What do you get when you combine hacking tools that are easy to access, a treasure trove of stolen user credentials, user authentication that's so complex it practically begs to be bypassed, and companies that make connected devices with little understanding of what they're doing and even less of an idea of how to fix the mess they've made?
That was the question Troy Hunt, cybersecurity expert and creator of haveibeenpwned.com, set out to answer in the closing keynote on Day 1 of the AusCERT 2019 conference.
TalkTalk is a major telco in the United Kingdom. It was breached in 2015, with the resulting damage costing the company £77M. Initially, the company blamed "Russian Islamic Cyber Jihadists" for the attack, before it was found that a 17-year-old youth was responsible. And while the attack was costly for the telco, it was executed using easily available SQL injection software. There are even videos on YouTube that demonstrate how to execute similar attacks, 'for educational purposes' according to the publishers.
Complex password rules are also a problem, said Hunt. We have so complicated the process of choosing a password, and then forcing users to change it, that it's no surprise users try to find ways to circumvent the complexity. And tools that strengthen user security, such as 2FA, are often avoided by security teams who say they are too complex for users, even though the same users have 2FA on their social media, banking and other personal accounts.
The rapid rise of connected devices, often developed and deployed by people with a limited understanding of the risks they put customers under, is also a major factor in today's breach pipeline. Hunt's work in revealing the security weaknesses of Cloud Pets is well known in the security industry. These toys were WiFi-connected soft toys equipped with cameras and microphones that could be used by parents to communicate with their kids.
Unfortunately, the creator of these toys, who has since gone bankrupt, didn't properly secure the communications between the app parents used and the toys, which left an attacker able to communicate with children.
In a similar case, a 'smartwatch' for children called the TikTocTrack, which was meant to let parents keep track of where their kids are and communicate with them, was poorly secured, allowing an attacker not only to track a child, but also to communicate with them and obscure their real location.
Connected cars aren't immune from these oversights. Hunt mentioned that the Nissan Leaf could be controlled using an app. For example, the app could be used to turn the car's heating on remotely on a cold day. An investigation revealed that the app determined which car it was linked to using the car's unique VIN (Vehicle Identification Number). That makes sense given each car's VIN is a unique identifier. It makes less sense when you realise the VIN is printed on the windscreen of every car.
So, an attacker could simply walk down a street and collect VINs and then easily create an app that allowed them to take over the car.
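The design flaw Hunt describes is that a public identifier was doing the job of a credential. The following is an added illustration, not code from the keynote or from Nissan: a minimal vehicle API in which the VIN alone selects and controls a car, beside a version where the VIN only selects the car and a logged-in account must also own it. All VINs, accounts and function names are constructed for the example.

```python
"""Added example: a VIN is an identifier, not a secret. The first endpoint
treats it as a credential; the second binds control to an authenticated
account that owns the vehicle."""
import secrets

# Constructed sample data (made-up VINs and account names).
VEHICLES = {"1N4AZ0CP0FC000001": {"climate": "off"},
            "1N4AZ0CP0FC000002": {"climate": "off"}}
ACCOUNTS = {"alice": {"1N4AZ0CP0FC000001"}}   # account -> VINs it owns
SESSIONS = {}                                  # bearer token -> account


class Forbidden(Exception):
    """Raised when a request is not allowed to touch the vehicle."""


def login(account: str) -> str:
    """Issue a random bearer token; stands in for a real login flow."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token


def set_climate_vin_only(vin: str, state: str) -> dict:
    """Weak design: the VIN is the only thing checked. Anyone who has read
    a VIN off a windscreen can drive this endpoint."""
    car = VEHICLES[vin]
    car["climate"] = state
    return car


def set_climate_authorized(token: str, vin: str, state: str) -> dict:
    """Hardened design: the VIN only selects the vehicle. The caller must
    present a valid session AND that session's account must own the VIN."""
    account = SESSIONS.get(token)
    if account is None:
        raise Forbidden("no valid session")
    if vin not in ACCOUNTS.get(account, set()):
        # Same answer whether or not the VIN exists, so the endpoint does
        # not confirm which VINs are registered with the service.
        raise Forbidden("vehicle not linked to this account")
    car = VEHICLES[vin]
    car["climate"] = state
    return car
```

The ownership check is the piece that was missing: knowing a VIN should let you look a car up, never let you operate it.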
In each of those cases, the manufacturers were not only oblivious to the risks they created but weren't equipped to deal with the issues.
The combination of easily accessed tools for breaking into systems, vast libraries of stolen user credentials, complex security processes for users, and a poor understanding by some manufacturers of the risks that come with connectivity has created a new pipeline through which more breaches occur.
For security professionals, the advice is clear. Make it easy for users to adopt sound security practices and ensure that systems are protected from known vulnerabilities.
The creators of new products and those adding connectivity to old products need to think carefully about the new risks they face and have appropriate processes and expertise on hand to deal with issues when they arise.