Welcome to Codebook, the overtired cybersecurity newsletter that's now home from Las Vegas.
Tips? Please reply to this email.
The ways we secure all the internet-connected devices that litter our homes and offices — the so-called internet of things (IoT) — won't work for very long.
Those devices are often built with flimsy defenses, leaving concerned owners to rely on external security tools and network scanning. And one expert warns that even those tools can't work with the next generation of technology that uses 5G connections rather than local networks.
The warning comes from Mikko Hyppönen, chief research officer for F-Secure, a company that makes one of the security products he says may soon be outdated.
"5G is coming," said Hyppönen. "Then 6G is coming."
Unsecured connected devices are scary for a variety of reasons. They can be a foothold for a hacker to enter the rest of a network. They can be creepy surveillance tools — a smart TV is also an internet-connected camera and microphone a hacker might reach. Whole armadas of connected devices can be reprogrammed to simultaneously contact a particular server, flooding it with so much traffic it crashes. And cheaply manufactured brands often have the least built-in security.
Why it matters: If Hyppönen is right, as homes and offices become more connected than they have ever been, they will become more difficult to secure than they have ever been.
This is not hypothetical. All of these attacks are currently seen in the wild — from hackers talking to children over baby monitors to crashing huge swaths of the internet. IoT security is widely regarded as pretty bad, which makes some sense. When was the last time you bought a refrigerator based on its security?
The current solution: Consumers can currently buy beefed-up WiFi routers built to provide the security that devices don't have. F-Secure makes one of these. More elaborate solutions exist for corporate networks, but all the commercial solutions boil down to monitoring the network traffic in and out of devices.
Too many Gs. "All the answers we have will only last a couple of years," said Hyppönen. As mobile technology gets faster and cheaper, devices will turn to cell networks to access the internet directly, rather than through owners' WiFi networks. Customers will want to place internet-connected security cameras where their WiFi doesn't reach. Whatever protections users' networks may use will no longer apply.
The back-up plans: There are currently a variety of efforts in place to pressure IoT makers to provide more security, including plans for more regulation or increasing civil liability for devices. But none of those solutions are perfect.
DEF CON ended Sunday night. Here are some of the more surprising things researchers hacked we hadn't covered before.
Remember, with these sorts of projects, by the time researchers have announced the security flaws, manufacturers have usually fixed them.
The Amazon Echo
The FBI warned banks Friday that a criminal group would imminently try to make massive, fraudulent withdrawals from ATMs, according to reporter Brian Krebs.
What they're saying: "The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach," the FBI wrote to banks, according to Krebs.
The U.S. Marines launched a new bug bounty program in conjunction with HackerOne, a company that facilitates such programs.
Semper Fi: Bug bounty programs reward independent researchers with cash prizes to find security flaws. It's a way to crowdsource penetration testing.
The big launch: The program was announced Monday, one day after the Marines and HackerOne hosted a live bug bounty meet in Las Vegas. The services paid out $80,000 in bounties during that event.
Codebook will return Thursday after a nap.