Welcome to our modern world.
Any app that doesn’t protect its code—small, big, stupid, pointless—is vulnerable. Unprotected code doesn’t play favorites; it could be a banking app or an app that allows you to draw mustaches on cats. If it contains code, it has the potential to be hacked.
Every device and system is hackable—it’s just a matter of time and hacker motivation.
Observer recently connected with Asaf Ashkenazi, chief strategy officer at Verimatrix, who warned that the security of every connected device matters. And Ashkenazi knows; he’s been a cybersecurity industry veteran for more than 15 years and is a renowned thought leader on the topic of IoT (“Internet of Things”) device security. For Ashkenazi, good cybersecurity can be the difference between a hacker spending a few days to find a vulnerability, or spending months, or even years, without much progress.
“Almost every device these days runs some kind of software,” Ashkenazi said. “From our cars that run millions of lines of code to our home appliances and smart speakers that have lately invaded our homes. And of course, our smartphones, which host tons of applications that help us interact with almost every aspect of our lives.”
Ashkenazi explained that all code contains an expected rate of error, or a bug rate. Not to send waves of fear to anyone, but the more code associated with an app or device, the greater the risk of cybersecurity threats. And it gets better: since the amount of code and automation concealed in everyday items is expected to continue to grow exponentially, the risk of cyberattacks will also continue to increase.
We read about hacking all the time. So what is currently being done wrong in the stratosphere of cybersecurity?
“Both consumers and companies don’t always give cybersecurity risks the right attention,” said Ashkenazi. “Consumers are concerned when they read about security breaches in the news, but when it comes to buying decisions, security is quite lower in consumers’ buying habits that prioritize product features, performance and price.”
According to Ashkenazi, these buying habits lead many device/app developers to pay less attention to security, as well as to spend less of their R&D (research and development) budget to secure their product.
“Fortunately, this is changing, and more companies are paying attention to security,” Ashkenazi added. “But even for the companies that take security seriously, it’s more of a necessity than a differentiator consumers appreciate.”
As consumers we wouldn’t consider buying a car if it had a poor safety rating, right? So, why do we still buy devices that have been noted to have poor security?
Answer: Lower prices. But there’s a larger price to be paid.
We already covered how hackers can infiltrate such everyday devices as baby monitors (in order to shout obscenities) and dating apps (to gather all of our data). So, what other everyday devices does Ashkenazi see as a security threat?
“Hair straighteners, refrigerators, HVAC systems, among others, are at risk,” he stated. “All devices, applications and appliances that have code and network connectivity are at risk of being hacked.”
Now that most devices are connected via Wi-Fi, consumers generally have a naïve view of the security damage that could be done if someone hacked into these bland gadgets.
“Take for an example a Wi-Fi controlled light bulb, or a home printer,” Ashkenazi explained. “The average consumer wouldn’t be as worried about the hack of these devices: ‘At the end of the day, what is the worst that can happen? A hacker will remotely turn off the light?’ What they don’t always realize is that these devices are just a gateway to attack other devices connected to the home network.”
Through a compromised light bulb, a hacker could easily access the home network and any additional connected devices, including network drives, home PCs, etc.
Another gateway to vulnerability is that most of us can’t be bothered to update the software on our devices, despite the fact that such updates help prevent security breaches.
“As time passes and we continue to have unpatched connected devices in our homes with dated software full of known bugs, we are just waiting to be exploited by hackers,” said Ashkenazi.
The consequences can sometimes even be life-threatening.
Hacking into a Wi-Fi controlled light bulb is one thing, but take an app connected to an insulin pump and the effects could mean… death.
Further, if an app has access to a phone’s camera, microphone or GPS, it can severely compromise our privacy. If it’s an app that connects to our bank, it can drain our life savings. Scared yet?
“If an app is compromised, whatever function that is available to the user, is now also available to a remote hacker,” Ashkenazi said. “Whatever data the app has access to, a remote hacker also has access to the data, and in most cases, without the user knowing.”
We are talking to you, Tinder—where we dumbly fill out a profile that trumpets and exposes all corners of our personal information, from where we work to the city we currently live in.
Every hack starts with reverse engineering the app in order to understand how it works and to find vulnerabilities that can be exploited. Hackers can download any app available on, say, Apple’s App Store or Google Play, reverse engineer it, and add their malicious code.
“They then trick users to install the modified app as if it was the original app,” Ashkenazi explained. “Since the modified compromised app is based on the code of the original app, it will be trusted by the attached service or devices connected to it. The added malicious code will let a remote hacker access all data the app has access to and any functions of the app.”
For example, a hacker who compromises a chat app can see all messages sent and received, and can even spoof messages sent to other users.
Ashkenazi said there are multiple reasons why some companies fall short in the cybersecurity arena. Budget and priority are factors. Sometimes, companies might not provide any software updates because, with the budgets they face, they cannot afford to do so; security solutions tend to be quite pricey and complicated to deploy. Other times, companies are simply unaware of certain security risks.
“Many companies cannot afford the time it will take to integrate proper security solutions,” said Ashkenazi. “Add to this the big shortage of security technical workforce, and you have a real problem. It’s the responsibility of security providers to help with the security crisis by providing more friendly and easy to use security solutions, and by scaling their costs to companies of all sizes.”
For Ashkenazi, the biggest security challenges are always the same: how to build an effective security solution without hurting the device, or the system’s original function, and without ruining the user’s experience. Along with that comes educating users: giving them the freedom to use their device while also making sure they do not abuse it.
Still, car systems are starting to be designed with security in mind. Why can’t this protection be employed by other companies?
“Car manufacturers are creating firewalls between different subsystems of the vehicle,” Ashkenazi explained. “If one is compromised, the hacker can’t move on to other parts of the vehicle.” However, “as cars become smarter and continue to be connected in the IoT, the risk of cars being hacked increases.”
Case in point: At a recent hacker contest, a Tesla was hacked through its infotainment system.
So, are we basically just screwed as a secure society the more technologically advanced and dependent on our devices we get? Ashkenazi sees some solutions.
“The first step is making it extremely difficult for hackers to reverse engineer the app, so that even if the app has vulnerabilities left unintentionally by the programmer, they will never be discovered by the hacker,” he said. “The second stage is to make it difficult for hackers to use hacking tools to crack the app security. The app code can detect if such tools are being used and stop running, preventing the hackers from utilizing their tools.”
Lastly, Ashkenazi concludes, “If a hacker found a vulnerability that allows them to run their code, the app code detects the attempt to execute unauthorized code and stops working.”
OK everyone, go about your day and have fun with all of those vulnerable apps on your trusty phone, as you think of the implications of what will happen the next time your light bulb gets hacked.
Harmon Leon’s latest book is ‘Tribespotting: Undercover Cult(ure) Stories.’