First The Attack

In the news today, a new type of botnet has figured out how to spread to connected devices in a peer-to-peer manner.  This means that gaining access anywhere on a network can rapidly compromise every device on it.  This is a huge issue for hospitals that have more exploitable devices than windows; for factories that can be shut down from the outside; and for critical infrastructure, which is built on millions of devices communicating directly with each other in the same peer-to-peer manner.

Then The Fix

The discovery of this rapidly spreading botnet was made by people attempting to overcome the exploit.  These companies are good at what they do and they will eventually overcome this iteration of attack.  Of course, the bad guys are also incredibly smart and will, in turn, launch something even more sophisticated in the near future.

That’s When The Nightmare Begins

GDPR clearly states that any known compromises with known solutions have to be addressed.  It is no longer sufficient to throw one’s hands in the air and cry out in dismay.

As effective as that has been.

This exploit is a unique departure from other compromises in that it is completely self-sufficient, can spread at any time and cannot be overcome with a fancy firewall, better antivirus software or any other effort external to the device.

Instead, the “fix” will end up being something that needs to change on the device itself (we suggest actual communication rules), and that is a Huge Problem.

The only recourse for a device manufacturer or reseller is to perform an expensive recall or send technicians to perform onsite maintenance.  Solution providers will be forced to overcome these issues and, given the GDPR exposure, customers will no longer be willing to pay for that work.  Note that we are talking about MILLIONS of devices and THOUSANDS of person-hours to counter a single attack.

Unfortunately, right now there is no way around these inevitable costs – indeed, this botnet might be the first big GDPR expenditure.  The question is not whether there will be a huge cost; the question is whether these connected device providers will pay that cost once and implement a policy-based solution like Bear, or pay it over and over again.  Just look at Intel and their failed patches to see how ineffective one-time patches have become.

What are you going to do?