A Brief History of Everything Wireless

How Invisible Waves Have Changed the World



Author's Blog

Baby steps towards online security

2019-07-11 [Petri]

As I explain in my book, the horror stories about online security too often follow the same path: some innocuous device has security flaws, such as unauthorized “backdoors” for remote access, which are exploited by unscrupulous hackers, resulting in various negative consequences either for the owners of the devices or even for complete bystanders.

And in the vast majority of cases, the owners have had no idea of what their devices have been covertly doing without their authorization.

The outcomes of these hacks have included Distributed Denial of Service (DDoS) attacks by an army of home security cameras working in unison, stealthy alterations of Domain Name System (DNS) settings that then lead the home user to fraudulent lookalike websites stealing their passwords, and even direct blackmail that uses sensitive images taken by home webcams as “collateral” to be returned against a “reasonable” bitcoin payment.

All too often the root cause of these attacks has been utter mismanagement of security by the manufacturers of these devices, and as competitive price pressure only gets harder and more and more devices become “intelligent”, this trend is not going to see any respite soon: far too often the firmware of these devices is written by the lowest bidder, without any kind of security audit by the manufacturer.

The heart of today's “smart devices” is always just a very capable generic microprocessor, surrounded by custom-made hardware that optimizes it to perform some specific task. But the underlying computing power and the inherent connectivity can be used for anything, just as with any universal computing device, and the ample processing capacity makes it possible to perform these “side tasks” without any noticeable deterioration of the device's main task.

To counteract this trend, the Federal Communications Commission (FCC) in the US is finally taking a tighter grip on the mismanagement of this area of personal security, which has been calculated to cause direct and indirect losses worth billions of dollars annually.

In its 2017 lawsuit against the well-known Taiwanese device manufacturer D-Link, the FCC claimed that "[D-Link] repeatedly have failed to take reasonable software testing and remediation measures to protect their routers and IP cameras against well known and easily preventable software security flaws. In truth and in fact, [D-Link] did not take reasonable steps to secure their products from unauthorized access."

What made the case even more severe was the fact that D-Link accidentally published the private keys it used to sign its software updates, making it possible to create falsified updates that looked as if they were legitimately coming from D-Link. Such updates could then bring along unwanted side functionality that hackers could tap into remotely.

Therefore, even if the end user was “enlightened” enough to secure her home network against external access, she may have inadvertently installed a fake update carrying malicious software.
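As an added illustration of why a published signing key is so damaging (example code written here, not anything from the post or from D-Link), the Go sketch below models a device-side update verifier. It assumes Ed25519 detached signatures, a constructed image format carrying a short key ID, and a vendor-published revocation list; all three are assumptions of this example, not details from the case.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"fmt"
)

// FirmwareImage is a constructed stand-in for an update package: payload, Ed25519 signature, signing key ID.
type FirmwareImage struct {
	Payload, Signature []byte
	KeyID              string
}

// Verifier is the device side: keys it trusts and keys the vendor has revoked.
type Verifier struct {
	Trusted map[string]ed25519.PublicKey
	Revoked map[string]bool
}

// keyID is a short identifier for a public key (first 8 bytes, hex).
func keyID(pub ed25519.PublicKey) string { return hex.EncodeToString(pub[:8]) }
// Sign packages payload with a signature made by a vendor private key.
func Sign(priv ed25519.PrivateKey, payload []byte) FirmwareImage {
	id := keyID(priv.Public().(ed25519.PublicKey))
	return FirmwareImage{payload, ed25519.Sign(priv, payload), id}
}
// Accept returns nil only if the image is signed by a trusted, non-revoked key.
func (v Verifier) Accept(img FirmwareImage) error {
	pub, ok := v.Trusted[img.KeyID]
	if !ok || v.Revoked[img.KeyID] {
		return fmt.Errorf("signing key %s is untrusted or revoked", img.KeyID)
	}
	if !ed25519.Verify(pub, img.Payload, img.Signature) {
		return fmt.Errorf("signature does not match payload")
	}
	return nil
}

// Scenario: an image signed with leaked key A verifies cleanly; only revoking A (and rotating to B) makes it fail.
func Scenario() (leakedBefore, leakedAfter, rotated error) {
	pubA, privA, _ := ed25519.GenerateKey(nil) // nil reader => crypto/rand
	pubB, privB, _ := ed25519.GenerateKey(nil)
	v := Verifier{map[string]ed25519.PublicKey{keyID(pubA): pubA}, map[string]bool{}}
	img := Sign(privA, []byte("constructed image signed with leaked key A"))
	leakedBefore = v.Accept(img) // nil: genuine signature, so the check passes
	v.Revoked[keyID(pubA)] = true // vendor revokes A ...
	v.Trusted[keyID(pubB)] = pubB // ... and the device learns replacement key B
	leakedAfter = v.Accept(img) // error: key A revoked
	rotated = v.Accept(Sign(privB, []byte("constructed image v2"))) // nil
	return
}
```

Signature checking alone cannot tell a leaked-key image from a genuine one; the device also needs a way to learn that a key is revoked and to pick up its replacement.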

In last week's “amicable resolution” of the lawsuit, D-Link is required to have a bi-annual third-party audit of its security and to follow proper security planning, threat modeling, vulnerability testing, and remediation before its products are released.

As I wrote in my book, the only way to improve security in this particular area is to make the manufacturers responsible for the consequences of their lax handling of security. Therefore this ruling, like the one handed down earlier against another company, ASUS, is a baby step in the right direction.

Being “amicable” is OK in the first phase, but if cases of mishandled security keep piling up, heavy fines are the next obvious step. The industry has now been given a warning shot: hopefully it starts cleaning up its act, and the regulatory branches of governments all over the world should follow the FCC's tightening approach.

The number of “smart devices” in the US alone is already estimated at over 180 million, and most end users have neither the means nor the technical understanding needed to tackle issues like this.

Therefore the devices have to be secure to start with.

Permalink: https://bhoew.com/blog/en/86


One of the D-Link routers with backdoor access: DI-524


You can purchase A Brief History of Everything Wireless: How Invisible Waves Have Changed the World from Springer or from Amazon US, CA, UK, BR, DE, ES, FR, IT, AU, IN, JP. For a more complete list of verified on-line bookstores by country, please click here.





PRIVACY STATEMENT AND CONTACT INFORMATION: we don't collect anything about your visits to this website: we think that your online history belongs to you alone. However, our blog comment section is managed by Disqus. Please read their privacy statement via this link. To contact the author directly, please construct an email address from his first name and the name of this website. All product names, logos and brands are property of their respective owners and are used on this website for identification purposes only. © 2018 Petri Launiainen.