysis techniques, and extreme processing power developed by 2030, artificial intelligence systems will have the capability to accurately predict what you will do before you do it. Currently we see compromised online accounts being sold in underground markets for use in identity theft and various other attacks for financial gain. The value of today's online accounts pale into insignificance compared to what malicious and profitable exploits can be implemented, by both criminals and organisations, if our actions can be determined before they happen.
The future also requires massive power demands to run the excessive amount of technology, from our wireless Coke can coolers through to our driverless cars and transport systems. Energy suppliers will become even more critical and therefore even more valuable targets for hackers. This may range from extortion attempts by shutting down transport systems through to industrial espionage to steal secrets of how to generate energy more efficiently and in a more cost-effective manner.
"Hacking for Physical Harm" has been used a couple of times in the past, with one example being an epilepsy website that was defaced with flashing coloured squares to trigger epileptic fits. When we eventually lose the need to talk with our mouths and start ordering our coffees using direct interfaces to our brains, a major terrorist threat is introduced where mass murder can be performed in high-tech drive-bys. This situation may seem unrealistic, but is actually already a reality. A security researcher has already identified a technique where pacemakers can be hacked from 50-feet away to deliver a deadly shock to their owner.
Luckily for pacemaker owners, farming of replacement organs will also be a reality. Unfortunately if the Organ Farm is hacked and the thermostats in the Growth Centres are modified, millions of replacement organs become useless leading to major sections of the population dropping off.
As we have seen through the Hacking History Lesson earlier, companies will struggle find the budgets to maintain their security as technology continues to advance at a rapid pace. This will lead to companies existing completely in the cloud and relying on third party companies protecting their assets. This simply leads to a central cloud that hackers need to compromise; however, this means that they have everyone's data rather than just a single company.
If you made it this far, I trust you enjoyed the read,
CTO, Pure Hacking