Crypto-Health of Your Device: Should You Care?
Have you ever been locked out of your house with squatters inside, commanding a ransom for returning your possessions?
A friend of mine lost their vacation rentals website in a cyberattack because the ransom amount was beyond their means. Their hosting provider explained later that the attack on the server exploited a critical cryptographic vulnerability. Sadly, the server and the rental business have never recovered.
Before 2016, I was an advanced office computer user, comfortable in dealing with my professional applications, and even basic administration tasks. Keeping my computer protected from viruses has always been a crucial duty: I had three antivirus programs installed and would run regular scans. Whenever my virus scouts would fetch any red lines listing infected files, I would mercilessly click on Neutralize. The computer would eventually test clean, and I enjoyed that feeling of accomplishment and security. How little did I know!
Since then, I have spent four incredible years in the Research and Development department of a custom cryptography software developer. One of my tasks was creating a knowledge base of so-called cryptographic artifacts. If you are like how I used to be five years ago, you will be awed by the fact that thousands of cryptographic objects potentially reside on your devices, be it a PC, a laptop, a smart-phone, or even an IoT device. And any of them might become a potential attack penetration point.
As far as you know, you are neither maintaining a secret encrypted channel to communicate with intelligence agencies, nor mining or storing any cryptocurrencies. So, what gives?
Even if you don’t engage in any intended encryption-decryption activities, computer technology does it for you every second. Numerous cryptographic artifacts are an integral part of the fabric of your device’s operating system and installed software. If you work from home and connect to your office via that VPN icon on your desktop, you are working through an encrypted channel. If you are web browsing and spot a lock icon in front of the website address, there is a cryptography exchange between you and the website’s server. If you install a software package or an app, you have just adopted another cohort of cryptographic algorithms, hashes, or certificates. Without them, it would not be possible to communicate securely, digitally sign documents, verify passwords, run applications, even protect against computer viruses.
Cryptography weakens over time.
I can compare this cryptographic zoo on your system to membrane proteins in biological organisms or to cement mortar holding together bricks in a wall. Why? Because this is what happens to cryptography: it starts as novel and robust and eventually becomes obsolete and vulnerable. New types of attacks evolve, available computing power increases, and, once safe, cryptographic algorithms yield their positions and fall prey to adversaries. The protective armor weakens over time and needs replacement. But because it takes time and effort, even clean installs of operating systems or software packages may contain already expired or self-signed certificates, poorly implemented or broken cryptographic algorithms and hashes. These are examples of weak cryptography.
What is Crypto-Health?
Let’s coin the definition of crypto-health of a device: it is a degree of strength of cryptography that can be accessed by an intruder. Together with network security, crypto-health is part of the overall cryptosecurity of your device. In an ideal world, all cryptography in your device’s system would be strong. Unfortunately, our world is not the case, as there is a certain lag in patching or rewriting operation systems and applications to replace weakened or obsolete cryptography. And even if one company moves its apps to a higher security standard, there might be compatibility issues with other software products that can’t operate at a new level. Often, there is a trade-off between functionality and relative security as of here and now. Good crypto-health means that strong cryptography is properly implemented to guard the boundary of your device’s system, the way toughened skin protects living organisms. The sturdy brick walls must guard all perimeters, but inside the safe bubbles, you may still be fine with straw and paper.
If the cryptography on your device is in poor health, it will expose the pain points for cyberattacks and viruses. Especially now, when many people work from home and might become targets for computer attackers, who aim to hack into your company’s network through vulnerabilities discovered in your environment. Who does not have a Wi-Fi network these days? It is so convenient to have all this connected technology: gaming stations, smart chargers, smart bathroom scales, or a robot vacuum that maps your apartment while pretending to clean it! If your wireless devices use weak authentication and encryption protocols, their passwords can be brute-forced or cracked in minutes by automated cracking tools. Within moments, your network and data are at the mercy of the intruder.
- Cryptography is present on all your devices.
- Cryptography weakens over time.
- Your smart home devices are smarter than you think.
- Crypto-health of a device reflects the strength of cryptography that can be accessed by an adversary.
- Good crypto-health of your devices means that your device has strong cryptography at the potential attack perimeters and points.
I am waiting for your question, ‘So what? Is not there an app for that?’ Stay tuned for my next article!