Functionality and Connectivity
Long gone are the days where the world wide web was just a big library of plain text. While we are still standing strong on the Hyper-Text Transfer Protocol (HTTP), text-only sites have become obsolete. Web pages are being rapidly replaced with web applications— and instead of just reading the information, we interact with it thanks to HTML5 and a vast array of web framework back-ends available.
This makes our lives simple, as often we never have to download native applications. We turn to web clients for music and video streaming. We shop and pay our bills online. We even discuss our most private matters on social media. The web applications we depend on are lightweight, only needing a web browser and uniform across all mobile and desktop platforms. In general, web-based apps are observed as the way forward as technology progresses.
This shift is slowly taking over our hardware gadgets as well. Take the Chromebook laptop as an example: All your apps and data are stored on the cloud, so the device in essence only runs a browser engine behind the scenes. This is not an ideal situation if you are planning to be away from internet access for longer periods of time; however, the rise of 5G connectivity promises that we will soon forget what it is like to be "offline" in the first place.
The Chromebook made personal computers affordable by housing applications in the cloud to cut down on hardware, but keeping all of this personal data in the cloud invites more opportunities for hackers. Image courtesy of Google.
This shift to interconnectedness is also quite clear from the advent of the IoT (Internet of Things). Both software and hardware are experiencing the benefits of the “cloud” and nearly everything we use is getting connected to the World-Wide Web in one way or another. Which must be a good thing, right?
Complex Makes Complicated
Along with the convenience and functionality, interconnectivity brings a trade-off. It has been argued numerous times that absolute software security simply does not exist. Therefore, the more functionality authorized individuals are provided through online access, the more likely it is that there are the security flaws that will allow malicious parties to intercept data. One might think security flaws are instantly patched by most self-respecting institutions and only inexperienced developers leave mistakes, but that’s far from the truth.
Let’s have a look at a few recent events. “Mr. Robot” is a popular US TV show depicting realistic hacking scenes. It has been praised for being more accurate to real-world security than most other attempts in media. However, the show seems to have had a taste of its own medicine this month.
Even the promotional websites for TV shows about hackers are getting hacked. Image courtesy of USA Network.
It appears the Mr. Robot promotional website has been intercepted through a cross-side scripting (XSS) bug. Later that same week, another issue was brought to admin attention where another person found a classic SQL-injection flaw. It appears that even the advocates of computer security don’t always follow through with ensuring their online security.
One could argue that the Mr. Robot website being hacked is no big deal. But what about international banking institutions? Just last week, a number of Turkish hackers were able to compromise the security of banking institutions that include The City Bank, Trust Ban, Commercial Bank of Ceylon, Qatar National Bank, and InvestBank. The more than 7GB of data obtained by the hackers included website source code, annual bank reports, and financial statements. SQL-injection, an old but still prevalent security flaw, was again a part of the breach.
Hardware and everyday appliances are no exceptions to this ever-growing concern of online security. Smart home appliances are a good example of this: Smart locks rush to market and leave security flaws behind. Smart light bulbs advocate functionality, but then fail to address safety issues. As cars become autonomous and capable of self-driving, even our modes of transportation become a potential attack vector. It therefore quickly becomes clear that, to varying degrees, most inventions of today are prone to hacking— especially if you consider yourself to be an early-adopter of new technology. You can watch these smart lightbulbs get hacked in the video below.
Causes for Security Breaches
Often the developers and engineers of new tech products will be given functional specifications. For example, one has to ensure that the application or device is fast, responsive, scalable, easy to maintain, and at the same time reliable. Somewhere down this list of requirements will be security. Security cannot be easily measured, so it can often be overlooked. In the eyes of the everyday observer, if a product is functional, it can ship to customers.
So the issue here is that, while an insecure but seemingly functional solution sells, secure but functionally-limited applications do not. Therefore, it could be argued that implementing security is not a matter of difficulty but rather of resources and awareness. Good security cannot be measured simply and directly, and therefore, can appear invisible. Our duty as engineers and developers is not to make trade-offs regarding security. We also should understand that simple is not easy, and hence, we should avoid the latter as we might provoke security flaws we are not even aware of.
It appears that cyber security has become a very alarming issue nowadays. The amount of research going into this field for public-safety purposes can sometimes fail to outweigh the interest of less friendly, for-profit hacker groups who can sell data to other malicious parties. This can potentially be explained by the somewhat questionable attitudes of some companies towards allowing the community to contribute. Bounty programs that reward security researchers are completely ignored by most SMEs and only provided by the tech giants. Even then, the reward can often vary greatly compared to the severity of the flaw submitted.
Therefore, some people choose to sell multiple copies of the same exploit for $1k underground rather than submitting it once for $25k to the company legally. Some even claim that the flaws they find are not acknowledged, at times even ignored completely. If software projects continue to move open-source, this can become less of a problem as there will be people constantly checking for issues and patching them quicker.
But until then, large companies should make sure that they don’t under-sell people who want help, as well as try to cultivate relationships between their product developers and security researchers. Otherwise as we embrace the IoT and ever-increasing web presence, the repercussions can be fatal.