Suppose that somebody ran an automated scan of your network for vulnerabilities, and reported that this web server had an outdated version of PHP, and that one an outdated version of jQuery. You would know how to deal with this: if in a hurry, you would upgrade the packages at once, and trust in the developers to have maintained compatibility. If cautious, you might clone the servers, upgrade, and test carefully before upgrading the production servers. Either way, the path to the upgrade would be clear.
Now suppose that the outdated version warnings came attached to addresses that you did not recognize, and that on checking you found that they belonged to televisions and security cameras. Documentation on maintaining web servers is an internet search away, but not necessarily when those web servers simply provide the management interface for a device. A friend remarks that such servers could be implemented in firmware and essentially impossible for the owner to upgrade.
What can happen if someone uses a vulnerability in PHP or jQuery to take over a television or camera? Perhaps they could bore us by showing bad movies, or stream live video of our yards in Pyongyang. More likely, I suppose, intruders could set up the device as a base from which to try to break into more interesting systems. I would think that the facilities offered by a camera would be substantially less than those of a general-purpose computer, but I don't know.
Do "smart" devices with network interfaces--refrigerators, washing machines, etc.--make one's home less secure? I suspect that they do, but not substantially so, mostly because so much of the home is likely to be insecure already--routers with weak passwords, PCs without anti-virus software, users careless about clicking on links. Still, I wish that we didn't have to worry about the security of computers in devices that don't appear to have them.
One more thing to worry about at 3 am. Thank you. When you are next in Europe, please come to visit - not just because it would be nice to see you but so that I can beg you for a free security check.