Data Security

The WikiLeaks disclosure earlier this month about CIA hacking tools illustrates a harsh truth in today’s technology world: For all of the advances and convenience delivered by the so-called Internet of Things, mobile devices are especially vulnerable to attacks.

There are any number of reasons for this. Probably the biggest one is that security was not a front-burner concern when creating these devices, opening the door for the CIA to potentially exploit products that included iPhones and Androids, Microsoft Windows, and Samsung television sets.

In other words, as an official of the consumer advocacy group PIRG put it, “The security systems in most ‘internet of things’ products are actually dumb, not smart.”

All of which would appear to raise a question: Should you be worried? My answer, and this isn't a dodge, is that the question is probably moot. It’s pretty unlikely that any of us who is tethered to technology (pretty much anyone) is going to stop using a smartphone or computer.

But that doesn't mean we can’t do something to protect our devices from hackers. One step, and it’s as obvious as it is important, is to keep your software and security patches updated.

It was interesting to note that the WikiLeaks disclosure found that Android devices targeted in the attacks were generally running Android 4.0; according to Google, about 30 percent of all Android users – 420 million people or so – are using some variation of 4.0 (the current version is Nougat 7.0). Although the iPhone numbers are not quite so big, 50 million users are still running outdated systems.

For its part, Apple has said that many of the vulnerabilities cited by WikiLeaks have been patched in its most recent operating system. Google, meanwhile, has said it is “confident that security updates and protections…in Android already shield users from many of the alleged vulnerabilities.”

Another interesting takeaway from the WikiLeaks disclosure is that encryption apps appear to work. Although some have raised concerns that the CIA could compromise chat apps like WhatsApp, Telegram, or Signal, those fears have largely been rejected.

Why? Because the end-to-end encryption on the apps scrambles data as it passes from one device to another. It is impossible for anyone to actually steal the information when it is in transit. This has forced hackers to move “away from undetected and unfettered mass surveillance to where they use high-risk and targeted attacks,” said Moxie Marlinspike, who created Signal.

Still, while encryption may frustrate spy agencies, even having the best apps won't matter if a hacker can break into your device. It’s the operating system and the device, not the app, that are vulnerable. So, once again, that argues for maintaining the most current operating systems and security patches.

As noted above, companies like Apple and Google say they have already addressed some of the exploits highlighted in the WikiLeaks disclosures. And it’s also important to remember that the documents related to the CIA hacking efforts covered 2013 to 2016, so we can’t know for sure if what was vulnerable then is vulnerable now.

Given all that, let me go back to something I’ve said a couple of times above: The best defense against attacks on Internet of Things devices is to keep up to date on patches and operating systems. And if you are concerned that office technologies – especially laptops and desktops – are at risk, use programs that can identify and delete known and unknown attacks (“zero day threats”) in real time. Basic anti-virus software isn't going to do that.

It may not be the flashiest strategy. But in uncertain times dealing with uncertain actors of uncertain intentions, it may be the best we have.


Mark Elliott is a Best-Selling Author and CEO. His company, 3i International, helps you apply technology to improve performance and compliance. For over 25 years, Mark has been helping startups to Fortune 500 companies overcome the technology challenges they face. He develops strategies to analyze, manage, and adapt to the ever-changing technology landscape. A central focus has been security and compliance. His experience includes preventing, detecting, and responding to hackers and threats. This keeps your organization safe from invasions while simultaneously meeting regulatory compliance.