Internet of Awesome Things

Ep. 6: Staying Safe

August 30, 2019 Season 1 Episode 6
Russell Brown

How secure is the typical internet-connected device? Independent security consultant Erica Anderson and Spark Head of Security Josh Bahlman drop in for a chat about IoT privacy and security.

From hacked nanny-cams to botnet attacks, we’ve already had a few scares. And there will be more. Yes, IoT is as much of a wild west as every other tech advancement before it.

According to both Erica and Josh, many IoT device manufacturers are working as quickly and cheaply as possible. But, Erica says, they aren’t considering the outcomes of their tech going rogue. Josh adds that many device vendors don’t fully understand the built-in vulnerabilities. And even if they do, it seems that some don’t care.

Erica also tells how she recently decided against buying an IoT-enabled heat pump because of the vendor's published security vulnerabilities. She suggests that anyone buying an internet-connected device should google the vendor's name along with "security" and see what it turns up.

How do we prepare for privacy and security as 20 billion things light up around us? Erica and Josh are convinced that we'll need national and international regulation to force the implementation of robust security features.



Russell Brown:
0:01
Kia ora koutou and welcome to "The Internet of Awesome Things", a podcast all about the Internet of Things, brought to you by Spark. I'm Russell Brown. So far in this series we've talked about the many benefits of the Internet of Things, but with those benefits come some risks. And that's what we'll cover in this episode. In some ways, IoT security mirrors our experience with the internet itself. We'd have designed email differently back in the day if we'd thought about spam, for example. And with IoT, we've already had a few scares, not least IoT botnets harnessing security cameras and digital recorders and attacking the rest of the internet. Yep, that happened. But have we learned any lessons a bit quicker this time around? And how should we prepare on privacy and security as billions of new things light up around us? I'm joined now by two people whose job it is to know, independent security consultant Erica Anderson and Head of Spark Security Josh Bahlman.
Russell Brown:
0:58
Well, welcome to you both.
Erica Anderson:
1:00
Hi, thanks for having us.
Josh Bahlman:
1:01
Thanks Russell.
Russell Brown:
1:02
Now Erica, let's start with the basics. What are the security challenges for the Internet of Things and how do they differ from general IT security?
Erica Anderson:
1:11
The differences between the two, they're really kind of the same. In a sense you are handling and handing your data to someone and putting it and transmitting that over a piece of technology that you can't control in exchange for something. For example, you know, when you're using an online shop, you're putting all of your sensitive personal information into a website in order to buy goods online. It's really kind of the same concept when it comes down to, you know, being able to turn on your heat pump when you're driving home and being able to actually transmit that request over to something in order to turn that on. So it's kind of in a sense trading that data for that convenience but it all comes down to the same critical security controls and you know, both those things just like a website. The technology that kind of drives the internet component of your heat pump needs to be patched and needs to be taken care of. You need to make sure that access is pretty well controlled. But they're the kind of the same...
Russell Brown:
2:06
So it's benefits and risks, isn't it? We didn't have computer viruses until we could actually connect up computers, which is a really useful thing to do. But Josh, the key here I guess is minimising the risk.
Josh Bahlman:
2:18
Yeah, yeah, absolutely. I think, to carry on from what Erica was saying, people aren't thinking about that risk when they're developing the outcomes for IoT. They're literally trying to solve a problem or make something easier for people to do. So it's about getting fast to market and putting some cool features on, it's not talking ... They don't think about, like, how do you secure this device? Is this going to impact someone's life if something happens to this device? Or what could this device do on the broader internet?
Russell Brown:
2:44
Are we catching up now on the era where, as I understand it, a lot of the early connected devices went out without much thought for security?
Josh Bahlman:
2:53
Are we catching up? I think some vendors, like reputable vendors, are thinking about it, but now I think we see the counter happening. You're getting a lot of cheap devices produced in a lot of cheap manufacturing places around the world and they don't care that ... They need to get the stuff out to market as fast as possible to make money. They're not really thinking about, "Do you need the capability of patching it or should it be patched?" It's not really something that they're thinking about at the low end of the market. And that's where the mass amount of these IoT devices is coming from.
