I want to tell a story. Hang in there with me for a bit. Almost 2 years ago, I bought a home in Mariposa California, which sits in the Sierra Nevada mountains, and is the home county for the spectacular Yosemite National Park. I fell in love with the area on my first visit over a decade ago, and longed for my own place in the serene setting for years.
Mariposa County is a very old county in California. In fact, it is the oldest county in California, once comprising a land mass that now includes Fresno, Inyo, Kern, Kings, Los Angeles, Madera, Merced, Mono, San Benito, San Bernardino, San Luis Obispo, and Tulare counties. It houses the oldest courthouse west of the Rockies, built in 1854 and still in use today. In fact, it is the only original courthouse in California. The inhabitants in Mariposa do not like change very much at all. When you travel there, it is like going back at least 100 years in time, when California was the Old West. If you see someone there wearing a cowboy hat and boots, chances are they are a real cowboy and regularly rope steer and ride horses. The town of Mariposa is about the size of a postage stamp and has 1 grocery store, 2 gun stores, and 3 hardware stores. The men and women of Mariposa are all very rugged. Most of the young men either work construction or tree removal.
Being there is a big departure from my "big city" San Francisco Bay Area life as a cybersecurity expert. You slow down there and realise that you are very far from the world of digital domination, and focus on the basics.
Yet we do have the Internet...
I need to have my Internet. Besides the fact that about 90 percent of my job requires the Internet, I do enjoy having the distant connectivity to the "uncivilised" world of the big city. Everyone seems to have Internet connectivity out there, provided by Sierra Telephone, the sole provider of service in the entire county (at least that I am aware of). When I get to my place every weekend I make sure to switch my phone to Wi-Fi calling, so I can make and receive calls from the remote wilderness. I usually do this right after I get inside my house, once I have taken a few breaths of the delicious smelling mountain air.
This past Friday it was not working. I could not get an Internet connection. This happens a lot, but usually I just reset the router by cycling the power and it comes back up. Not so this time. Frustrated, I called Sierra Telephone and was told that I had to bring my modem in to get the firmware refreshed because it had been hacked. It is a Zyxel modem and apparently, the model was attacked by the same worm that had affected nearly a million Deutsche Telekom customers in late 2016.
I stood there a bit dumbfounded for a moment, and realised that small town America was no place to escape the very hostile world of IoT. The worm had made its way over to the Sierra Nevada mountain range, and, as the young lady behind the desk told me at the Sierra Telephone local office, as she took my modem back to the IT room for fixing, it had affected over 2000 customers locally. She also told me they had discovered this on Monday (5 days earlier), and they tried to fix it by resetting the modems over the Internet, but as soon as they were fixed they immediately got infected again. On Tuesday, she told me there were lines out the door and down the street of people waiting to get their modems patched, and it was a real pain in the butt to deal with.
I sat in the waiting room with the locals who also had their modems. One was an old lady on a scooter who just did not understand how a "virus" could affect her, since she used antivirus on her computer. Another person with bib overalls and a trucker cap said he heard that it was a conspiracy for Sierra Telephone to get us to buy new equipment (which made the lady behind the counter shake her head). Miss Scooter and Mister Bib Overalls traded conspiracy theories for a while, and I hesitated to dive into the discussion, but finally had enough, and exclaimed "It is not a virus...it's a worm, and you can do nothing to stop it, unless the modem is patched. It has affected nearly a million people worldwide." The lady behind the counter exclaimed "Yup! He's right. That's what we heard too." I was very happy for the support as I stood there unabashedly correcting the locals.
Mr. Bib Overalls and Miss Scooter stared at me, somewhat transfixed for a moment. Mr. Bib Overalls then asked me "Well does this fix prevent this from happening again?" to which I replied that it should fix this particular problem, but there are likely many more vulnerabilities that can be exploited.
"Well am I going to have to come back here to get my modem fixed again." said Miss Scooter.
"I don't know, maybe. It depends on if someone writes another worm to exploit something else." I replied.
"Why are they doing this worm thing?" asked Mr. Bib Overalls.
"Because they can." I replied.
"Well why don't they fix those other bugs?" asked Mr. Bib Overalls.
"Because they don't know about them." I replied, as I left with my newly flashed modem.
As I made my way back home I realised that this is an enormous issue. Having to refresh several thousand modems is no small task, and certainly not something a little service provider is prepared for. In a world where problems are dealt with through chainsaws and guns, a hidden "varmint" in the form of a Botnet simply leaves people confused and frustrated. It occurred to me that this may very well be what it takes to get companies to start taking a more proactive stance towards addressing security vulnerabilities. After all, how many service providers are likely to want to buy devices that are prone to such attacks, especially if they can choose competing devices that are less likely to fall under such circumstances?
I returned home somewhat saddened by the dose of reality hitting home. There is simply no escape from the hostile and insecure world of IoT, and I am not sure what it's going to take to take down these new varmints. For now, the only effective thing to do is have a strategy for continuous and comprehensive security risk identification and mitigation.