The recent WikiLeaks disclosures on the CIA, dubbed Vault 7, included the not-so-surprising revelation that the intelligence agency stockpiles hacking tools. Cyber criminals reportedly scoured these files to see if they could learn new ways to develop malware. However, WikiLeaks maintains that it withheld the source code for the hacking tools.
One might wonder, though, what could happen if WikiLeaks did publish this code. Would it be a doomsday scenario, or would the general public not even notice?
Almost all cyber weapons, by their nature, can be countered once they are discovered. Governments and criminals build secret stashes of unknown vulnerabilities that can be exploited for national and/or financial interests. Their value is in their unknown status, and they are called zero-day exploits.
Once a zero-day exploit is publicly disclosed, the software or hardware vendors generally respond quickly with software patches. But in the real world, very few people keep their systems updated or apply patches for vulnerabilities. Even with the freely available fixes, a large number of systems remain vulnerable to these disclosed hacking tools.
A zero-day exploit is generally unlikely to be used in a mass cyber attack, since such exploits are used against high-value assets. However, there are clear Pearl Harbor scenarios where a zero-day could be deployed against a massive number of systems to cause destruction and chaos. This scenario is generally well known. But even the most hostile country refrains from this type of behavior due to the expected response. The retaliation would likely be even more devastating.
There are a few scenarios where massive amounts of a country’s critical infrastructure could be seriously damaged by cyber attacks in a short amount of time. This would play out as users being inconvenienced by impaired access to the Internet. It would be like the recent Dyn DDoS attack, but with a longer outage period. In some cases, consumers may end up bringing their damaged (remotely bricked) phones, appliances, computers and routers to the vendor to be restored to a working state.
I personally (along with many others) woke up one morning to find my Lexus’ entertainment and navigation system bricked by a remote update. The solution was to wait weeks to bring the car into the dealer or pull the battery cable from the battery and reset the system to factory defaults. I chose the latter option; it took multiple tries. No apology from the car manufacturer, just a dead system and consumers left on their own.
This incident was a mistake. But what if an attacker purposefully did something to the cars that could not be reset? Since remote car telematics (satellite update of car software and Internet-connected cars) are a reality today, the release of an exploit could cripple a large part of the new car market.
For what it’s worth, I returned my Lexus at the end of the lease after cyber warfare was committed against it by a “friendly power”: the manufacturer. Such bricking of critical national infrastructure may very well happen. Not by an attacker, but by the carrier or manufacturer making a “simple” mistake.