Author: Bob Baxley

What’s lurking in your corporate airspace? — Bastille


Seeing high-profile research announcements in the weeks leading up to the infamous Black Hat and DefCon conferences is common. This year, our research team was getting pretty excited about ProxyHam, that is, until it was mysteriously pulled from the DefCon line-up. The device claimed to be able to use a 900 megahertz radio link to give anonymous access to a Wi-Fi network from 2 miles away. In plainer language, a person could conduct illicit business over the Internet from his home but appear as if he were sitting in a Starbucks down the street. Ultimately, ProxyHam would make a user impossible to identify and track. But, in true hacker style, the presenter dropped the demonstration without explanation. It’s a bit odd that the paper was even accepted, since ProxyHam is more a combination of commercial off-the-shelf products than the custom hardware/software usually on display at DefCon.

With ProxyHam’s sudden disappearance a couple weeks behind us, researcher Samy Kamkar decided to revive the project and give ProxyHam a bit of an update. Kamkar released his version, called ProxyGambit, online just weeks before the Vegas conference season kicks off. For $238, anyone can build the location concealing device and Samy’s version extends the reach of anonymity to 10 kilometers, with an option to add a 2G GSM component that – in theory – allows you to access the ProxyGambit from anywhere in the world. Kamkar cautions that this is a proof of concept, but that didn’t stop our research team from using the plans to build one of their own. Of course (here comes the trite plug for our research team), you’ll have to wait until DefCon’s IoT Village to see what we do with it.

The intent of ProxyGambit seems to be increasing privacy, but attackers can repurpose the technology for nefarious use; it is possible to exfiltrate data from a corporate network over ProxyGambit’s 900 MHz or GSM channels, and this would go completely undetected by traditional IT security infrastructure. In much the same way a freedom fighter could plant a ProxyGambit in a coffee shop and get increased geolocational privacy, an attacker could leave behind a ProxyGambit-style device to gain access to enterprise Wi-Fi or wired networks. Couple this with the original intent of keeping anonymity on the Internet and you have just created the perfect crime – limitless distance from the intrusion point.

Thankfully, it would appear that the research community is starting to catch on to the increasing threat of low-tech attacks being used to target high-value environments. Just yesterday, Wired ran a follow-up story on Israeli researchers who claim to be able to breach an air-gapped machine using RF. They have upped their game since I wrote a blog on their original research. Instead of needing a smartphone to read video card transmissions, they’ve been able to accomplish the same attack with a dumb phone using a 2G network. It won’t dump massive data like the Sony breach, but it could intercept passwords that could be used to access sensitive data environments. And none of this would sound a single alarm.

The point of all of this is to illustrate that the level of cyber threats is increasing. Critical infrastructure and corporate networks will become softer targets as their environments get more porous with the addition of IoT. As long as there is money to be made in cyber crime, hackers will develop new exploits and new vectors to gain access to what they want. For now, the good guys seem to be staying one step ahead, but as IoT continues to connect our everyday lives to the Internet, these connections have the potential to bring in the bad guys and they will gain access through means that won’t always be detectable.

I’m looking forward to this year’s Vegas run. I hope you’ll check out what we’re doing at DefCon’s IoT Village – if nothing else we’ll get to see if ProxyGambit lives up to the hype.

Is your wearable selling you out? Data Privacy in an IoT World — Bastille

Big Data. Cloud Computing. The Quantified Self. The Internet of Things. These things are not just marketing buzzwords, they are concepts that are fueling today’s IT ecosystem. And the one thing that they all have in common is the consumption and analysis of large quantities of data for better decision making. Whether you’re looking at consumer or business markets, one thing is certain, we want to know more about what we do and when we do it. The sensor industry is changing business landscapes and adding efficiencies and improvements to automation. The wearables market is allowing everyday people to examine their daily activities through constant data accumulation served up as digestible intelligence on phone apps. With all this data being aggregated, how much of it is being used outside of its originally intended purpose? Are we – the users, consumers and businesses – for sale? And if we are, would we knowingly put ourselves out there as much as we do?

Employers are turning to wearables as part of their corporate wellness programs. These small devices are being leveraged to incentivize employees into a healthier lifestyle. On the surface, the increased steps, better sleeping habits and friendly competition all seem like a win-win for both company and employees, but there could be a hidden danger in the massive data dragnet. For instance, many wearable companies have openly admitted to sending data – anonymized – to third parties for a variety of reasons. Privacy policies rarely call these cloaked third parties by name, though many will define the purposes for sharing your data. These are similarly vague, citing things such as product improvements or customer experience enhancements. Regardless of the purpose, you can rest assured (consult your wearable for your actual sleep metrics), that your private health data is making the rounds on the Internet.

