Always on, always connected…and therein lies the danger. We have always known that the road to always-on would give hackers a wide attack surface. Little did we know just how wide that surface would be.
Having computers, phones, tablets, wearables, the Internet of Anything/Everything (IoX) devices, autonomous vehicles, unlicensed networks, private networks, and more has created a hacker’s universe of opportunity.
And security is not moving along as fast as connectivity. There is some progress, but the security industry still has not reached the point required to secure many devices and networks. And advancements in technology, such as AI, have made hacking much easier.
There is also the plethora of cheap products where security is an overhead manufacturers try to minimize, as well as users who neither understand, nor believe, that security is a critical metric.
Thus far this year there have been a significant number of data hacks and breaches of varying magnitude. This tells us that we are still not doing enough to lock down our portals.
But our industry has been trying – and succeeding – at least at the chip level. My contacts at NXP, Rambus, Kaspersky, Chaologix, Arteris, Infineon, Chipworks, and so many others that are at the top of the cryptography class, give me tons of data on what they are doing to secure chips and peripheral segments. Cryptography has come a long way, and, in reality, there should not be a single device out there that is vulnerable – but there is. In fact, most of these devices are, so it should not be a surprise that hacks are an everyday occurrence.
That is sad. The cost of the few extra dimes to dollars to lock down, at the hardware level, all but the cheapest devices is nothing when compared to the cost of such breaches.
In the competitive space where manufacturers rush to get products on the market, they still do not get that locking down their devices, against even the most basic kinds of attacks, is no longer an option. So why do they not get it?
They do. It is not about knowledge; it is about the bottom line – and repercussions. To be fair, there is a smattering of companies that place a high priority on security. Most of them, however, are protecting high-value assets where the custodians realize the gravity of a breach – and the fact that a breach can cost them billions.
But in many cases, device vendors and manufacturers suffer little fallout from poor security. It is the end-user that has to deal with that. Of all the breaches that have occurred at the major players like Target, Home Depot, Chase, yada, yada, none of them has ever paid a dime to any consumer whose identity was stolen. Nor has any device vendor had to pony up compensation for a router, thermostat, toaster, or refrigerator being hacked. It is always the aggrieved party that has to fix things themselves.
There is the argument that the end-user should be smart enough to provide their own security. And with devices such as smartphones, tablets, computers, and the like, that argument has some credibility. But for a smart toaster, oven, toothbrush, washer, dryer, toilet, Fitbit, pacemaker, socks, whatever, the average consumer should be confident that such devices have a decent level of security out of the box. The end-user should only have to plug it in and, at a minimum, be forced to change the password.
By now, no vendor should be using 123456 as a stock password. Even for me, who is well versed in cryptography, that is not what I want to worry about day in and day out. If I go out and buy an IoX camera, I want to be able to change its security parameters with ease and not have to dig around for the methods.
So…playing this forward, the more things change, the more they seem to stay the same. Proof of that is the hacks this year of Twitter, Marriott, Zoom, MGM, Nintendo, Magellan Healthcare, even the Small Business Administration! They all, likely, would not have occurred had the players listened to their security architects.
The argument that comes back, once a breach has occurred, is that “we did all we could.” No, you did not. Chances are that there is legacy hardware and software in your digital environment. Or perhaps there are outdated procedures. Or perhaps you chose to chance a lower level of security. It is also probable that there are security leaks in employee networks.
There is no doubt that securing the perimeter, whatever or wherever it is, is a daunting task – expensive too. There is also no doubt that staying on top of it is just as daunting, especially with AI behind the attacks. But some manage to do it. The problem is that until they all do it, the hacker’s universe will be alive and well.
Will we ever be able to lock it down completely? Unlikely. Even the Starship Enterprise, several hundred years in the future, has had its digital environment attacked by evil aliens, or even on-board spies (Wolf in the Fold, Contagion, For the Uniform, and more).
There is a certain amount of due diligence required of the responsible keepers of our data. It is incumbent upon them to secure that data, regardless of the cost. For the rest of us lowly end users, the level of due diligence is not set to quite as high a standard, but we still bear the onus.
However, those that supply us with devices have, at a minimum, a measure of responsibility to secure our systems and our data, at least beyond a universal password like 123456, across all devices.