Security Costs Too Much for Manufacturers

Fatal Attraction (1)

As CTO (Chief Technology Officer) for MegaTech, Fred was used to getting tech gadgets in the mail. It was a perk of the position and he loved tech gadgets. Sometimes they were pitiful, sometimes interesting, some were wildly impractical.  Most of the time they were not worth pursuing and for the most part useless. Sometimes they were a subtle or outright bribe for one thing or another. This one was different. It was what appeared to be a well-made helmet for skiing. This was interesting since he was an avid skier and was, in fact, getting ready to go out west for a couple of days of skiing and relaxation. He had just posted online about the upcoming trip. He was careful not to give any specifics as to the destination or time of the trip. Ever cautious, he passed the helmet over to his team to do a quick once over and make sure it wasn’t bugged since they had had some incidents in the past with attempted industrial espionage. They sent it back with a clean bill of health. It was a helmet with a GPS locator and a walkie-talkie, nothing more.

He really felt the need for the trip since the last 6 weeks had been non-stop 18 hour days trying to get the new satellite phone ready for the market debut. This phone promised to put a lot of competitors way behind the curve and possibly out of business due to some innovations his team had developed. Unfortunately, they were hit with two technical snags that threatened the project. He hoped the weekend trip would give him a chance to let his subconscious work on the problem while he recharged physically, and that he could come back to the project with renewed vigor. He took the helmet along on the trip and the next day hit the slopes.

The contract was for some tech guy at MegaTech. He never asked why contracts were put on people, he just carried them out. The target had been sent a ski helmet that had some glaring vulnerabilities, not the least of which was the ability to hack in with little effort and get GPS coordinates (real time) of anyone using the helmet. He had the location of the target and he was actually making this quite easy. He was skiing some black diamond runs. It wouldn’t take much to arrange a fatal ‘accident’.

The next day the news headline read “Leading technologist killed in an avalanche.” The article went on to detail how the death would put some critical projects on hold and would affect the future projects that were due to enter the market and give the company a leading position.

Fatal Attraction (2)

On his way to board the cargo ship Oriental Queen, Mitch noticed a USB drive laying on the pier by the gangplank. He picked it up, looked it over, and didn’t see anything that would identify the owner. Well, he could look at it once he got on board and got to his station.

All the cargo was loaded and the ship was ready to depart from Los Angeles harbor. Mitch didn’t have much to do until they got out of the harbor so he decided to check out the USB drive. He plugged it into the workstation and once it was recognized, he started examining the contents. Mitch fancied himself a bit of a computer geek with a slight flair for programming and understanding how things worked when it came to computer code. Hence his job as the IT resource on the ship. One of his gripes was the outdated operating systems in use on the ship. It was Windows XP,  for goodness sake, with a couple of NT workstations thrown in for good measure!! Sure the upgrade meant some cash outlay, but these systems were ridiculously out of date. Oh, well, that was a fight for another day. Let’s see what is on this USB drive.

Back at the docks in a second-floor office of a warehouse, a terminal came to life indicating the USB stick had been inserted and taken over the target computer. As planned, it had found the shipboard wifi and phoned home. This would only be effective until the ship moved out of the harbor but it would be enough. The person at the keyboard knew exactly what had to be done to compromise helm and ballast control. In just a few minutes, it was done. As the ship left the harbor, it would be making a gradual turn to head out to sea. A command to ballast control started all the ballast moving to one side of the ship causing it to list. By the time anyone noticed, it would be accompanied by a helm command to make a very tight turn. The combination would cause the ship to capsize. The loss would be significant and the harbor would be out of commission for quite a while. A few keystrokes more and all record of the attack was erased.

So what do we learn?

Both accounts are fictional, obviously. They are, however, based on known vulnerabilities that have been publicly disclosed. It is a somewhat scary exercise to read the Pen Test Partners website and see the wide variety of items that have serious security issues, and also to realize this is just the efforts of one group of people to uncover these issues. Who knows how many IoT devices and other appliances have similar weaknesses that have yet to be discovered?

As the push for ‘smart homes’ goes forward and people connect all sorts of things to the internet, consumers need to be aware that cost, not security is a driving principle in manufacturing. Unfortunately, the burden falls on you to make sure things are secure. As connected devices become more pervasive, this will take more effort and more education. Hopefully, at some point, manufacturers will take security more seriously and provide devices that really can be helpful and not harmful.