With this said, let’s explore some questions that I have surrounding this data traffic:

  1. Who owns the data? This is data about YOU. Is it yours, or does it belong to the device manufacturer? While some devices allow you a choice in your sharing policies, many, if not most, come with maximum sharing as the default setting. Likewise, terms like “third party” are vague enough to encompass just about anyone, including data brokers and companies looking to better target products to your activities.

  2. Who is responsible for securing the data? Encryption and de-attribution are important, at rest and in motion. How is it being sent to third parties? Are those third parties then able to store it or send it elsewhere, and are they doing so safely? What about apps that consumers elect to use with their wearables? Again, this is your personal health data, and while many makers state that they disassociate personal information from the data, will we really know until there is a breach? After all, I’m sure the Feds thought OPM was taking great care of their social security numbers, which we now know were being housed unencrypted.

  3. Will you be on the side of profit or punishment? These wearables will give insight into daily activities that can be used to adjust the costs – for consumers and businesses – on things like medical and car insurance. If you’re donning a wearable for your corporate wellness program, don’t call in sick and then hit the ski slopes or you could find yourself in trouble come Monday.

These questions just scratch the surface of data security. As IoT devices become more ubiquitous, our thirst for data and insights will only increase. And, as recent news has proven, the underground market for stolen data has an insatiable appetite. I suppose time will tell as to who will be picking up the tab.

Will the IoT Mean the End of Defense in Depth Cyber Security? — Bastille

Searching for a cure for insomnia, I spent the weekend combing through the 162-page report released last week from RAND Corporation, the independent research organization best known for its influence on policy. The report, titled “The Defender’s Dilemma: Charting a Course Toward Cybersecurity,” was fraught with fear and warnings about the impending attacks that will target companies around the world over the next decade. Citing grey and black markets for cyber criminals, it predicts that basement hackers and nation states will operate a $2 trillion enterprise by 2020. As part of the report, RAND also released what it called a heuristic cybersecurity model to help organizations brace for the financial impact of combatting the future of online threats.

However, there’s a problem with the model. It’s still the same design that focuses on preventing cyberattack, when it’s been proven – OPM anyone? – that cyber criminals are going to get in. With the loss of, well, everyone’s SF86, OPM is clearly out of business. Defense and intelligence leaders, already suffering the worst intelligence failure in history, will no longer trust OPM to store records on their employees. At OPM, Einstein, the government’s network monitoring and IDS/IPS system, was supposed to secure the country’s most sensitive data and cost $3B of taxpayer money to build. But this article is a great look at why even the best-intended government projects usually fall victim to bureaucracy. OPM didn’t even have a Security Chief until 2013, when the agency hired Jeff Wagoner. Even he had this to say:

“Layers of ‘walls’ to let good guys in and keep bad ones out hasn’t worked very well…When you start tracing a user, any user, through the network as if they were the bad guy, it becomes incredibly real and scary when they realize they don’t always know what the user is doing…Can agencies effectively say they know the data within each application, each function and how they tie together?”

We’ll look at RAND’s model a little closer in a minute. Overall, the report was definitely a worthy read that had plenty of beancounters participating in the final analysis. They note that the sophistication of cyber attacks is increasing as is the breeding ground for hackers to get a foothold into corporate environments. For the purpose of this blog, I wanted to focus on the IoT components of the report, which were as vast as they were uncertain. The RAND report discusses connected devices and BYOD at length, explaining that both of these new technology trends will rapidly expand the attack surface for all organizations and that companies of every size should prepare for the financial impacts of this new frontier in computing. That said, to double down on simply thwarting breaches is futile. RAND seems to keep the focus on building walls instead of knocking them down in favor of real time visibility into network environments.

The report does acknowledge the newer defense postures such as behavioral analysis and even the use of honeypots in more offensive efforts, but they seem to fall back to the defense-in-depth stance throughout the report. Alluding to labor intensive alert monitoring, the report seemed to ignore the need for more visibility (I only found the word ‘visibility’ twice in 162 pages), but that’s exactly what is needed. Home Depot, Target, JP Morgan, what do all of these have in common? They were infected by malware that sat there quietly for months before they were discovered because no one was looking for it. As devices and protocols penetrate every corner of the Enterprise, there is no way to know how they will interact with traditional security or if their presence will even be known to network teams. Fortifying walls and leaving the door unlocked is not a strategy.

To illustrate the vulnerabilities in IoT devices, RAND looked at two notable hacks that have taken place in the last couple of years. The first of these is a Z-Wave attack which debuted at Black Hat 2013. In it, malicious actors were able to command and control smart home systems, in essence giving hackers complete control of connected environments that leverage the Z-Wave protocol. The second illustration was a smart lightbulb allowing access to Wi-Fi passwords. While these were quickly fixed, RAND used these examples to demonstrate the emerging exploits resulting from the rapid – and insecure – growth of the Internet of Things. Proprietary protocols and poorly tested products, according to the report, will only intensify hackers’ desire to leverage them as a way into the corporate network.

