Stop hacking random stuff. It’s getting trivial.

Once we acknowledge nearly everything is insecure, we can engage in a more nuanced discussion about security.

Keep_Gate_Closed_mt2ri_FlickrI was gratified to read Dave Aitel’s rant about junk hacking last week [via Peter Lewis and abridged below]:

“Yes, we get it. Cars, boats, buses, and those singing fish plaques are all hackable and have no security. Most conferences these days have a whole track called ‘Junk I found around my house and how I am going to scare you by hacking it.’ That stuff is always going to be hackable whetherornotyouarethecalvalry.org.

“Yes, there is Junk in your garage, and you can hack it, and if
you find someone else who happens to have that exact same Junk, you can probably hack that, too, but maybe not, because testing is hard.

“Cars are the pinnacle of junk hacking, because they are meant to be in your garage. Obviously there is no security on car computers. Nor (and I hate to break the suspense) *will there ever be*. Yes, you can connect a device to my midlife crisis car and update the CPU of the battery itself with malware, which can in theory explode my whole car on the way to BJJ. I personally hope you don’t. But I know it’s possible the same way I know it’s possible to secretly rewire my toaster oven to overcook my toast every time even when I put it on the lowest setting, driving me slowly but surely insane.

“So in any case, enough with the Junk Hacking, and enough with being amazed when people hack their junk.”

Security is extraordinarily important when you start connecting things to networks that haven’t been connected before. Smart devices can create security risks by two means:

  1. Increasing the sheer number of devices connected to the Internet, and therefore the surface area vulnerable to an attack
  2. Enabling scalable attack methods through standardized, modular hardware and software. Heartbleed and Shellshock, for instance, rendered vulnerable millions of computers that run OpenSSL and Bash, respectively. A vulnerability in a single popular microcontroller could open anything from door locks to agricultural equipment to hackers.

These very legitimate security concerns have made the public receptive to a kind of paranoid, binary mentality in which everything is either secure or not, and the public is outraged when it turns out something is insecure. As Aitel points out, just about everything is insecure, and once we acknowledge that we can engage in a much more nuanced discussion about security.

Security is always a balance between cost and risk. If the security of your home were your absolute top priority, you’d put all of your resources into encasing it in a concrete bunker before you spent a cent on anything else. Likewise, a computer can be made secure by making sure it’s not connected to any other computer, whether by the Internet or a “sneakernet” of USB drives.

Of course, an islanded computer isn’t very useful for most things. Even in cases where it might be useful, as with industrial controls, connectivity can arguably improve safety, if not security — allowing remote monitoring and fast response.

I hope the public conversation on computer security will mature over the next few years, but we’ll hear a lot of noise in the meantime.

Image on article and category pages by mt2ri on Flickr, used under a Creative Commons license.

tags: , ,