Since it’s the Singapore International Cyber Week, I thought it apt to write a something about cybersecurity. It’s a really exciting field. Exciting is good, for cybersecurity professionals. Exciting isn’t so good, however, for end-users. They would prefer to go about their lives without having to deal with the complexities of cybersecurity.
Our lives are infused with so much technology. Ordinary people, at least for the most part, have been able to learn and cope with these technological advances. People have figured out how to work their VCRs, for example.
But I think the “information age” has brought new challenges, and perhaps technology has gotten ahead of us. Take cybersecurity, for example, it’s not something terribly easy for ordinary layperson to understand. That’s alright if they don’t need to know about cybersecurity. Unfortunately, they do.
Let’s just look at a few things that have happened in the last couple of days. The big news today is about CCCleaner, a tool that is supposed to clean away unwanted files and other problematic stuffs from your Windows PC. It turns out CCCleaner had been hijacked by hackers, and some two million users who installed CCCleaner had malware included with it. The very software that was meant to keep your Windows PC clean came with malware that messes it up.
It’s not likely that your grandpa or grandma will know about CCCleaner at all. Someone probably helped to put it in their computer for them, or it came with their new computer. Now, who’s going to help them sort out the CCCleaner mess? Do you expect the ordinary layperson to keep abreast of such security news? I know that Microsoft or Apple can push urgent security updates out quickly for their operating systems, though sometimes still not quickly enough, but this won’t always apply to every piece of software you might have installed in your PC. Microsoft’s Windows Store and Apple’s Mac App Store may be great, but there are so many other software you install outside of the store.
The window of opportunity, of the malware-rigged version of CCCleaner, is relatively short and recent, some time between 15 August and 12 September. Yet, that almost month-long period is relatively long in cybersecurity timeline.
Another headline cybersecurity item relates to D-Link routers. The vulnerabilities found in a number of D-Link products were so serious that even our Cyber Security Agency (CSA) and the Infocomm Media Development Authority (IMDA) issued a joint advisory.
Researchers at Embedi, a Berkeley, California-based security firm that focuses on hardware protection, found exploitable flaws in D-Link’s DIR-890L, DIR-885L and DIR-895L routers. To make matters worse, this comes after news earlier this month about 10 zero-day flaws found in the DIR-850L by a South Korean researcher.
D-Link did respond to say some of the vulnerabilities will be addressed.
Should you be worried about flaws in your home broadband router that might expose access to your home network? If you are, good; but getting a fix is another matter. What about other users who don’t know to be worried?
The vulnerability and exposure of your home network will be a serious matter, if it isn’t already right now. We are going to get more smart things. These smart things are going to have flaws in them. Did you hear that your Samsung Smart TV might be listening to you?
You’ve probably heard about the Internet of Things (IoT). IoT is invading our work and living spaces. In the next couple of years, if you don’t have one yet, you will likely be getting a whole bunch of smart stuffs. Not just Smart TVs and Amazon Echos and Google Home sort of smart things, but things you don’t know why needed to be smart: smart washing machines, smart fridges, smart coffee makers, smart toasters, etc.
Do you think the manufacturers of every one of them will bother to keep their software up-to-date?
Do you think a 5 year old washing machine will continue to get timely software updates, if any update at all? It’s tough to expect any of these to get fixed over their lifespan.
How are you even going to go about secure all those stuff? It’s good if you’re thinking about that question. What about other people who don’t even know to ask about those questions?
Not just our computers, but our smartphones also present a tough challenge to protect. About a week ago, news of BlueBorne, an exploit on the Bluetooth protocol stack, surfaced. While iOS devices running iOS 10 are fixed, as are Google’s directly supported devices (such as Pixel smartphones), you won’t get a fix to most Android smartphones fast enough. This is a big concern. Most people buy their smartphones for all sorts of reasons, least of it would be about the adequacy of manufacturer’s software support.
You’d think manufacturers like Samsung, Huawei, HTC, or Sony, would be very highly motivated to fix their smartphones. They might do that for their flagship, though maybe not fast enough. Good luck with their lower-end products.
If that’s how it is with smartphones, how much worse would it be with your smart things at home? The reality is that when a manufacturer makes a smart washing machine, they probably bought the component that made it smart from a third party, or they simply subcontracted out that part of the work to some third party. If you found a security flaw in the smart washing machine’s internal web server, it’s unlikely that the manufacturer knows what to do. If you manage to track down the third party and get them to fix the software, it’s not likely the device manufacturer themselves would bother to incorporate the update.
Basically, you’re stuck.
In a couple of years, you might not be able to buy a washing machine that is not smart, even if you wanted to.
BlueBorne, D-Link routers, and CCCleaner, these are just the top news in the last week or so. This is going downhill. We’re going to have all manner of smart things surround us with lousy software that won’t get fixed. I don’t know how we’re going to clean this up. Worse, there are many people around us who don’t know there’s a problem to be worried about.