Cassandra’s curse was to know the future truly, but when she spoke, no one would believe her. Those of us who write about security and privacy know the feeling. Worse than those who ignored Cassandra are those who believed her and were swept away by the tides of fate. These last few weeks have had aspects of both being heard and being brushed off.
On February 17, Germany’s Federal Network Agency banned My Friend Cayla, a doll with voice-recognition technology, by declaring it an espionage device, because the manufacturer didn’t meet the country’s requirements for disclose and security for recording conversations. “Dangers arise directly from toys being used as espionage devices: with the awareness of parents, childrens’ speech and that of other people can be recorded and forwarded,” the agency wrote.
On February 23, SHA-1, one of the fundamental building blocks of the Internet’s ability to avoid forgery, was broken. This is both more and less serious than it sounds, as it was anticipated, but it has a large impact for the future of outdated and impossible-to-update devices and software.
On February 24, security researchers at Google revealed that a major firm involved in mitigating the distributed denial of service (DDoS) attacks that bring down websites, companies, and governments large and small had a flaw in its caching software that pushed semi-garbled private information into randomly served pages, some of which were indexed by search engines.
On February 27, it emerged that a maker of an Internet of Things (IoT) teddy bear that could send and receive “voicemail” messages between kids and their parents/guardians had not just improperly secured their databases of user data and audio messages, but that hackers had copied and erased those databases and were holding the data for ransom. The teddy bears could, à la the Cayla allegation, be hacked and turned into tiny spies, too.
This drumbeat of news may be overwhelming and hard to process, but it includes some foresight, some good news, and some cautionary tales that will ultimately lead to change.
Let’s start with the breaking of SHA-1, which I’ve written about in anticipation of those moment many times over the last few years, as SHA-1 remained until just recently the primary way that browsers validated https communications to make sure the server on the other end wasn’t being spoofed. You can read the nitty-gritty details in my Dec. 24, 2015, column.
With SHA-1 broken, it doesn’t mean the floodgates have opened up for every secure website having its digital certificate spoofed by malicious parties or government actors. Rather, there’s no longer the certainty that it’s too expensive or technically impossible. That uncertainty changes the equation, which also ties into the Cloudflare leakage.
Fortunately, browser makers led a charge starting a few years ago to get certificate authorities (CAs) to stop issuing SHA-1-signed certificates. CA are the hundreds of parties worldwide that countersign web server security documents, allowing browsers and OSes to make sure a connection is legit. (Or at least that the current possessor of the certificate matches its internal technical details.)
Apple didn’t get in front of this, nor has it communicated much about it to its users, but it has kept up. While CAs weren’t supposed to issue new SHA-1 certs starting January 1, 2016, and all of them should have expired by January 1, 2017, Venafi found 35 percent of all secured sites in November 2016 still used SHA-1. Only a handful of the top million most popular sites did.
Browser makers are now shifting into a final stage, in which public sites that use SHA-1 won’t be directly reachable without a warning or a firm block message. Apple says that as of spring 2017, it won’t support publicly issued SHA-1 certificates in Safari or its WebKit framework used by developers for embedded browsers. (SHA-1 certs may still be used, dangerously, inside companies and for private purposes.) Windows 10, Microsoft Edge, and Internet Explorer 11 are all moving towards blocking public SHA-1 connections. Chrome version 56 (January 26) and Firefox 52 (February 23) already block them.
This is a rare case of getting out just in front of a problem before it’s fully exploitable. While it costs hundreds of thousands of dollars of cloud server time to duplicate the SHA-1 breakage today, it will drop to tens of thousands of dollars and then to an affordable professional computer system loaded with GPU cards over as little as two to three years on the current trajectory.
The good news: you didn’t have to do anything to take advantage of browser makers’ multi-year push to upgrade web security from SHA-1 (unless you run a website). The bad news: SHA-1 lingers in IoT and other embedded hardware, old mobile systems, early Windows XP releases, and industrial equipment that may never get updated.
The Cloudflare leaks are unrelated to SHA-1, but they invoke the same feeling of uneasiness. Because Cloudflare doesn’t precisely know what was leaked, just that very little was and only some of it cached publicly, the odds of any determined hacker also being aware is very, very low. But because passwords and other information encrypted by https could have been disclosed, anyone using affected sites and services can’t know whether their data was snarfed by another party.
The one bright lining? AgileBits’ 1Password.com hosted sharing system for secure data had some of its customers’ information found in caches, but because it employs two additional layers of encryption, this release doesn’t compromise user data. That kind of system design will be more important, and is one of the ways to guide your choices.
When it comes to IoT devices, as I and other people have railed about for years, it’s impossible to determine in most cases whether any security is properly being applied, even when it’s promised by the maker—to judge by lawsuits, security researchers, and even admissions by the companies themselves.
These latest doll-based examples just make it clear that Arthur Weasley of the Harry Potter world was correct when he chided his daughter, Ginny: “Haven’t I taught you anything? What have I always told you? Never trust anything that can think for itself if you can’t see where it keeps its brain?” (A bear of little brain keeps its thoughts outside its physical device’s body, clearly.)
The way to partially avoid compromised IoT devices is to select those from established companies with clear privacy policies that keep information stored locally and only send anonymized or user-resettable identifiers with data that leaves your device or home for remote processing. Also watch for how they respond to security reports and how quickly and for how many versions back services and hardware can be updated to fix flaws.
While Apple’s HomeKit ecosystem has been critiqued for how slowly it’s been adopted by hardware makers, that’s apparently in part because of Apple’s stringent security and privacy policies, which include some custom components. That doesn’t sound so bad right now.
Keep your wits about you
This was a particularly bad rash of security breaches, not in scope of but in variety and nature, from little to big, in what went wrong. While the SHA-1 transition for Web security wasn’t handled perfectly or quickly, it proceeded so that browser users are now protected ahead of the full SHA-1 crash yet to come. Cloudflare acted quickly when informed to fix its problems, the extent of which are small and which people (good and ill intentioned) will be watching for across similar services in the future.
But a majority of IoT hardware makers continue the race to the bottom to fail users in countries in which no regulation exists to enforce standards. As many believe, one or more trade groups needs to arise with a seal of approval and strict security, privacy, and encryption certification, or the future is all teddy bears staring at us forever, transmitting our data far beyond the Hundred Acre Wood.