Applying “Secure By Design” Thinking to Events in the News 

By: Bob Lord, CISA Senior Technical Advisor 

In October, CISA and 17 U.S. and international partners released a refined version of “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.” The update expands on the three principles outlined in the original version: Take Ownership of Customer Security Outcomes, Embrace Radical Transparency and Accountability, and Lead From the Top. The whitepaper urges technology manufacturers to adopt "secure by design" principles in their manufacturing processes and highlights several tactics to make products safer by design. 

Both before and since we posted that paper, numerous news outlets have reported on potential threats facing consumers and the technologies they rely on every day. One such threat, humorously dubbed "juice-jacking," even received some lighthearted commentary on US talk shows. For those who missed it, the reports claimed that criminals were rigging free USB charging stations in US airports and other public spaces. Since USB cables can charge a phone as well as transmit data, the perpetrators allegedly exploited this capability to install malware on victims' phones. 

Reading these articles prompted us to consider how "secure by design" thinking could be applied to analyze the alleged problem. The reports didn’t cite evidence, but some key questions related to these alleged juice-jacking attacks could help determine if manufacturers need to do more to protect their customers: 

  1. Manufacturer response: What do phone manufacturers have to say about the vulnerabilities linked to these alleged attacks? Did phone manufacturers commit to fixing the problem?  If so, by what date?  

  1. Hardware: Is a specific hardware manufacturer or version of device more vulnerable than others? 

  1. Operating system: Does  the threat affect a particular mobile device operating system, e.g. Android phones, iPhones, or both?  Are fully updated phones affected, or just those with outdated software? 

  1. Device settings: Are there settings or configurations that can prevent the attack? If so, how can users adjust these settings to enhance security? Will the manufacturer make the secure setting the default in future versions? 

  1. Detection: Can users detect the start of an attack? For example, does the phone detect a potential problem and ask the user to approve a data transfer? If so, is the wording in the dialog clear enough for the user to take appropriate action? If not, will manufacturers create or improve confirmation alerts? Can users determine if an attack has been successful? Can they check their phones for signs of compromise from a juice-jacking attack? 

  1. Malware: What does the alleged malware do once installed on a phone? Does it steal passwords, mine cryptocurrency, or delete photos? Does the malware bypass normal OS authentication requests, or are users merely clicking "Accept", thereby giving the malware access to important files and data? Have any malware reverse engineers examined the malware to figure out its origins and purpose? 

I have not seen answers to these questions nor have I seen any evidence that juice-jacking is even occurring.  Despite the reports, the FCC notes that it is not aware of any confirmed cases.  That’s not to say juice jacking is impossible. Any code can have security defects and unsafe defaults, and phones are built from millions of lines of code. There may be vulnerabilities that make juice-jacking possible. But there is a difference between attacks that are possible, those that are probable, and those for which we have evidence of active exploitation. We should be careful not to jump from “it’s possible” to “it’s happening”

The security of consumer and enterprise products are not acts of fate. Security is the result of many conscious and continuous choices made by manufacturers starting even before products are designed. Customers and journalists can influence those choices in favor of better security in many ways, including by asking the kinds of questions above. In doing so, we shift the conversation away from what the attackers might be doing to their victims, to what the manufacturers are doing to keep customers safe. We should frame the debate in terms of empowerment (“Manufacturers have made these improvements”) rather than continue to imply our helplessness, (“Attackers are doing X”). Simply put, manufacturers must develop products that are secure by design rather than putting the burden of safety on customers. 

Finally, for folks in a position to give security advice, please orient your guidance around the principles and tactics in the secure by design whitepaper. Ask yourself, who is your intended audience?  Are you addressing the customer or the manufacturer? If you give advice to customers, please consider giving corresponding advice to the manufacturers so that they can fix the problem upstream and eliminate the need to warn customers in the first place. It’s more effective to advise a few manufacturers than it is to instruct millions of people to overcome the dangers of unsafe products. 

The road to a “secure by design” world will be challenging, but it is possible. One of the first steps on that journey is to accept the very idea that technology products can be made safe, and to ask manufacturers to make security a conscious and continuous choice as they build and maintain their products.