What do printers, connected cars and airliners have in common?
These are playgrounds for the ingenuity of cybercriminals, who exploit the slightest security loophole to infiltrate networks or take control of our most critical systems. Just as a drug lord like El Chapo escapes from his high-security prison through the least secure place: the toilet, a hacker will always try to find the most vulnerable part to attack you. As these attacks can be dramatic for the person or company that falls victim to them, it’s essential to think carefully about the subject.
In this article, we will mention a few stories of surprising computer attacks. This will enable us to question our choices when it comes to implementing new features. These misadventures all have a common cause: an increase in the attack surface.
The multiplication of access points is a risk factor
In recent years, we’ve all seen objects that communicate with the outside world appear in our living rooms. From connected voice assistants to smart thermostats, these objects provide more or less useful services. The business world is no exception to this rule. Whether as part of the Industry 4.0 vision, or simply to facilitate remote communication, these connected systems are playing an increasingly important role.
Unfortunately, some devices pose major risks. Combining a low level of security with a connection to a company’s internal network, connected objects are a goldmine for malicious individuals. And they don’t hold back.
In its article, 01net shows how a group of Russian hackers is attacking connected objects to target businesses: https://www.01net.com/actualites/un-groupe-de-hackers-russes-cible-les-objets-connectes-pour-s-attaquer-aux-entreprises-1743886.html
What’s more, these connected objects often have access to private data. Imagine someone turning on your webcam remotely, or accessing the microphone on your soup mixer. Worse still, imagine a malicious individual taking control of a child’s toy and using it to contact him or her: https://www.france24.com/fr/20170228-hackers-ont-pirate-peluches-connectees-fait-fuiter-messages-denfants-a-leurs-parents
The proliferation of these objects poses a real social problem that we cannot ignore.
From an environmental point of view, the distribution of these systems also has significant impacts. From mineral extraction to distribution, the production of IT systems generates significant CO2 emissions, not to mention other impacts such as soil pollution and the erosion of biodiversity.
For all these reasons, the purchase of a new connected device should not be taken lightly. The question is: do we really need it?
How can an ancillary feature turn into a Trojan horse?
New connected objects aren’t the only systems that can be attacked: existing software can be as well.
Nor is it just a question of resources. Aviation, one of the world’s most financially powerful industries, which has invested considerable resources in security, has also been the victim of criminal acts.
In this article, we won’t be discussing the impacts of flying, but rather the specific subject of in-flight entertainment.
The many films and series available bring undeniable benefits for users: boredom reduction, keeping children occupied, forgetting about stress (and the fact that you’re in an aircraft that burns thousands of liters of fuel per hour) …
Nevertheless, the screen is not a system totally isolated from the rest of the world. For example, cutting video during a staff call necessarily implies communication between the box and at least part of the rest of the device.
And this link can be used to support an attack.
Chris Roberts, a cybersecurity specialist, has demonstrated this by successfully modifying the power of a reactor using the entertainment system: https://www.01net.com/actualites/un-hacker-aurait-pris-le-controle-d-un-avion-en-vol-grace-a-son-systeme-de-divertissement-654810.html
In reality, it’s extremely difficult to totally isolate one system from another.
This story is just one example:
- Connected cars: https://securite.developpez.com/actu/334250/Une-faille-dans-les-voitures-Tesla-permet-aux-voleurs-d-avoir-leur-propre-cle-et-de-s-emparer-de-la-voiture-en-seulement-130-secondes-l-exploit-tire-parti-du-lecteur-de-carte-NFC-des-voitures-Tesla/
- Facebook ancillary functionality : https://tech.hindustantimes.com/tech/news/facebook-data-breach-what-is-view-as-feature-and-why-it-s-been-disabled-story-vpL6KmzapfYxZVwQBumNyI.html
This last attack is an interesting one. It illustrates the issue of a well-known developer philosophy: “Why do it? Because we can.”
Hackers have taken advantage of a security flaw in a service of Meta’s flagship social network. The functionality in question allowed users to see how their profile was viewed by another user. Admittedly, this is of interest to the user, but it is not essential to the smooth operation of the social network. On the other hand, the consequences of an attack are extremely damaging, both for users and for the company, whose image is tarnished.
When the group became aware of the flaw, they immediately removed the service. The question then arises: did users notice the disappearance of the functionality?
From a general point of view, we can list a few disadvantages of the multiplication of possibilities offered by a digital service:
- dispersion of resources that could have been allocated to securing key application or website services
- implementation of little-used functionalities that receive little attention from the development team and are therefore more vulnerable
- the need to reduce compatibility with older versions of Android or iOS. And consequently reduce the number of potential users
- increase the weight of an application due to the development of more code or embedded media. Increasing the application’s environmental impact.
Taking into account the associated risks, we must always ask ourselves: is the comfort it brings really worth the impact it causes?
It’s also worth remembering that cybersecurity is an integral part of digital sustainability. As a designer of digital services, it is therefore our duty to protect users. Implementing security mechanisms is an important part of this, but we also need to think globally, encompassing all functionalities.
Malicious individuals will try to get into every nook and cranny of your system. By increasing the number of functions, you are giving them new doors that they will be happy to open.
Finally, all these attacks show us that digital sufficiency is not only a useful tool in the context of the ecological transition, but is also of interest in the fight against cybercrime.
In short, digital sufficiency is proving to be our unexpected ally in the daily battle for IT security. Before rushing off to buy the latest gadget or design a new feature, let’s ask ourselves the following 2 questions:
- Is that useful ?
- Is the risk worth the benefit?
In some cases, the answer is obviously yes. The seatbelt makes the car heavier and therefore increases fuel consumption, but it considerably reduces the number of deaths on the roads. The reduction in comfort was worth it.
In many cases, the answer is the opposite. Today’s cars can reach speeds well in excess of 150km/h. Yet it is forbidden to exceed 130km/h. This measure, taken in France in 1974 to combat the 1973 oil crisis, was the result of a balancing act between individual freedoms on the one hand, and the collective effort needed to counter the consequences of the oil crisis on the other. It wasn’t worth the risk.
This central consideration in any decision must be at the heart of a development team’s questioning.
Today, only the advantage part of a feature is highlighted. But that’s forgotten:
- User security
- The financial cost of a computer attack
- Damage to the image of the company that suffers a computer attack
- The environmental impact of this functionality
- Loss of compatibility with certain users
- And many more…
33 years after the introduction of compulsory rear seat belts, the question of discomfort versus safety is no longer an issue in the automotive world. It must also become a reflex for digital service design teams in the IT world.
After working as a mobile application developer, Julien Gilbert became a digital sustainability consultant at Greenspector. A keen football fan, he is actively involved in promoting sustainable practices to ensure a sustainable future for sport.