Understanding my take on smart devices.
I hope to make this the definitive article on why I'm not afraid of security and IoT/Smart Devices/etc... at the present moment.
Going forward I'd like to describe all exploits as viruses, even where they are not technically computer viruses. And the reason for that is, just as computer viruses share a lot in common with real viruses the same is true of all exploits.
For a virus (computer or otherwise) to succeed, it needs to carry out one or more of its objectives before it is rendered useless. Generally, this means infecting stealthily and being difficult to remove once detected. None of these are requirements. It depends on the delivery mechanism, function and purpose of the exploit.
Let's take a fictitious virus which affects humans, spreads by contact with saliva and kills. If the virus happens to kill the human immediately, the host dies before it can spread to another human and that viral strain goes extinct. The same is true with computer viruses. If I release a virus out into the wild and it takes down the first machines it infects before it can propagate, or is detected too early the virus could end right there. Unless the objective was to take down that one system, the virus wouldn't be considered successful.
Similarly, if find an exploit I want to use, I need to use it to achieve my ends before the security vulnerability is patched and affected systems are fixed.
The key to success here is the same as it is for a biological virus. You generally want to avoid detection until you've either propagated to where you want to be or have achieved your objective. And, if your exploit is difficult enough to undo, you might be able to stick around indefinitely in previously infected systems.
There are some appreciable differences between biological viruses and computer ones. Namely, we design and can redesign the host. The is generally, to some degree, expendable. And the creator of the virus can target it as they see fit. Ultimately, there is no vulnerability which cannot be patched, at least for the sake of safe guarding future devices.
So, as a hacker, knowing that whatever exploit I use can, and probably will eventually be fixed, I also know that there is no guarantee how long my attack will last or how widespread it will be. Since a hacker has control over the viruses they create, they will tend to choose targets most likely to yield something of value and which provide the greatest means of covering my tracks.
If you're truly worried about your security... what are you reading this blog on? A smart phone or a computer most likely. A device you've entered passwords in for email and social networks containing troves of personal information. You've probably done online banking on it. You've probably got pictures and documents and other files of some degree of sentimental value to you. It is also likely running on an operating system and software riddled with open source libraries with known vulnerabilities. An operating system and software which allow you to visit any web site you want, regardless of whether or not it is safe.
My Google Home Mini has no pictures or files of any sort on it. So, ransomware won't work there. I don't speak my passwords or bank accounts out loud. I rarely speak useful personal information out loud as well for that matter. It is also a homogenous device, there aren't tons of vendor specific modifications where I can "hide" my virus. It is hard coded to talk to specific servers.
Now. Tell me. Which device would you, as a hacker, choose to target? On a phone or a computer data is persisted. Laptops and phones are often on insecure public Wi-Fi. Their users visit all sorts of untrusted sites in addition to ones easy to compromise. You're phone and computer are thousands of times more valuable to a hacker than a smart speaker. Add on top, that they are also typically easier to hack and it is a no brainer.
I might need to listen to a thousand speakers for a thousand hours to get one piece of useful information which I could sell or use for blackmail or to infiltrate an account. But, if I get some software running on your phone, I can simply have it look for files with common names like "Passwords.txt" or install a key-logger which kicks any time you visit a web-site known to be for a bank. Or I can encrypt all of your data and make you pay to get it back. And I can make the code do all of those things for me. Once the code is deployed, if it is ransomware, I wait for the money to roll in. If I'm logging key strokes, I wait for the virus to send me data it thinks is useful. If it finds files with common names with useful information I wait for it to send me those.
Most of these smart devices aren't persisting useful information. Most smart devices need to have someone locally to make of the fact that the device has been compromised. Most smart devices are difficult to hack remotely because they have very limited hard coded usages.
I am by no means saying that they are totally safe. But, compared to devices you likely already own and use daily, they are orders of magnitude more secure AND less desirable to attack on average. If you're a millionaire or have a lot of political power or powerful enemies... sure, it wouldn't hurt to look for something more secure or some redundancies in your security.
When you stop using your smartphone and computer/tablet, THEN you can come back and complain about the smart devices. Or, if smart devices become prolific enough and valuable enough to be regular targets of hacks. Until then though...
