The Device Chronicle interviews Ted Harrington, a world-famous cybersecurity expert and author of Hackable, who gives us a summary overview of the complex issues involved in IoT and security. Ted is one of the founders of IoT Village – a major cybersecurity and security hacking event – and a three-time DEF CON Black Badge winner.
Ted begins by elaborating on the serious threats right now to IoT devices running on enterprise networks and raises two questions. One, when it comes to IoT and security, what are the possible catastrophic outcomes? That’s maybe one way to think about it. Two, what are the attacks the makers of IoT devices should be concerned with?
For Ted, the first question is really interesting because he believes that it’s something many people misunderstand or they don’t think about in the right frame. They think about IoT as almost whimsical, a fun thing. Light bulbs that can change colour based on the way they set them up through an app. They don’t necessarily think about the fact that anything that has an embedded computing module in it or uses any sort of computational power is in fact “IoT”. “IoT” then includes automotive, medical devices, airplanes, trains, you know, transportation.
The most significant impact from a lack of IoT cybersecurity that people should be thinking about is safety. For instance, a malicious user could manipulate a connected medical device. Ted says “Ask the question: How could that harm a patient? It’s not about the compromise of the device or even the compromise of the data. It’s about the real world impact of compromising that device and compromising that data. And I think by focusing through this lens that really helps put it into an extreme perspective, which I admit is an extreme perspective. Like, how could someone get hurt?”
Ted believes that the biggest threats are to systems that are real world entities that are connected now. These are the ones which should be invested in properly for security. Ted was asked for tangible examples of where human life has been taken or someone was seriously injured because IoT infrastructure was compromised in some way. He says, “Yes, it has definitely happened. But no, there’s not a specific IoT exploit that we can point to, and that’s the distinction I’m drawing. There’s no diagnostic coding for cyber attack. We see it happening with ransomware in hospitals right now. There was a case in Germany where the hospital was suffering ransomware attacks, so they couldn’t service incoming trauma patients. And a patient arrived at the emergency room in need of care. They couldn’t serve the patient. The ambulance has to go on to the next hospital. And so, there’s a direct correlation between the real world impact of a cyber attack on human life.”
Ted also points to one of the big problems with IoT devices – many are small with very low computational power. This combination of low computational power and small footprint means that there just physically isn’t enough space for them to have what is needed in order to have security capabilities. Ted continues “Now that actually is probably an excuse that a lot of device manufacturers hide behind. So, ‘we can’t put security in,’ but secretly they just don’t want to put security in. They don’t want to pay for it.” But nevertheless, that is a practical limitation. This means that for some of the smaller or less expensive devices, authentication and authorization is sometimes omitted or is very easy to defeat. In some cases they are built with hard-coded credentials that are essentially public information: you can simply search in Google for the default password for the device. A lot of these devices are also inherently set to trust other devices on the same network. So once one of those devices is compromised, it can pivot access to other devices on the same network. One of the practical issues that a lot of companies face is that they know that segmentation is important. They know they need to put critical systems in one network segment and systems that could be compromised without serious consequence in another segment, but it just doesn’t happen, because usually there is an expense and effort involved. There is also a lack of understanding of how attackers might actually go about attacking these things.
Ted provides a case study example of a real risk from IoT and security. Take kiosks in hospitals in the United States where you can check in for your appointment rather than checking in with a receptionist. They work like an ATM: you push a button, say your name, and it tells you that you are checked in for your appointment. This is a connected device with a public vantage point. Anyone can walk into the hospital and start interacting with this device. Anyone can walk up to this device and take it out of what’s called kiosk mode. Kiosk mode essentially limits the capability of the device to its intended purpose. Ted says “You are able to interact with the software because you’re a patient but they don’t want you to really do anything else. But if you take it out of kiosk mode, you’re operating with the operating system and interacting with the device at the admin level. You are then able to pivot to other systems on the same subnet on the same network. And it turns out, this publicly accessible device was on the same segment as some of the life critical systems including things like the blood working system. And so from there in the lobby of a hospital, an able hacker would have been able to access the blood working system and from there, they could manipulate the blood work information. If you change someone’s blood type and then the physician administers the wrong blood type, that could be fatal to the patient.”
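The two failure modes above (a publicly reachable device sharing a segment with safety-critical systems, and devices left on vendor default credentials) can be checked against an asset inventory before an attacker finds them. The following is an added example, not code from the interview or from Ted’s organisation; the device names, IP ranges and inventory flags are all constructed.

```python
"""Segmentation and default-credential policy check over a device inventory.

Added example (not from the interview). It flags two things Ted describes:
a device anyone can touch ("public" exposure) that sits on the same network
segment as a safety-critical system, and a device whose inventory record
says it still runs the vendor default password. All data is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    exposure: str        # "public" (anyone can walk up), "staff", "restricted"
    criticality: str     # "safety" (could harm a patient), "business", "low"
    default_creds: bool  # inventory flag: still on the vendor default password


# Constructed, hypothetical hospital segments (not a real addressing plan).
SEGMENTS = {
    "lobby": ip_network("10.10.0.0/24"),
    "clinical": ip_network("10.20.0.0/24"),
}


def segment_of(dev: Device) -> str:
    """Map a device to its segment name, or "unknown" if it fits no range."""
    addr = ip_address(dev.ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), "unknown")


def find_violations(devices):
    """Return (kind, device, segment, detail) tuples for every policy breach."""
    findings, by_segment = [], {}
    for d in devices:
        by_segment.setdefault(segment_of(d), []).append(d)
    for seg, devs in by_segment.items():
        public = [d for d in devs if d.exposure == "public"]
        safety = [d for d in devs if d.criticality == "safety"]
        # A public device must never share a segment with a safety system.
        for p in public:
            for s in safety:
                if p is not s:
                    findings.append(("shared-segment", p.name, seg, s.name))
    for d in devices:
        if d.default_creds:
            findings.append(("default-credentials", d.name, segment_of(d), ""))
    return findings


INVENTORY = [  # constructed sample: the kiosk was placed on the clinical VLAN
    Device("checkin-kiosk-1", "10.20.0.15", "public", "low", False),
    Device("bloodwork-lims", "10.20.0.40", "restricted", "safety", False),
    Device("lobby-signage", "10.10.0.7", "public", "low", True),
    Device("infusion-pump-3", "10.20.0.55", "staff", "safety", False),
]

if __name__ == "__main__":
    for finding in find_violations(INVENTORY):
        print(finding)
```

Run against the sample inventory it reports the kiosk twice (once per safety system it can reach) and the signage screen once for default credentials, which is exactly the kind of output a segmentation review should produce before go-live.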
Ted then talks about responsibility for IoT and security in a large organisation. Ted says that in healthcare in particular, there is “a little bit of a nuance.” It’s a shared responsibility model. So the hospital itself is responsible for ensuring that the network segmentation is set up properly and that there is a secure way for medical devices to be deployed. On the other hand, the medical device makers also have responsibility. They have to ensure that they provide a secure device to the hospital. This is unique to healthcare and that introduces a unique problem where both those sides can wind up blaming each other rather than collaborating.
Ted also explains IoT security responsibility in other types of enterprise organisations: there, the enterprise itself is usually responsible, even when it is working with third parties. “In regards to who is the individual who is responsible for the security policy at each company, that might shift a little bit in terms of how high on their list of priority security is.” Ted points out that the person ultimately responsible is the CEO, and that’s something that’s often overlooked. Most CEOs come out of finance, sales or operations. It’s not that common for them to come from technology. So, most likely the CEO is not going to be a technical person, but cyber security is still their responsibility. As you go down the organisational levels, the responsibility for security gets closer and closer to that person’s core job. The CEO’s job is to ensure the financial success of the company, and security is a piece of that. In some companies it’s the CTO, in some the CIO, and in some it’s even down to the VP of engineering. One thing that’s really common across all companies, of all sizes, all industries and all geographic locations, is that the person who’s responsible for IoT security, OT security or IT security usually does not have that as their whole job. It’s usually an important piece of their job, but they have competing priorities, and that is a really complex situation for any human to be in.
Ted covers the things that are hard to get right with IoT device security. “A lot of people’s understanding stops at the idea of a compromised device. Who cares if someone attacks my light bulb? Well, you might care if they attack all the light bulbs in a geographic region and create a botnet out of them, and then turn that computational power against a single victim. And people often don’t think about that.” This for Ted is one of the hardest things to understand: how does the attacker think about connected devices? Ted also says that the second thing is that it is hard to make an effective business case for security. “You’ve got to convince the CEO and the board. Whoever it is in the organization that ultimately signs off on making sure that there’s the appropriate budget and the appropriate head count is available so that security is appropriately prioritized. That’s a remarkably difficult thing to do in most companies. It is critical and is the definition of succeeding or not.” The third thing Ted mentions is, from the technical standpoint, how you can better understand and anticipate how an attacker might operate. How do you actually find those exploitable vulnerabilities and how do you fix them? Almost all organizations struggle when they try to solve this through automation alone. They run some tools and then think they’re secure, but unfortunately security doesn’t work that way. The organisation needs to analyse sophisticated attack scenarios in order to find exploitable vulnerabilities and then correct them.
To conclude, we asked Ted for his thoughts on OTA software updates and IoT device security. He responded “It goes without saying that updating the software is how we evolve and adapt and keep things secure over time. It’s also an area that many organizations struggle with. They just don’t feel like doing it or have fears that it will break configurations when they update software on devices. The over-the-air component is really interesting because one of the limitations that IoT devices in particular introduce is the fact that once it’s deployed, the ability to update it is sometimes cumbersome. Sometimes people just forget about the importance of this process and there’s also a manual component of going to touch it or whatever. So, the idea of making the update process easier, which is my understanding of the whole ethos of OT updates, is inherently a good thing. IoT devices can quickly become legacy.”
He concludes by providing the example of centrally controlled and automatic door locks in hotels. When they are installed, they have a life cycle of 15 years on average. They are installed with present performance and cost management in mind, but rarely is the software system that will secure the locks 15 years out thought about. Everyone staying in a hotel can imagine how poor a 15-year-old piece of software might be at performing its function if it wasn’t designed to receive updates in the first place.
Ted has written a book on how to do application security properly entitled Hackable – How to do Application Security Right. Learn more about the book here.