When people think of cybersecurity they often envision hackers sitting in dark basements, wearing black hoodies, glued to their computer screens trying to infiltrate some niche computer system they've never heard of before. What they rarely think of is the smartphone in their pockets, the smart appliances in their homes, the medical devices they are treated with in hospitals or the power grid we all need to keep our lives running as they are.
Daniel dos Santos, Research Manager at Forescout Technologies.
Cybersecurity is no longer the fringe discipline of IT that it might have been 30 years ago. It now touches every aspect of our lives, every single day. Some estimate that by 2025, there will be up to 72 billion connected devices - almost ten times the number of people on the planet. Every one of those devices is a potential target that can be compromised for personal, political or financial gain by bad actors. It is therefore no surprise that, according to scholars, a cyberattack nowadays happens every 38 seconds.
The only way to protect ourselves against bad actors that are trying to use these attacks to cause havoc is to get ahead of the game and anticipate their next move. This is what frontline cybersecurity research aims to do. With the frequency, intensity and scale of cyberattacks continuously increasing, it is now more important than ever before.
Not all vulnerabilities are created equal
The truth about cyberattacks is that they aren't always as sophisticated as they may sound at first. The recent Verkada connected cameras hack that affected Tesla, as well as many schools and hospitals, was the result of bad actors accessing and using credentials stored on a cloud server. The SolarWinds breach happened because of an easily-guessable password that was found on the public internet, while the WannaCry ransomware exploited a known vulnerability in an outdated operating system. Every one of these attacks was easily preventable.
Bad actors are often looking for the easiest, most effective and efficient way to compromise a device - and that usually involves exploiting existing vulnerabilities. Fundamentally, most vulnerabilities are the same. We might be giving them different names and group them into different categories, but at their most basic level, they are all very similar to each other. One big noticeable difference is what they let bad actors do, which usually depends on the device in question.
The reason for this is that the software - be that the operating system or specific applications - in use on most of today's devices is usually open source or repurposed. In order to keep up with market expectations, devices need to be developed and rolled out at record speed, which means manufacturers are often using existing code to fast track product development. While this approach might provide many benefits, it creates a real challenge in the long term, namely, if a vulnerability is found in the software of one device, it likely applies to billions of devices too.
In fact, a cybersecurity research project called "Project Memoria" that I am currently involved in has discovered a range of such critical vulnerabilities affecting millions of devices across all industries as a result of flaws in communication stacks being used by manufacturers around the world. Some of these vulnerabilities are decades old and were believed to have been fixed a long time ago. Yet, 30 years on from when they were first discovered, we found that they were still present in millions of devices today.
With the right tools, bad actors could exploit these vulnerabilities to manipulate industrial devices to cause wide-spread power outages and blackouts, or jeopardize the physical safety of residents by disabling smart home alarms and smoke detectors. They could access and manipulate temperature monitors in storage spaces to spoil medications and vaccines - including the COVID vaccine - as well as disable security cameras and physical access control devices to allow unauthorized individuals access to restricted areas. The frightening thing is that some of this might already be happening today.
Knowledge is power
As cybersecurity researchers we often get asked why we are publicly disclosing vulnerabilities. Aren't we helping bad actors by doing so? The reality is that someone somewhere is probably already aware of these vulnerabilities and using them to their advantage. It would be unethical to discover a backdoor into critical devices and then keep that information to ourselves. Furthermore, as experts in our field, we have a moral duty to educate others and help protect them from bad actors with malicious intentions. That means, sometimes speaking an uncomfortable but necessary truth.
To properly protect ourselves in the future, we need to radically rethink how we perceive the world around us. We need to understand that everything is a device nowadays. Modern cars are nothing but computers on wheels. Planes are computers that fly, mostly autonomously. Even when we open our taps or switch on our lights there are connected devices somewhere along the supply chain that make all of it possible. As our world becomes increasingly interconnected, cybersecurity research will continue to be one of our most potent and indispensable tools in our global fight against bad actors wanting to cause chaos and disruption.
- We've featured the best forensic and pentesting Linux distros.
