26 May 2019

The Internet Security Apocalypse You Probably Missed

By Charlie Warzel and Sarah Jeong

Instead of my usual monologue, this week I’ve invited my colleague, the editorial writer Sarah Jeong, to have a conversation about the biggest story from last week that you probably missed.

Charlie: Sarah, welcome to Privacy Project ThunderDome! We had a rather apocalyptic week in the security world. Not one or even two but three sprawling security flaws were announced in some major products and pieces of hardware. There was a WhatsApp hack, an Intel chip vulnerability and a Cisco router bug (with the fun name Thrangrycat, which isn’t fun at all but actually super alarming). How wild was last week?

Sarah: Part of me has to wonder if the sheer number of Bad Security Disaster stories has exhausted both the media and its audiences. These stories are way worse than “Facebook made a mistake and now you need to change your password,” because they concern the security of the web’s infrastructure. Imagine finding out that there’s something ever-so-slightly wrong with 50 percent of all the steel beams manufactured since 2013.


Charlie: That sounds … bad! But you just hit on something very important — this idea that our software, hardware and web infrastructure are hopelessly vulnerable and that the internet is held together with duct tape and baling wire. Let’s focus on the Cisco Router bug, a.k.a. Thrangrycat a.k.a. 😾😾😾. (Yep, the bug’s name is three angry cat emojis.)


On Monday, we called Red Balloon Security and spoke to the team that discovered (and named) Thrangrycat. We had Red Balloon founder, Ang Cui, explain the problem to us like we were 5 years old. Let me attempt to summarize his summary: Cisco makes a ton of the hardware that connects the world. If you access the internet, chances are that you pass through a Cisco router in some way, shape or form. And most of those devices, 150 or so different varieties of routers, have been compromised. And it’s not just something that a software update or patch can fix in a jiffy. This is structural. Which means that if things are compromised by attackers, they can’t be easily uncompromised.

I still have questions. Give it to me straight: How bad is this?

Sarah: Look, if your I.T. team is doing everything correctly and they promptly apply every patch that comes out and your workplace keeps your I.T. systems up-to-date and the North Koreans aren’t out to get you, the Cisco disaster probably won’t affect you. Probably. Maybe. That said, Thrangrycat is very, very, very bad. I’d rate it as Less Bad than the Intel disaster (which is very catchily named ZombieLoad) and More Bad than the WhatsApp hack.

Thrangrycat is awful for two reasons. First, if a hacker exploits this weakness, they can do whatever they want to your routers. Second, the attack can happen remotely — it’s a software vulnerability. But the fix can only be applied at the hardware level. Like, physical router by physical router. In person. Yeesh.

That said, Thrangrycat only works once you have administrative access to the device. You need a two-step attack in order to get Thrangrycat working. Attack #1 gets you remote administrative access; Attack #2 is Thrangrycat. Attack #2 can’t happen without Attack #1. Cisco can protect you from Attack #1 by sending out a software update. If your I.T. people have your systems well secured and are applying updates and patches consistently and you’re not a regular target of nation-state actors, you’re relatively safe from Attack #1, and therefore, pretty safe from Thrangrycat.

Unfortunately, Attack #1 is a garden variety vulnerability. Many systems don’t even have administrative access configured correctly. There’s opportunity for Thrangrycat to be exploited.

Charlie: [Screams internally] What has me most rattled about this is how ubiquitous Cisco’s technology is. And how there are plenty of juicy targets that some bad actors would, I’m sure, love to gain access to — government systems, stock exchanges, energy grids or power plants. And, like you said, even if the odds are slim, the I.T. business is messy. What is the nightmare scenario here and how worried should we be?

Sarah: The Red Balloon team told us that an attacker could get into some routers and then take down, say, the entire New York Stock Exchange. I think that’s probably the nightmare scenario here.

Thrangrycat is a “low level” attack — and when computer people say “low level,” they don’t mean inconsequential, they mean it reaches deep inside the infrastructure, it’s getting close to the bones of computing itself. In the case of Thrangrycat, we’re talking about the placement of pins on circuit boards.

The problem with low-level nightmare scenarios is that they’re highly theoretical. What’s possible depends on the state of everything that’s layered on top — hardware and software. I asked the Red Balloon folks whether data could be intercepted — like, say, my chats with you over the internet, right at this moment. And they said if end-to-end encryption were implemented correctly, probably not. The extent of the spying that’s possible through Thrangrycat is, at the moment, largely theoretical.

Charlie: But a theoretical security apocalypse just sitting out there is still quite bad, no?

Sarah: To go back to my steel beams metaphor, imagine if someone told you that the steel beams in your building are insecure but also they’re probably O.K. if the building is built under a certain height and the builders use a very specific brand of concrete. But also maybe the beams could give out if the wind starts blowing at a certain speed or if it’s really hot for 10 days in a row. Also, who knows if your building will actually fall over? Maybe it’ll just sway a lot or something and your floor will tilt? Who can say? Even if you’re probably safe in the long run, I’d say this kind of risk is just unacceptable.

Charlie: Your steel beams metaphor is going to haunt my dreams, mostly because it echoes what smart people who know how the internet is built tell me: Everything is hastily built, frequently out of date and vulnerable to bad actors who’re exploiting broken systems quicker than they can be fixed. And that some of our most critical infrastructure is quite unsophisticated. This, from Red Balloon’s founder, stuck with me: “The money that comes out of A.T.M.s, the gas that comes out of the ground, it’s all run on code going back potentially more than a decade and is often as unsecure as an unpatched Windows XP computer from 2006. We have far more security in our iPhone and laptops than in our power plants. There are a lot of reasons for that, not one of them is good.”

I want to bring things home though with a question some might have while reading this: What does this have to do with me — or my privacy? Red Balloon’s founder also said that, while it’s highly unlikely your computer or hardware is going to be affected, “this has privacy consequences for basically anyone who uses the internet.” That all our cameras on embedded devices, all the surveillance tools used by the government and basically anything that’s sucking up data about us — those tools could end up used against us or, at the very least, the information those devices receive could fall into the wrong hands. Right?

Seems like more evidence that we’re in over our heads. While we’re out here arguing with our aunts and uncles to use password managers and two factor authentication and pointing fingers over Facebook’s latest blunder, there’s a cyber war (mostly a cold one, for now?) happening out of view.

Are there reasons to be hopeful?

Sarah: The takeaway here is that we have to start thinking about privacy as a collective, environmental problem, not something that hits individual people, and certainly not something where the onus is on the individual to protect themselves. Privacy is starting to look like a problem similar to climate change — and in past eras, something similar to food safety. Like, yes, check the sell-by date on your chicken breasts, but we need a system that makes sure those sell-by dates get printed in the first place. A system that sends inspectors around to the meatpacking factories, that penalizes sellers, distributors and farmers if a lot of people end up getting sick.

Maybe you’re never going to get sick from eating bad chicken, but the risk still means we’ve adopted food inspection standards.

You’re probably never going to be personally attacked via Thrangrycat. You may never be hacked, via any method, period. But people you know and services you use will be.

The security of our cyber infrastructure is a collective problem, and it goes hand-in-hand with privacy. Privacy is part and parcel with the health of our society, the health of our civil liberties, and the health of the digital infrastructure that we depend on daily.

Charlie: Amen. If you need me, I’ll be in my bunker here in Montana prepping ready-to-eat meals for the day the lights go out. Sarah, it’s been a pleasure!
