Tim: So Mark, we're here in Austin at the BSides Security Conference, and you gave a talk today and you want to help people who work here in Austin to have a little idea about security with the Internet of Things. So first of all, as a term, what does the Internet of Things mean, and what are some significant aspects of it?
Mark: Sure. So Internet of Things really comes down to mostly Internet-enabled embedded devices; that's kind of the easiest box to put it in. So a lot of the devices like IP cameras, thermostats, they are internet-enabled. Those kinds of devices that we're all putting on our networks right now, we consider that the Internet of Things.
Tim: Okay. Now pervasiveness is one aspect of the Internet of Things; why is that significant?
Mark: Well, if we had one internet-enabled device, maybe a computer in our home, that's not such a big deal, but when we have 5 or 10 or 12 of these devices that we're putting on our network, maybe in a couple of weeks, you have a lot of devices to update, you have a lot of firmware to consider, you have a lot of possible attack surface that maybe you didn't have even a month ago.
Tim: And when you say attack surface, what are some examples of attack surfaces that this sort of ubiquitous computing brings in?
Mark: Sure. So a lot of the devices themselves have open ports that might be on the Internet if you don't have perhaps the right network filtering. Some of these devices have network connections that will go outbound to the Internet and then allow maybe an attacker to go through a third-party service, connect back into your network. So there's just a lot of added exposure to your network that wouldn't have been there previously without these devices.
Tim: Now, you are a security researcher, but you're obviously not a malicious black hat hacker who is trying to break people's networks and kill devices for your own pure greed or anything like that. You mentioned in your talk you believe in coordinated disclosure; what does that process mean for you in this context?
Mark: Yeah. So really I think giving vendors an opportunity to fix the issues in their devices really benefits not only the vendors, in terms of goodwill to the security community, knowing that researchers are out there to help them and do cool projects and find out interesting things, but also gives consumers a chance to have a patched device before details maybe come out that could impact their security, safety, privacy.
Tim: Now is that complicated by the fact that in this world there are a lot of things that are going to be coming from vendors that we haven't heard of now, but we will hear about in 6 or 12 months? Kickstarter is one of the things you mentioned; a lot of cool projects are coming out of there. Does that change the equation when it comes to disclosure?
Mark: It does. There's a really wide path of vendors that we have to talk to now, where before it was Microsoft and Samsung and Belkin; that's a few companies that you have to get familiar with, talk to once, get exposure to them, so they know who you are. We have a lot of vendors. If you look at the website Postscapes, or Wolfram Alpha actually has a devices page now for Internet of Things, there are a lot of devices out there and for almost all the devices you've never heard of the vendor making them.
Tim: Now on that front too there are complications simply from sheer numbers. What are some examples, what sort of things do we already see and what should we expect really coming from crowdfunding, from small-cap companies? What are some examples here?
Mark: Sure. So I think a lot of the systems on chips that we're seeing that are actually going into Internet of Things devices, a lot of companies are coming up; take an Arduino or Raspberry Pi, very cool chipsets, very easy to deploy and build on. We're seeing smaller and smaller scales of those, which actually enable engineers to put those into small little shells. We are obviously kind of at this early part of 3D printing. So your ability to manufacture an entire device for a couple of bucks is becoming a reality, and obviously if you have a really niche product that might be really popular on Kickstarter, you could actually deploy tens of thousands of those with a successful crowdfunding campaign and never really know about the actual security of that product before it goes to market.
Tim: Now in the talk that you gave today, you mentioned some rules that you'd like to see developers follow, some sort of tips. What are some of the most important of these? If you are a developer nowadays, you really have a lot of security things to think about, if you're making a device that's going to control a thermostat or that might access a bank account because you are swiping a credit card through it. What are some of the rules that developers should keep in mind for security?
Mark: Yeah, even to the extent that we've seen, I believe Samsung actually has an oven that's mobile-enabled so that you can change the temperature, and so it's not just turning a light switch on and off as a threat; we actually have a lot of devices that could pose actual risk to either privacy or life. So simple things like not embedding secret values into firmware or passwords into a mobile app binary that you put into the app store: really basic ways of getting a product to market that are kind of a shortcut to doing things the right way is one of the biggest areas that people fall over when it comes to security.
Another thing is people just still don't use encryption enough; they don't do end-to-end encryption, whether it's from your device to a server that they own, but also just encrypting passwords that you might be giving them on the other side of their service. So a lot of this we've seen year after year... if you're doing web or mobile best practices, ISO standards, this isn't anything new, but the reality is that we're putting a lot of devices online without understanding them nearly as well as we should. When we build a piece of software deployed on a Windows machine, all you have to worry about is the software; now we have to worry about the firmware, the operating system, the architecture of the chipset, we have to worry about the third-party vendors. There are a lot more ways that an attacker could actually break into one of those devices and potentially compromise them and do bad things. There's a lot more at stake as well, again getting back to ovens that are on the Internet. A lot worse things can happen, and if we talk about security theatre, at the point that you could turn on an oven, a broiler, all day for weeks on end when someone is gone, that could be a really serious consequence for someone.
Tim: One of the things you mentioned today is that instead of being 1 or 5 or 10 devices, too, we may have 30 or 50 things around your household.
Mark: Absolutely. I mean the number of devices that you carry in your pocket that are WiFi-enabled, the number of devices that are meant to have a third-party service that they connect out through, a phone home if you will, this isn't going to be one or two or three things; you might have 10 things per person in a family of five. That's a lot of devices connected to the internet, whether it's a proxy or reverse proxy, or an open port on the internet directly. There are a lot of things that we have to be cognizant about that are going to be on our networks, that we aren't going to know exactly what they're doing; they're a little bit of black boxes, and what does that mean to our kind of risk profile as consumers or even businesses?
