I only wonder because, while I know no one could advise per se that people deliberately make bad security decisions, I don’t feel as a layman that the nature of the risk is adequately explained.
Specifically, if you use a really old OS or an old now unsupported phone. The explanations for why this is dangerous tend to focus on the mechanism by which it creates a security flaw (lack of patches, known hardware security flaws that can never be patched).
If we use an analogy of physical security whereby the goal is to prevent physical intrusion by thieves or various malicious actors, there’s a gradient of risk that’s going to depend a bit on things like who and where you are. If you live in a remote cabin in the woods and left your door open, that’s bad, but probably less bad than in a high crime area in a dense city. Similarly, if you’re a person of note or your house conspicuously demonstrates wealth, security would be more important than if it you’re not and it doesn’t.
I would think, where human beings are making conscious choices about targets for cybercrime some parralells would exist. If then, you turn on an old device that’s long obsolete for the first time in years and connect to the internet with it, while I know you are theoretically at great risk because your doors and windows are essentially wide open, how risky is that exactly? If you just connect, at home on your wifi and don’t do anything? Is someone inevitably going to immediately find and connect to this device and exploit it’s vulnerabilities? Or does there have to be a degree of bad luck involved?
I’ve brought up the idea of malicious actors who are human beings making conscious decisions, (hackers), but I was once told the concern is more to do with automated means of finding such devices when they’re exposed to the internet. This makes more sense since a theoretical hacker doesn’t have to sit around all day just hoping someone in the world will use an outdated device and that they’ll somehow see this activity and be able to exploit the situation, but I guess, it seems hard for me to imagine that such bots or automated means of scanning, even if running all day will somehow become aware the minute anyone, anywhere with an insecure device connects to the internet. Surely there has to be some degree coincidental happenstance where a bot is directed to scan for connections to a particular server, like a fake website posing as a bank or something? It just doesn’t seem it could be practical otherwise.
If I’m at all accurate in my assumptions, it sounds then like there’s a degree to which a random person, not well known enough to be a specific target, not running a website or online presence connecting an insecure device to the internet, while engaging in some risk for sure, isn’t immediately going to suffer consequences without some sort of inciting incident. Like falling for a phishing scam, or a person specifically aware of them with mal intent trying to target them in particular. Is that right?
You’re pretty well on the right track. It might help if I explain what the attack is doing more. So an attacker starting out knows nothing about you or even where you are. So they need to figure these things out. The most optimal way to do this is by scanning everything and I do mean everything. There are automated scans that get information on literally everything that is open on the web. An unconfigured device that’s capable of ssh can get hit with login attempts after just 30 seconds of being plugged in. So first they try to find someone and let’s say by random they get you, they don’t know who you are yet but they have an IP now. First they run scans to see what’s available, what services are internet capable and talking to anyone who asks. Once they know what services they will do banner grabbing to try to find out specifics about the service like version number. Once they have this information they can dig for more or look for vulnerabilities specific to that service and version. Metasploit will actually tell you which attacks work for the version numbers you’ve discovered, pretty handy. If they decide to proceed they send the correct exploit to you computer and bam they’re in to do whatever. If you’re running something out of date there are usually vulnerabilities that just will allow access to attackers, this is why updating is important.
Security through obscurity first relies on not being seen in the first place whether through not connecting to much or being something no one cares about hacking in the first place. Second it relies on being uncommon enough to not have a bunch of known vulnerabilities. A random GitHub program with 10k downloads is going to have a lot less known vulnerabilities than Microsoft office. Third it relies on being so little known that even if someone can figure out how to hack in they won’t know what to do. Imagine trying to find important documents on someone’s heavily customized Linux box as opposed to a Windows box.
Tldr: security through obscurity is first hoping you don’t get seen then hoping if you are seen that they don’t care. It’s not good security but it might work.
Is it quite hard even with an outdated android phone for example, to make use of the knowledge that it has connected to the internet. If the scans really are as broad as you say and actually scans the vastness of the entire visible internet, I wonder why it seemingly never was a problem for me on my last phone which I ran for many years after it stopped receiving security updates.
I gather I’m a small target, but then again, still plenty of gains to have been made from a person’s phone if thoroughly compromised. I should imagine there would have been millions just like mine connecting everyday that would have been detected by such scans
Once you detect a vulnerable device like that, is it expensive to capitalise on it? Does someone have to make careful choices of targets to maximise use of limited resources? Or does it require a lot of additional vulnerabilities beyond the few known ones you might pick up initially that would make a total catastrophe for owners of outdated devices unlikely? There were no obvious consequences to me after years and given how common this would be I can’t imagine that was some incredible fluke.
