In the years leading up to the domination of the world by the Internet we used to make fun of organizations and industries that seemed to be dragging their feet on getting modernized – the Navy’s old DOS-based, air-gapped systems seemed so antiquated (even with the Wargames movie sounding very prescient, if simplistic, alarms), as did local mom-and-pops using mechanical registers, or hospitals with clipboard paper charts. Now that everything has a network connection and is sending and receiving data via the internet, it would seem the Monkey’s Paw curled up all fingers except one and that one is flipping us “the bird.” This latest facepalm comes in the form of devices built by or containing components built by Siemens that use an operating system known as Nucleus, an OS that was written for devices used in industries that require stringent safety and security controls, such as the medical, automotive and aviation industries. Clearly this would mean that the OS must be safer than the usual Swiss cheese we see from OSes like Windows, right? Researchers have found 13 vulnerabilities in the network stack of Nucleus, an OS that is used in an estimated 3 billion devices.
What this means for you
I won’t go into the gory details of the vulnerabilities as that would only be entertaining for security geeks and I know they aren’t reading my blogs for that sort of fun. Suffice it to say, so far as the researchers know, these vulnerabilities haven’t been exploited in the wild yet and Siemens has supposedly addressed these holes with updates. So why am I spending precious minutes telling you about something that (a) you have no direct control over and (b) might already be taken care of? Precisely because of those things. It’s convenient and comfortable for us to go about our daily lives while ignoring just how much of our surroundings are managed, monitored and controlled by devices whose workings we have zero understanding of, let alone which master they report to.
We can be sure of two things in this current crazy timeline: if a device can gather and report data, it will do so because data = profit, and if the device was built, programmed or configured by a human, you can be certain that it is less than perfect. Most of the time, we can deal with something that is less than perfect. In fact we are surrounded by imperfections that are suitable, usable and safe. Most of us understand that perfection is an ideal to strive for and not objectively obtainable. Unfortunately for internet security, small imperfections, even when rare or obscure, can lead to massive problems. At the moment, as with the parallel analogy of the ratio of air disasters to safe flights, it feels like security breaches and vulnerabilities are everywhere, when in fact they only make up a very small percentage of the vast number of digital transactions that occur every single second. Unfortunately, like plane crashes, though their occurrences may be statistically rare (for the moment), they can be catastrophic when they happen. Engineers strive to reduce the chances that a plane will crash or that an operating system will be vulnerable to attack, but in the end, they are subject to human error. No technology is infallible.
It would be paralyzing to try to anticipate everything that could go wrong – this is the textbook definition of anxiety. However, I think it’s useful to carefully moderate your expectations when it comes to relying on technology to protect you or care for you perfectly. Don’t take your technology and security for granted, and you will be less surprised and better prepared for when it shows its human side.
Image by Bruno /Germany from Pixabay