The Strategy is “Wait to get Hacked and then Panic”
As millions upon millions of IoT and Industrial IoT devices get deployed every month, we seem to have forgotten what we learned the hard way about our computers: if we don’t patch them, the hackers will invade.
#1: A set of bugs called Urgent/11 affected a network module that has been around since the 90s and is in use by a couple hundred million IoT and IIoT devices. No important devices, just ones that control factories and hospitals. While the vendor released a patch for the bugs, this software is buried deep in systems where the hospitals and factories have no clue it even exists and the vendor that they bought the system from stopped patching it – if they ever did – years or decades ago. As a result, millions of devices – possibly as many as 97% of the affected devices – are still not patched and likely never will be. Credit: Threatpost
#2: Amnesia 33 is another set of bugs, again in networking software. This time the software is open source meaning there is no vendor to go to for patches. The researchers have already identified over 150 vendors who used the software at some time. Again this affects millions and millions of devices like cameras, badge readers and factory equipment. And again, most of these devices will never be patched. Credit: ZDNet
#3 is the Ripple20 family of bugs. This family of 19 bugs discovered earlier this year. It affects, again, a networking software module that is used in IoT and IIoT devices. Again, the vendor has released patches but most devices will never be patched. The number of impacted devices is estimated to be “in the hundreds of millions”. Credit: ZDNet
The number of devices affected by these bugs is not much of a surprise given the estimate of 75 billion connected devices by 2025.
Given that software licenses provide a “get out of jail free” card to software companies, there is no reason to expect this is going to change any time soon.
Unless, maybe, if we have an attack similar to this week’s Solar Winds announcement which may have compromised the information of as many as 18,000 businesses and government agencies (I can just hear the class action attorneys jumping for joy).
In this case, a lot of sensitive information will be analyzed in Moscow and used against us for decades. The good news is that these organizations will close the hole. Granted it is after the horse is out of the barn and the barn burned down, but it will get closed.
But what if North Korea decides to use these IoT bugs to say, blow up factories. After all, the Russians blew up an oil pipeline in the Ukraine a few years ago because they were made at the Ukraine government. This is not so far fetched.
Or maybe the Chinese will decide to say, turn off all of the ventilation in hundreds of hospitals. Or worse. Certainly possible.
That probably (hopefully? maybe?) keeps the folks that run these businesses up at night and may cause them to do something about it.
But when it comes to consumers, to be honest, all they care about is the price and does it do what I want it to do.
Until it damages their home or apartment or car. By the way, insurance likely does not cover this sort of damage – ask your agent. So if a nation state decides to launch an attack on the consumer base and it damages your car or home or apartment, you may be facing a large bill.
There is no simple answer, but making sure that your vendor is going to patch your device FOR AS LONG AS YOU PLAN TO OWN IT (note that a one year warranty is not terribly useful for an appliance that you plan to keep for say ten years).
Something to consider before falling in love with that bright, shiny new IoT thingee. I just bought a new washing machine. It comes with an app for my phone. So that I can start the washer remotely. Really? Do I need that? Nope, not going to connect it.