Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/27/2017
06:30 PM
50%
50%

Get Ready for the 2038 'Epocholypse' (and Worse)

A leading security researcher predicts a sea of technology changes that will rock our world, including the Internet of Things, cryptocurrency, SSL encryption and national security.

BLACK HAT USA – Las Vegas – Buckle in for a wild ride in the next two decades where the role of security professionals will rise in dramatic importance, Mikko Hypponen, F-Secure chief research officer, predicted at a Black Hat presentation today.

"Our work is not to secure computers, but our work is to secure society," says Hypponen in his presentation The Epocholypse 2038: What's In Store for the Next 20 years.

The security researcher pointed to likely sea changes the industry will witness in the coming 20 years: the 2038 Unix Millennium bug that will drive industry worry on par with Y2K, major shifts in the way security professionals deal with Internet of Things devices, cryptocurrency, SSL encryption and national security.

Y2k Redux in 2038?

When January 19, 2038 rolls around, the industry is bracing for a situation where the computer industry running on Unix will out of bits and systems will crash.

The 2038 epocholypse has been compared to Y2K, in that fear and loathing hype is mounting. Hypponen recalls how he was busy standing guard on New Years Eve when 2000 rolled in and the entry into the new millennium went smoothly. But despite all the bashing that the industry cried wolf about the doom that could have occured on New Years' day 2000, Hypponen says two points were missed -- and it's something to keep in mind for 2038.

One point is that an enormous amount of work went into finding bugs and fixing them prior to Y2K, so the impact was greatly minimized on the actual day, said Hypponen.  The second point is that not all Y2K-related problems immediately emerged on Jan. 1. Some came much later, such as inaccurate readings for Down Syndrome risk in pregnant women, he recalled, noting how some women underwent abortions unaware of the misdiagnosis.

"[The year] 2038 is way off in the future. People think we have plenty of time to fix it,  but I will guarantee you we will run out of time," Hypponen warned.

Cryptocurrency Game Changer

Bitcoin and other forms of cryptocurrency will likely take a big chunk of business away from the brick-and-mortar banks but these virtual currencies won't likely cause institutions to go out of business, predicted Hypponen.

But cryptocurrency is dramatically changing the landscape related to how law enforcement will chase the bad guys and follow the money. Cryptocurrency not only allows cybercriminals to conduct transactions anonymously but also gives them an avenue for laundering the money through multiple digital accounts with lightning speed, he noted.  

And thugs are also using the cryptocurrency when committing traditional physical crimes, Hypponen said, pointing to a Brazilian kidnapping where the attackers demanded a ransom payment in Bitcoins.

SSL, IoT, and Nation State Attacks, Oh My

Quantum computing is reaching a point where in the very near future it may pose a threat to SSL encryption, Hypponen predicted, explaining how the ability of quantum computers to crunch through waves of prime numbers puts the security of SSL encryption at risk. Evidence: IBM's announcement earlier this year about the construction of a commercially available universal quantum computing systems for its IBM cloud platform.

In addition to the potential demise of SSL encryption, humans are also facing greater risks with the rise of IoT devices. "There will be a day when consumers buy products and don't even realize they are IoT devices," Hypponen said. "If it is a smart device, it is a vulnerable device," which he predicts will create the need for a separate IoT network.

But what keeps Hypponen awake at night is the prospect of a nation state attack on consumers. "Wars today are fought with drones," he said, asking what would happen if the software that feeds into computer chips and devices were instructed to have the device catch on fire, simultaneously across millions of homes.

"Technically, it can be done," Hypponen said, showing a demo of one device in flames.

Related Content:

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RetiredUser
0%
100%
RetiredUser,
User Rank: Ninja
7/31/2017 | 1:14:09 PM
Flying Without Technology
While I suspect this will ultimately be fixed through some well-written code to manage patching systems to either relieve us of time-related services or getting creative with real-time hijacking of 32-bit time functions with 64-bit (can't wait to see that), I think the cautious will familiarize themselves with what infrastructure could be affected.  Case in point, transportation that utilizes embedded technology that could be affected by this issue could be brought to a halt.  While an unusual thought these days, anyone with access to low-tech infrastructure, planes in particular, could still get around thanks to enterprising business leaders who will quietly set up a "shadow" low-tech infrastructure in anticipation of the need.  Planes, trains, ocean liners - anything whose safety could be compromised using current embedded tech could be replaced with low-tech versions, or re-vamped to remove reliance on these systems.  Of course, the more I read about this issue, the more I'm hoping the fix is already in the can.  Other things that are airborne and rely on embedded tech include missiles and satellites...

   
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...