Russell Brown:
3:21
And the EU has actually started to force the issue now and said you can't have hard-coded default passwords, which seems obvious, doesn't it? But is it going to take regulation to stop these things being built like that?
Erica Anderson:
3:34
Yeah, I think unfortunately it is going to take regulation, and it even goes into the US as well. So they have the California [IoT security] Act, where although it's quite broad, they're requiring that, you know, these devices have some type of security features. Although they don't specify what those features are, it's at least one good positive step towards actually making sure these devices are secure. So I think unfortunately, you know, regulation is what's going to force a lot of these other organisations, the ones that aren't as big as those large corporates who might have enough capability and resources to take security seriously. But it's gonna force all of the other lower-hanging companies to actually do something about it. So I think that is going to hopefully push the point home and make a lot of organisations actually think about, you know, in their whole development lifecycle, how are we actually going to maintain these components? How are we gonna keep them patched? What are we gonna do if there's a vulnerability? How are we going to protect access to that device? And to make them think about it before they push out all of that hardware.
Russell Brown:
4:29
And I guess the thing here is that it involves devices where we don't necessarily think immediately of infosec. I mean, Josh, the botnets that have appeared so far largely exploited security cameras that were connected to the internet and things like personal video recorders.
Josh Bahlman:
4:47
Yeah.
Russell Brown:
4:47
You know a bit about this. Can you ... What happened with those?
Josh Bahlman:
4:50
Well, I think you're talking about Mirai in the initial case where it took down some massive DNS platform in the US which actually took out most of the internet for a huge amount of big corporations like, y'know, Spotify and the Facebooks, et cetera. And Mirai, you know, it's still kicking about, it's still sitting there. It's probably being used for some sort of [distributed] denial of service [DDoS] attack. But what's interesting has been, I guess, some of the broader security community's response to that and building other sorts of botnets to actually combat this problem. So you've got all these ...
Russell Brown:
5:22
So there were white hat botnets battling the bad botnet.
Josh Bahlman:
5:27
I think to be honest some of them were probably black hat versus black hat. But you've got, you know, you had Mirai on one hand that was used to do denial of service, then you had BrickerBot which was, you know, a frustrated security individual who went out and started compromising the Mirai bots. So he would actually just take them offline. And then you had someone who had a slightly softer approach, which built the Hajime botnet, and that went out there and tried to patch these things or secure them, which is this ... It's the battle of the botnets out there at the moment.
Russell Brown:
5:55
This was very largely used for denial of service attacks, flooding connections to take websites offline. Is there anything more bad guys could do with botnets like that?
Josh Bahlman:
6:07
Well, absolutely, I mean, yeah, the American one was hitting their primary DNS service which then had a huge impact. But you could ... I mean, we've seen ransomware-type stuff in the past. You could also use these to attack other things in other ways, I guess. So if you stick something on the internet these days, it's going to get knocked on, you know, thousands of times a day, from people who are trying to just see what's out there on the internet. So you can also use it for more of an offensive, of trying to find out what's vulnerable, to take that over type of a thing as well, yeah.
Russell Brown:
6:36
Well, I suppose we should define what we're talking about when we talk about IoT security. I mean, to me it seems to divide up two ways. There's data privacy and the security of devices and systems. They're quite different things, aren't they, Erica?
Erica Anderson:
6:52
Yeah, no, definitely. Two very different things. 'Cause when you look at IoT from a security point of view, you know, you're agreeing to use this technology to transmit data and you're trusting it. But you still have a bit of due diligence you can do yourself. You know, how can you actually trust that thing before you blindly start feeding it all of your personal information. Whereas from a privacy point of view, you're using this device for convenience so you in a sense have to give it your data in order to get the service in return. So, you know, you kind of agree to any type of privacy risks. So you need to make sure that the device itself is quite secure to protect that data and make sure that the data remains private. But they are two entirely different things.
