Just a few days ago, news began circulating on the internet of a strange problem with Cisco routers, which was easy to identify as it caused complete failure. Shortly afterwards, Cisco issued a warning for specific products which may still be functioning normally but could fail without warning after approximately 18 months of operation. Meanwhile, a list of affected devices has now been published online. But that’s far from the full story.
Most IT devices have some form of remote access, whether via web browser or app. As long as devices are accessed by an authorized user from within an internal network, this isn’t a problem. Unfortunately, many devices, especially routers and smart home gateways, are also accessible from the internet. And that’s where the problems begin. In fact, they have never stopped. Open remote access is among the greatest yet unfortunately inevitable threats to IT devices. Anybody who can access the management interface can control the device, and usually the owner will not notice. Devices that are connected to the internet are constantly scanned and scrutinized for vulnerabilities. Open remote management interfaces should be treated as the digital equivalent of a loaded gun. It can be used, but you need to know exactly what you are doing and take every possible precaution.
The research and analyst firm techconsult issued a summary of the five major security vulnerabilities in SMEs and public organizations in Germany at the start of 2017. Their annual study Security-Bilanz Deutschland reviews IT and information security based on a representative survey of more than 500 interviews in companies and non-profit organizations. Sadly, the results are not that surprising each year. Although the organizations surveyed are aware of the problems and have the resources to deal with them, they unfortunately approach issues through the wrong channels, inconsistently, or too late.
Internet of things products are small, networked and unfortunately almost always have little or no security. Sometimes this is down to a lack of willingness by the manufacturer, but it is also partly due to the nature of the product – small and light also means that these devices have few resources for complex security features such as encryption and packet inspection. This leads to vulnerabilities, numerous attack vectors and ultimately to a bot device which can be abused by almost anyone. Following the latest large-scale attacks that primarily use IoT devices as a digital army, there is a loud demand from those who want more legislation and governments to get involved. In a hearing before the Committee on Energy and Commerce of the US House of Representatives, the security guru Bruce Schneier stated that “catastrophic risks” would arise through the proliferation of insecure technology on the Internet.
The trend towards greater state surveillance has become even more obvious since Edward Snowden’s revelations. Governments frequently justify such invasions of their citizens’ privacy as counterterrorism or anti-pedophile measures. In recent weeks, two unmissable examples of state interference have been hurried through, including an amendment to Rule 41 of the Federal Rules of Criminal Procedure in America and the Investigatory Powers Bill by Theresa May. Both laws permit or legalize massive invasions of privacy. Nobody is questioning the presence of a criminal threat – whatever it may be motivated by. However, changes to legislation will weaken the security of many IT products, which is already under heavy fire, as demonstrated by current events such as the Google hack or attack on Telekom routers in Germany.