As technology rapidly evolves, so does the potential for its exploitation. While there is always a new threat in the technology space, security experts stress that not every threat should incite an immediate sense of panic.
In 2016 alone, several malware threats with daunting names, such as Godless, Hummingbad and DroidJack, drew considerable press attention. A more recent vulnerability called Gooligan even got immediate attention from Google, with the director of Android security, Adrian Ludwig, addressing the issue on Google Plus.
Ludwig assured Android users Gooligan is not a serious threat on a broad scale, despite unsettling claims from the security agency Check Point. The firm stated Gooligan had the potential to infect more than one million Android devices worldwide. By gaining root access after an infected app is downloaded, the malware can take control of Google Services on a device and bypass authentication tokens, submit fake Google Play reviews and ratings and install adware to generate revenue. However, Gooligan and similar vulnerabilities typically have very few real-life cases of device infections, if any at all.
“The word vulnerability immediately triggers this visceral response: ‘Oh my God, something bad has happened,’” Alex Rice, chief technology officer of security firm HackerOne, told IBTimes. “We assume it’s something bad, but it is far more common than we realize.”
Rice offered the example of a past Facebook vulnerability, which allowed users to block Group admins, take over the admin position and boot the old admins out of the group. The issue has since been fixed by Facebook engineers. Rice sees this vulnerability as an example of something annoying for those directly involved, but not a major issue in the grand scheme of web security.
“Both of those [Facebook features] are completely secure in their own way. The vulnerability comes from their unexpected interaction,” he added.
A security team can find dozens of different vulnerabilities on various software and hardware products each day, according to Alex Gantman, Qualcomm vice president of product security engineering. There were 54 zero-day vulnerabilities discovered in 2015, approximately one every week of the year, according to security firm Symantec.
Zero-day refers to software security holes that developers aren’t aware of until they are exploited by hackers. In such situations, developers must quickly patch the vulnerability before it becomes a serious threat. Oftentimes, the issue is already resolved by the time security agencies learn of and report on the threat. This is just one kind of issue that can be uncovered through security research.
News coverage can be flooded for days, and sometimes weeks, with warnings of web, computer or mobile attacks that have long since been addressed on the back end. Meanwhile, developers, engineers and outside security teams are left to wonder whether more pressing security issues will get any spotlight.
“We get these cycles where we scare people and rile them up about something they really don’t need to be that worried about, while ignoring some of the more basic things they should be worried about,” Rice told IBTimes.
One such notorious vulnerability is Heartbleed, a bug discovered and patched by Google engineers in April 2014 before the security vendor Codenomicon got wind of it, gave it a name, created a bleeding heart logo and spearheaded months of mass hysteria about compromised bank and credit card accounts.
Security experts are often surprised by which vulnerabilities get a lot of media coverage. Any vulnerability with a name likely has a marketing team behind it, and the root cause of its exposure is a security product being advertised, according to Gantman.
Most security teams, however, focus primarily on fixing technical issues before they become a concern for consumers. Google’s monthly security update for December patches 39 vulnerabilities in the latest Android Nougat version. Such updates hit mobile devices wirelessly and require minimal effort from users.
The U.S. Computer Emergency Readiness Team observes device security across many platforms and discovered approximately 124 vulnerabilities with various degrees of severity in the week of Nov. 21 alone.
“When you have a mature security program you’re constantly finding vulnerabilities,” Gantman said. “That is what we’re trying to optimize for: To find as many as possible and address them.”
Advances in technology also advance the methods security teams use to uncover hidden issues. Such efforts have led Qualcomm and HackerOne to collaborate on a bounty program, which will employ white hat hackers and award up to $15,000 to those who can penetrate systems run by Qualcomm-based chipsets and modems to uncover vulnerabilities and report their findings.
With several headsets now on the market, virtual reality and augmented reality are expected to be among the top trends of 2017, and as a result could also represent the next frontier in cyber vulnerabilities. Security experts can’t yet say how these issues will unfold.
“We can say with certainty that there will be vulnerabilities that people haven’t thought of yet,” Rice said. “It’s important to continually approach it with that mindset of ‘there’s something here that we’ve overlooked, let’s be vigilant, let’s be ready for it.’”
If PR teams get involved, Rice and Gantman semi-seriously predict logos for branded VR- or AR-based vulnerabilities will be 3D.