CISO Update #49
The IoT, Once Again
This series of monthly updates has touched on the Internet of Things (IoT) many times. The IoT consists of all those non-computer devices, from smart speakers to thermostats, that exist on the internet. A few years ago we did a piece on how hackers in England had broken into the remote control systems of hot tubs to determine when homeowners were likely to be away. And, as much as we try to have fun with the world of cybersecurity (Remember the article we did about how hacking led to a cream cheese shortage?), sometimes we have to get serious, and this is one of those times.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week issued an advisory to warn of critical vulnerabilities in genetic analysis (DNA testing) devices that could allow a remote, unauthenticated attacker to take over an impacted product. What this boils down to is that sophisticated devices that are used to do genetic sequencing and analysis could allow attackers without credentials to get on the device and steal or manipulate data that could include such sensitive things as family relationships or genetic predisposition to diseases. The full details are here: https://www.securityweek.com/cisa-warns-critical-vulnerabilities-illumina-genetic-analysis-devices
The truly troublesome thing is that the vulnerabilities are not sophisticated. In one case the manufacturer simply shipped the devices with no authentication required by default, and in another it didn’t bother to use the secure web protocol (HTTPS, the “https” you see at the start of almost every website’s URL) that has been available for decades. This manufacturer is run by geneticists and microbiologists, so it’s unlikely that basic cybersecurity was too complex for them.
The bottom line is that while some amount of cybersecurity is about geniuses at the intelligence agencies matching wits with master hackers, the vast majority is about us—companies, individuals, all of us—making a small amount of extra effort to make things safe.
What can you do?
You can’t fix a genetic sequencing device, but you can do some basic things to make your IoT devices safer:
- Don’t put devices on the internet when there’s no good reason to do so. Do you really need remote control of your hot tub?
- Don’t buy devices that don’t have passwords, ways to change default IDs, and methods to update software as needed. Demand more from the people who want to sell you things.
- Once you’ve bought devices that allow you to change passwords and update software, do so. Subscribe to the vendor’s security update service so you get notified when software patches come out.
The IoT has changed our lives, from wonderful conveniences to life-saving medical devices. Let’s do what we can to make it cybersafe.