Skip to content

The Future of Infosec

   

With the spread of Internet connectivity to everything from smartphones to refrigerators and toaster ovens, the security implications are out of this world.

Let’s be honest: hardly anyone thinks about Internet security, and it’s a tale as old as technology. We want things that are convenient, easy to use, and don’t stand in the way of us doing what we want. When I pull out my phone, I don’t want to type a password every time I go to access my email. As much as possible, we like to use shortcuts, break down barriers. We rely on PINs, biometrics like thumbprints and facial recognition, or just leave the door wide open for our own convenience.

This is not to cast judgment, but to admit the simple fact that we always go for the easiest, most direct route possible. While efforts are made to include reasonable levels of security–portable devices often encrypt any locally-stored passwords, for instance–it’s not always enough. Beyond the security of passwords, there are many other vulnerabilities. Sometimes they’re in specific applications, and other times they’re in the underlying operating system itself.

Say there’s a bug that lets an attacker take complete control of your phone and all the data within it just by having you visit a website. This is a very serious problem, isn’t it? Surely you could rely on your phone’s manufacturer, operating system vendor, or service carrier to fix it quickly? Not so fast! Severe flaws like Android’s Stagefright bug have demonstrated that, even in an ecosystem that favors rapid, frequent updates, rolling out a critical operating system fix isn’t easy or fast. And a company like Google, given how important the Android platform is to their business, is going to be a lot more responsive than most.

Indeed, Google tends to get their fixes out quickly, but it’s everyone downstream–the phone vendors and service carriers–who often slow up the process, having their own vetting and testing procedures and needing extra time because they have their own custom operating system versions. It can take months for a critical fix to finally reach customers, and that’s if your phone is still being supported. There have been phones less than two years old which have seen support, even for critical fixes, removed because that specific model didn’t sell enough units. This leaves those customers permanently exposed–at least until they get a replacement device that’s still being supported.

What I have presented above is what amounts to our current best case scenario. The reality is that most security flaws and incidents are not in the best case. Think of all the credit card and other data breaches that have happened over the last several years. Some are the result of human engineering–that is, tricking people into handing over information they shouldn’t–but many are the result of poor security practices, and creaky, old software that doesn’t get updated nor evaluated for security flaws. There are still companies where it’s common practice not to immediately apply operating system updates as they become available, even when they are critical fixes. This isn’t because companies want to be derelict about security, but because such fixes have often contained flaws of their own, breaking certain programs and otherwise causing unexpected behavior. But this also means that critical vulnerabilities go unpatched for weeks or months longer than they should, potentially leaving all of the company’s computers open to attack.

Microsoft is trying to change the game here with their approach to Windows 10 updates. As of the Anniversary Update, which was released a couple months ago, Windows 10 automatically updates itself on a routine basis and there is no supported way for users to turn this off. Windows has had automatic updates since at least XP, but it always came with tools for turning those updates off or choosing which specific updates to install. Windows 10 doesn’t give you a choice–it’s going to install the updates whether you want them or not.

This has caused some pain for many Windows 10 users as such updates are often poorly tested and end up breaking compatibility or even trashing whole systems. This doesn’t do much to inspire confidence, to say the least. But the basic idea of this approach is sound: updates are rolled out quickly and applied automatically, making sure vulnerabilities can be patched swiftly before exploits become widespread.

The above is meant to set the stage for what is turning out to be a security nightmare: Internet-enabled devices that never (or rarely) receive security fixes at all. People may not realize that plenty of devices which don’t look like computers actually run full-blown operating systems with unfettered Internet access. You probably have a router at home that you use to access the Internet. Guess what? It’s probably running a Linux operating system, and likely an old version, at that. The constellation of “smart devices” like smart TVs, smart refrigerators, and others are all running genuine operating systems, as well, meaning they almost certainly come with numerous built-in flaws that are just waiting to be discovered.

Recently, there have been some high-profile attacks involving networks of security cameras. Each of these cameras is connected to the Internet and runs a real operating system, which means it can be reprogrammed for almost any purpose. Lately, they’ve been turned into botnets designed to inflict distributed denial-of-service (DDoS) attacks on various websites. The purpose of a DDoS is to flood a website (or other server) with so much traffic it is forced offline, at least until the server’s owner can take steps to thwart it, and this could take hours or days.

The problem with many of these devices is that they’re loaded with operating system firmware that wasn’t designed to be updated easily. They rarely update themselves, and to update such a device manually is often a tedious, cumbersome, or unfriendly process. Even when it’s an easy process, home users obviously aren’t trained or accustomed to managing updates on their myriad smart devices. If the devices don’t automatically update themselves, they probably just won’t be updated at all. Ever.

All this does not bode well as we surround ourselves with growing webs of network-connected devices. Companies and governments will come to rely on them more and more, as well, and there aren’t a lot of accountability processes in place to make sure that these devices operate safely and securely, and that they receive critical updates in a timely manner. The day may not be far off when we have to have legislation and regulatory enforcement to ensure some kind of due diligence about such updates, with penalties for firms that do not provide automatic mechanisms for updating the products they sell. Otherwise, we’re looking at a future in which more and more devices are compromised and turned to nefarious purposes, siphoning off useful Internet bandwidth and attacking legitimate services. This is to say nothing of the significance of massive data breaches–which just keep happening–and the large black market where ransomware and identity theft thrive.

If we don’t get these problems under control, we’re in for a pretty lousy digital future.

Photo by timo_w2s