As simple as ABC
It’s bedtime. You check all the windows in your house: locked. You check the front and the side door: locked. You turn on the alarm and go to bed. What about the back door… did you check it? Did you know you had one? Wait… what do you mean – do I have a back door? Actually, I don’t.
Surprise! You do have a back door. Unfortunately, you can’t see it and it happens to be right next to your alarm control. Anyone coming in through the back door can shut off the alarm. Worse, you can’t see the back door when you look for it. Perhaps worst of all, you paid for that door to be installed when you bought your refrigerator.
By now you’re sure I’m crazy. Set that assessment aside for the moment: this is, of course, an illustration of what happens when you install an untrusted piece of software on your computer, phone, tablet, smartwatch or any other device. In fact, any item that has any programming in it – from your toaster to your car – is essentially untrusted. I’m using a definition of trust from a 1984 presentation by Ken Thompson: “You can’t trust code that you did not totally create yourself.”
We Must Trust Others
Obviously, we don’t write the code for anything we buy, at least most of us don’t. That means we need to trust that the code we install on our phones will not rob us blind or allow someone to do so. If you follow the news about phone apps, you know that Google is constantly dumping hundreds of apps from the store that have malware (or a backdoor) in them. While the app store for Apple seems to be less affected, Apple products still get viruses and suffer the ill effects of malware.
Ken Thompson’s presentation is still relevant today as we read about all the issues with supply chain security. His presentation discussed how compromises introduced closer to the start of programming (and, by extension, manufacturing) are harder to detect. A product can be compromised at various points in the manufacturing process: it can start at the chip level and happen anywhere along the way up to shipment. One example was the interception of Cisco routers bound for Syria, with tools implanted in them to gather information. That was state-sponsored, but it is certainly not a stretch to imagine criminals doing the same thing. Apps on the internet can be compromised after completion, and detecting such compromised apps can be difficult, as shown by the fact that some of them get downloaded millions of times before discovery.
Security Isn’t Easy
Security can be a pain. In an ideal world, you could trust that what you bought would not hurt you. Since that world does not exist, the burden falls on us to be security-minded. As the number of internet-connected devices we use on a daily basis increases, the security issues multiply with them.
One approach – an effort-intensive one, unfortunately – was suggested by a Huawei executive. Huawei is in the hot seat with respect to supply chain security. He suggests using ABC to guide your security decisions:
• Assume nothing
• Believe nobody
• Check everything
ASSUMPTION: We have little choice but to ‘assume’ that software and software-driven products are ok.
FALSE. It takes time, but research apps and devices. Let others find out whether there’s a back door or a vulnerability that will expose your information. Research how to set up security on the security camera, the baby monitor or the video doorbell. If you can’t find that information, you probably don’t want the product, because you cannot secure it.
BELIEF: Don’t believe everything the manufacturer states – especially the typical advertising hype such as ‘Best ever’, ‘Effortless set up’ or ‘Great security’. Do your homework and find the proof.
CHECK EVERYTHING: Any time you connect to the internet, security should be your number one concern. Check the manufacturer’s reputation – especially in regard to security. Read news feeds about your intended purchase and the company that makes it. If you can’t find anything about the manufacturer, it’s probably not worth the risk that the product could send your personal information to anyone who asks for it!