Russell Brown:
7:36
Yeah, because we've talked in this series about things like healthcare wearables that are actually ... They gather and transmit quite a lot of personal information about us. How are you approaching that, Josh?
Josh Bahlman:
7:49
Personally, I use a wearable, as you can see. I think you just have to be wary about that, signing up to things. I think, you know, maybe gone are the days, but they're probably still around, about people clicking through and accepting all the privacy terms and conditions. I see, you know, since GDPR has come in in the EU, a lot of companies are really simplifying some of the language around it. If you look at the Spark privacy terms and conditions now, we've really tried to sort of frame them up so they're user readable, and they're short, and they make you understand exactly what data we're looking at and how we use it for maybe network assurance, et cetera. And then there's also options that you can opt out of that type of data too. So I think companies are really thinking about how to simplify the messaging because it is a really important thing for customers now.
Russell Brown:
8:33
And at the other end of the scale you've got things like the energy sector where IoT looks like a really good solution. But that's infrastructure. And the idea of power stations being taken out is kinda scary. I mean, Erica, you used to work at CERT which is the government security agency. I'm assuming they're looking at that stuff already.
Erica Anderson:
8:53
Yeah. So you know when I used to work at CERT, you know, their data and their information all relies on the amount of reports that come in from New Zealanders as well as sharing information from other countries like the EU and like the US. So it's definitely something that is on the radar for New Zealand Government but it's quite a hard problem to tackle. So I think, you know, whatever happens in New Zealand is probably going to be led by what other countries are planning on doing in terms of regulation and how they'll encourage companies and organisations to actually take security seriously but also be able to educate consumers to, you know, whether or not they should be trading off this convenience to use this new piece of technology.
Russell Brown:
9:33
Josh, what's the role of network operators like Spark here?
Josh Bahlman:
9:35
I think it's interesting. I mean, we're gonna of course be providing the mobile and the broadband connectivity and, you know, new 5G with extra capacity and speed to things that are going to want to connect up to it. So it's a real big problem for us to see how this is going to progress. You know, Gartner's talking about 20 billion devices, et cetera, exponential growth, and I'm sitting there going, "Ooh, well, how are we going to sort of handle the capacity and the threats on this network? And how are we going to sort of break it up so we can protect it better?" So we've got a big conversation that needs to play out over the next wee while as we're building our 5G capability, because I think that's really going to be when you're offering gig connections to the internet for a piece of really cheaply developed IoT device, there's a real huge risk around, you know, you put Mirai on that type of capacity, you've got a problem. Yeah.
Russell Brown:
10:29
I guess as a vendor of IoT solutions, you do have that choice: you can buy the better kit, the more secure kit, can't you?
Josh Bahlman:
10:35
I mean, our IoT services are only around, you know, building solutions for customers, and we have the ability to sort of architect that in a proper way as well as choose the devices that we're putting on our network. Those are the ones that I, as a security person, am not really worried about as much. It's really the ones that we don't have control of. So, you know, the parallel importing, people buying off, you know, cheap websites on the internet in massive quantities is the real issue that we're going to have. Yeah.
Russell Brown:
11:01
Are there IoT devices that we don't need to worry about because there's not much harm that can come? Yeah, I'm thinking of soil moisture sensors on farms, like, you know, I can't see how they could be harnessed into a botnet, or am I wrong?
Erica Anderson:
11:14
Yeah. So I think it comes down to, so there's two ways for a security risk to have an impact. It's either going to have an impact on yourself, because you're ... you yourself are going to lose that personal information or the data that that sensor is transmitting, or you're going to be used to attack others. So it's ... Although from a, from a point of view of thinking about a whole bunch of IoT equipment on a farm, perhaps losing that data about the actual farm itself, about you know the livestock and the soil it's not too bad, but you know, thinking back to Josh's point around the Mirai botnet, those are a whole bunch of new components that can be used to attack others. So I think really everything when it comes to IoT is quite important.
Russell Brown:
11:52
So what specifically are you doing about it, Josh? You as Spark?
