Hypponen’s Law: If it’s smart, it’s vulnerable

Jason Sattler

08.11.18 3 min. read

“Everything is becoming a computer,” Mikko Hypponen, F-Secure’s Chief Research Officer, said in his October 2018 keynote address at the Les Assises security conference. And this matters because “If it’s smart, it’s vulnerable”—this is Hypponen’s Law.

So what’s vulnerable under Hypponen’s Law?

“All these connected devices, all these ‘smart’ devices in our networks. And I should know because I am the father of the Hypponen Law, which tells you that whenever something is described to you as ‘smart’ what you should be hearing is… it’s vulnerable.”

Mikko first tweeted his law, which triggers over 60,000 search results on Google, almost two years ago, in December of 2016. And it seems to become truer every day.

Even the FBI and Interpol have tried to make the case to internet users that they should not assume these connected devices are safe just because they don’t have a keyboard.

“So here’s a smart phone—vulnerable phone,” he said. “Here’s a smart watch—vulnerable watch. Smart car, smart city, smart grid… You get my point.”

How smart is smart?

For consumers, there are already “smart” condoms, luggage and hairbrushes. Almost half the homes in America have a “smart TV,” and new F-Secure research confirms that the only thing preventing even faster adoption of “smart” devices that connect to the internet is the privacy and security concerns of the people who are most excited about this technology.

For businesses, the move to connecting almost everything has been happening since before this decade began. To get a sense of how far along we are in the computerization of the world, Mikko advises visiting a factory, where companies rely on Industrial Control Systems for billions if not trillions of dollars of commerce.

“And when everything is becoming a computer, companies get hacked in surprising ways,” he said.

For an example, he pointed to one of the largest credit card breaches in history—the Target hack from 2014.

“In this case, the actual credit numbers were lost as customers were paying at the cashier desks… The shop’s own credit card terminals were stealing the credit card numbers.”

How did this happen?

“Well, it turns out that the attackers got in through the ventilation system,” Mikko said. “And no, I don’t mean Bruce Willis or Tom Cruise crawling in through the ventilation system.”

He means the computers controlling the ventilation systems.

“Because everything is becoming a computer,” these ICS systems “control the world around us,” he said.

And if they are computers, they can be hacked. Check out this story of a targeted attack in the manufacturing industry to get a sense of how vulnerable we’ve become.

When everything is connected, everything must be protected

This is the essence of Hypponen’s Law: Anything that can be programmed can be hacked, and it may be hacked to get to something else that’s far more interesting than just the ventilation system.

“They are not hacking your washing machine or your fridges to gain access to your washing machine or to your fridge,” Mikko told Nasdaq’s Tomorrow’s Capital. “They are hacking those devices to gain access to your network…the weakest link in the network is an IoT device, and we have seen this multiple times. Company networks get breached because of ventilation-automation systems which have nothing to do with your laptops or your servers, but they are computers because everything is becoming a computer.”

To repeat, everything is becoming a computer so everything is vulnerable. This is already true for our businesses and soon it will become truer for our homes.

And if we’re going to start securing for the future, we have to begin by attempting to come to grips with what it’s going to be like to live in a future governed by Hypponen’s Law.
