Auto-Update Leads to Auto-Hack

News broke recently that hackers exploited a backdoor to as many as 1 million ASUS computers by compromising the ASUS automatic update system. Hackers planted the malware in the system that pushes out software updates to ASUS computers. Automatic updates, by necessity, have access that bypasses a computer’s security system in order to install the software patches. 

These updates frequently patch security flaws. This blog has previously discussed the importance of timely and routinely installing patches, because doing so mitigates one of the greatest sources of cyber-risk. Equifax’s failure to implement a patch led to one of the largest data breaches ever reported.

The hackers’ exploitation of ASUS’s automatic update platform is particularly insidious because so many organizations make routine implementation of security updates a core part of their cybersecurity plan. Reports are that hackers in this case were likely only interested in a few particular machines, but it is not difficult to imagine hackers turning their attention to a broader target list.

This incident demonstrates there is no silver bullet in cybersecurity preparedness. Organizations cannot rely on automatic software updates to prevent every cybersecurity incident. In addition to hardware and software solutions, organizations need to implement controls and processes to reduce the risk of a cybersecurity event. These controls can include segregating duties within the organization, limiting access to sensitive information, and training employees on what to do when an intrusion has been detected.