Going forward I'd like to describe all exploits as viruses, even where they are not technically computer viruses. And the reason for that is, just as computer viruses share a lot in common with real viruses the same is true of all exploits.
For a virus (computer or otherwise) to succeed, it needs to carry out one or more of its objectives before it is rendered useless. Generally, this means infecting stealthily and being difficult to remove once detected. None of these are requirements. It depends on the delivery mechanism, function and purpose of the exploit.
Let's take a fictitious virus which affects humans, spreads by contact with saliva and kills. If the virus happens to kill the human immediately, the host dies before it can spread to another human and that viral strain goes extinct. The same is true with computer viruses. If I release a virus out into the wild and it takes down the first machines it infects before it can propagate, or is detected too early the virus could end right there. Unless the objective was to take down that one system, the virus wouldn't be considered successful.
Similarly, if find an exploit I want to use, I need to use it to achieve my ends before the security vulnerability is patched and affected systems are fixed.
The key to success here is the same as it is for a biological virus. You generally want to avoid detection until you've either propagated to where you want to be or have achieved your objective. And, if your exploit is difficult enough to undo, you might be able to stick around indefinitely in previously infected systems.
There are some appreciable differences between biological viruses and computer ones. Namely, we design and can redesign the host. The is generally, to some degree, expendable. And the creator of the virus can target it as they see fit. Ultimately, there is no vulnerability which cannot be patched, at least for the sake of safe guarding future devices.
So, as a hacker, knowing that whatever exploit I use can, and probably will eventually be fixed, I also know that there is no guarantee how long my attack will last or how widespread it will be. Since a hacker has control over the viruses they create, they will tend to choose targets most likely to yield something of value and which provide the greatest means of covering my tracks.
If you're truly worried about your security... what are you reading this blog on? A smart phone or a computer most likely. A device you've entered passwords in for email and social networks containing troves of personal information. You've probably done online banking on it. You've probably got pictures and documents and other files of some degree of sentimental value to you. It is also likely running on an operating system and software riddled with open source libraries with known vulnerabilities. An operating system and software which allow you to visit any web site you want, regardless of whether or not it is safe.
My Google Home Mini has no pictures or files of any sort on it. So, ransomware won't work there. I don't speak my passwords or bank accounts out loud. I rarely speak useful personal information out loud as well for that matter. It is also a homogenous device, there aren't tons of vendor specific modifications where I can "hide" my virus. It is hard coded to talk to specific servers.
Now. Tell me. Which device would you, as a hacker, choose to target? On a phone or a computer data is persisted. Laptops and phones are often on insecure public Wi-Fi. Their users visit all sorts of untrusted sites in addition to ones easy to compromise. You're phone and computer are thousands of times more valuable to a hacker than a smart speaker. Add on top, that they are also typically easier to hack and it is a no brainer.
I might need to listen to a thousand speakers for a thousand hours to get one piece of useful information which I could sell or use for blackmail or to infiltrate an account. But, if I get some software running on your phone, I can simply have it look for files with common names like "Passwords.txt" or install a key-logger which kicks any time you visit a web-site known to be for a bank. Or I can encrypt all of your data and make you pay to get it back. And I can make the code do all of those things for me. Once the code is deployed, if it is ransomware, I wait for the money to roll in. If I'm logging key strokes, I wait for the virus to send me data it thinks is useful. If it finds files with common names with useful information I wait for it to send me those.
Most of these smart devices aren't persisting useful information. Most smart devices need to have someone locally to make of the fact that the device has been compromised. Most smart devices are difficult to hack remotely because they have very limited hard coded usages.
I am by no means saying that they are totally safe. But, compared to devices you likely already own and use daily, they are orders of magnitude more secure AND less desirable to attack on average. If you're a millionaire or have a lot of political power or powerful enemies... sure, it wouldn't hurt to look for something more secure or some redundancies in your security.
When you stop using your smartphone and computer/tablet, THEN you can come back and complain about the smart devices. Or, if smart devices become prolific enough and valuable enough to be regular targets of hacks. Until then though...
Comments
Post a Comment