It seems to be an artifact of how technology is designed and developed that “new and improved” also frequently means “less secure.” In my experience, being an early adopter also makes you a de facto beta tester for security bugs. A quick scan of recent security news items brings up multiple cases in point.
Recent Security Breaches
Among the scariest examples is the embarrassing login bug in the latest version of Apple’s new High Sierra operating system. Anyone with physical access to an affected system could gain admin level control of it just by typing “root” in the user name field, with no password. Fortunately, an update was quickly available and automatically installed on all affected systems.
Are you an Uber user? More and more people are saving money on cab fare with Uber’s “disruptive” business model. But you may also be putting your personal information at risk. The company covered up a major 2016 data breach, in which hackers made off with 57 million driver and rider account records from a third-party server. Then Uber actually paid the hackers $100,000 to delete their copy of the stolen data. They even went so far as to track down the hackers and get them to sign nondisclosure agreements. To help conceal the breach, Uber execs made it look like the exfiltration was part of a “bug bounty.” Then they fired their CSO.
Or maybe you have a new smart phone from the manufacturer One Plus? Turns out the latest firmware update has a a debugging app accidentally left on it that gives hackers root access to the device if they had physical control of it.
Another significant vulnerability cropped up in the latest TeamViewer remote software support tool. This bug allows an attacker to illegitimately gain control of the either the presenter’s session or the viewer’s session in a shared desktop session. It’s expected hackers perpetrating tech support scams will move quickly to leverage this exploit ahead of patching in the user community.
What This Means for Users
Both as consumers and as business people, we generally think first about whether a new, web-connected product will meet our current needs, not about whether the manufacturer built in adequate security. As a result, we often don’t know what security risks we’re setting ourselves up for.
Security is universally recognized to be a “mission-critical” requirement for users, and that it must be built into systems upfront in order to be effective. But sellers of products are most interested in getting them to market quickly, not on holding them up with security testing.
And why not, given that there are few security regulations for manufacturers to worry about? There’s also little likelihood vendors would be held accountable for the damage inflicted on their customers due to security flaws.
If you’ve recently purchased new technology, you may have inadvertently introduced new risks to the security of your sensitive data. To talk about how best to integrate new solutions into your current security posture, contact Pivot Point Security.