Now that OEMs have had time to digest the news about WikiLeaks’ disclosure of the CIA’s alleged massive malware project, their worst fears have been confirmed: OEMs have been shipping Internet of Things (IoT) products with gaping security holes for a long time.
Many, if not most, OEMs’ supply chains remain exposed, even after WikiLeaks’ Vault 7 clearly detailed how they are at risk and what they need to do to protect themselves. More recently, Vault 7 revealed ways the CIA has used to hide its embedded malware, called Marble, which, in turn, could be used by bad guys to mask their exploitive attacks.
What can OEMs do to protect their supply chains against the threat? Actually, a lot.
Why? In this case, WikiLeaks has handed OEMs a tutorial on how their Internet of Things (IoT) electronic devices are vulnerable. On a very basic level, they can use this information to their advantage by making their devices more secure.
However, as far as many of these vulnerabilities go, security experts, of course, have known about these kinds of threats for a long time. Any network security professional or black hat hacker who steals data for personal gain could hardly be stunned by the development.
A black hat or state-sponsored privateer hacker feigning surprise to learn from WikiLeaks’ Vault 7 that state-sponsored malware existed would be like the disbelief of the corrupt French police commissioner in the classic film “Casablanca.” In that famous scene, the police commissioner, played by Claude Rains, tells Rick, played by the iconic actor Humphrey Bogart, that he is “shocked” to see gambling taking place at Rick’s Café, just before receiving his winnings for the night.
Many security experts and consultants have sounded the alarm about how inherently insecure IoT and other electronic devices are. For them, the WikiLeaks disclosure about the alleged CIA-created malware serves as a day of reckoning in many ways. While it has not been fully established that the CIA has been using its zero-day exploits to steal intellectual property (the CIA will not comment), other foreign governments, and especially privateer hackers, have been developing and using similar tools to steal intellectual property and compromise networks for a long time, security analysts say. In many ways, the WikiLeaks CIA story is just additional proof to back what security experts have been saying for a long time.
Now, with such blatant evidence of what they risk before them, OEMs have some very good reasons to invest more resources to protect their supply chains and intellectual property from data theft.
“OEMs have been shipping flawed and vulnerable devices for years, and thereby burdening consumers with unrequested security risk, because manufacturers lack accountability and incentives to incorporate security-by-design,” James Scott, a senior fellow at the Institute for Critical Infrastructure Technology (ICIT), told EBN.