’Twas just the season when millions of unsuspecting consumers unwittingly courted disaster by gorging their digital appetites on gadgets, gizmos, and whiz bangs that delight kids of all ages with their digital magic.
Which is the point of this nearly bah-humbug introduction. Because Arthur C. Clarke was right when he formulated his three laws, the best known of which is as follows:
“Any sufficiently advanced technology is indistinguishable from magic.”
I can explain (and have explained, much to my nephew’s chagrin) in excruciating detail exactly what happens the moment your finger alights on the surface of your phone or tablet. From touch to translation to transport over the Internet. He was not impressed. To someone who doesn’t understand it, it’s just magic in the sense that it “just happens.” There’s no wonder, no awe, no breathtaking admiration for just where technology has gone in the past twenty or so years. To them it’s magic, but it’s not magical.
And that view of technology can lead consumers to simply accept without much thought the growing number of devices that communicate effortlessly with applications across the Internet that delight us by dimming our lights or playing our favorite song on command. Because a whole lot of folks don’t even realize these devices are accessible, let alone vulnerable to attack.
Remember the story of the baby monitor? Longer story shorter: Internet-enabled baby monitor + default password = easy access. And there are others, of course, many of which contain the same sentiment from the unsuspecting victims: “I didn’t realize someone else could access it!”
It was on the Internet. The default password wasn’t changed because they didn’t realize someone else could access it.
This is technology illiteracy. It’s a lack of basic knowledge about how technology works. A lack of knowledge that inadvertently leads to harmless pranks like hijacking monitors or messing with the neighbor’s lights today but one day might have far-reaching and potentially dangerous consequences.
But not a lot of people know about those risks. According to a recent survey conducted by ReportLinker, most folks (in the US, at least) aren’t at all aware of the potential threat posed by smart devices, mentioning them only 31% of the time as being most vulnerable to attacks.
Recent surveys put the number of “smart devices” at 734 million in use today – an average of 7.8 per home. That’s twice as many as the average household size of 3.14 people in the US in 2015.
That number has likely gone up, of course, as we drag ourselves out of the 2016 holiday season. According to Deloitte’s Holiday Retail Sales Consumer Survey, 36% of consumers planned on purchasing electronics, which includes wearables and mobile devices, among other connected things, for Christmas. Which means even more opportunities for bad guys to get their electronic hands on devices and sign them up to be used and abused in future attacks.
All these things – consoles, computers, phones, gadgets and the like – are connected in some way to the Internet. Anything promoting “remote control via an app” is almost certainly vulnerable to attack. Whether they are exploitable or not is another question, but they are vulnerable to attack and access. And too often that access is easily gained thanks to default credentials that never get changed. Mirai, anyone?
It’s a lack of basic technology literacy that in part contributes to the continuing trend of security professionals considering employees to be their biggest risk. Not just the technically literate insider threat, mind you, but the threat of employees who continue not to take corporate security policies seriously or employ their practices.
Now, I could propose some grand plan to rally the troops and formulate standards and committees to address the potential threat. We do need better security on the device side, but that’s not going to solve the problem of changing default passwords and encouraging folks to pay more attention to the devices in their homes. So, I think before we call out the Praetorian Internet Guard, we need to go back to the beginning and introduce the concept of technology literacy into the education system.
We certainly can’t abide children growing up without the ability to read words, and we should no longer tolerate our children growing up in a digital world without understanding the very basics of the technology on which they increasingly depend. Especially when it leads to (poor) conclusions about the potential threat such devices might pose. I’m not talking about teaching the use of productivity tools; I’m talking about basic Internet foundations and understanding how things inside your house connect to things outside.
Technology is magical, yes, but it isn’t magic, and we shouldn’t accept that those who rely on it remain indifferent to how it works. We should look to improve the overall technology literacy rate so that at a minimum, folks understand that “things that connect to the Internet can be (and probably will be) accessed by other people, too.”
Because maybe that will kick-start a ripple effect of at least changing default passwords on our 7.8 things and paying more attention to the security policies and practices in our workplaces.
About the Author: Lori MacVittie is responsible for evangelism across F5’s entire portfolio including a broad set of network and application security solutions. Prior to joining F5, MacVittie was an award-winning technology editor at Network Computing Magazine with a focus on applications and security. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.