Freakout of the day: It's time to fear your "Internet of Things" devices

At least this one’s not about a virus. Or is it? Technically speaking, the massive vulnerability in play is a programming flaw rather than a computer virus, but the end result could be the same. It’s a back door in Java scripting that leaves hundreds of millions of “everyday gadgets” vulnerable to malefactors, including ransomware rings.

Advertisement

CBS News offers this segment today, which has all of the freakout value with almost nothing of substance about mitigation:

There may not be much mitigation to accomplish, at least not by users. The Associated Press reports that manufacturers and software developers have to start fixing and updating their platforms to deal with the threat, but no one’s sure how fast that can happen:

Detected in an extensively used utility called Log4j, the flaw lets internet-based attackers easily seize control of everything from industrial control systems to web servers and consumer electronics. Simply identifying which systems use the utility is a challenge; it is often hidden under layers of other software.

The top U.S. cybersecurity defense official, Jen Easterly, deemed the flaw “one of the most serious I’ve seen in my entire career, if not the most serious” in a call Monday with state and local officials and partners in the private sector. Publicly disclosed last Thursday, it’s catnip for cybercriminals and digital spies because it allows easy, password-free entry.

The Cybersecurity and Infrastructure Security Agency, or CISA, which Easterly runs, stood up a resource page Tuesday to help erase a flaw it says is present in hundreds of millions of devices. Other heavily computerized countries were taking it just as seriously, with Germany activating its national IT crisis center. …

The affected software, written in the Java programming language, logs user activity on computers. Developed and maintained by a handful of volunteers under the auspices of the open-source Apache Software Foundation, it is extremely popular with commercial software developers. It runs across many platforms — Windows, Linux, Apple’s macOS — powering everything from web cams to car navigation systems and medical devices, according to the security firm Bitdefender.

Advertisement

The vulnerability was kept under wraps for a few weeks in an attempt at a quiet fix, apparently. However, the Log4j flaw has already been widely exploited for at least one purpose, but it’s a rather surprising one:

The cybersecurity firm Check Point said Tuesday it detected more than half a million attempts by known malicious actors to identify the flaw on corporate networks across the globe. It said the flaw was exploited to plant cryptocurrency mining malware — which uses computer cycles to mine digital money surreptitiously — in five countries.

As yet, no successful ransomware infections leveraging the flaw have been detected. But experts say that’s probably just a matter of time.

How did this one vulnerability make its way into so many devices and platforms? In a word, laziness. It’s easier for developers to borrow open-source code for specific functions than it is to build those from scratch, the AP article explains. It’s even easier to use the code without looking at its potential security risks, even when building systems with remote management capabilities where those risks are even higher.

So what are we supposed to do while the manufacturers figure this out? There isn’t much to do except freak out, and update our systems as soon as updates become available. Since I’m suffering from freak-out burnout, I plan to live my life as though it’s going on like normal. (But I’m keeping my eye on my oven, just in case it’s bitcoin mining and getting richer than I will ever be.) In the meantime, maybe we should all think about whether the “Internet of things” is such a great idea in the first place.

Advertisement

Join the conversation as a VIP Member

Trending on HotAir Videos

Advertisement
Advertisement
Advertisement
Ed Morrissey 10:00 PM | November 22, 2024
Advertisement