No Safety

Does it seem like there has been an unusually large number of highly-publicized security issues lately?

In the past couple of weeks, I’ve seen two different “Take over or destroy an Android phone” vulnerabilities. With, of course, the obligatory notation that the majority of vulnerable systems will never be patched because carriers don’t want to test and deploy OS updates for hundreds of models of phones they don’t sell anymore.

So then we get the mandatory calls for everyone to switch to iOS*. Because of course, Apple doesn’t release OSes that can crash when they receive a text message. Or stop supporting older devices. (For anyone who has trouble detecting sarcasm in print, yes, a couple of months ago, a bug that allowed many iOS+hardware combinations to be crashed via SMS was widely discussed. And the forthcoming iOS 9 will be the first release in quite some time that doesn’t orphan any Apple hardware.)

* Not, I’m pleased to see, from mainstream media, only from the most vocal, least thoughtful Apple fans. Maybe there’s hope for the press.

Then there’s the widely-reported story that recent-model Fiat Chrysler vehicles are hackable over the Internet. And Chrysler’s decision to distribute the fix by mailing USB drives to car owners. (Colin Neagle has a nice piece in NetworkWorld on why this is such a bad idea*.) Realistically, Fiat Chrysler can’t be the only automaker distributing vulnerable software. Remember: Internet connections are two-way. If your car stereo supports Pandora or your GPS downloads live traffic data, you had better hope the manufacturer has included good defenses against attack.

* Although Mr. Neagle missed one scenario. After decades of being told to reinstall software (and even operating systems–yes, I’m looking at you, Microsoft) to fix problems, how many of those Jeep owners are going to decide their car isn’t running right, and reinstall the patch? I don’t think it would do much harm to reinstall it over itself–though I can imagine scenarios where that could cause a problem–but what about six months or a year down the road, after the dealer has upgraded the car’s software? Does Chrysler’s software update system guard against downgrades?
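The downgrade question above is exactly what an updater’s anti-rollback logic has to answer. The following is an added example written for this post, not Chrysler’s code or any real vehicle updater: a small installer that accepts a package only if its manifest is authentic, the image matches the hash the manifest binds, and the version is not older than what is installed. Reinstalling the current version is treated as a harmless no-op. The key, package layout, version numbers and images are all constructed for the example, and the HMAC tag stands in for the asymmetric signature a real vendor would use.

```python
"""Anti-rollback checks for a firmware/software update package (constructed example)."""
import hashlib
import hmac
import json

# Constructed demo key. A real updater would verify an asymmetric signature
# (e.g. Ed25519) with only the public key stored on the vehicle; HMAC is used
# here purely so the example runs without extra libraries.
VERIFY_KEY = b"constructed-demo-key-not-for-production"


def canonical(manifest: dict) -> bytes:
    """Canonical JSON encoding so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict) -> str:
    """Stand-in for the vendor's signing step: tag over the canonical manifest."""
    return hmac.new(VERIFY_KEY, canonical(manifest), hashlib.sha256).hexdigest()


def build_package(version: int, image: bytes) -> dict:
    """What the vendor ships: the image, a manifest binding version and image hash, and a tag."""
    manifest = {"version": version, "image_sha256": hashlib.sha256(image).hexdigest()}
    return {"image": image, "manifest": manifest, "tag": sign_manifest(manifest)}


class UpdateInstaller:
    """Installer that accepts only authentic, non-downgrading packages."""

    def __init__(self, installed_version: int):
        # On a real device this value lives in tamper-resistant storage
        # (a monotonic counter or secure element), not a plain file.
        self.installed_version = installed_version

    def install(self, package: dict) -> str:
        manifest, tag, image = package["manifest"], package["tag"], package["image"]

        # 1. Authenticity: the manifest must carry a valid tag.
        if not hmac.compare_digest(sign_manifest(manifest), tag):
            return "rejected: bad signature"

        # 2. Integrity: the image must be the one the signed manifest describes.
        if hashlib.sha256(image).hexdigest() != manifest["image_sha256"]:
            return "rejected: image does not match manifest"

        # 3. Anti-rollback: never move to an older version, even a correctly signed one.
        version = manifest["version"]
        if version < self.installed_version:
            return "rejected: downgrade"

        # 4. Reinstalling the current version is harmless; treat it as a no-op.
        if version == self.installed_version:
            return "no-op: already installed"

        # Flash the image here (omitted), then advance the stored version last so
        # an interrupted update cannot leave the counter ahead of the image.
        self.installed_version = version
        return f"installed {version}"


if __name__ == "__main__":
    installer = UpdateInstaller(installed_version=5)
    print(installer.install(build_package(6, b"constructed image v6")))  # installed 6
    print(installer.install(build_package(6, b"constructed image v6")))  # no-op
    print(installer.install(build_package(4, b"constructed image v4")))  # rejected: downgrade
```

The order of the checks matters: authenticity first, so an attacker cannot influence any later decision with an unsigned manifest, and the version comparison last, against a value the attacker cannot reset. The downgrade rejection applies even to a genuine, vendor-signed older package; that is the whole point, since the old package is presumably the one with the bug.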

And the vulnerabilities keep coming. Ars Technica has a couple of security-related stories on the front page today. Another automotive issue: a security researcher has found a way to hijack the remote starting capability in GM’s OnStar-equipped cars. It’s not a vulnerability in the car’s software; the problem is in the smartphone apps. Until GM releases a fix, they’re advising car owners not to use the remote start capability.

And it’s not just cars and phones that have vulnerabilities. An easy-to-exploit crash in Bind* was just patched. Of course, just because it’s been patched doesn’t mean the fixed version has been deployed on all–or even most–servers. Or that all of the related bugs have been found and fixed.

* Bind is the most commonly used DNS software–the tool that translates easy-to-remember names like, say, koiscribblings.com into the numeric addresses that computers use to locate each other. The ability to easily crash Bind is the ability to disable large chunks of the Internet by making it impossible for individual computers to find each other.

I could go on, but I’ll spare you.

So are there more vulnerabilities being reported than in the past? Or are they just getting more publicity?

I’m not trying to suggest that we’re all doomed. But it’s clear that the people creating all of our spiffy new gadgets are thinking “spiffy” first and “secure” much further down the priority list. That means it’s up to us, the consumers, to think about security. If you decide a Bluetooth-enabled door lock is too risky, don’t buy it–and send the company that makes it an e-mail explaining why. Same thing for your next car, burglar alarm, or refrigerator purchase. Make your own safety and privacy one of your criteria, and tell the losers where they fell short. The only way to move security up the priority list is to make the connection between poor security and lost sales explicit.
