Security experts within an organisation, or even as contractors or advisors, are often though of as the team who say no. We squeeze the fun out of everything, don’t we. Times are changing quickly though. New working practices like DevSecOps make security everyone’s responsibility, but why do we still have to say no sometimes? What can be so scary that sometimes we just have to do without something, or think of another solution? This is the reason we can’t have nice things.
It Isn’t If, It’s When.
We’re not into clickbait, so here’s the punchline. The reason we can’t have nice things is because we will be compromised at some time or other. We can take every possible step currently conceivable can to stop that from happening, and it still could.
The reason is because you or your team cannot control every part of the stacks you look after. If you did, you could keep a keen eye on the security of each part.
You might write the Java code running on the platform, but you don’t write the Java Virtual Machine code – so there could be a compromise there.
Let’s say you did write a custom Java runtime environment – what about the hooks you use for the operating system?
Okay, so let’s write an opperating system – but what about the code used in the UEFI or BIOS used to boot the computer? What if there’s a security vulnerability there?
And after all of that, let’s say we have written our own custom boot code. Well we’re still vulnerable to processor microarchitectural bugs like Spector and Meltdown.
And that’s even before we have look at the client’s stack.
Low Hanging Fruit
We’re all lazy aren’t we? If you’re a cat burglar and you want to steal the crown jewels, you’re going to try the door handle to the vault before you hatch a dastardly plan to break in aren’t you. Cyber security is just the same – if you make something an easy target, it will be compromised.
If we think about what might be considdered an easy target, we might look towards Internet of Things (IoT) appliances. The reason for looking there first is easy – they’re the things we have the least control over. We don’t control when they are patched. We don’t control what they make outbound connections to, and we often can’t control what connects to them.
You might say you don’t care. Who gives a monkeys if someone can connect to your smart speaker and starts playing S Club 7? But an attacker wouldn’t just play guilty-pleasure 2000’s pop using these devices – they would use them to pivot into your network.
I hope I’m not the only one who imagines Ross from Friends shouting at his pals helping him get a sofa up the stairs at their appartment block when I read the work PIVOT! But we’re not talking about interior decoration or 90’s sitcoms today. In this context, a pivot means to move from one place in a network to another. If an attacker gains access to an IoT device, we call that a “beach-head”, and from there, they pivot to other places in the network.
Attackers often chain several exploits together to pull off a compromise on an asset they really want. So a smart speaker vulnerability might let them access the internal side of your router. From there, they might exploint the router, installing malicious software, and carry on their chain of exploits. This is also why we have to patch even the smallest security vulnerability; because the small exploits are chained together to form a big exploit.
What’s The Answer?
We started off by making the assersion that we can’t have nice things. Let’s assume you aren’t quite as technologically terrified as me, and you would actually like some creature comforts, but you would like to secure them as best you can.
More and more home routers are coming with functionality to allow for guest WiFi access, and this can be great for keeping IoT devices away from your main network too. Usually, the guest network has no access to your other WiFi network, where your computer, tablet and smartphones connect to. So we can think of our sensitive data living in one bubble, and the IoT devices living in another. If the IoT devices are compromised, they cannot get to your other devices, and crucially, your data.
Make sure all of your devices are running current, supported software. If a device is no longer supported, you should seriously consider whether or not you want to keep that device. It’s a really poor situation that you might be forced to create more e-waste just because the manufacturer won’t support that device anymore, but these are the real decissions consumers are faced with today. When you select your smart home equipment, it might be worth checking out how long it will be supported for, or you might be left in hot water, rather like Sonos were recently.
Okay, I said times are changing and that we aren’t just the department of “no” anymore, then I go and say no. But seriously, now we understand a little more about Internet of Things devices, which ones do you really need or want in your life?
Personally, I will not have a smart speaker with microphones in our house. They represent too big an attack surface compared with how much risk I am prepared to accept. Amazon, Apple and Google spend literally millions on securing their technologies, and they do a superb job for the most part. But, what about when something is compromised? Will it mean someone is listening to me at home? It can’t be ruled out.
It’s like driving with a spike mounted to the steering wheel of your car. It’s probably fine because nobody intends to have a crash. But now the consequences of having a crash have been dramatically raised, and that’s how I feel about home automation devices.
And that is why we can’t have nice things.