{"id":18046,"date":"2021-02-26T16:38:29","date_gmt":"2021-02-26T12:38:29","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/johnny-mnemonic-cybersecurity\/18046\/"},"modified":"2021-02-26T16:38:29","modified_gmt":"2021-02-26T12:38:29","slug":"johnny-mnemonic-cybersecurity","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/johnny-mnemonic-cybersecurity\/18046\/","title":{"rendered":"Johnny Mnemonic in terms of cybersecurity"},"content":{"rendered":"<p>The future that William Gibson imagines in the short story that inspired 1995\u2019s <em>Johnny Mnemonic<\/em> essentially epitomizes cyberpunk: edgy, dangerous, extremely advanced, highly technical. The movie being set in early 2021, we decided to analyze the cinematic version from the viewpoint of cybersecurity, comparing the fictional 2021 with our own.<\/p>\n<h2>The setting of the movie<\/h2>\n<p>The film plays out in a rather gloomy world, one controlled by megacorporations and plagued by a dangerous pandemic known as Nerve Attenuation Syndrome (NAS). The cause of the disease, in the words of one of the characters, is: \u201cInformation overload! All the electronics around you poisoning the airwaves.\u201d<\/p>\n<p>Megacorporations, pandemics, <a href=\"https:\/\/www.bbc.com\/news\/53191523\" target=\"_blank\" rel=\"nofollow noopener\">conspiracy theories<\/a> about new tech rollouts. Sound familiar? Well, it\u2019s only partially accurate: In this cinematic 2021, microchips holding gigabytes of information can be implanted into the human brain; in reality, despite Elon Musk\u2019s best efforts, we\u2019re not there yet. We won\u2019t bother dismantling the classic 1980s\/90s movie depiction of the Internet as a wacky VR universe. 
That\u2019s not the Internet, at least in 2021.<\/p>\n<h2>Pharmakom Industries<\/h2>\n<p>According to the movie\u2019s plot, a cure for NAS actually exists, but Big Pharma is keeping it quiet\u00a0\u2014 treating the symptoms is far more profitable than ridding humanity of the disease. Some Pharmakom employees disapprove and not only steal medical information, but also destroy the company\u2019s data.<\/p>\n<p>That reveals a number of major flaws in Pharmakom\u2019s security system:<\/p>\n<ul>\n<li>Its scientists\u2019 data access permissions are too generous. Sure, drug developers need access to read operational information, and even to write to the server. But why give them permission to permanently delete classified information?<\/li>\n<li>Pharmakom has no backups (at least, nothing offline). That means much of the rest of the plot\u00a0\u2014 involving the mad pursuit of the \u201cmnemonic courier\u201d (more about that below)\u00a0\u2014 rests on the company needing the data back. With backups in place, Pharmakom could simply have restored the data, then eliminated the leak and the courier. Instead, the plot demanded the company try to saw off his head without damaging the implant inside.<\/li>\n<\/ul>\n<p>It\u2019s also worth mentioning that the Pharmakom network contains a digital copy of the consciousness of the company\u2019s founder. The AI not only possesses free will and access to the entire Internet, but also tends to disagree with the way the corporation is developing into something monstrous.<\/p>\n<h2>Lo Teks<\/h2>\n<p>A group known as the Lo Teks represents the resistance. In the original story, the Lo Teks were antitechnology, but in the movie adaptation they seem quite up to date. Living with them is Jones, a cyborg dolphin whose hacking skills help him extract valuable information, which the Lo Teks then transmit using a hijacked TV signal. 
At the center of the group\u2019s shelter is a mountain of rubbish featuring wires and old cathode-ray-tube TVs.<\/p>\n<p>Despite the group\u2019s on-air antics, no one pays much attention to the Lo Teks (or even locates them) until they come into contact with Johnny.<\/p>\n<h2>Online communication<\/h2>\n<p>Partway through the movie, Johnny tries to contact an acquaintance. That\u2019s when we realize Pharmakom\u2019s experts, working with the Yakuza, are tracking his regular contacts \u2014 fantasy 2021 privacy is even worse than present-day reality.<\/p>\n<p>One might think a hacker-smuggler can manage online anonymity, but no, everyone knows Johnny\u2019s connections, and infosec experts immediately sniff him out (even though he goes online from a completely new, stolen computer and with some kind of stealth module) and pinpoint his location.<\/p>\n<p>Along the way, Pharmakom activates a \u201cvirus\u201d to interfere with Johnny\u2019s communication. As usual in movies, the terminology is rather loose; the virus seems more like some sort of <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/dos-denial-of-service-attack\/\" target=\"_blank\" rel=\"noopener\">DoS attack<\/a> tool than an actual <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/virus\/\" target=\"_blank\" rel=\"noopener\">virus<\/a>.<\/p>\n<h2>Mnemonic courier<\/h2>\n<p>At long last, let\u2019s get to the main theme of the movie, which is related directly to information security\u00a0\u2014 consider the title character\u2019s profession. Johnny is a mnemonic courier: his head is literally a data storage device. Such couriers are used to smuggle highly valuable information that cannot be entrusted to the Internet. 
