I believe it's exponentially easier to defend when you can anticipate the offense. So what will cyber offense start doing this year, and how can you prepare? I’m David Brumley, CEO of ForAllSecure, and here are my top three predictions for offense in 2023:
I’m pegging 2023 as the first year someone finds ransomware has locked them out of their car.
Why 2023? As Berkshire Hathaway’s Charlie Munger once said, “Show me the incentive, and I’ll show you the outcome.”
Automotive cybersecurity is bad. For example, a recent article by Sam Curry found serious vulnerabilities in almost every major car company's tech stack. He estimates an exploit for one of those vulnerabilities would allow an attacker to disable over 15.5 million vehicles.
Compounding the problem is how software for cars is made. In 2022, I did an informal analysis of code from all major car vendors I could find online, and found major vulnerabilities in each one. For example, in 2021 researchers showed how to hack a Tesla using a drone. While Tesla fixed the problem, that same vulnerability is still present on several other car platforms today.
I’ve responsibly disclosed the issues, but my impression is that car companies themselves are still not quite sure what to do. A typical car is a mix of open source, OEM, and custom code. Car companies know how to do safety, such as building redundant controllers. But they’re still wrestling with cyber and how it’s different.
If you’re a car company, I’d love to work with you to make my prediction wrong.
If you don’t work for a car company, my best advice is to keep your webcam handy. You might need it to work from home when your car gets hacked.
Attackers love zero-day exploits. What they don’t love is the time it takes to create them.
Fortunately, scientists have been working around the clock to make offense easier.
Existing code scanners have historically been pretty useless for offense. Their Achilles heel is that while they can give a hint about where a bug might be, they require a ton of manual effort to first weed out false positives and then figure out how to actually trigger the suspected bugs.
The new generation of software security tools works differently and forgoes the scanning approach altogether. Instead, it uses sophisticated, self-reinforcing dynamic analysis algorithms, like coverage-based fuzzing and symbolic execution. The algorithms don’t scan—they learn, and they create reproducible tests that trigger the corner cases your developer missed.
That test case can be replayed at any time to trigger the bug, making it a bit like a proof of concept exploit when the bug is a vulnerability.
For example, take Mayhem's results on 1,644 open source programs. In 2022, Mayhem explored over 132 billion new code paths in those programs and automatically authored 2.24 million missing tests for corner cases the developers missed, of which 1.32 million crash, hang, or break program logic, due to 29,691 new unique bugs.
That exploit is all defense needs to know to confirm, debug, fix, and test for that vulnerability. Offense can build off the proof of concept (and of course will still have to spend time weaponizing).
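To make the "learn, don't scan" point concrete, here is an added example, not code from the post or from Mayhem: a minimal coverage-guided fuzzer over a constructed toy record parser. The parser, its deliberate bug (trusting a length byte and copying the body into a fixed 8-byte buffer), the hand-written coverage edges, the AFL-style hit-count buckets in `_bucket`, and the seed `b"seed"` are all assumptions of this example; a real fuzzer such as AFL or libFuzzer gets the coverage signal from compiler instrumentation instead of from a `cov` parameter. The fuzzer keeps a mutant only when it reaches an edge no earlier input touched, so it climbs through the magic bytes one at a time rather than guessing a whole valid record, and the crashing input it returns is exactly the reproducible test case the paragraph describes: `replay` re-runs it on demand.

```python
"""Minimal coverage-guided fuzzer over a toy record parser (constructed example).

The target has a deliberate bug: it trusts the length byte in the header and
copies the body into a fixed 8-byte buffer with no bound check.
"""

MAGIC = b"FUZ"
BUF_SIZE = 8


def _bucket(count):
    """AFL-style coarse hit-count bucket for loop iterations (assumption: mirrors AFL's buckets)."""
    if count < 4:
        return str(count)
    if count < 8:
        return "4-7"
    if count < 16:
        return "8-15"
    return "16+"


def parse_record(data, cov=None):
    """Toy parser for [3-byte magic][1-byte length][body].

    `cov` collects the coverage edges this execution touched; real fuzzers get
    this from compiler instrumentation rather than by hand as here.
    """
    cov = cov if cov is not None else set()
    cov.add("entry")
    if len(data) < 4:
        cov.add("too_short")
        return None
    for i, c in enumerate(MAGIC):
        if data[i] != c:
            cov.add("bad_magic")
            return None
        cov.add(f"magic_{i}")      # one edge per matched byte: the gradient the fuzzer climbs
    n = data[3]
    cov.add("header_ok")
    body = data[4:4 + n]           # trusts the untrusted length field
    buf = bytearray(BUF_SIZE)
    for i in range(len(body)):
        buf[i] = body[i]           # IndexError (the "crash") once len(body) > BUF_SIZE
    cov.add("copy_" + _bucket(len(body)))
    return bytes(buf[:len(body)])


def run(data):
    """Execute the target once; return (edges touched, crashed?)."""
    cov = set()
    try:
        parse_record(data, cov)
        return cov, False
    except Exception:              # any uncaught exception counts as a crash
        return cov, True


def mutants(data):
    """Deterministic mutation stages: byte substitutions, single-byte appends, self-duplication."""
    for pos in range(len(data)):
        for v in range(256):
            if data[pos] != v:
                yield data[:pos] + bytes([v]) + data[pos + 1:]
    for v in range(256):
        yield data + bytes([v])
    yield data + data              # block duplication: a cheap way to grow the body quickly


def fuzz(seed, max_execs=100_000):
    """Coverage-guided loop: keep a mutant only if it reaches an edge never seen before.

    Returns the first crashing input (the reproducible test case), or None.
    """
    seen, crashed = run(seed)
    if crashed:
        return seed
    queue = [seed]
    execs = 1
    while queue:
        parent = queue.pop(0)
        for child in mutants(parent):
            execs += 1
            if execs > max_execs:
                return None
            cov, crashed = run(child)
            if crashed:
                return child
            if not cov <= seen:    # new coverage: this input taught us something
                seen |= cov
                queue.append(child)
    return None


def replay(test_case):
    """Re-run a saved reproducer; returns the exception class name or None."""
    try:
        parse_record(test_case)
    except Exception as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    repro = fuzz(b"seed")          # constructed seed: right length, wrong magic
    print("reproducer:", repro)
    print("replay:", replay(repro))
```

Starting from a seed that is nothing but the right length, the loop discovers `F`, then `U`, then `Z` as separate coverage gains, then grows the body until the copy loop walks past the buffer. A scanner would only have flagged the unchecked copy as a possible problem; the fuzzer hands back an input that demonstrably triggers it, which is what the defense side needs to confirm, fix, and regression-test the bug.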
Why do I think 2023 is going to be a breakout year? The tech is matured, available, and shown to scale. It’s just a matter of time before your typical cyber criminal gang puts it into practice.
In fact, we believe nation states are already doing something similar. In 2016, the US spent $60 million building the first prototypes for a completely autonomous zero day hacking machine. Other countries like China quickly followed suit.
How do you prepare? Simple: run these same techniques on your own pipeline. That way you’ll find the exploitable bugs before they ever hit production. A growing number of companies like Cloudflare, Motional, Google, and Microsoft use this kind of smart dynamic analysis as a fundamental pillar of their defense programs.
You can start ad hoc with open source tools like AFL and libFuzzer, or use commercial enterprise-grade platforms like Mayhem.
There is a tragedy of the commons for open source software security, and I predict in 2023 we will continue to see more of the same.
The term “tragedy of the commons” comes from English economist William Lloyd, from a paper in 1883 in which he analyzed the economic incentives of shared grazing land for animals. What he saw was that while everyone shared a diffuse responsibility not to overgraze, that wasn’t enough to prevent it. The tragedy of the commons can occur when everybody acts in their own apparent best interest, but with the result of harmful over-consumption.
Economically, commercial companies benefit from communal open source because they don’t have to pay for the initial development. But if every company acts solely in their own apparent best interest to minimize software development costs, no one will invest in the scarce talent and time needed to secure the communal software.
There are some small points of light. The US is now requiring a software bill of materials, which helps make explicit the quantity of OSS we depend on. However, the SBOM is silent on who needs to improve the quality and security of that software. Nonprofits like the Linux Foundation, and a few big tech companies like Google are investing. Those efforts are important to amplify.
But ultimately, I don’t think we have a firm understanding of the right incentives to create a secure open source ecosystem.
So, I don’t think we’ll see major changes to OSS security in 2023. The consequence: a continued rapid pace of incidents in which a single vulnerability like Log4j has a disproportionately large effect.
So there are my top three predictions for offense. Attackers will start zero day farms, your car will be ransomed, and we will continue for another year where everyone says everyone else should start securing OSS.
Mayhem is an award-winning AI that autonomously finds new exploitable bugs and improves your test suites.