Releasing unstable software harms cybersecurity for everyone, not just those who install the product.
Most consumers do not take the time to upgrade their devices simply because vendors want them to: there has to be something in it for me. Apple, on the other hand, has been an exception. Studies have repeatedly shown that Apple users do regularly upgrade their phones. Just one month after release, their latest version was installed on 52% of their devices. By comparison, summing all Android releases from 2015 to present gets you that same number, with the latest releases coming in around 20% of the total.
This becomes a Big Deal when we start talking about vulnerabilities, and zero-day exploits. If there is a bug in your device and it is running an older version of the code, and you do not update, then that device can be used to attack you or someone else. This is something that Microsoft learned the hard way in the last decade when it snuck in extra software in a security update, losing trust and confidence and willingness of their users.
In his review, Gordon Kelly has told his Forbes readers not to upgrade to the latest Apple iOS release precisely because it may be too risky, that the release itself was rushed. When considering release timing, any vendor always has to balance stability and testing against other feature availability and security. Apple may well have gotten the balance wrong this time. The review in and of itself harms cybersecurity, not because the reviewer is wrong, but because the result will be that fewer people will have corrected whatever vulnerabilities exist in the release (as of this writing information about what is fixed hasn’t been disclosed). Moreover, such reviews reinforce a bad behavior- to delay upgrading. I call it a bad behavior because it puts others at risk.
This isn’t something that can be fixed with a magic wand. We certainly cannot fault Mr. Kelly for publishing his analysis and recommendations. If we wait for perfect security, we will never see another feature release. On the other hand, if things get too rushed, we see such bad reviews. Perhaps this argues that O/S vendors like Apple and Google should continue to provide security-only releases that overlap their major releases, at least until they are stable, which is what other vendors such as Microsoft and Cisco do. It costs money and people to support multiple releases, but it might be the right thing to do for the billions of devices that are each and every one a point of attack.
If Apple can blow it, so too can the rest of us. That’s why a layered defensive approach is necessary.
When we talk about secure platforms, there is one name that has always risen to the top: Apple. Apple’s business model for iOS has been repeatedly demonstrated to provide superior security results over its competitors. In fact, Apple’s security model is so good that governments feel threatened enough by it that we have had repeated calls for some form of back door into their phones and tablets. CEO Tim Cook has repeatedly taken the stage to argue for such strong protection, and indeed I personally have friends who I know take this stuff so seriously that they lose sleep over some of the design choices that are made.
And yet this last week, we learned of a vulnerability that was as easy to exploit as to type “root” twice in order to gain privileged access.
Ain’t no perfect.
If the best and the brightest of the industry can occasionally have a flub like this, what about the rest of us? I recently installed a single sign-on package from Ping Identity, a company whose job it is to provide secure access. This simple application that generates cryptographically generated sequences of numbers to be used as passwords is over 70 megabytes, and includes a complex Java runtime environment (JRE). How many bugs remain hidden in those hundreds of thousands of lines of code?
Now enter the Internet of Things, where manufacturers of devices that have not traditionally been connected to the network have not been expert at security for decades. What sort of problems lurk in each and every one of those devices?
It is simply not possible to assure perfect security, and because computers are designed by imperfect humans, all these devices are imperfect. Even devices that we believe are secure today will have vulnerabilities exposed in the future. This is one of the reasons why the network needs to play a role.
The network stands between you and attackers, even when devices have vulnerabilities. The network is best in a position to protect your devices when it knows what sort of access a device needs to operate properly. That’s your washing machine. But even for your laptop, where you might want to access whatever you want to access, whenever you want to access it, through whatever system you wish to use, informing the network makes it possible to stop all communications that you don’t want. To be sure, endpoint manufacturers should not rely solely on network protection. Devices should be built with as much protection as is practicable and affordable. The network provides an additional layer of protection.
Endpoint manufacturers thus far have not done a good job in making use of the network for protection. That requires a serious rethink, and Apple is the posture child as to why. They are the best and the brightest, and they got it wrong this time.
Pew should evolve the questions they are asking and the advice they are giving based on how the threat environment is changing. But they should keep asking.
