If I’m honest, I think we got out of the whole WannaCry ransomware thing quite lightly. Yes, it made quite a mess of the National Health Service in the UK along with various other organisations both in Europe and beyond, but it wasn’t quite what we’d consider to be catastrophic. Whilst it looks like a 6-figure number of machines got infected, out of the several billion people connected to the web we’re really talking about a rounding error. It clearly wasn’t fun for those particular individuals, but it didn’t cause broad global outages or tear at the very fabric of the web.
But it makes you think about what could happen. I mean this was a bug in the implementation of a network protocol which fortunately, is not one broadly exposed to the web. Whilst SMB may be enabled by default on a Windows machine, once it sits within a private network and communicates back out to the web through whatever networking gear people are putting in their homes these days, it’s blocked from external access. Sure, you can find a bunch of exposed SMB via Shodan but again, these are relatively small numbers in the grander scale of the internet.
But what if it was, say, a bug in Apache’s implementation of TCP/IP? Let’s face it, this is a protocol that has its roots back in the 60’s and is being used for all sorts of things we never could have imagined back then. What if that allowed an RCE attack like we just saw with WannaCry? Now we’ve got a serious problem because half the web runs on Apache and it’s open to the world because that’s how we communicate with web servers! As much as the likelihood of this is low, that impact is off the chart and if one day there was a WannaCry style bug discovered in that stack…
Or even move to the client – we’ve got about half the folks on the web using Chrome these days, what about a glitch there? A rogue update, perhaps, or some other vulnerability that enables en mass breakout of the sandbox model it implements in an attempt to kept users safe. Now there are a lot of eyes on Chrome and certainly they incentivise people to do the right thing when bugs are found via their bounty program, but there were a lot of eyes on Windows too…
It’s all the other things we haven’t even thought of yet too. Late last year we had the Mirai botnet where we suddenly went “Hang on – our webcams and DVRs are taking out an essential DNS provider?!” and this genuinely was an attack on a pretty essential part of the internet backbone. Of course, we knew about the potential risks in devices like these, but seeing it effectively weaponised is something quite different.
When I woke up to news of WannaCry, it was a bit of a shock to see just what a mess it was making and that’s without even getting into all the ins and outs of things like it having already been patched months earlier or how much blame lay with the NSA for hoarding the vulnerability. When we look at the landscape now and how many moving parts the internet comprises of, you can’t help but think how much is at risk and how likely it is that at some time in the future, things may go spectacularly wrong in ways we can’t yet imagine.
