This article is part of a limited-run newsletter.
Instead of my usual monologue, this week I’ve invited my colleague, the editorial writer Sarah Jeong, to have a conversation about the biggest story from last week that you probably missed.
Charlie: Sarah, welcome to Privacy Project ThunderDome! We had a rather apocalyptic week in the security world. Not one or even two but three sprawling security flaws were announced in some major products and pieces of hardware. There was a WhatsApp hack, an Intel chip vulnerability and a Cisco router bug (with the fun name Thrangrycat, which isn’t fun at all but actually super alarming). How wild was last week?
Sarah: Part of me has to wonder if the sheer number of Bad Security Disaster stories have exhausted both the media and its audiences. These stories are way worse than “Facebook made a mistake and now you need to change your password,” because they concern the security of the web’s infrastructure. Imagine finding out that there’s something ever-so-slightly wrong with 50 percent of all the steel beams manufactured since 2013.
Charlie: That sounds … bad! But you just hit on something very important — this idea that our software, hardware and web infrastructure are hopelessly vulnerable and that the internet is held together with duct tape and baling wire. Let’s focus on the Cisco router bug, a.k.a. Thrangrycat a.k.a. 😾😾😾. (Yep, the bug’s name is three angry cat emojis.)
On Monday, we called Red Balloon Security and spoke to the team that discovered (and named) Thrangrycat. We had Red Balloon founder, Ang Cui, explain the problem to us like we were 5 years old. Let me attempt to summarize his summary: Cisco makes a ton of the hardware that connects the world. If you access the internet, chances are that you pass through a Cisco router in some way, shape or form. And most of those devices, 150 or so different varieties of routers, have been compromised. And it’s not just something that a software update or patch can fix in a jiffy. This is structural. Which means that if things are compromised by attackers, they can’t be easily uncompromised.
I still have questions. Give it to me straight: How bad is this?
Sarah: Look, if your I.T. team is doing everything correctly and they promptly apply every patch that comes out and your workplace keeps your I.T. systems up to date and the North Koreans aren’t out to get you, the Cisco disaster probably won’t affect you. Probably. Maybe. That said, Thrangrycat is very, very, very bad. I’d rate it as Less Bad than the Intel disaster (which is very catchily named ZombieLoad) and More Bad than the WhatsApp hack.
Thrangrycat is awful for two reasons. First, if a hacker exploits this weakness, they can do whatever they want to your routers. Second, the attack can happen remotely — it’s a software vulnerability. But the fix can only be applied at the hardware level. Like, physical router by physical router. In person. Yeesh.
That said, Thrangrycat only works once you have administrative access to the device. You need a two-step attack in order to get Thrangrycat working. Attack #1 gets you remote administrative access, Attack #2 is Thrangrycat. Attack #2 can’t happen without Attack #1. Cisco can protect you from Attack #1 by sending out a software update. If your I.T. people have your systems well secured and are applying updates and patches consistently and you’re not a regular target of nation-state actors, you’re relatively safe from Attack #1, and therefore, pretty safe from Thrangrycat.
Unfortunately, Attack #1 is a garden-variety vulnerability. Many systems don’t even have administrative access configured correctly. There’s opportunity for Thrangrycat to be exploited.
Charlie: [Screams internally] What has me most rattled about this is how ubiquitous Cisco’s technology is. And how there are plenty of juicy targets that some bad actors would, I’m sure, love to gain access to — government systems, stock exchanges, energy grids or power plants. And, like you said, even if the odds are slim, the I.T. business is messy. What is the nightmare scenario here and how worried should we be?
Sarah: The Red Balloon team told us that an attacker could get into some routers and then take down, say, the entire New York Stock Exchange. I think that’s probably the nightmare scenario here.
Thrangrycat is a “low level” attack — and when computer people say “low level,” they don’t mean inconsequential, they mean it reaches deep inside the infrastructure, it’s getting close to the bones of computing itself. In the case of Thrangrycat, we’re talking about the placement of pins on circuit boards.
The problem with low-level nightmare scenarios is that they’re highly theoretical. What’s possible depends on the state of everything that’s layered on top — hardware and software. I asked the Red Balloon folks whether data could be intercepted — like, say, my chats with you over the internet, right at this moment. And they said if end-to-end encryption were implemented correctly, probably not. The extent of the spying that’s possible through Thrangrycat is, at the moment, largely theoretical.
Charlie: But a theoretical security apocalypse just sitting out there is still quite bad, no?
Sarah: To go back to my steel beams metaphor, imagine if someone told you that the steel beams in your building are insecure but also they’re probably O.K. if the building is built under a certain height and the builders use a very specific brand of concrete. But also maybe the beams could give out if the wind starts blowing at a certain speed or if it’s really hot for 10 days in a row. Also, who knows if your building will actually fall over? Maybe it’ll just sway a lot or something and your floor will tilt? Who can say? Even if you’re probably safe in the long run, I’d say this kind of risk is just unacceptable.
Charlie: Your steel beams metaphor is going to haunt my dreams, mostly because it echoes what smart people who know how t