Last year, Pew Research surveyed just over 1,000 people to try to get a feel for how informed they are about cybersecurity. That’s a great idea because it informs us as a society as to how well consumers are able to defend themselves against common attacks. Let’s consider some ways that this survey could be evolved, and how consumers can mitigate certain common risks. Keep in mind that Pew conducted the survey in June of last year in a fast changing world.
Several of the questions related to phishing, Wifi access points and VPNs. VPNs have been in the news recently because of the Trump administration’s and Congress’ backtracking on privacy protections. While privacy invasion by service providers is a serious problem, accessing one’s bank at an open access point is probably considerably less so. There are two reasons for this. First, banks almost all make use of TLS to protect communications. Attempts to fake bank sites by intercepting communications will, at the very least produce a warning that browser manufacturers have made increasingly difficult to bypass. Second, many financial institutions make use of apps in mobile devices that take some care to validate that the user is actually talking to their service. In this way, these apps actually mark a significant reduction in phishing risk. Yes, the implication is that using a laptop with a web browser is a slightly riskier means to access your bank than the app it likely provides, and yes, there’s a question hiding there for Pew in its survey.
Another question on the survey refers to password quality. While this is something of a problem, there are two bigger problems hiding that consumers should understand:
- Reuse of passwords. Consumers will often reuse passwords simply because it’s hard to remember many of them. Worse, many password managers themselves have had vulnerabilities. Why not? It’s like the apocryphal Willie Sutton quote about robbing banks because that’s where the money is. Still, with numerous break-ins, such as those that occurred with Yahoo! last year*, and the others that have surely gone unreported or unnoticed, re-use of passwords is a very dangerous practice.
- Aggregation of trust in smart phones. As recent articles about American Customs and Border Patrol demanding access to smart phones demonstrate, access to many services such as Facebook, Twitter, and email can be gained just by gaining access to the phone. Worse, because SMS and email are often used to reset user passwords, access to the phone itself typically means easy access to most consumer services.
One final area that requires coverage: as the two followers of my blog are keenly aware, IoT presents a whole new class of risk that Pew has yet to address in its survey.
The risks I mention were not well understood as early as five years ago. But now they are, and they have been for at least the last several years. Pew should keep surveying, and keep informing everyone, but they should also evolve the questions they are asking and the advice they are giving.
* Those who show disdain toward Yahoo! may find they themselves live in an enormous glass house.
Your chance to try and chime in on Manufacturer Usage Descriptions, a way to protect IoT devices.
You may recall that I am working on a mechanism known as Manufacturer Usage Descriptions (MUD). This is the system by which manufacturers can inform the network about how best to protect their products. The draft for this work is now about to enter “working group last call” at the IETF. This means that now would be a very good time for people to chime in with their views on the subject.
In the meantime, MUD Maker has also been coming along. This is a tool that generates manufacturer usage descriptions. You can find the tool here.
MUD isn’t meant to be the whole enchilada of IoT security. Other tools are needed to authenticate devices onto the network, and to securely update them. And manufacturers have to take seriously not only their customers’ needs, but what risk they may impose on others, as Mirai reminded us. Had MUD been around at the time, it’s possible that Mirai would not have happened.
When Edward Snowden disclosed the NSA’s activities, many people came to realize that network systems can be misused, even though this was always the case. People just realized what was possible. What happened next was a concerted effort to protect protect data from what has become known as “pervasive surveillance”. This included development of a new version of HTTP that is always encrypted and an easy way to get certificates.
However, when end nodes hide everything from the network, not only can the network not be used by the bad guys, but it can no longer be used by the good guys to either authorize appropriate communications or identify attacks. A example is spam. Your mail server sits in front of you and can reject messages when they contain malware or are just garbage. It does that by examining both the source of the message and the message itself. Similarly, anyone who has read my writing about Things knows that the network needs just a little bit of information from the device in order to stop unwanted communications.
I have written an Internet Draft that begins to establish a framework for when and how information should be shared, with the idea being that information should be carefully shared with a purpose, understanding that there are risks involved in doing so. The attacks on Twitter and on krebsonsecurity.com are preventable, but it requires us to recognize that end nodes are not infallible, and they never will be. Neither, by the way, are network devices. So long as all of these systems are designed and built by humans, that will be the case. Each can help each other in good measure to protect the system as a whole.
Photo of Edward Swowden By Laura Poitras / Praxis Films, CC BY 3.0