Streaming media giant Netflix recently produced the film Leave the World Behind, based on the novel by Rumaan Alam. The story opens with an impromptu family getaway, prompted by an advertisement promising the alluring offer to leave the world behind by visiting a charming rental property near a quaint coastal community. The film’s title foreshadows unfathomable events that will forever change the world. Almost from the start, horrific global incidents conspire to ruin the vacation getaway and all of modern society as they know it.
Spoiler alert. Stop reading and go watch the film or read the book before proceeding. Throughout the story, the author realistically plays out a variety of apocalyptic cyber warfare plots, ranging from the destruction of satellite geolocation and communications to the collapse of cellular, television and Internet capabilities and even the malicious takeover of self-driving vehicles. Although intentionally vague on many details, the story seems to imply the United States and possibly other global superpowers were attacked in an attempt to sow chaos and break down social order, making them easy targets for more traditional attacks from rogue nation-state actors.
Although most would probably classify the events portrayed in the film as science fiction or even dystopian fantasy, recent trends in the cybersecurity world demonstrate we’re not as far off from these types of catastrophic events as many would like to believe.
Truth Is Stranger Than Fiction
For the naysayers in the crowd, I present several real-world scenarios that parallel events from the movie.
In the telecommunications and infrastructure sector, I point to a recent FBI report stating Chinese hackers are preparing to attack US communications infrastructure. This particular campaign, conducted by a group calling itself “Volt Typhoon,” is known to be sponsored by the People’s Republic of China (PRC) despite denials by the Chinese government. Reports indicate evidence of successful hacks on US infrastructure dating back to 2021.
With respect to satellite communications and geolocation, I point to the Viasat compromise backed by Russia on the eve of the Ukraine war. Russian forces intentionally disabled satellite communications in order to gain a strategic advantage during their initial assault. The attack was multi-faceted and complex, indicating a significant amount of planning and prework took place long before being executed.
Similarly, the National Counterintelligence and Security Center (NCSC) recently issued a bulletin warning of foreign intelligence attacks against US space-related capabilities. In a related thread, the US Air Force sponsored a “Hack-A-Sat” competition in conjunction with last fall’s DEF CON conference. Multiple teams were able to successfully compromise an actual satellite that was set up specifically for the competition.
Last, and not surprisingly, I want to highlight a recent hack called MadRadar, which targets self-driving vehicles. Thankfully, this was not an exploit in the wild, but rather research conducted and shared ethically by engineers from Duke University. But the exploit demonstrates how easy it is to fool current “smart” vehicles into misbehaving. This exploit wasn’t just theoretical. Researchers actually tested it in a controlled environment against multiple vehicles. All attack vectors were successful in compromising the radar systems and fooling each vehicle into behaving contrary to its intended programming.
A Measured Response
I offer these examples not to sow fear, uncertainty and doubt (FUD), but rather to serve as a wake-up call to the deniers out there that we must do better with cybersecurity. These scenarios have become all too plausible in recent days. The time for action is now in order to prevent a major world-altering incident.
A significant portion of the burden, by design, must fall on manufacturers of these products and services. Security needs to be designed in from the start. Bolting it on afterward is clearly not working. We, as consumers of these products and services, must start holding organizations more accountable for the lack of security, with penalties being swift and severe for those that demonstrate utter disregard for security in their products.
That said, it’s not realistic to expect the resources of a single company to be able to compete with those of the nation states that are backing these highly capable threat actors. Companies are going to need to pool their resources in order to improve cybersecurity as a whole. Moreover, governments need to do more in this arena, sponsoring more security research and freely sharing results to benefit all.
In addition, although industry may rail against it, more regulation may be required. Sadly, we’ve proven that when left to their own devices, companies do not choose to make security a priority. Data shows ongoing increases in the number of attacks, with 2024 on pace to be yet another record-breaking year of incidents.
Practical Steps to Take
For those producing network-connected products and services, the following are simple, practical steps that can be taken to protect against unwanted intrusions and compromises.
Most compromises begin with the seizure of a highly privileged account (HPA). Threat actors frequently seek out publicly available documentation to find a default username and password that is known good against many devices of a certain make and model, simply because users don’t bother to change it during initial setup. By eliminating default passwords entirely, either randomizing the credentials for each device or requiring them to be changed during initialization, and by using long, highly complex randomized passwords, manufacturers and developers can quickly close down this common attack vector.
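The two options above, a unique random credential per unit or a factory default that is accepted only until it is replaced, are shown below in a small first-boot provisioning routine. This is an added example and not code from the original post or from any product; the device credential store, the list of known factory defaults and the password-length threshold are constructed for illustration.

```python
"""First-boot credential provisioning for a network device (added example).

Option 1: generate a unique random password per unit from the OS CSPRNG.
Option 2: accept the documented factory default once, but refuse normal
operation until it has been replaced with a non-default password.
All names and thresholds here are constructed assumptions, not a real product's API.
"""
import hashlib
import hmac
import os
import secrets
import string
from typing import Optional

# Constructed list of factory defaults the firmware must never keep as a credential.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
MIN_PASSWORD_LENGTH = 12          # constructed policy value
PBKDF2_ROUNDS = 600_000           # work factor for the stored hash


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest); a fresh 16-byte salt is drawn when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def generate_device_password(length: int = 20) -> str:
    """Per-device random credential (printed on the unit label, never reused)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_weak(username: str, password: str) -> bool:
    """Reject known defaults, username-as-password, and short passwords."""
    if (username, password) in KNOWN_DEFAULTS:
        return True
    if password == username:
        return True
    return len(password) < MIN_PASSWORD_LENGTH


class DeviceCredentialStore:
    """In-memory stand-in for the credential file on a device (constructed)."""

    def __init__(self):
        self._records = {}  # username -> {"salt", "digest", "must_change"}

    def _store(self, username: str, password: str, must_change: bool) -> None:
        salt, digest = hash_password(password)
        self._records[username] = {"salt": salt, "digest": digest, "must_change": must_change}

    def provision_random(self, username: str) -> str:
        """Option 1: unique random password per unit, set at manufacture or first boot."""
        password = generate_device_password()
        self._store(username, password, must_change=False)
        return password

    def provision_factory_default(self, username: str, password: str) -> None:
        """Option 2: the documented default is usable only in must-change state."""
        self._store(username, password, must_change=True)

    def set_password(self, username: str, new_password: str) -> bool:
        """Replace the credential; returns False (and changes nothing) if it is weak."""
        if is_weak(username, new_password):
            return False
        self._store(username, new_password, must_change=False)
        return True

    def authenticate(self, username: str, password: str) -> str:
        """Return 'denied', 'change_required' or 'ok'."""
        rec = self._records.get(username)
        if rec is None:
            return "denied"
        _, digest = hash_password(password, rec["salt"])
        if not hmac.compare_digest(digest, rec["digest"]):
            return "denied"
        return "change_required" if rec["must_change"] else "ok"


if __name__ == "__main__":
    unit = DeviceCredentialStore()
    label_password = unit.provision_random("admin")
    print("label password:", label_password, "->", unit.authenticate("admin", label_password))
    legacy = DeviceCredentialStore()
    legacy.provision_factory_default("admin", "admin")
    print("factory default login:", legacy.authenticate("admin", "admin"))
```

The point of the `change_required` state is that a device shipped with a documented default can still be set up in the field, but it cannot be left running on that credential; any management or control function should refuse to proceed until `authenticate` returns `ok`.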
Another easy-to-fix avenue often exploited by hackers is a lack of updates and patches. This one requires a two-pronged approach. Not only should producers of IT products and services be providing their own regular security updates, but they should also be monitoring any embedded libraries and third-party utilities for updates and passing those along in a timely manner. By closing known gaps quickly, we can make it significantly harder for threat actors to operate.
One more common attack vector is network compromise because critical devices are exposed to the public Internet. This one has to fall to consumers to fix. We must stop putting devices that control critical services on the Internet without any security. In most cases, it’s not appropriate for control devices to be exposed to the Internet. Instead, they belong on private networks with multiple layers of security. In the rare instances that a device must be exposed directly to the Internet, care must be taken to ensure the appropriate security controls have been layered around the device to both monitor the connection and prevent unauthorized access.
Lastly, I’d like to end with a call for more security testing of IT products and services. Many of the exploits we see threat actors utilizing are what we in the industry refer to as garden-variety exploits. This means an attacker is able to use basic, well-known techniques to infiltrate a device or service. This low bar of entry is partly to blame for the ever-increasing number of attacks in the wild. Tools are readily available for both static and dynamic code analysis as well as external penetration testing. Simply performing these scans and remediating any findings before releasing to production would go a long way toward improving overall security posture.
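A quick way to check whether a control device is exposed in the way described above is to look at what it is listening on. The script below, an added example that is not from the original post or any vendor, parses `ss -tlnp`-style output (a constructed sample is embedded) and reports control-plane and industrial-protocol services that are bound to every interface or to an address outside the device's management network. The port table and the management network ranges are constructed assumptions; adjust them to the product.

```python
"""Listener-exposure audit for a control device (added example).

Reads `ss -tlnp` output and flags services from a constructed table of
management and industrial protocols that are reachable from anywhere, i.e.
bound to all interfaces or to an address outside the management network.
The sample output, port table and network ranges are constructed assumptions.
"""
import ipaddress
import re

# Constructed table: services that belong on a private management network.
CONTROL_PORTS = {
    22: "ssh", 23: "telnet", 80: "http-admin", 443: "https-admin",
    502: "modbus-tcp", 20000: "dnp3", 44818: "ethernet/ip", 47808: "bacnet",
}
# Constructed assumption: loopback plus the site's management subnet.
MANAGEMENT_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "10.20.30.0/24")]
WILDCARDS = {"0.0.0.0", "[::]", "*"}

# Constructed sample in the column layout of `ss -tlnp` (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:502         0.0.0.0:*         users:(("modbusd",pid=1044,fd=5))
LISTEN 0      128    127.0.0.1:9090      0.0.0.0:*         users:(("metrics",pid=1102,fd=4))
LISTEN 0      128    10.20.30.5:443      0.0.0.0:*         users:(("webui",pid=1200,fd=6))
LISTEN 0      128    [::]:23             [::]:*            users:(("telnetd",pid=1303,fd=3))
LISTEN 0      128    198.18.5.7:20000    0.0.0.0:*         users:(("dnp3d",pid=1410,fd=3))
"""


def split_host_port(local: str) -> tuple:
    """'[::]:23' -> ('[::]', 23); '10.20.30.5:443' -> ('10.20.30.5', 443)."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def exposure(host: str) -> str:
    """Classify a bound address as 'any', 'management' or 'outside'."""
    if host in WILDCARDS:
        return "any"
    addr = ipaddress.ip_address(host.strip("[]"))
    # `in` returns False when address and network families differ, so mixing v4/v6 is safe.
    if any(addr in net for net in MANAGEMENT_NETS):
        return "management"
    return "outside"


def process_name(field: str) -> str:
    """Pull the program name out of users:(("sshd",pid=812,fd=3))."""
    m = re.search(r'\("([^"]+)"', field)
    return m.group(1) if m else "?"


def audit_listeners(ss_output: str) -> list:
    """Return one finding per control-protocol listener reachable beyond the management network."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header or non-listening socket
        host, port = split_host_port(cols[3])
        proto = CONTROL_PORTS.get(port)
        if proto is None:
            continue  # not a management/control protocol we track
        where = exposure(host)
        if where == "management":
            continue
        findings.append({
            "port": port, "proto": proto, "bind": host, "exposure": where,
            "process": process_name(cols[5]) if len(cols) > 5 else "?",
        })
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{f['proto']:<12} port {f['port']:<6} {f['process']:<10} bound to {f['bind']} ({f['exposure']})")
```

On the sample, the loopback metrics endpoint and the web UI bound to the management address pass, while SSH, Modbus and telnet on all interfaces and DNP3 on a non-management address are reported. Binding to the management address is the first layer; the firewall and monitoring in front of the device are the layers the text describes and are not replaced by this check.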
About Black Kilt Security
Black Kilt Security is a boutique security firm in Ann Arbor, Michigan providing cybersecurity services to mid- and large-sized global businesses. Staff are highly skilled, averaging more than 20 years of technical experience in the Fortune 100 space. We are active in the cyber community, sharing knowledge and tirelessly working to educate the public about both the dangers of cyber threats and the easy steps that help prevent them.
Contact Black Kilt Security for a free consultation to review your product security or exposure for your organization as a result of third-party products and services.