Tim: A lot of weakest-link things too; if they have reverse proxies you may be exposing every other device in your network.
Tim: Just because one thing is broken.
Mark: Breaking into one service, if they have access directly into your network to actually manage one of those devices or give you access to manage it yourself with, say, a mobile app, the difference between you managing a device the right way and an attacker breaking in through that proxy and then connecting through other network devices isn't much of a leap.
Tim: Now you did some research that exposed some holes in IZON cameras. That doesn't seem like the very worst thing that could happen. What are the biggest dangers if you can control, let's say, all the devices that are going to be in your house, 2 or 5 or?
Mark: So, I think a lot of it is going to be the kind of accidental exposure. So, for instance, with the IZON camera, it was just running Linux. So you break into a Linux device over the internet and now you have access to all of the computers on that network, so all the computers that actually have your tax files, your personal information, your password lists. So perhaps it's more of a jump-point type scenario, where maybe the device, like, obviously compromising a camera and watching someone isn't the most – it's a little bit disconcerting for any consumer, but it's also not the end of the world in most cases.
Tim: It's not immediately life-threatening?
Mark: Sure. Whereas if I can break into your network and then use that camera as a point to compromise all of your other systems, and now have access to all your bank accounts and all your personal documents and all of your photos, that can really change and put a consumer in a position where, like we see with CryptoLocker, where an attacker breaks in, takes your files, encrypts them in a way that you can't decrypt them and then ransoms them, we could see similar things happen with the Internet of Things where I can break in through an IP camera, get into your network, steal all your data and then not give it back unless there's a ransom. There are a lot of really cascading problems here.
Tim: One of the reasons that you gave a talk is because you actually have some ideas that aren't just leaving people with the end-of-the-world scenario; you actually have some ideas for fixing some of this. Can you talk a little bit about that?
Mark: Sure. So, out of security research projects over the last couple of years, myself and my co-researcher in a lot of ways, Zachlin here, are looking at doing a website called Build it Securely, so that's builditsecure.oi, and then we're actually going to be having more details about that this coming April. And what we're really trying to do is two things. Primarily, it is to give resources to vendors that want to do IoT devices, so that they're aware of security risks, the right way to work with security researchers, some of the things that might affect their device as an engineer or a product manager or a developer, and give them a little bit better of a sense of what happens when a security researcher reaches out to them with some problems and how best to approach those issues.
The second thing is, we're actually partnering with a service called Bugcrowd, and we're going to be setting up vendors in the IoT space, small commercial, Kickstarted, angel-invested type small companies that don't have the money to actually invest in their own security, don't have the money to pay for a consultant to review how they did their information security program, and actually let them go directly with security researchers and have researchers look at devices, send bugs in, triage them and then actually get results back from the vendor directly and say, hey, thanks for submitting these bugs, here is a t-shirt for the time you spent looking at our device, we appreciate you doing it.
Tim: Now, besides money, are there other barriers that small companies or new, nascent companies have when it comes to this kind of review?
Mark: Well, especially in the IoT space, with the ease that we really have right now with creating a device from a $20 chipset and a shell from a 3D printer, anyone can really be an IoT manufacturer right now, which is great and terrifying at the same time. We've obviously seen security for companies, companies like Linksys and Cisco; they've had some of the same kind of amateur errors, if you will, over the years for some of their devices, and I think it's a fair assumption that a lot of these engineers may know electrical engineering really well, but may not know information security best practices, TCP security, password security, and what we really need to do is try to help them get down that road with us, so that when a researcher does reach out, it's a good experience, not a bad one. So what we really need to do is formalize that a little bit more, and I think using Bugcrowd as a kind of a mechanism to do that will give them a shot.
Tim: Let me ask you one more question: how often and where should developers use Telnet when developing an interface?
Mark: If we kind of do a little bit of a time warp, 1990 would have been an okay time. Telnet, however, even though we see this on devices still today, IZON being an example, Telnet should never be used as any kind of remote access mechanism for any of these IoT devices, and especially in the IZON case not to upgrade firmware. So, there are a lot of best practices, and again, a lot of these people that are manufacturing products, they have the best of intentions; they're not malicious, they're not dumb, they just don't know the nuances of security.
And so, I think Build it Securely will be a bridge across that gap of a lack of knowledge, but also give them a vehicle to work with researchers in a creative way, and a way that actually lets us kind of endear ourselves to vendors rather than kind of make it a bad experience where they might feel either challenged or they might feel like we're calling them out. We want to make it about the research, about the expertise that we can lend to a situation, because we do this because we're passionate, not necessarily because we want to make a lot of money, and we want to show vendors that we are here to help them and not just hurt them.
Tim: And we don't know now what will be as obvious as Telnet is now, because there are things that will break.
Mark: Sure. There are always going to be things that are going to break. There's always going to be – we saw the UPnP flaw a couple of years ago that affected a ton of internet-enabled devices. You can't always forecast those things, but there are a lot of best practices that we can do right now that we know are good ideas or bad ideas. And if we can point people in the right direction, I think that they're going to pick up on it, and if we start helping the little companies where we can talk directly to the founders rather than having to go up a chain of command 12 deep, I think we can make a lot of impact and actually help people that are coming to market for the first time and have a lot of energy and passion for what they're doing. And if we can really bring security to that mechanism as well, we're going to have products that we want to buy on Kickstarter; we want to have them be secure, we don't want to waste our money, so why not help them get out the door in the most secure way possible.