Technology vendors continuously develop well-intentioned, purpose-built functionality, and features intended to enhance our digital experience. They are diligently responding to business and consumer demands for more and faster features to make their lives more convenient and work more cost-efficient. However, new technology is all too often rushed into production with insufficient regard for security and privacy. New features that make things more connected, convenient, efficient, and faster might also empower threat actors to quickly and not so quietly find ways to misuse those features and benefits, making them flaws.
Examples of innovation creating security fails
This manipulation is a different trend than the malware-based attacks that fill the media with bad headlines of one organization after another being compromised. Here are ten notable high-level examples from just the last five or so years. These features are/were exploited and imperiled us all.
- Generative artificial intelligence (AI): The hottest technology of 2023, generative AI burst onto the scene in November of 2022 with the public debut of OpenAI’s ChatGPT. The term broadly describes machine-learning systems capable of generating text, images, code, or other types of content in response to prompts entered by a user. Released with too little concern for security or privacy in the design and implementation, generative AI was almost immediately weaponized by threat actors. They used it to create disinformation, which exacerbated its other vulnerabilities like hallucinations. Generative AI has made deepfake creation readily available to almost anyone. On the dark web’s hacker forums, malevolent versions of generative AI-as-a-service are ready to generate malicious code, assist with sophisticating deepfake creations, and mass produce ever more clever and realistic business email compromise (BEC) campaigns.
- Zoom’s end-to-end encryption: Zoom, a popular video conferencing platform, introduced end-to-end encryption to enhance user privacy in 2020. However, security researchers found that Zoom’s implementation had significant vulnerabilities, potentially impacting millions of users who relied on the platform for secure communication.
- WhatsApp’s encryption backdoor: WhatsApp implemented end-to-end encryption to secure user messages in 2017. However, a vulnerability allowed attackers to exploit a backdoor.
- Intel’s Active Management Technology (AMT) vulnerability: Intel’s AMT, designed to facilitate remote management of devices, inadvertently had a critical vulnerability that allowed attackers to gain unauthorized access to systems.
- Google+ API Bug: Google+ introduced features to allow users to share information more selectively in 2018. However, a bug in the API exposed user data that wasn’t meant to be public, potentially impacting up to 500,000 users.
- Smart IoT devices: The surge in internet-of-things (IoT) devices like smart cameras and voice assistants introduced convenience but also vulnerabilities. Weak security measures allowed hackers to access devices remotely.
- Facebook’s friend permissions: In 2018, Facebook allowed users to grant third-party apps access to their friends’ data, inadvertently facilitating the Cambridge Analytica scandal.
- Biometric authentication on phones: Smartphone manufacturers introduced biometric authentication methods like facial recognition and fingerprint sensors. However, researchers demonstrated that these methods could be fooled using photographs or 3D models.
- Spectre and Meltdown CPU vulnerabilities: These vulnerabilities exploit by-design OEM features to enhance the performance of central processing units (CPUs) from multiple vendors to allow any program (including web apps and browsers) to view the contents of protected memory areas, which often contain passwords, logins, encryption keys, cached files, and other sensitive data.
- IoT botnets: In 2016, the Mirai botnet enabled a massive distributed denial-of-service (DDoS) assault. It was one of the worst hacking fears coming true as criminals exploit millions of IoT devices like internet-connected baby monitors, burglar alarms, cameras, thermostats, and printers to launch a successful attack, crippling individuals’ ability to the connect to the internet and the websites of major companies like Amazon, Netflix, and Twitter for hours at a time.
Why should any of us care? The cost to an organization that does not take proactive steps to protect itself and waits to react to an incident could be catastrophic to their reputation (bad headline) or bottom and top lines. While a reactive posture is costly, a proactive approach is also expensive and potentially disruptive to business. How costly? IDC’s Worldwide Security Spending Guide forecasts 2023 worldwide spending on security solutions and services to be $219 billion, an increase of 12.1% compared to 2022. These figures do not include incident or breach response expenses, which exponentially increase costs to the impacted organization. Factor in this trend where the threat actors’ goal appears to be disrupting business and these profit and growth-killing expenses can be expected to increase.
Basic security hygiene best bet against flaws in new tech
While only some of these flaws have become fully weaponized to steal valuable information or disrupt business, they all could play a part in a multi-fronted attack. So, organizations must act. Fortunately, you can take effective steps without making a huge investment in security solutions. Is your organization taking at least these precautions like (to name a few):
- Routinely patch and update systems and apps.
- Routinely and frequently test backups.
- Heightened system monitoring processes.
- Adopt a defense-in-depth approach.
- Fully vet business unit cross-functional incident response plans.
Many of the significant technology innovations and features we have come to enjoy could eventually be exploited as flaws. The actual “cure” is for OEMs and other technology innovators to adopt security and privacy by design with solid ethics driving those elements. Until that mindset is fully embraced and “baked in,” we will continue to see this trend and its associated damages.