Email this Article Email   

CHIPS Articles: There Are Zombies in Our Midst – and you thought Halloween was over

There Are Zombies in Our Midst – and you thought Halloween was over
NSA cautions of unpatched software in IoT networks and devices
By Alison Pavan, NSA/CSS Communications Officer NSA - November 4, 2019
FORT MEADE, Md. — You’ve probably encountered a zombie in your life. Several, in fact. Zombie devices, that is.

As smart devices replace static devices, complications arise when it comes to security. For instance, a smart phone has a lifecycle of about two years, in part because companies stop supporting older devices in lieu of updated operating systems, hardware, and new technology developments. Companies are also perpetually looking to sell customers upgraded options with more capabilities.

Now imagine the same lifecycle for a common household object or appliance. Do you really need to replace your refrigerator, security camera, or lightbulb every two years? For many of these items are expected to last years, even decades, yet often the manufacturers have the same short lifecycle in mind for the software in these items. This leaves them vulnerable to cyberattacks as their underlying software grows older and remains unpatched – creating “zombie” devices who execute their overall function correctly, but whose technology component is neither supported nor receiving critical security patches nor updates.

The question now is whether manufacturers will provide the necessary associated security and software updates for the extended lifetime of the item. Manufacturers are advancing the functionality of their products as quickly as possible; while some are advertising 10-year limited warranties, that isn’t the same as providing software and security updates and committing to address critical security flaws for 10 years.

Comparing this to traditional computer operating systems, most major computer operating systems have an average 10-year support lifetime, while the mobile ecosystem is dramatically shorter. If a company whose primary focus is developing computer operating systems is only providing software and security support for 10 years, we have to ask: How likely it is for other manufacturers, whose focus is not software development, to provide the same level of support for the same amount of time?

Eventually, it’s likely smart or connected technologies will become integrated into all areas of both our personal and professional lives. For example, while there may not be smart lighting systems in the buildings you work in today, there likely will be in the near future. Smart lighting systems offer a variety of energy savings measures and can lessen the resources necessary to manage and maintain lighting across a large or distributed facility footprint. Just like smart appliances, though, these smart lighting systems now require regular software and security updates to have a reasonable cybersecurity posture. Building owners, facilities managers, and any others who purchase, install, or manage lighting systems will expect these systems to last for years, like the current lifetime of traditional lighting systems — but they will be wrong!

For a real-world example of vulnerable zombie devices, we can look to the Mirai botnet in 2016, which unexpectedly created an army of zombie internet of things (IoT) devices and used them to deliver an enormous distributed denial of service (DDOS) attack. Because so many IoT devices were unpatched, they were vulnerable to compromise and were used as part of the attack. In this instance, once infected, a compromised device would monitor a command-and-control server, which indicated the target of the attack. This left many high profile websites down for hours – and much of the U.S. East Coast unable to access the internet.

As the internet of things grows larger and more pervasive, personal smart devices, such as connected refrigerators, slow-cookers, and shoes, as well as commercial systems like HVACs, building infrastructure, and hospital services, are becoming an accepted part of our lives. Estimates are that by 2025, there will be tens of billions of items in the IoT – which translates to multiple devices per person. This means that more and more devices will be vulnerable due to lax security updates. The potential is high they could turn into “zombie” devices, creating potential breaks in the chain. This is why whole-network security is essential, and we encourage you to be aware of old or nonexistent software updates — which could leave your entire network defenseless.

Additional editing by CHIPS Magazine.

The National Security Agency/Central Security Service (NSA/CSS) leads the U.S. Government in cryptology that encompasses both signals intelligence (SIGINT) and information assurance (now referred to as cybersecurity) products and services, and enables computer network operations (CNO) to gain a decision advantage for the Nation and our allies under all circumstances.

For cybersecurity tips and advisories, visit the NSA website

NSA graphic of two Zombie faces
Related CHIPS Articles
Related DON CIO News
Related DON CIO Policy

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988
Hyperlink Disclaimer