Stop Ignoring Those ‘Update Your Device’ Messages

Even though the Asus malware attack was spread through software updates, the best way to protect yourself online is to keep your software updated.

Mr. Blaze is a professor at Georgetown University.

Photo: The inside of a computer with the Asus logo in Jersey City. Credit: Jenny Kane/Associated Press

This week, internet security researchers woke up to disturbing news. An attacker had installed malware on as many as half a million Asus-brand computers running the Windows operating system. Reports of large-scale malware infections have become almost routine, but what made this one notable was how it was accomplished: the attacker compromised the Asus servers used to send periodic operating system and security updates to customers. In other words, as far as the customer could tell, the malicious software came directly from the manufacturer, complete with its digital stamp of approval.

Subverting a software update system (a type of “supply chain attack” in security parlance) is usually associated with international espionage and intelligence operations — not with run-of-the-mill attempts to steal credit card numbers or banking passwords — and for good reason. It requires considerable resources and skill because the hardware and software companies’ systems that have to be compromised are generally better managed and more carefully secured than those of individual consumers. But when they are successful, attacks against the supply chain are an especially powerful threat: They rely not on repeatedly fooling each user into, say, opening the wrong email attachment (a common way malware is spread), but on the trust that users naturally and reasonably place in the suppliers that sold them their hardware and software. It’s a dangerously effective way for the attacker to reach many thousands of victims (or a few carefully selected targets).

Fortunately, while the Asus attack exploited the vendor update mechanism to install unauthorized software on many thousands of computers, it appears that the malware itself was designed to affect only a few hundred actual targets and was relatively harmless to everyone else. But that still leaves us with the uncomfortable fact that a software update mechanism — a critical system intended to protect users — was turned on its head and used to attack them instead. And it’s not just Asus; almost every other major software and hardware vendor offers an update mechanism for its products, sometimes enabled by default.

To protect against the insidious threat of malicious updates, it might be tempting to immediately disable these mechanisms on your computers and smartphones. But that would be a terrible idea, one that would expose you to far more harm than it would protect against. In fact, now would be a fine time to check your devices and make sure the automatic system update features are turned on and running.

The reason for this counterintuitive advice has to do with the fragile nature of the software that makes modern computing and the internet work. In spite of decades of steady technological progress that has made computers better in almost every way, virtually all software still suffers from bugs — the small programming defects that can manifest themselves as everything from minor unexpected behavior to outright system crashes.

Some of these bugs have security implications; they can be exploited to do harm, for example, by exposing sensitive information to attackers. As systems become larger and more interconnected (as they inevitably do), the number of bugs, and our exposure to exploitable vulnerabilities, only increases. In other words, every computer, every smartphone, every piece of software is delivered to the user with a plethora of hidden security flaws preinstalled. We just haven’t found them yet.

Over time, of course, these vulnerabilities get discovered and used against users. The only viable protection is to fix them as soon as they’re found. That’s where the vendors’ software update mechanisms come into play. The most important updates quietly repair newly discovered security flaws that have already been, or will soon be, used to attack end users.

In other words, security in the modern internet can be understood as something of an ecosystem, where survival depends on continually adapting to protect against ever-evolving new threats. Vendor software updates, applied at regular intervals, are, for better or worse, the only large-scale method we have for adapting our defenses. Those who fail to update become especially attractive targets, with their computers succumbing to automated attacks that might do anything from stealing personal information to installing “ransomware” that holds important files hostage until payment is made. As the “Internet of Things” puts connectivity (and complex software) in everything from home security systems to light bulbs, the consequences of these attacks, and the need for regular software updates to prevent them, will only grow.

Therefore, the most potentially damaging aspect of the Asus attack isn’t whatever malevolent behavior it might have directly exhibited. It is that people might be frightened away from installing the critical software updates that keep life on the modern internet relatively safe. The calculus is simple: Allowing updates subjects us to a small risk of falling victim to a sophisticated supply chain compromise. But disallowing updates brings a near certainty over time that we will be successfully attacked. The danger here lies in overreacting to a small risk in a way that exposes us to a much more likely — and even more undesirable — one.

So what should we do? The main responsibility lies with the industry. Asus will no doubt be criticized for allowing its servers to be compromised and for failing to detect that it had been distributing malicious software to its customers. Other vendors should take note and harden their own systems. And especially as the Internet of Things turns our appliances into computers, lawmakers and regulators should increasingly understand computer security — and the requirement for high-integrity software updates — as a basic consumer safety issue.

Meanwhile, on the internet, it’s update and evolve, or die.

Matt Blaze (@mattblaze) is the McDevitt Professor of Law and Computer Science at Georgetown University, where he studies security and privacy technology and its implications for public policy.
