October 11, 2019

Don't be fooled, nothing is unhackable.

Don't be fooled, nothing is unhackable.

With the blogs in this series I want to reach not only my typical audience, security professionals, but especially less security aware people to help them improve their personal security. If you think the content is helpful for people you know, share it with them!

One of the things that really bothers me is when companies claim that their product or solution is unhackable. In this blog I'll tell you why that's utter nonsense.

No device is unhackable

What you see here is 15-year-old ethical hacker playing the game DOOM on a Bitfi. A Bitfi wallet is device that stores crypto-coins and assets.

They claimed it to be unhackable, but a collective of security researchers hacked it in every possible way and could even steal the funds from it.

Another example is this "Unhackable" USB flash drive.

Which was then fairly easy hacked by a pentesting company.

These are just a few examples, I could go on for a while. The point is that each (internet connected) device, website or app is hackable. There are certainly products that are better secured than the examples I gave here, but there's no such thing as 100% secure, hackproof or unhackable. A motivated hacker will always find a way to break the security.

But maybe we can fix all security holes by using next generation security appliances?

Well, no...

You know these product selling commercials on the television, right? The ones in which they try to sell you something you don't need. For instance a scratch repair pen for your car. It's not only the best scratch remover ever, that removes inch deep scratches, it also is very cheap and easy to use. And you didn't hear the best thing yet, if you order today you get a 40% price reduction and you get two of them instead of one. So order NOW!

If you have ever bought any of these products you will very likely be disappointed when you use them. If you're realistic, you know that removing deeper scratches from your car is work for specialists and it will cost you a lot more money than the $29,99 for the set of scratch repair pens.

These commercials often contain a lot of false claims and they try to manipulate people to buy the advertised product, for instance by exploiting the sense of urge. "Only if you buy today you'll save a lot of money."

Well all this is no different for security products. They are sold as if they will fix everything for you. Take this commercial from CUJO for instance.

They promote their smart learning Internet security device that "guards all connected home devices against hacks". In this video they use exactly the same tactics as you will see in the commercials that want to sell you a scratch remover.

But what's even worse is that they use scare tactics to try to convince security unaware people to buy their product.

I'm not saying that there aren't a lot of security risks and there are criminals out their to exploit them and steal your data. But it's very unlikely that they are sitting in the dark wearing a hoodie and they are hacking in green in a browser. If you want to have some fun, you can try the tool they use in the video here. just press the space and enter button to become a "hacker".

https://hackertyper.net

Whilst this device might help to fend off some attacks, don't be fooled, there's no silver bullet solution that solves all the security problems for your connected home devices. Not a chance that one device can protect you to all the known and not yet known vulnerabilities for instance in this smart lock.

Attackers exploit holes in devices and software that even the company that made it wasn't aware of. And no virus scanning solution will be able to protect you for 100%. It's an ongoing game between criminals and defenders and the only thing you can do is is defend by using different layers of security and applying best practices.

And I have to disappoint you, but unhackable firewalls don't exist either...

Why this is a problem

I'll sum up a few reasons why these kind of false claims are problematic:

  • People definitely don't get what they have been promised, which is logic because products or solutions that provide 100% security don't exist.
  • The people that buy these products are the ones that understand the real security risks the least. Blindly trusting on (the wrong) solutions can have nefarious consequences. Even financial ones if for instance the funds from your "unhackable" Bitfi get stolen.
  • It's a shameful practice to abuse people's lack of understanding to sell snake oil.
  • By claiming that something is unhackable you might not only attract security researchers, but also people with malicious intentions might be eager to prove you wrong.

Conclusion

Claims like unhackable or 100% secure should be a red flag. There's no such thing. I will not buy or use products and solutions that make these claims because it's utter nonsense. I hope you'll be very critical when you see something like this. Don't blindly believe all the buzzwords that are used on marketing websites or video commercials.

That's it for today. More security awareness tomorrow. Stay safe online in the meantime!