Having worked in the cybersecurity realm for almost 30 years, Mikko Hyppönen, Chief Research Officer at F-Secure, admits the industry has a history of repeating itself.
Whether it’s a symptom of being human, the age-old formula of crime, or the cyclical characteristics of technology, Mikko recounted dozens of cyber offences and mistakes that have recurred, and are still recurring, during his keynote presentation at the AusCERT 2019 Cyber Security Conference, held on the Gold Coast in May.
The most prominent instance of this happening in the world of cybersecurity for Mikko is ransomware, which today comes in a myriad of forms but still resembles its first incarnation — the AIDS Trojan virus (aka PC Cyborg) of 1989.
The similarities between the AIDS Trojan virus and the recent Petya virus are pretty plain to see.
Another is the repurposing of Telnet, a protocol that was abandoned decades ago for SSH because of the security risks it posed, for remote access/administration of IoT devices. A report by IBM Security revealed the Telnet port is swept by 79% of cybercriminals as part of gathering information on potential targets. Once attackers find an open Telnet port, they can: determine what information is shared between connected devices; test common username/password combinations, which has been the undoing of many Internet of Things devices; and/or send a SYN flood attack, causing a denial of service.
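For defenders, the Telnet behaviour described above is visible in connection logs. The following is an added example, not from the keynote or the IBM report: it flags sources that sweep the Telnet port across many hosts or hit one host repeatedly. The log format, thresholds and function name are assumptions, and the sample lines are constructed from documentation address ranges.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = "\n".join(
    [f"SRC=203.0.113.7 DST=192.0.2.{h} PROTO=TCP DPT=23" for h in (10, 11, 12, 13)]
    + ["SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=23"] * 6
    + ["SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP DPT=22",
       "SRC=198.51.100.20 DST=192.0.2.11 PROTO=TCP DPT=23"]
)

# Assumed log layout: key=value fields with SRC, DST and DPT present on each line.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)")


def telnet_findings(log_text, sweep_hosts=3, repeat_hits=5, port=23):
    """Return {source: [labels]} for sources touching the Telnet port.

    "sweep":    the source contacted at least `sweep_hosts` distinct hosts.
    "repeated": the source hit a single host at least `repeat_hits` times,
                consistent with credential testing or a connection flood.
    Thresholds are illustrative and should be tuned to local traffic.
    """
    hits = defaultdict(lambda: defaultdict(int))  # src -> dst -> count
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m["dpt"]) == port:
            hits[m["src"]][m["dst"]] += 1

    findings = {}
    for src, dsts in hits.items():
        labels = []
        if len(dsts) >= sweep_hosts:
            labels.append("sweep")
        if max(dsts.values()) >= repeat_hits:
            labels.append("repeated")
        if labels:
            findings[src] = labels
    return findings


if __name__ == "__main__":
    for src, labels in telnet_findings(SAMPLE_LOG).items():
        print(src, ",".join(labels))
```
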
These instances aside, Mikko’s greatest concern of “everything old becoming new again” lies in the unknown of the approaching tsunami of the Internet of Things (IoT), which is already displaying infamous characteristics — technological and sociological — from the past.
The first of his concerns is the unknown multi-connectivity of IoT devices, by which more and more devices are, unbeknown to customers, able to connect to the Internet, sometimes by multiple avenues. Currently, we’re being sold ‘smart’ devices, which we know can connect, but there will come a time when ‘smart’ will be expected (or rather what manufacturers expect of their users).
“In the future, stupid devices will [connect] to the Internet and you have no idea they are [connecting]. Because they won’t be [connecting] to provide new features and services to consumers, they will be [connecting] to the Internet to provide benefits to the manufacturer,” said Mikko.
The issues associated with this have already become apparent, with devices thought to be privately accessible being hijacked – think nanny cams. Multi-connectivity will only worsen the situation, making safeguarding against hijackings even more difficult than it already is. Simply blocking or disconnecting your local router will not be enough to stop your devices connecting to the Internet, whether it be via public Wi-Fi or 5G.
Perhaps the most worrying aspect of the IoT revolution, according to Mikko, is the compounding effects of the unknown, which he compared to asbestos 50 years earlier.
“Sometimes we are developing new technology… falling in love with it… and deploy and implement it everywhere, only to realize decades later it was a horribly bad idea,” said Mikko.
“Asbestos was a revolutionary material, with great benefits [but] turned out to be a horribly bad idea. What’s happening now could turn out to be IT asbestos.”
The telltale signs of this happening are already apparent to Mikko, who pointed to car manufacturers being able to push updates and patches wirelessly in real time, as well as the growing propensity to manufacture and deploy ‘stupid’ devices.
The long lifetime of connected cars creates another question; how long should the manufacturers provide security patches for their cars?
— @mikko (@mikko) January 10, 2019
From a poll of more than 1,200 Twitter followers, more than 70% said manufacturers should be providing patches for cars for more than 25 years.
Some of these connected devices, such as cars, have very long lifecycles and we have no idea if and how they will be maintained and protected when they are 20 to 30 years old, with Mikko adding “nobody is providing security patches for anything for more than 15 years, typically more than 5 years.”
“What we are creating could be the next big headache that we have to worry about for the upcoming decades.”