It takes less than 5 minutes to port scan the entire internet with the right tools. Your secret log cabin in the internet woods will be quickly found.
Hey thanks. I’m gathering this is the case. I am actually pretty surprised but I guess I don’t know what I expected. I’m confused by your reply in context though, coming in response to this comment reply rather than the original post.
In the 30s or less that it takes for a person using an old, insecure phone to connect to the internet, to be detected by every single scanning program out there, why is there not an immediate disastrous consequence to everyone who does this right away? Is it infeasible for a malicious actor to, on discovering an outdated OS or a known to be exploitable piece of hardware connecting to the internet, to make decent use of that opportunity in every case?
It’s just, a lot of people through ignorance or laziness don’t take cybersecurity seriously, and yet only a small subset suffer actual consequences and that must be down to some factors. The most obvious that comes to mind for laypersons like myself is, whether you’d be a target worth pursuing, but the trouble with that theory is that the reality seems to be that it’s rarely actual people deciding to commit crimes against you, and much more likely unthinking machines capable of looking for any target big or small all day and all night. Yet, despite that only some of the many available targets have anything bad happen to them? I’m wondering why that is?
In my comment reply, to which you replied, I was trying to figure out if mere detection of a vulnerable device is maybe not enough to establish likelihood of that device being victimised. Are the steps that come after detection, prohibitively expensive for cybercriminals to deploy on a scale equal to the number of available targets? Or are the most common known vulnerabilities not themselves sufficient for an attacker to gain much from without a bunch of additional vulnerabilities also needing to be present and which are also less likely?
Put it this way. In the physical realm, leaving your door open in one place is more dangerous than leaving it open in another even though theoretically it’s just as easy to enter a residence in either such place. The difference is relative expense and difficulty of reaching the residence in a remote location vs one in a densely populated area. If in the physical realm you could do what you can do in the digital realm and make a device that somehow becomes aware of any door left open in any building anywhere on the planet and you could also send little robot thieves that could travel instantaneously and inexpensively to any location on the planet, there’d theoretically be no reason to ever be selective in your targets, you might as well rob every building every time since it costs you nothing. Yet somehow that doesn’t seem to be what it looks like in the cybersecurity context.
You’ve mentioned a phone as an example a couple times now. What kind of phone are you referring to, a smart phone? Because I should mention that if you connect an old smartphone, or even a Windows XP laptop to your home WiFI you will not get a public IP on the internet. Your home router is acting as a NAT gateway and translating an internal IP into an external one. It would be the device being scanned, not your phone/laptop.
So connecting a Windows XP laptop to your WiFI is not going to open you up to the attacks that have been discussed here so far. The risk now is likely the web browser and software on the laptop that could b exploited by browsing to a malicious website.
I guess I ended up zeroing in on phones (smartphones) unintentionally just because my already long winded replies become even more so if I have to try to keep my terms generic but still meaningful. It’s a good an interesting point you raise though about a home router being a form of barrier between a device and would be attackers. However the phone then accidentally becomes a good example because one will often use such a device out and about with its own mobile internet connection. They also are a particularly rich target because of the fact that people have their most intimate and sensitive information on there. Contacts, apps that facilitate banking, payment systems, photos, emails.
Almost everyone using a smartphone uses it for these highly sensitive purposes and a great many don’t but a new phone just because the old one lost support or don’t update because they don’t want to. Again though, without specific numbers, it sure doesn’t seem like a similarly large number have their identities stolen or the bank account drained, or random items bought that they themselves never purchased.
It happens often enough to enough people that it’s far from unheard of, but then again it certainly doesn’t seem like a good chunk of the people one knows have had something like that happen to them even with the relatively high likelihood that a sizeable portion of them have theoretically been vulnerable to it at once time or another.
Does that include devices on a home network network behind a consumer off-the-shelf modem/router?
Wait how? That’s around 4 billion times 65k you have to try and make connections? I would assume it will at least take a day or two if you do it from scratch
Something also to consider is if this is a targeted attack, i.e. going after you\your company or is this some random script kiddy just poking around? An attached that has targeted you is going to be a much different attack than one of opportunity. This is also true with physical security as well.
