On the Facebook page of the German Chapter of the ACM, Professor Hof, head of the research group INSicherheit (Ingolstadt Research Group Applied IT Security) at the Technical University of Ingolstadt and of the research group MuSe (Munich IT Security Research Group) at the Munich University of Applied Sciences, published a comment today on the Telekom hack:
“Luckily, the attackers goofed and nothing happened. It is clear, however, how vulnerable we are and how deplorable the state of our Internet-connected home devices is. With 900,000 captured Internet routers and typical upstream speeds of 1 MBit/s, the attacker would have had up to 900 GB/s of attack capacity at his disposal. Attacks of this magnitude can today be fended off even by large service providers only with effort; see the attack on Dyn a few weeks ago. And one does not want to imagine how Deutsche Telekom would have managed to replace 900,000 routers at customers' premises, or to supply them with new firmware, if the attacker had disabled the remote maintenance interface.
We can no longer afford such vulnerabilities in the future. It is therefore only right that there are now calls to hold manufacturers liable for security vulnerabilities. I have been calling for extensive software product liability for almost a decade. In short: whoever is responsible for a software or configuration vulnerability should bear the costs of a hacking incident. Hacking-related incidents are no force majeure but indicate a lack of product quality. Vulnerabilities can be avoided, but that costs money. That is why the effort to get security right must be matched by a corresponding penalty if security goes wrong. Appropriate rules must apply to all network-enabled devices in all areas.”