Security researchers are still not taken as seriously as they should be
Everyone who uses the Internet knows by now that websites can be hacked. However, over the past period, security researchers have demonstrated that any device or machine that’s powered by a piece of software can also be hacked. Researchers have demonstrated that routers, set-top boxes, security cameras, TVs, and even fridges can be hijacked and abused by cybercriminals for various purposes, including sending spam, mining for crypto-currencies, and spreading malware. Medical devices can also be hijacked, and the consequences can be deadly.
On the other hand, experts have also demonstrated that cars, ships, airplanes, satellites and even the sensors used for traffic control systems can be hacked.
So far, we’ve seen the damage that cybercriminals can cause by hacking a website or a company’s networks. We’ve also heard some “spooky” stories about industrial control systems. A perfect example is the Stuxnet worm which reportedly caused serious damage to Iran’s nuclear centrifuges.
As far as hacking cars, ships, airplanes, satellites and medical devices is concerned, there haven’t been any serious incidents so far. We’ve seen such scenarios in movies, but that’s it.
While many manufacturers have come to realize that securing their products against cyber threats is important, for many companies, it’s far from being a priority.
So how long will it take until someone decides that a keyboard is an effective way to commit a serious crime and get away with it? I’m referring to committing murder or causing serious physical damage, because we’ve already seen that cyberattacks against a company’s networks are considered a serious crime (e.g. the breach suffered by US retailer Target).
I think that 2020, the recent mini-series by security company Trend Micro, shows pretty accurately where we’re heading. One day in the near future, everything will be dependent on the Internet, and as that period draws near, we’ll probably start witnessing all sorts of serious incidents involving cyberattacks.
Currently, while many manufacturers have departments whose goal is to ensure that a product is secure, most are still experiencing difficulties in communicating with external security researchers.
The contribution of external researchers is critical, because the vulnerabilities they find are the ones missed by internal security teams. The flaws they find are likely the ones that will be exploited by cybercriminals.
The attack methods presented by researchers against cars, airplanes, satellites and traffic control systems are mostly theoretical, and they require a lot of resources to be applied in a real-life scenario. However, as technology evolves, so do hacking methods.
When they’re informed of security vulnerabilities in their products, many companies say “this attack is too difficult to pull off” or “our products are more secure than they appear.”
This is the point where everyone should start making sure that their products – whether it’s software for cars, airplanes, or medical devices – are not vulnerable.
Security should become a top priority in the development cycle so that we avoid waking up one day to find out that cybercriminals are actively exploiting software vulnerabilities to (directly or indirectly) kill or hurt people.