Josh Bahlman:
11:58
Yeah. Well, I guess so, as we sort of, you know, we're architecting our 5G network, and what that means is we have a few ways to break up networks, to be able to sort of, I guess, stop them getting access via the internet, and there's a few ideas that we're kicking around, and one, in fact over lunch today, was around how we can use network slicing to isolate untrusted IoT vs. trusted IoT. So I mean, we're looking at building networks that will actually help facilitate untrusted IoT so we can actually protect the rest of the internet and our customers from getting attacked, yeah.
Russell Brown:
12:35
So, as I referred to, there's a responsibility role as a big vendor and the network operator.
Josh Bahlman:
12:42
I think it was like a telco good citizenship thing here that I think, yeah, we do feel responsible for, as well as trying to protect our customers' privacy if they are going to go and buy these, because we can't stop them in reality. So we need to help them protect themselves, absolutely.
Russell Brown:
12:55
The other thing where it seems like security could be an issue is telematics, IoT devices in cars. Maybe there's a privacy issue but there's certainly a security issue about the control of a vehicle being taken over. How realistic a fear is that?
Erica Anderson:
13:10
I mean, it's the same as a security risk. I mean, definitely when it comes to assessing the security risk of a Fitbit versus a car, you probably take a bit more precaution and do a bit more research about the car itself. But it's really kind of, you can break it down into the same components. You know, these cars have, you know, software in them that helps run and make a whole bunch of new fancy, new-fangled features, and you'd want to be concerned as to, "Okay, well, how is the firmware in my car actually gonna be updated?" You know, if there is a way for an attacker to gain access and control of, you know, my car itself, how can I be ... you know, how can I feel comfortable that it's going to be fixed? You know, how can I feel comfortable as to how people can actually access my car to make those patches? So it kind of comes down to the same things. But I would say when it comes to vehicles there's a lot more, I dunno, risk involved. So I would sincerely hope carmakers would be considering security before they're pushing out any type of vehicles, versus, you know, a fitness watchmaker probably doesn't have as many concerns.
Russell Brown:
14:19
I guess with general IoT security there are security standards for devices. Is something of that kind of emerging for IoT?
Erica Anderson:
14:28
Well, there's the regulation for sure, that's going to kind of encourage better development practices using IoT but in terms of standards itself it's ... it kind of follows along the same standards of how you build secure software. So, you know, making sure that you're thinking about how you're going to maintain it in the long run, how you're going to control access to it. It's the same way that you would manage a web application versus, you know, from wearing your watch. But it really kind of follows the same standards.
Russell Brown:
14:55
But I guess it's a lot bigger. There are already more IoT devices out there than there are us.
Erica Anderson:
15:00
Totally. Yeah, which gets quite tricky because, you know, something that IoT device makers need to consider is, "Okay, so how am I actually going to push out patches?" You know, for myself, you know, I've got a smart TV at home and it's really sad to consider how long it took me to actually apply updates to it. And I consider myself, like, quite computer-savvy. So I can't even imagine how, you know, my dad and mom probably feel if they're trying to do the same thing. But it's, like, you know, are you going to rely on your users to actually have to push out those updates versus are you going to do over-the-air or forced updates? But there's a whole bunch of different business impacts that organisations have to consider. You know, if they're pushing out an update it might cause a reboot. Well, you don't really want to reboot a very critical device while someone might be using it. So, you know, you need to kind of figure out how that's going to work for your users.
Russell Brown:
15:48
Now, didn't you decline to buy a heat pump recently because you ... it was actually internet-connected and you weren't happy with the security?
