Taking Insecure Cyber Infastructure to Our Homes
2017-06-10 -  3:22
I remember going to a friend's house when I was younger and they had a computer to play the Pokemon Trading Card game on, but no internet connection. We had an old IBM MS-DOS computer at home when I was really little that we'd play 5.25in floppy disk games off of 5.25in, but no internet connection. Computers with internet access was just something schools, companies, and enthusiasts who spent all of their hard earned money on computing devices had. Of course BBSs, IRC, and even HTTP/1.1 websites were available at the time, but computers were still generally meant for the education sector, businesses, and enthusiasts to innovate further.
As the dot com bubble came and popped, more businesses and people started getting computers and connecting them to the internet. They had access to the world, but the world also now had access to them. Attackers could now remotely break into your things.
Fast forward to 2017. We have tens of billions of devices connected to the internet, much of the world's infrastructure is managed by processes and machines that need an internet connection and even some Government services require the internet to sign up for. When was the last time you found a job and applied to it in person? The internet went from being an education tool, a business tool, and a "fad" in the 90s to being essentially a required human right today. We have smartphones, laptops, desktops, locks, toasters, lightbulbs, even intimate sex toys connected to the internet and more importantly... the internet is connected to those devices.
Defensive security for devices has always been difficult. You have to plan for all of the edge cases an attacker might leverage, only to learn that you forgot an edge case... and another... and another... Internet of Things (IoT) devices rarely are built with security in mind, often times having hard-coded usernames and passwords that you cannot change. Many of these devices are running a full Linux operating system that can act like any other computer on your network and connect to other devices on your network. An attacker can leverage your internet connected smart toaster to get past your firewall to hack into your personal machine that you keep private and important information on.
As time goes on, more devices will be connected to the internet. We took security problems to our homes and deviced to rely on it and will continue to do so in the future. This reliance will extend (as it is already starting to do) to medical and safety devices, making it easier for attackers to actually effect the physical lives of others.
The problem with smart people creating infrastructure is that smarter people will take it over. The infrastructure is functional as a tool, but not secure. If I use a smart lock, I can generally expect that my smartphone can lock and unlock the door over the internet, but I can't expect an attacker to not be able to be able to hack into that lock. When an attacker can control the action of locking and unlocking my door, is my door really mine anymore? When my toaster gets hacked and logs into my network router with the default (and sometimes hard coded) username and password, is my network really mine anymore? When an attacker hacks into the pacemaker of someone... is that person's heart really theirs anymore?