I only wonder because, while I know no one could advise per se that people deliberately make bad security decisions, I don’t feel as a layman that the nature of the risk is adequately explained.
Specifically, if you use a really old OS or an old now unsupported phone. The explanations for why this is dangerous tend to focus on the mechanism by which it creates a security flaw (lack of patches, known hardware security flaws that can never be patched).
If we use an analogy of physical security whereby the goal is to prevent physical intrusion by thieves or various malicious actors, there’s a gradient of risk that’s going to depend a bit on things like who and where you are. If you live in a remote cabin in the woods and left your door open, that’s bad, but probably less bad than in a high crime area in a dense city. Similarly, if you’re a person of note or your house conspicuously demonstrates wealth, security would be more important than if you’re not and it doesn’t.
I would think, where human beings are making conscious choices about targets for cybercrime, some parallels would exist. If then, you turn on an old device that’s long obsolete for the first time in years and connect to the internet with it, while I know you are theoretically at great risk because your doors and windows are essentially wide open, how risky is that exactly? If you just connect, at home on your wifi, and don’t do anything? Is someone inevitably going to immediately find and connect to this device and exploit its vulnerabilities? Or does there have to be a degree of bad luck involved?
I’ve brought up the idea of malicious actors who are human beings making conscious decisions (hackers), but I was once told the concern is more to do with automated means of finding such devices when they’re exposed to the internet. This makes more sense since a theoretical hacker doesn’t have to sit around all day just hoping someone in the world will use an outdated device and that they’ll somehow see this activity and be able to exploit the situation, but I guess it seems hard for me to imagine that such bots or automated means of scanning, even if running all day, will somehow become aware the minute anyone, anywhere with an insecure device connects to the internet. Surely there has to be some degree of coincidental happenstance where a bot is directed to scan for connections to a particular server, like a fake website posing as a bank or something? It just doesn’t seem it could be practical otherwise.
If I’m at all accurate in my assumptions, it sounds then like there’s a degree to which a random person, not well known enough to be a specific target, not running a website or online presence, connecting an insecure device to the internet, while engaging in some risk for sure, isn’t immediately going to suffer consequences without some sort of inciting incident. Like falling for a phishing scam, or a person specifically aware of them with mal-intent trying to target them in particular. Is that right?
You’re pretty well on the right track. It might help if I explain what the attack is doing more. So an attacker starting out knows nothing about you or even where you are. So they need to figure these things out. The most optimal way to do this is by scanning everything, and I do mean everything. There are automated scans that get information on literally everything that is open on the web. An unconfigured device that’s capable of ssh can get hit with login attempts after just 30 seconds of being plugged in. So first they try to find someone, and let’s say by random they get you; they don’t know who you are yet but they have an IP now. First they run scans to see what’s available, what services are internet capable and talking to anyone who asks. Once they know what services are running, they will do banner grabbing to try to find out specifics about the service like version number. Once they have this information they can dig for more or look for vulnerabilities specific to that service and version. Metasploit will actually tell you which attacks work for the version numbers you’ve discovered, pretty handy. If they decide to proceed they send the correct exploit to your computer and bam, they’re in to do whatever. If you’re running something out of date there are usually vulnerabilities that just will allow access to attackers; this is why updating is important.
Security through obscurity first relies on not being seen in the first place, whether through not connecting to much or being something no one cares about hacking in the first place. Second, it relies on being uncommon enough to not have a bunch of known vulnerabilities. A random GitHub program with 10k downloads is going to have a lot fewer known vulnerabilities than Microsoft Office. Third, it relies on being so little known that even if someone can figure out how to hack in they won’t know what to do. Imagine trying to find important documents on someone’s heavily customized Linux box as opposed to a Windows box.
Tldr: security through obscurity is first hoping you don’t get seen then hoping if you are seen that they don’t care. It’s not good security but it might work.
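The reply above describes what an internet-wide scan looks like from the attacker's side: a device exposing ssh sees login attempts within about 30 seconds. The script below is an added example (not code from the thread) showing the same event from the defender's side: it parses sshd syslog lines, measures how long after the service started the first failed login arrived, and flags source IPs that look like automated credential spraying. The log lines are constructed for the example, the year is assumed because syslog timestamps omit it, and the threshold of 3 attempts is a chosen value, not a standard.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log (syslog format), not taken from the thread.
# It models a device whose sshd starts at 12:00:00 and is probed shortly after.
SAMPLE_LOG = """\
Mar 10 12:00:00 phone sshd[101]: Server listening on 0.0.0.0 port 22.
Mar 10 12:00:27 phone sshd[102]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 12:00:29 phone sshd[103]: Failed password for invalid user pi from 203.0.113.5 port 51240 ssh2
Mar 10 12:00:31 phone sshd[104]: Failed password for root from 203.0.113.5 port 51251 ssh2
Mar 10 12:00:44 phone sshd[105]: Failed password for invalid user test from 198.51.100.77 port 40211 ssh2
Mar 10 12:01:05 phone sshd[106]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
"""

TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
LISTEN_RE = re.compile(TS + r"Server listening")
FAIL_RE = re.compile(TS + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def parse_ts(ts: str) -> datetime:
    # Syslog timestamps carry no year; 2024 is an assumption for the example.
    return datetime.strptime(f"2024 {ts}", "%Y %b %d %H:%M:%S")


def analyse(log: str, threshold: int = 3):
    """Return (seconds from listen to first failed login, attempts per IP, flagged IPs)."""
    listen_at = None
    first_fail = None
    attempts = defaultdict(int)
    for line in log.splitlines():
        if m := LISTEN_RE.match(line):
            listen_at = parse_ts(m["ts"])
        elif m := FAIL_RE.match(line):
            t = parse_ts(m["ts"])
            first_fail = first_fail or t
            attempts[m["ip"]] += 1
    seconds = (first_fail - listen_at).total_seconds() if listen_at and first_fail else None
    flagged = sorted(ip for ip, n in attempts.items() if n >= threshold)
    return seconds, dict(attempts), flagged


if __name__ == "__main__":
    secs, per_ip, flagged = analyse(SAMPLE_LOG)
    print(f"first failed login {secs:.0f}s after sshd started; attempts per IP: {per_ip}")
    print("likely automated sources:", flagged)
```

The mitigation the reply points at is the same one this makes visible: a service that answers anyone who asks will be probed quickly, so not exposing it, or allowing only key-based logins, removes the opportunity rather than relying on not being noticed.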
Is it quite hard, even with an outdated Android phone for example, to make use of the knowledge that it has connected to the internet? If the scans really are as broad as you say and actually scan the vastness of the entire visible internet, I wonder why it seemingly never was a problem for me on my last phone, which I ran for many years after it stopped receiving security updates.
I gather I’m a small target, but then again, there are still plenty of gains to have been made from a person’s phone if thoroughly compromised. I should imagine there would have been millions just like mine connecting every day that would have been detected by such scans.
Once you detect a vulnerable device like that, is it expensive to capitalise on it? Does someone have to make careful choices of targets to maximise use of limited resources? Or does it require a lot of additional vulnerabilities beyond the few known ones you might pick up initially that would make a total catastrophe for owners of outdated devices unlikely? There were no obvious consequences to me after years and given how common this would be I can’t imagine that was some incredible fluke.
It takes less than 5 minutes to port scan the entire internet with the right tools. Your secret log cabin in the internet woods will be quickly found.
Hey thanks. I’m gathering this is the case. I am actually pretty surprised but I guess I don’t know what I expected. I’m confused by your reply in context though, coming in response to this comment reply rather than the original post.
In the 30s or less that it takes for a person using an old, insecure phone to connect to the internet, to be detected by every single scanning program out there, why is there not an immediate disastrous consequence to everyone who does this right away? Is it infeasible for a malicious actor to, on discovering an outdated OS or a known to be exploitable piece of hardware connecting to the internet, to make decent use of that opportunity in every case?
It’s just, a lot of people through ignorance or laziness don’t take cybersecurity seriously, and yet only a small subset suffer actual consequences and that must be down to some factors. The most obvious that comes to mind for laypersons like myself is, whether you’d be a target worth pursuing, but the trouble with that theory is that the reality seems to be that it’s rarely actual people deciding to commit crimes against you, and much more likely unthinking machines capable of looking for any target big or small all day and all night. Yet, despite that only some of the many available targets have anything bad happen to them? I’m wondering why that is?
In my comment reply, to which you replied, I was trying to figure out if mere detection of a vulnerable device is maybe not enough to establish the likelihood of that device being victimised. Are the steps that come after detection prohibitively expensive for cybercriminals to deploy on a scale equal to the number of available targets? Or are the most common known vulnerabilities not themselves sufficient for an attacker to gain much from without a bunch of additional vulnerabilities also needing to be present, which are also less likely?
Put it this way. In the physical realm, leaving your door open in one place is more dangerous than leaving it open in another even though theoretically it’s just as easy to enter a residence in either such place. The difference is relative expense and difficulty of reaching the residence in a remote location vs one in a densely populated area. If in the physical realm you could do what you can do in the digital realm and make a device that somehow becomes aware of any door left open in any building anywhere on the planet and you could also send little robot thieves that could travel instantaneously and inexpensively to any location on the planet, there’d theoretically be no reason to ever be selective in your targets, you might as well rob every building every time since it costs you nothing. Yet somehow that doesn’t seem to be what it looks like in the cybersecurity context.