The rebel scientists choose Johnny to convey the medical data they stole from Pharmakom to a team of doctors in Newark.<\/p>\n<h3>How the implant works<\/h3>\n<p>The technology here is incomprehensible: The data is stored directly in the brain, and to make room, Johnny has had to sacrifice most of his childhood memories. The nominal capacity is 80 GB, expandable to 160 GB by briefly connecting to an external box, but in fact it is possible to upload twice that amount, boosting capacity up to 320 GB. That squeezes the brain, causing the courier to suffer from seizures and nose bleeds, and the information can be damaged as well.<\/p>\n<p>In the movie, the implant is not hard to detect. For example, when crossing a border, people are scanned and the device appears in those scans. But the scans seem rather superficial; the system falsely reports the brain implant as a device for counteracting dyslexia. Why the device arouses no suspicion among the border guards is not clear.<\/p>\n<h3>Data protection<\/h3>\n<p>The data protection method is nothing if not original. During upload, the client randomly takes three TV screenshots. The images \u201cdissolve in the data\u201d and serve as the \u201cdownload key.\u201d Without them, it is impossible not only to download the data, but even to delete it, so the same screenshots must be sent to the recipient. By the look of it, then, this safeguard has to do with encrypting the actual data, but it\u2019s also an implant-access mechanism.<\/p>\n<p>As soon as they upload the data, the scientists are attacked by Yakuza operatives working for Pharmakom. One screenshot for the key is destroyed in the ensuing firefight, Johnny keeps one, and one goes to the attackers.<\/p>\n<h3>Sending the key<\/h3>\n<p>The \u201ckey\u201d is sent by fax. 
That\u2019s not as funny as it sounds; although the technology is outdated in the real 2021, faxing the key makes some sense because it makes direct use of the telephone network, which can, in theory, be safer than using the Internet. Unfortunately, faxing tends to degrade image quality. Also, in the movie, all fax machines are accessible from the Internet, so there goes that.<\/p>\n<p>After escaping from the Yakuza, Johnny tries to recover the missing screenshots. He finds the originating fax machine and its logs in a hotel\u2019s information systems, the password for which he brute-forces on his third attempt. The password can\u2019t have been very strong. That, it must be said, corresponds perfectly with our 2021:\u00a0For many hotels, security still means a guard at the door. In any case, Johnny manages to get the recipient\u2019s fax machine address.<\/p>\n<p>Connecting to the fax requires no authentication. Moreover, by connecting remotely, anyone can read data from the buffer, thus rendering this communication channel totally unsuitable for confidential data.<\/p>\n<h3>Extracting the data without the key<\/h3>\n<p>The situation seems hopeless.\u00a0Without the key, Johnny can neither download nor delete data from his head, and with the maximum allowable capacity twice exceeded, he will soon die and the cure for the pandemic will be lost.<\/p>\n<p>But wait, there are, in fact, many ways to extract information without the key (leading to consequences of varying severity):<\/p>\n<ul>\n<li>The Yakuza try to saw off Johnny\u2019s head so they can take it to a \u201cquantum interference detector\u201d to extract the data.<\/li>\n<li>A doctor who specializes in implants has some \u201cdecryption codes\u201d that, with a little luck, should enable data retrieval. 
It doesn\u2019t work in this case, but everything seems to suggest that sometimes it does, which raises a ton of questions about the reliability of the encryption algorithm.<\/li>\n<li>Next, the same doctor proposes extracting the data and the implant surgically, though that carries a considerable risk to the life of\u00a0the patient (not to mention guaranteed health problems).<\/li>\n<li>Having been trained by the US Navy to hack enemy submarines remotely, Jones the cyborg dolphin can try the technique on Johnny\u2019s skull.<\/li>\n<li>A Yakuza operative mentions that even after download and deletion, \u201cmnemonic sensors\u201d can still recover residual traces of the data.<\/li>\n<\/ul>\n<h3>Bottom line<\/h3>\n<p>Using mnemonic couriers seems pointless. The scheme apparently uses <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/symmetric-encryption\/\" target=\"_blank\" rel=\"noopener\">symmetric encryption<\/a> (no matter how complex the key is, it still has to be transferred to the recipient), the key transfer occurs over unprotected channels, and the implant\u2019s overload capability violates all safety regulations, jeopardizing both the courier\u2019s health and the integrity of the data. But the method\u2019s main weakness is that it leaves a plethora of ways to get the data without the key.<\/p>\n<p>Moreover, with only two of the screenshots, Johnny, with the help of his aquatic sidekick, hacks into his own brain and extracts the third.\u00a0That means the key is stored with the encrypted information, a highly insecure practice.<\/p>\n<p>In the real 2021, sending the data over the Web using a reliable <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/asymmetric-algorithm-cryptography\/\" target=\"_blank\" rel=\"noopener\">asymmetric encryption algorithm<\/a> would be easy. Even if the fact of a data transfer cannot be hidden, the strategy would guarantee delivery to the addressee. 