Erica Anderson:
15:57
Oh no. Totally. Yeah. Which is ... It's quite funny because, yeah, last week I was at one of those home idea centre workshops and listening to a seminar about heating and cooling, and the salesperson – I won't go into detail as to who it was – but they're going on and on about how, "Oh, you can turn on your heat pump while you're in your car headed home." And I was sitting in the audience and just googling the name and "security vulnerabilities" and I was like, "Ooh, there's actually quite a long list." And you know, the best way for people to assess whether or not a company is taking security seriously is literally just googling the name, googling "security" and seeing what comes up. People are very vocal on social media and on threads about, you know, "Hey, I reported this vulnerability or this issue. The vendor never responded. They never issued a patch. They go silent on the issue." And that just kind of proves that they're not taking security seriously. So it doesn't mean you have to trawl through code and, you know, look at technical diagrams. I think it's just a matter of what type of feeling, how comfortable are you when looking at the face of this company, and are they actually going to take security seriously.
Josh Bahlman:
17:04
I still don't think they necessarily understand it. A friend of mine bought a new gas heater ... yeah, a gas flame heater for his house, and y'know, he had the option of connecting it to his WiFi, so he did. And then he had a look at the box and found out that there was an admin portal. So he logged onto it with default credentials and then he sort of had a little look around the code and realised that he could turn all of the heating right up and then shut down all the valves, which would essentially overheat the thing in a few ... I don't know how long, but really causes some issues. And so he contacted the vendor and said, "Hey, there's some issues with your software that you're running on these heaters, you know, when you connect them to the WiFi. You might want to think about these things here that you may want to go away and fix." And the response was something that we've heard for decades really, which is, "Oh, no one would ever do that." So that type of mentality, when you're talking about these manufacturers, they're really just wanting Erica to be able to turn her heater on for when she's in the car going home on a cold Wellington day. They don't care. That's not something that's actually in their thought process.
Erica Anderson:
18:00
There's definitely only good people on the Internet. I promise you.
Josh Bahlman:
18:04
It's a great place.
Russell Brown:
18:05
This does sort of make me think of Barnaby Jack's infamous proof of concept on hacking a pacemaker via remote, and basically as a great way of assassinating older politicians.
Josh Bahlman:
18:17
Who was it, was it Rumsfeld who turned it off? Was it Donald Rumsfeld who turned off his pacemaker, and internet, correct me if I'm wrong, but I believe it was one of those guys that was actually reporting into Bush at the time, and a similar time around when Barnaby released that exploit, that went and actually turned the functionality off on their pacemakers because they actually saw it as a real threat. So yeah, I think that's the thing. I mean, that's not necessarily connected to the internet, but who's not to say that your pacemaker can't connect to your app sometime soon and therefore ... So in healthcare it's going to be massively important how they're connecting this stuff, because there's so much extra cool functionality you'll be able to do inside of healthcare, but how you do it is a real ... It's gonna be a real issue for them. Yeah.
Russell Brown:
19:01
It sounds like that's actually going to become part of the consumer choice as well. I mean you guys are security experts. How, how do we mere mortal consumers assess this stuff?
Erica Anderson:
19:10
Yeah. So when it comes to, I guess, you know, people not like Josh and I, when it comes to assessing these things, you know, just taking a look online, and when you're coming into these issues and you find things that don't quite look right, and you're reporting them to the vendor, if they're not listening to you then you're taking it to the consumers. The Commerce Commission ... Yeah. So taking your complaint to the Commerce Commission and reporting them through. You know, if you're a more technically savvy person, you know, plug for CERT NZ, but they've got a vulnerability disclosure program. You know, you can report these vulnerabilities and then they can help you actually get them patched. And then lastly, you know, as Josh pointed out and as you pointed out, I mean, eventually sometimes these vulnerabilities go public. You know, researchers kind of point out the fact that we've tried to connect with you, we've tried to help you get this fixed, this is going to cause harm. Well, so sometimes the only way to do that is by naming and shaming, publishing research, publishing findings.
Russell Brown:
20:07
Is there a rule of thumb about what to do about what device to buy and whether to plug it in?
Josh Bahlman:
20:12
Yeah, sure. I mean, for me it comes down to, "Hey, Josh, do you want to connect your fridge to the internet?" And the answer is, "No, I'm good. I don't need to do that." And it's sort of like a semi self-assessment on a creep factor that you can probably apply to life. "Does that need to be connected to the internet?" And really ask yourself, "Do I need that functionality in my life? Do I want that functionality in my life?"
