Unfortunately, Attack #1 is a garden-variety vulnerability. Many systems don’t even have administrative access configured correctly. There’s opportunity for Thrangrycat to be exploited.
Charlie: [Screams internally] What has me most rattled about this is how ubiquitous Cisco’s technology is. And how there are plenty of juicy targets that some bad actors would, I’m sure, love to gain access to — government systems, stock exchanges, energy grids or power plants. And, like you said, even if the odds are slim, the I.T. business is messy. What is the nightmare scenario here and how worried should we be?
Sarah: The Red Balloon team told us that an attacker could get into some routers and then take down, say, the entire New York Stock Exchange. I think that’s probably the nightmare scenario here.
Thrangrycat is a “low level” attack — and when computer people say “low level,” they don’t mean inconsequential, they mean it reaches deep inside the infrastructure, it’s getting close to the bones of computing itself. In the case of Thrangrycat, we’re talking about the placement of pins on circuit boards.
The problem with low-level nightmare scenarios is that they’re highly theoretical. What’s possible depends on the state of everything that’s layered on top — hardware and software. I asked the Red Balloon folks whether data could be intercepted — like, say, my chats with you over the internet, right at this moment. And they said if end-to-end encryption were implemented correctly, probably not. The extent of the spying that’s possible through Thrangrycat is, at the moment, largely theoretical.
Charlie: But a theoretical security apocalypse just sitting out there is still quite bad, no?
Sarah: To go back to my steel beams metaphor, imagine if someone told you that the steel beams in your building are insecure but also they’re probably O.K. if the building is built under a certain height and the builders use a very specific brand of concrete. But also maybe the beams could give out if the wind starts blowing at a certain speed or if it’s really hot for 10 days in a row. Also, who knows if your building will actually fall over? Maybe it’ll just sway a lot or something and your floor will tilt? Who can say? Even if you’re probably safe in the long run, I’d say this kind of risk is just unacceptable.
Charlie: Your steel beams metaphor is going to haunt my dreams, mostly because it echoes what smart people who know how the internet is built tell me: Everything is hastily built, frequently out of date and vulnerable to bad actors who’re exploiting broken systems quicker than they can be fixed. And that some of our most critical infrastructure is quite unsophisticated. This, from Red Balloon’s founder, stuck with me: “The money that comes out of A.T.M.s, the gas that comes out of the ground, it’s all run on code going back potentially more than a decade and is often as unsecure as an unpatched Windows XP computer from 2006. We have far more security in our iPhone and laptops than in our power plants. There are a lot of reasons for that, not one of them is good.”