And 320 GB is not such a large volume by our 2021 standards.<\/p>\n<h2>What came true and what didn\u2019t?<\/h2>\n<p>The real 2021 is not as bleak as the filmmakers imagined \u2014 or, at least, it\u2019s not as bleak in the same ways as the filmmakers imagined. Cybersecurity has come a long way. So, which of the above could actually happen?<\/p>\n<ul>\n<li>In the real 2021, multiterabyte archives of confidential information, including <a href=\"https:\/\/www.reuters.com\/article\/uk-ema-cyber\/hackers-steal-pfizer-biontech-covid-19-vaccine-data-in-europe-companies-say-idUKKBN28J1VF\" target=\"_blank\" rel=\"nofollow noopener\">vaccine data<\/a>, are leaked almost regularly. The Pharmakom data leak is plausible and very possible.<\/li>\n<li>Insider attacks and sabotage are similarly not at all unusual. This <a href=\"https:\/\/www.kaspersky.com\/blog\/fired-insider\/38381\/\" target=\"_blank\" rel=\"noopener nofollow\">recent incident<\/a>, also related to healthcare, is one example.<\/li>\n<li>Artificial intelligence, self-aware and living online, does not (as far as we know) exist yet.<\/li>\n<li>A cyborg dolphin with hacking skills is a little far-fetched. Contra many sci-fi predictions, dolphins have not yet learned to perceive human information and use electronics.<\/li>\n<li>Broadcast signal intrusion, on the other hand, is <a href=\"https:\/\/en.wikipedia.org\/wiki\/Broadcast_signal_intrusion\" target=\"_blank\" rel=\"nofollow noopener\">real<\/a>. But it is usually done on a small scale, and the intruders are quickly identified.<\/li>\n<li>Identifying a person online based on a connection to a certain address is a real thing, but it requires extensive groundwork.<\/li>\n<li>A DoS attack on the link between two network clients is real, but it is done not with a virus but by disabling the communication channel.<\/li>\n<li>Implanting a chip into a person\u2019s brain is not yet reality. 
Current <a href=\"https:\/\/www.newscientist.com\/article\/2253274-elon-musk-demonstrated-a-neuralink-brain-implant-in-a-live-pig\/\" target=\"_blank\" rel=\"nofollow noopener\">experiments<\/a> focus on creating a neural interface for communication with a computer, not on data storage.<\/li>\n<li>Here\u2019s the big one: Transferring data by pumping information directly into a human courier\u2019s brain is not only unrealistic but nonsensical. Thanks to encryption, we can easily and securely transmit data over the Internet.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"earth-2050\">\n","protected":false},"excerpt":{"rendered":"<p>Would Johnny Mnemonic\u2019s cybersecurity be plausible in the real 2021?<\/p>\n","protected":false},"author":700,"featured_media":18047,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916],"tags":[2368,2047],"class_list":{"0":"post-18046","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-movies","10":"tag-truth"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/johnny-mnemonic-cybersecurity\/18046\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/johnny-mnemonic-cybersecurity\/22551\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/johnny-mnemonic-cybersecurity\/24269\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/johnny-mnemonic-cybersecurity\/22338\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/johnny-mnemonic-cybersecurity\/21139\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/johnny-mnemonic-cybersecurity\/24796\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/johnny-mnemonic-cybersecurity\/24002\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/johnn
y-mnemonic-cybersecurity\/30173\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/johnny-mnemonic-cybersecurity\/9376\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/johnny-mnemonic-cybersecurity\/38849\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/johnny-mnemonic-cybersecurity\/16444\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/johnny-mnemonic-cybersecurity\/17006\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/johnny-mnemonic-cybersecurity\/14521\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/johnny-mnemonic-cybersecurity\/26277\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/johnny-mnemonic-cybersecurity\/30105\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/johnny-mnemonic-cybersecurity\/26738\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/johnny-mnemonic-cybersecurity\/23600\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/johnny-mnemonic-cybersecurity\/28930\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/johnny-mnemonic-cybersecurity\/28738\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/truth\/","name":"truth"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18046","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/700"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=18046"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18046\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/
media\/18047"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=18046"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=18046"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=18046"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}