There are many bad things connected to your network either directly or indirectly. My old Apple iPad 3, equipped with WiFi, can’t upgrade to the latest version of iOS. While the tablet works great, it’s getting older by the minute. How long will Apple patch vulnerabilities? Not forever. While iOS is inherently pretty secure, because of the sandbox model that Apple uses to lock apps out of the operating system kernel, it’s not 100% bullet-proof. At some point, an iPad 3 user (maybe even me) might hit a malicious website that iOS 9.3.5 can’t handle.
The problem is worse with Android, due to fragmentation. It’s up to each device manufacturer to decide whether or not to push out a new version of Android to a WiFi-based device (such as a tablet). If the device has a cellular modem (such as a smartphone), the operating system upgrade might require the active participation of both the device maker and the provisioning carrier. What about the myriad Android-based Internet-of-Things devices, like cameras, stereos, smart watches? That’s a gray area. There’s no definitive word about who owns upgrades. If the product has been discontinued, nobody has much incentive. If the maker has gone bankrupt, nobody has any incentive.
According to Google, only about 31% of Android devices are running Marshmallow or Nougat, the latest versions of the platform. About 33% are running Lollipop, 23% are running KitKat, and a smattering are on even older, more vulnerable versions.
Obviously, this is not limited to just iOS and Android devices. Anything connected to the network can be subverted and attacked.
This is not hypothetical. The big Mirai-based malware attack in October 2016 was fueled, in part, by hacked IoT devices, including digital video recorders and Internet cameras that used components made by XiongMai Technologies. Those devices, which were made and sold by several companies under a variety of brand names, were then used to attack Dyn, a managed DNS service provider. Attacked! By DVRs and cameras!
The problem is deeper than operating systems. Users and devices are especially vulnerable to attacks if they are running old versions of Web browsers, or have old versions of plug-ins, add-ons and applications. Sure, zero-day exploits are a challenge, but unpatched known vulnerabilities are even worse because they are easily exploited – it’s not hard to scan for them across the network or by reading Internet headers. Once hackers see that someone has an out-of-date mail server, browser, or other application, they know exactly what to do.
That doesn’t explain why that’s our problem, though. If some VP gets his email hacked and loses some corporate financial statements, that’s his bad luck. Right? If a hospital administrator messes up with ransomware and ends up with an encrypted server that can’t be salvaged, and that loses six months of test results, it sucks to be a patient, but you can’t blame the ISP. Right?
I am not a lawyer, but I think this is exactly our problem to solve. Not only because we have a moral responsibility to our customers, but also because in many cases, we are the only ones who might be able to detect the problem in advance of an attack. And, of course, if there’s a major DDoS attack that hits one of our customers, or originates on our network, our throughput and performance and SLAs will be affected too. So, let us push for less insecure products, and encourage our customers to upgrade or replace vulnerable hardware and software.
Depending on your company, you may have more or less influence across the agency. Certainly Verizon and Vodafone have more pull than, say, regional or specialized carriers. If you have pull… use it. If you resell products to your customers, don’t resell them if they are not safe. If that means testing, then test. If that means partnering with independent labs, then do so.
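An added example, not part of the original article: one way a network operator could apply the "reading Internet headers" idea defensively, classifying User-Agent headers from its own proxy or portal logs to find customers on outdated Android and iOS releases. The log format, the sample lines, and the policy thresholds (older than Marshmallow, iOS 9 or earlier) are assumptions made for illustration.

```python
import re
from collections import Counter

# Android release names by version prefix (public release history).
ANDROID_NAMES = {(7,): "Nougat", (6,): "Marshmallow", (5,): "Lollipop", (4, 4): "KitKat"}
# Assumed policy: flag Android older than Marshmallow and iOS 9.x or earlier.
MIN_SUPPORTED = {"Android": (6,), "iOS": (10,)}
ANDROID_RE = re.compile(r"Android (\d+(?:\.\d+)*)")
IOS_RE = re.compile(r"CPU (?:iPhone )?OS (\d+(?:_\d+)*) like Mac OS X")

def classify(user_agent):
    """Return (platform, version_tuple, label, outdated), or None if unrecognised."""
    m = ANDROID_RE.search(user_agent)
    if m:
        ver = tuple(int(p) for p in m.group(1).split("."))
        label = next((name for prefix, name in ANDROID_NAMES.items()
                      if ver[:len(prefix)] == prefix), "other Android")
        return "Android", ver, label, ver < MIN_SUPPORTED["Android"]
    m = IOS_RE.search(user_agent)
    if m:
        ver = tuple(int(p) for p in m.group(1).split("_"))
        return "iOS", ver, "iOS %d" % ver[0], ver < MIN_SUPPORTED["iOS"]
    return None

def audit(log_lines):
    """Each line is 'client<TAB>user-agent'. Returns (label counts, outdated clients)."""
    counts, outdated = Counter(), []
    for line in log_lines:
        client, _, ua = line.rstrip("\n").partition("\t")
        result = classify(ua)
        if result is None:
            counts["unrecognised"] += 1
            continue
        platform, ver, label, old = result
        counts[label] += 1
        if old:
            outdated.append((client, platform, ".".join(map(str, ver))))
    return counts, outdated

# Constructed sample log lines (documentation-range addresses, shortened User-Agents).
SAMPLE_LOG = [
    "192.0.2.10\tMozilla/5.0 (iPad; CPU OS 9_3_5 like Mac OS X) AppleWebKit/601.1.46",
    "192.0.2.11\tMozilla/5.0 (Linux; Android 4.4.2; Tablet Build/KOT49H) AppleWebKit/537.36",
    "192.0.2.12\tMozilla/5.0 (Linux; Android 7.0; Phone Build/NRD90M) AppleWebKit/537.36",
    "192.0.2.13\tMozilla/5.0 (iPhone; CPU iPhone OS 10_2 like Mac OS X) AppleWebKit/602.3.12",
    "192.0.2.14\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
]
if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

User-Agent values are client-supplied and may be missing or altered, so the output is an inventory hint for customer outreach rather than proof of a device's patch level.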