News | Oct. 31, 2019

There Are Zombies in Our Midst

By Alison Pavan, NSA/CSS Communications Officer NSA

Graphic of two zombie faces. Photo by: NSA. VIRIN: 191030-D-IM742-2001

You’ve probably encountered a zombie in your life. Several, in fact. Zombie devices, that is.

As smart devices replace static devices, complications arise when it comes to security. For instance, a smartphone has a lifecycle of about two years, in part because companies stop supporting older devices in favor of updated operating systems, hardware, and new technology developments. Companies are also perpetually looking to sell customers upgraded options with more capabilities.

Now imagine the same lifecycle for a common household object or appliance. Do you really need to replace that refrigerator, security camera, or lightbulb every two years? Many of these items are expected to last years or even decades, yet often the manufacturers have the same short lifecycle in mind for the software of that particular item. This leaves them vulnerable to cyberattacks as their underlying software grows older and is left unpatched – creating “zombie” devices that execute their overall function correctly, but whose technology component is neither supported nor receiving critical security patches or updates.

The question now is whether manufacturers will provide the necessary associated security and software updates for the extended lifetime of the item. Manufacturers are advancing the functionality of their products as quickly as possible; while some are advertising 10-year limited warranties, that isn’t the same as providing software and security updates and committing to address critical security flaws for 10 years. By comparison, most major computer operating systems have an average 10-year support lifetime, while support in the mobile ecosystem is dramatically shorter. If a company whose primary focus is developing computer operating systems is only providing software and security support for 10 years, we have to ask ourselves how likely it is for other manufacturers, whose focus is not software development, to provide the same level of support for the same amount of time.

Eventually, it’s likely smart or connected technologies will become integrated into all areas of both our personal and professional lives. For example, while there may not be smart lighting systems in the buildings you work in today, there likely will be in the near future. Smart lighting systems offer a variety of energy-saving measures and can lessen the resources necessary to manage and maintain lighting across a large or distributed facility footprint. Just like the smart appliances above, though, these smart lighting systems now require regular software and security updates in order to have a reasonable cybersecurity posture. Building owners, facilities managers, and any others who purchase, install, or manage lighting systems will expect these systems to last for years, like the current lifetime of traditional lighting systems.

For a real-world example of vulnerable zombie devices, we can look to the Mirai botnet in 2016, which unexpectedly created an army of zombie Internet of Things (IoT) devices and used them to deliver an enormous distributed denial of service (DDoS) attack. Because so many IoT devices were left unpatched, they were vulnerable to compromise and were then used as part of the attack. In this instance, once infected, a compromised device would monitor a command-and-control server which indicated the target of the attack. This left many high-profile websites down for hours – and much of the East Coast unable to access the Internet.

As the Internet of Things grows larger and more pervasive, personal “smart” devices such as connected refrigerators, slow-cookers, and shoes, as well as commercial systems like HVACs, building infrastructure, and hospital services, are becoming an accepted part of our lives. It is estimated that by 2025, there will be tens of billions of items in the IoT – which translates to multiple devices per person on this planet. This leaves more and more devices exposed to lax security updates, with the potential to turn into “zombie” devices and create potential breaks in the chain. This is why whole-network security is essential, and we encourage you to be aware of old or nonexistent software updates which could leave your entire network defenseless.