Erica Anderson:
20:33
Yeah. And it kind of comes down to don't feel obligated to kind of trade off your data and your information just for that convenience. You know, just because your fridge might be able to scan all your contents and tell you when you're low on milk, like, you know, do you really need that convenience of trading off now it's got a microphone in your kitchen.
Josh Bahlman:
20:48
Don't be so lazy.
Russell Brown:
20:50
You pay $2000 more for that convenience.
Josh Bahlman:
20:53
Yeah, yeah.
Erica Anderson:
20:54
But it also, it kind of comes down to the concept of threat models as well. So, you know, my threat model of being an infosec professional and dealing with a whole bunch of clients and confidential information is completely different from your own, Russell, which is, you know, a journalist who probably has quite a bit of private information that's unpublished. I mean, it kind of just comes down to, how do you want to secure yourself. So, you know, I have certain things in my life that I ... I want the convenience. So yeah, I have a Google Home in my kitchen and I use it to set kitchen timers because I'm lazy. But at the same time, you know, I know that there is essentially a microphone in my kitchen, so perhaps I'm not taking client calls, you know, in my lounge. So it all kind of comes down to what you're comfortable with, but, yeah, usually it comes down to: do I want this information out on the internet for anyone to access, and do I want this as, like, a tool for someone else to beat someone else up with?
Josh Bahlman:
21:44
Yeah, I guess the one thing that I've got in my house right now is I've got Arlo, which is ... It's a video camera setup that I can connect to an app, et cetera. But I sort of thought about it and gone, "Well, what's really the harm here I'm looking at? Is any of those cameras in a place that I don't really care, you know, I really care about from a privacy perspective?" And it's like, if Arlo or the manufacturer got really badly compromised, I'd probably be able to figure it out within a couple of days because of how crazy the media would go on it, given it's a big reputable brand. So you just have to factor in the use that you're getting out of it versus some of the risk. There's always going to be risk there, but, you know, how ... Can you tolerate that risk?
Russell Brown:
22:21
Well, that's vaguely reassuring, given that you're both professional paranoids. Is there anything else reassuring we can say?
Josh Bahlman:
22:30
You think we're the bearer of good news? That's not our job.
Erica Anderson:
22:34
I think, not to be super negative, but I think as technology develops and as the new regulation comes out and as stuff changes, I think IoT will be a bit more of a welcoming area. But right now there's just lots of manufacturers that are just trying to pump out products, they're not thinking too much about security. And I think right now it's quite risky. But in two, three, four years' time it could probably be a lot better with a bunch of these support mechanisms, maybe.
Josh Bahlman:
23:07
Yeah, I think, you know, definitely growing. People are really focussed around momentum on growing IoT. But I do think there is the pressure there from other parts of the industry, whether it's telco, whether it's governments, whether it's people buying them. There is pressure there for these products to actually be reasonably good. So, you know, I've got faith in people that it will come right and that we will be able to sort of at least do the right things to protect, say, from a telco view, from Spark, to protect our customers. And, you know, if they're gonna go buy cheap, shoddy stuff, we'll try and work out how we can protect them the best we can.
Russell Brown:
23:39
I really appreciate the effort to be reassuring there, Josh, thank you. Thank you, Erica.
Russell Brown:
23:45
Independent security consultant Erica Anderson and Head of Spark Security Josh Bahlman. If you'd like to know more about IoT security, you can email iot@spark.co.nz and if you want to know more about the Internet of Things in general, check out spark.co.nz/iot. If you liked this podcast you may want to check out my other podcast, "Actually Interesting" which is all about AI or artificial intelligence and it's sponsored by Microsoft. You can find that in the Future section of the Spinoff website or by searching your chosen pod platform. Thanks to today's guests, to Cooper Studios, to Gareth Thomas for our theme music, to Spark for making it all possible and to you for joining us. We'll have another episode of "The Internet of Awesome Things" for you soon and we'll still have 20 billion things to talk about.