The Emergence of Superbugs in the Cyber Security Landscape

What do the cyber security and banana-growing industries have in common? Homogeneity is a challenge for them both.

As I write this, a story has just broken about a cyber threat named VPNFilter, which has infected an estimated 500,000 home network routers. The FBI has strongly encouraged owners of infected routers to reboot them. Experts have predicted that disinfection of all devices will take years.

In 2016, a similar bug afflicted 1.2 million IoT devices (mostly DVRs and IP cameras), and formed the Bashlight and Mirai botnets. These botnets were responsible for some of the world’s largest DDoS cyber attacks to date. They temporarily interrupted the DynDNS service, rendering many popular websites inaccessible. Yikes!

Why are we falling victim to superbugs?

To understand why this is happening we can look to a biology example. Geneticists divide populations into two camps: homogeneous and heterogeneous. Homogeneous populations create opportunities for spreading devastating diseases (superbugs).

Humanity learned a hard lesson in the 1950s when it was common practice to produce genetic near-clones of perfect banana plants. Fungus spread easily because every plant’s defenses were practically identical, and almost no infected plants recovered. As a result, Panama disease wiped out most South American banana plantations.

Despite biosecurity best efforts, history is repeating itself. Panama disease is adapting, and is now threatening today’s popular Cavendish banana plant populations around the world. The race is on to breed hybrid banana plants and beat the fungus. This is no monkey business.

While biosecurity struggles to keep the fungus at bay, cyber security needs to keep pace with the superbugs afflicting its industry. There is similarly low diversity in computing device populations. Computer processors, memory, mobile chipsets, components, servers, and software are not highly diverse. Just like banana plants, homogeneity in computing opens the door for superbugs. Superbugs are contagions that affect hundreds of thousands of devices. The bugs spread easily because devices’ core hardware or software defenses are practically identical. A lack of cyber diversity enables superbugs.

Computer processors

We all thought crazy processor bugs were a thing of the past. In 1997, the F00F bug was discovered. Processors vulnerable to F00F allowed a specific instruction sequence to cause a halt-and-catch-fire. Then came 20 years with relatively little processor chaos. Fast forward to 2017.

In 2017, we met a new wave of superbugs for processors — Spectre, Meltdown, and later their cousins Total Meltdown and Spectre-NG. Meltdown and Spectre were found to affect all modern processors, including ARM-based chips like Apple’s A-series chips. These bugs abuse a processor feature called speculative execution to gain unauthorized access to protected memory.

Thanks to the ubiquity of general-purpose computing, at the time these bugs were discovered almost every computer system was affected by Spectre and/or Meltdown, including cloud, servers, desktops, laptops, and mobile devices. And these bugs affected most popular operating systems: iOS, Linux, Mac, and Windows. Only a subset of ARM-based devices (some Android devices and the Raspberry Pi) were spared. Spectre and Meltdown are superbugs.

The implications of these superbugs are so catastrophic that security researchers initially believed them to be impossible. Because most computing devices share a common architecture, the population has low diversity. The lack of diversity turns security flaws into catastrophes. Bugs become superbugs. Just as Panama disease afflicted fields of bananas, processor superbugs afflict flocks of devices.

Mobile superbugs

2017 also brought us some interesting mobile bugs named Broadpwn and BlueBorne.

Broadpwn is a Wi-Fi bug that allows an attacker to remotely exploit a target. It exploits a flaw in Broadcom chips. Because Android and iPhone devices use similar underlying Broadcom hardware, both brands of smartphones are pwned. At the time of discovery, Broadpwn was estimated to affect around 1 billion devices. Broadpwn is a superbug.

The BlueBorne bug allows a nearby attacker to silently exploit Linux, Windows, iOS, and Android devices. Cyber security firm Armis estimates up to 8.2 billion devices were vulnerable to BlueBorne at the time of discovery. The bug is enabled by billions of devices that have nearly identical Bluetooth hardware and software. BlueBorne is a superbug.

While the smartphones in our pockets seem diverse, their underlying core components like Wi-Fi chips and Bluetooth chips are not. The homogeneity of these chips makes their vulnerabilities especially dangerous. Mobile components’ lack of diversity enables superbugs.

Server software

In 2014, the Heartbleed vulnerability was disclosed. Heartbleed exploits a flaw in a software library named OpenSSL. OpenSSL’s flawed implementation of the TLS protocol allowed an attacker to leak sensitive information, possibly including passwords and private keys. At the time of Heartbleed’s discovery, around a half million servers were vulnerable to this bug. Multiple experts deemed Heartbleed to be catastrophic: it was a superbug.

Heartbleed was catastrophic because 17 percent of the internet’s secure web servers used the same OpenSSL software library. This lack of diversity, as we saw for processors and mobile components, enables superbugs.
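Heartbleed’s defect, as publicly documented in the OpenSSL fix, was a missing check that the peer-supplied heartbeat payload length actually fit inside the record that had arrived (an RFC 6520 heartbeat message carries a type byte, a two-byte payload length, the payload, and at least 16 bytes of padding). The C program below is an added example, not OpenSSL’s code and not part of the original article: a constructed toy heartbeat handler in its unchecked form beside the bounds-checked form, run on a constructed record that declares a 32-byte payload while carrying two. The function names, the 64-byte backing buffer standing in for adjacent memory, and the “ADJACENT-HEAP-DATA” bytes are this example’s own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message layout: type(1) | payload_length(2) | payload | padding(>=16). */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3u
#define HB_PADDING  16u

/*
 * Unchecked handler (the Heartbleed class of defect): it trusts the peer-supplied
 * payload_length and never compares it with record_len, the number of bytes that
 * actually arrived. It only guards its own output buffer, so the memcpy reads past
 * the end of the record whenever payload_length overstates the payload.
 * Returns the response length, or -1 on rejection.
 */
static int heartbeat_unchecked(const uint8_t *rec, size_t record_len, uint8_t *out, size_t out_cap)
{
    (void)record_len;                                   /* the bug: never consulted */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + payload_len + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len); /* over-reads when payload_len lies */
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return (int)(HB_HEADER + payload_len + HB_PADDING);
}

/*
 * Checked handler: the same logic with the bounds test the OpenSSL fix added.
 * A record too short to hold header plus padding, or whose declared payload does
 * not fit inside record_len, is silently discarded as RFC 6520 requires.
 */
static int heartbeat_checked(const uint8_t *rec, size_t record_len, uint8_t *out, size_t out_cap)
{
    if (record_len < HB_HEADER + HB_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + payload_len + HB_PADDING > record_len) return -1; /* the missing check */
    if (HB_HEADER + payload_len + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return (int)(HB_HEADER + payload_len + HB_PADDING);
}

/* Constructed sample (not captured traffic): a 64-byte backing buffer holding a 21-byte
 * heartbeat record, followed by bytes that stand in for whatever sits next to it in memory. */
#define BACKING_LEN 64
#define RECORD_LEN  21
static const char ADJACENT[] = "ADJACENT-HEAP-DATA";

static void build_sample(uint8_t *backing, uint8_t declared_payload_len)
{
    memset(backing, 0, BACKING_LEN);
    backing[0] = HB_REQUEST;
    backing[1] = 0x00;
    backing[2] = declared_payload_len;    /* real payload is the two bytes "hi" */
    backing[3] = 'h';
    backing[4] = 'i';
    /* bytes 5..20 are the 16 zero padding bytes that complete the record */
    memcpy(backing + RECORD_LEN, ADJACENT, sizeof ADJACENT - 1);
}

/* Response bytes the unchecked handler copied from beyond the record (expect 14);
 * -1 if it rejected the record, -2 if the copied bytes are not the adjacent data. */
int unchecked_leak_bytes(void)
{
    uint8_t backing[BACKING_LEN], out[128];
    build_sample(backing, 0x20);                        /* declares 32 payload bytes, carries 2 */
    int n = heartbeat_unchecked(backing, RECORD_LEN, out, sizeof out);
    if (n < 0) return -1;
    size_t payload_len = (size_t)n - HB_HEADER - HB_PADDING;
    if (HB_HEADER + payload_len <= RECORD_LEN) return 0;
    size_t leaked = HB_HEADER + payload_len - RECORD_LEN;
    /* record offset k lands at response offset k, so offset RECORD_LEN is the first leaked byte */
    if (memcmp(out + RECORD_LEN, ADJACENT, leaked) != 0) return -2;
    return (int)leaked;
}

/* The checked handler's verdict on the same lying record (expect -1). */
int checked_rejects_oversized(void)
{
    uint8_t backing[BACKING_LEN], out[128];
    build_sample(backing, 0x20);
    return heartbeat_checked(backing, RECORD_LEN, out, sizeof out);
}

/* The checked handler on an honest record declaring its real 2-byte payload (expect 21). */
int checked_accepts_honest(void)
{
    uint8_t backing[BACKING_LEN], out[128];
    build_sample(backing, 0x02);
    return heartbeat_checked(backing, RECORD_LEN, out, sizeof out);
}

int main(void)
{
    printf("unchecked handler copied %d bytes from beyond the record\n", unchecked_leak_bytes());
    printf("checked handler on the same record: %d (rejected)\n", checked_rejects_oversized());
    printf("checked handler on an honest record: %d-byte response\n", checked_accepts_honest());
    return 0;
}
```

The one-line difference between the two handlers is the point: the unchecked version protects only the buffer it writes to, not the buffer it reads from, and the bytes that follow the record in memory travel back to the peer. Because every server running the same library shared that one line, the flaw and the population it affected were the same size.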

How we can defend against superbugs

Symantec is well equipped to defend diverse hardware and software populations.

The most effective cyber security strategy is defense-in-depth. Protect the endpoint hardware, hypervisor, operating system, applications, and network, email, and cloud infrastructure. One layer of defense may let an attack through, but another layer will stop the attack. Each defense layer complements the others and they work together to achieve unrivaled resilience. All layers of defense come together in Symantec’s Integrated Cyber Defense Platform.

Special thanks to a few people who helped make this article possible: Joe Chen, Tommy Dong, Costin Ionescu.

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cyber security.

Like this story? Recommend it by hitting the heart button so others on Medium see it, and follow Threat Intel on Medium for more great content.