WNCRY ransomware demonstrates dangers of homogeneous, unpatched networks

Whenever history seemed to repeat itself, my Granny used to quip, “same song, different verse.” As the WannaCry (WNCRY) ransomware spread like wildfire in a dry forest, I heard the familiar refrain and discordant notes of previous worms: Blaster (2003), Welchia “Nachi” (2003), and Conflicker (2008). Each of these worms spread via well known flaws in Microsoft Windows for which patches were already available. Why then, after a decade and a half, are we still seeing worms spreading via known flaws? I believe there are three root causes:

  1. Upgrading is hard and expensive
  2. Patching seems risky
  3. Homogeneous environments are really vulnerable to worms

Our CEO Barry Mainz noted, “Every company is going through an evolution in enterprise computing, from legacy to modern.” This category of modern operating systems includes mobile OSes Android and iOS, as well as Windows 10. In this new world, IT organizations will need to adapt to a different and much faster way of handling upgrades and patches - and to the new reality of a heterogeneous environment.

Upgrading is hard and expensive

So many organizations are still running obsolete operating systems that Microsoft issued a patch for Windows XP, which the company had officially stopped supporting over three years ago!

Why were these organizations still running an unsupported version of Windows? The answer is that upgrading is hard and expensive. Upgrading can mean having to buy new licenses for 3rd party software as well.

Then there are the challenges with systems that interact with expensive hardware devices. Take medical scanners as an example. Controlling these devices requires specific software and device drivers that may not run on newer OSes, and there’s the risk that upgrading the OS may void the warranty on a system that costs hundreds of thousands of dollars to purchase and maintain. We used to call these “embedded devices” but now they’re “Internet of Things” (IoT) devices. They present new challenges, which we’ll return to later.

Now, contrast all the difficulty and expense in legacy computing with what happens in mobile computing. According to 9To5Mac, iOS 10 was running on over 65% of devices within 27 days of release. With that kind of adoption rate, it’s safe to assume that upgrading mobile devices is relatively painless and cheap. One key thing about mobile OS architectures is that applications are not allowed to tie themselves too closely to the OS. Thus, they’re less likely to break after an upgrade. The App Store model also gives mobile OS vendors the opportunity to test each new release with large numbers of 3rd party applications; something that is not easily accomplished in the legacy computing world.

Patching Seems Risky

In a legacy computing environment, fixes are distributed individually. This lets IT pick and choose which security fixes to apply, but it also means there are a huge number of potential patch combinations installed on any given system. Sometimes, even the order in which the patches were applied matters. The result is that many IT departments are reluctant to install patches without extensive testing. Contrast this with the mobile model where whole new versions of the operating system are distributed. For instance, Apple just released iOS 10.3.2, which fixed some two dozen security issues. Applying these patches is an all-or-nothing proposition.

Microsoft is moving to a similar approach for Windows. This has real benefits for customers. It’s far easier for software houses to develop, test, and support a handful of discrete releases than to support a world where every customer has a different set of patches installed in different orders. This improves stability because testing resources can be focused on a small number of configurations deeply rather than many configurations shallowly. Thus, fewer bugs escape into the wild to plague customers and IT departments. This lets IT deploy updates faster because there’s less testing needed.

Homogeneous environments are really vulnerable to worms

In the legacy computing model, IT works towards standardising all systems on one OS and a small number of device models. There are some benefits to this, and it was arguably necessary in order to successfully manage legacy systems. But WNCRY and other worms see that homogeneity as a huge attack surface. We’ve learned from nature that homogeneous ecosystems tend to be hugely vulnerable to diseases that wipe out entire populations.

In contrast, the mobile computing world is characterized by diversity. If you visit a modern software development organization, you’ll find a variety of systems: iOS, Android, Linux, MacOS, Windows, and maybe even a Chromebook or two. None of these OSes is completely immune to attack. However, just as diseases have difficulty jumping from species to species, so too malware that affects one OS is often harmless to others. Thus, with greater diversity the value and impact of attacking any given OS goes down. The attackers have to work harder to find and package flaws in each OS individually.

