Jul 15, 2012

Computerized device controllers are commonly connected to the internet, with very inadequate security protections.

It isn’t just us who are warning about computer vulnerabilities.  Now the Department of Homeland Security is getting in on the act too.  On Friday it warned that more than 11 million computerized device controllers around the world are vulnerable to cyber-attack by hackers.

These units control all manner of different things, from elevators to medical equipment, from security systems to other ‘sensitive operations’ at DoD facilities.  The common point of vulnerability they all share is a type of remote access/control system called the Niagara Framework.

This is a sophisticated type of universal access software that has over 4 million lines of code within it, and is used by devices in over 52 countries.  With so much sophistication, it is unsurprising that there may be some overlooked subtle bugs and vulnerabilities.

It isn’t just a case of ‘may be some bugs/vulnerabilities’.  It is a case of ‘yes, there definitely are known bugs and vulnerabilities’.  Indeed, some of the known vulnerabilities were discovered over a year ago, and systems still remain vulnerable to them now.

Note the myopic view in this earlier article: attacks on Niagara-connected devices were thought to be unlikely because it was thought hackers would not be interested in such devices, and a large part of the ‘security’ was simply making the devices ‘hard to find’.  That is a nonsense claim, as you’ll appreciate once you understand the software that seeks out all known types of internet-connected devices, such as we explain and discuss here.  (Ironic note – when we wrote that article, barely a week ago, we were headlining the presence of 40,000 known vulnerable systems around the world – it seems that a week later, we need to increase that count from 40,000 to 11+ million!)

That concept of ‘security’ has been shown to be nonsense – one researcher managed, single-handedly, to discover thousands of Niagara-connected devices on the internet.  And a couple of amateur ‘good guy’ hackers, also working on their own, have managed to uncover 25 different serious vulnerabilities that exist on network-attached controllers.  After a day or so of research, it took them five minutes to find a way to download details of all the usernames and passwords for any given Niagara-connected system.

The Moral of the Story

The people who assure us of the security of the systems they design and sell have many times been shown to be making such claims based on ridiculous approaches to security.  It is like they lock the front door, then hide the key under the door mat, on the basis that ‘no-one is likely to visit your house, and if they did, well, they’d never think of looking under the doormat for the key’.

This is a dismaying insight into how the people we trust to protect the systems we both trust and rely upon in so many aspects of our regular lives actually define ‘security’.  Unfortunately, as has been proven many times, people who seek to unlawfully access and exploit computer systems are massively more creative than the people we have charged with protecting and securing the systems.

The internet potentially allows anyone, anywhere, to access 11+ million different devices that apparently have somewhere between weak and no security at all protecting them from being taken over by unauthorized users.  What would happen if a coordinated cyber-attack simultaneously took over all 11+ million devices, and instructed them to misbehave?

Or, in a more subtle manner, what would happen if attackers took over the control systems for some of the DoD security monitoring systems, so as to gain physical access to installations that might well contain our own stockpiles of ‘weapons of mass destruction’ in some form or another?


