2022 UPDATE: “If It’s Smart, It’s Vulnerable” is now available as a new book. Visit https://www.ifitssmartitsvulnerable.com/ to learn more.
“Everything is becoming a computer,” Mikko Hypponen, F-Secure’s Chief Research Officer, said in his October 2018 keynote address at the Les Assises security conference. And this matters because “If it’s smart, it’s vulnerable”—this is Hypponen’s Law.
So what’s vulnerable under Hypponen’s Law?
“All these connected devices, all these ‘smart’ devices in our networks. And I should know because I am the father of the Hypponen Law, which tells you that whenever something is described to you as ‘smart’ what you should be hearing is… it’s vulnerable.”
Mikko first tweeted his law, which triggers over 60,000 search results on Google, almost two years ago, in December of 2016. And it seems to become truer every day.
Even the FBI and Interpol have tried to make the case to internet users that they should not assume these connected devices are safe just because they don’t have a keyboard.
“So here’s a smart phone—vulnerable phone,” he said. “Here’s a smart watch—vulnerable watch. Smart car, smart city, smart grid… You get my point.”
How smart is smart?
For consumers, there are already “smart” condoms, luggage and hairbrushes. Almost half the homes in America have a “smart TV,” and new F-Secure research confirms that the only thing preventing even faster adoption of “smart” devices that connect to the internet is the privacy and security concerns of the people who are most excited about this technology.
For businesses, the move to connecting almost everything has been happening since before this decade began. To get a sense of how far along we are in the computerization of the world, Mikko advises visiting a factory, where companies rely on Industrial Control Systems for billions if not trillions of dollars of commerce.
“And when everything is becoming a computer, companies get hacked in surprising ways,” he said.
For an example, he pointed to one of the largest credit card breaches in history—the Target hack from 2014.
“In this case, the actual credit numbers were lost as customers were paying at the cashier desks… The shop’s own credit card terminals were stealing the credit card numbers.”
How did this happen?
“Well, it turns out that the attackers got in through the ventilation system,” Mikko said. “And no, I don’t mean Bruce Willis or Tom Cruise crawling in through the ventilation system.”
He means the computers controlling the ventilation systems.
“Because everything is becoming a computer,” these ICS systems “control the world around us,” he said.
And if they are computers, they can be hacked. Check out this story of a targeted attack in the manufacturing industry to get a sense of how vulnerable we’ve become.
When everything is connected, everything must be protected
This is the essence of Hypponen’s Law: Anything that can be programmed can be hacked, and it may be hacked to get to something else that’s far more interesting than just the ventilation system.
“They are not hacking your washing machine or your fridges to gain access to your washing machine or to your fridge,” Mikko told Nasdaq’s Tomorrow’s Capital. “They are hacking those devices to gain access to your network…the weakest link in the network is an IoT device, and we have seen this multiple times. Company networks get breached because of ventilation-automation systems which have nothing to do with your laptops or your servers, but they are computers because everything is becoming a computer.”
To repeat, everything is becoming a computer so everything is vulnerable. This is already true for our businesses and soon it will become truer for our homes.
And if we’re going to start securing for the future, we have to begin by attempting to come to grips with what it’s going to be like to live in a future governed by Hypponen’s Law.