Here’s an example of why heterogeneity is so useful. (Note: all numbers are made up, but they serve the point.) Let’s assume that there are 10,000 hackers in the world capable of finding and exploiting security flaws to make worms like WNCRY. Let’s say that Microsoft employs 30,000 engineers. That means that for every three Microsoft engineers trying to build code and fix problems there is one attacker looking for flaws. Since it’s far easier to find flaws than to eliminate all of them, the attackers will win.

Now consider a mobile environment. Assume that Microsoft, Apple, and Google each employ 30,000 engineers. The number of attackers has stayed the same, but now there are 3X as many engineers building and defending their systems. Additionally, finding new exploits for systems requires deep knowledge of the platform, so now the attackers have to spread their efforts over 3X as many platforms. In other words, the defenders just gained a 9X advantage! And that doesn’t consider the relative benefits as these software development firms improve the security of their products to gain competitive advantage.

One of the classic arguments against a heterogeneous network has been that IT doesn’t know how to manage all these different OSes, but mobile computing is changing this. All major mobile OSes support similar sets of controls and EMMs are able to provide a single pane of glass to manage all of them. As one of our customers observed:

“If we want to add another operating system to our mobile device inventory, we're well prepared with MobileIron...” - Thomas Hönig-Heinemann, Head of the ICT network department.

And for Windows 10, MobileIron Bridge allows IT organizations to leverage their legacy GPO settings via their MobileIron EMM. All of this leads to an environment where IT can manage a diverse set of systems, something that was nearly impossible just a few years ago. EMM’s have the ability to quarantine devices that are not properly patched. Integrations with products from Cisco and Aruba can even be used to quickly kick potentially vulnerable systems off your network. Since not every system is vulnerable, the business can continue to function. While this may impact a subset of users, it can buy IT valuable time to deploy patches or other mitigations in the event of an outbreak like this one.

The bottom line is business continuity: with a heterogenous environment, you won’t see all your systems disabled or compromised.

IoT could make things worse

We have already seen botnets like Mirai take over huge numbers of systems using nothing more than default passwords. It’s not hard to imagine that in a few years when IoT vendors have addressed these basic issues, hackers will begin looking for code-level flaws in these products. While mobile computing is characterized by fast update cycles, IoT today is characterized by the never update model. Thus, some security experts fear that we will see huge numbers of unpatched IoT devices lingering on networks for years after exploits are well known.

MobileIron’s vision for IoT starts by securing intelligent gateways that manage endpoints – sensors, machines and actuators. These gateways can then properly isolate the IoT devices behind them. If the IoT devices get compromised, these intelligent gateways could be configured to block the incoming connections used to spread worms, filter dangerous network traffic, and even interface with intrusion detection(IDS) or intrusion protection (IPS) systems. Organizations can then perform the necessary corrective actions.

We also see a convergence where IT organizations are extended not only to manage mobility and desktop devices but also intelligent edge as organizations go through their digital transformation.

Mobileiron recently launched an IOT division focused on bringing this vision to market.


WNCRY demonstrates that that today’s government exploits can easily become tomorrow’s hacker tools. Organizations need to assume that they’re going to be targeted by attackers with government-grade exploits. In this new reality, the legacy computing model of slow, infrequent upgrades, slow patching, and homogeneous environments fails. The mobile computing model delivers more security as a direct result of the diversity of platforms and devices. IT organizations now have the tools to manage this diverse ecosystem. The challenges are real, but the opportunities for improved security and business continuity are huge.

Timothy Jackson

Senior Security Architect

About the author

Tim Jackson is a security professional with over 12 years of experience helping development teams identify and understand security requirements in order to design and build secure solutions. Before joining MobileIron as a Staff Security Architect in 2015, he worked as a security engineer at Citrix, Citrix Online, and in the payments industry. This gives him broad experience in securing enterprise software, network appliances, and SaaS. His current role is to work with business stakeholders to identify needed security features and certifications (e.g. FIPS 140-2, Common Criteria, FedRAMP, PCI-DSS, etc), provide technical leadership of certification efforts, develop technical vision for security in MobileIron products, set internal engineering security standards, ensure products are designed to meet customer security needs, monitor trends in the broader security landscape, participate in standards development groups such as the TLS 1.3 working group and MDMPP Technical Community, mentor junior security engineers, and engage with customers through meetings, blogs, and presentations at MobileIron events.