The study interviewed 18 Enterprise CISOs, and all agreed – they are uncertain as to what really works at thwarting attacks on the network, but acknowledge that it will take a multilayered approach to stay safe. When weighing the amounts spent on security, RAND noticed that spending wasn’t necessarily proportionate to the value of the assets being protected. The number one reason given for more cybersecurity investment was not to keep information safe, but rather to protect reputation. The desire to save face comes amid embarrassing retail and financial breaches in 2014 that damaged stakeholder confidence and heightened public awareness of cyber-related issues. But I’d have to disagree again, Think Tankers. Cyber security, especially in today’s increasingly connected world, is existential. Losing data is bad. Losing customers is bad. But when you start to introduce sensors into the mix, you could begin losing much more valuable assets that could directly impact business operations or public safety. To get more into the numbers:

RAND explored the cost of security in the following categories:

  • losses from cyberattack

  • direct costs of training users

  • direct cost of buying and using tools

  • indirect costs associated with restrictions on the ingestion of BYOD/smart devices

  • indirect costs of air-gapping particularly sensitive subnetworks.

The outcome? A predicted 38% increase in cyber security costs over the next decade. The biggest impact would result not from the cost of a breach, but rather the cost of the people, policies and products that will be necessary to address emerging challenges. RAND refers to these as “instruments”; tools, training, BYOD/smart device restrictions, and air-gapping reigned as the most effective safety nets for organizations. Not surprisingly, their model highlights that the more connected the business is, the higher the risk. In the graph below, they highlight the dramatic rise in costs for ill-prepared IT teams that venture into the IoT without the right instruments.

The report concludes by reiterating the need for CISOs to be aware of the increasing market for illicit sale of vulnerabilities, exploits and valuable corporate data, but reminds executives to remain optimistic about the progress being made in software. Cybersecurity, in some ways, has improved dramatically since the 1990s, when SATAN, COPS, and Internet Scanner were all the protection available. However, we’re also not looking at the same 1M-node Internet we had in the 1990s, which means that we have reverted to a primitive state in network security. Either way, the RAND report gives enough statistical research to warrant a PhD to read it, but it serves as an excellent wake-up call for CISOs to start raising awareness in the boardroom about the growing challenges and costs that are coming to fiscal budgets.

Connected Medical Devices Can’t Call in Sick — Bastille

One of America’s greatest contributions to society in the last 100 years has been advancements in medical care. This furthering has been made possible, in large part, by our achievements in technology. So, it should be no surprise that the two have become explicitly intertwined; medical technology has given way to incredible improvements in cost, efficiency, and patient health. However, this marriage of computers, communication, and devices has not come without challenges. TV shows have hypothesized about the hijacking of a vice president’s pacemaker, but are devices really vulnerable or is this just a theatrical plot line for primetime drama?

In May of this year, TrapX Security, a cyber security defense company, released a report on MEDJACK – an attack created to illustrate the vulnerabilities in medical devices. In testing three devices commonly found in critical care departments, TrapX found that they were all being used as an entry point to the hospital’s network and that data was being exfiltrated from the hospital’s databases. In many cases, the malware identified was old; variants of Zeus and Citadel were specifically called out. Data exfiltration is one thing, but the hackers from TrapX also found that the malware could alter patient records and potentially compromise the devices themselves. Other researchers are taking note of these physical vulnerabilities. This Wired article, released yesterday, details the ability to hack dosage parameters on a Hospira pump.

Of course, bodily harm is rarely the desired endgame, and the motivation for the recent attacks on hospitals comes down to basic greed. Electronic health records, or EHRs, can often sell for $50 or more on the black market. This is a far greater payoff than traditional credit card numbers, which are lucky to fetch a buck in today’s underground economy. EHRs are particularly attractive because of the amount of detail they can hold about a patient – social security numbers, banking information and, most importantly, your medical ailments – as seen in the recent Anthem and Blue Cross breaches. This holistic information allows crooks to use your medical identity to acquire drugs or medical equipment, which can be sold for additional monetary gain. Hackers have become creative; with holding photographs and data hostage en vogue today, it’s foreseeable that medical devices could also be held for ransom.

Battling data thieves isn’t the only challenge facing hospitals today, they must also contend with the bureaucracy of being the most regulated industry in the country. All medical devices must be approved by the FDA prior to going to market, and it is this scrutiny that requires manufacturers to lock down all aspects of a device, thus creating an internet connected “black box.” In fact, the majority of medical devices in hospital settings are operating 24/7 without any visibility or control by hospital security staff. Since medical devices are manufactured and FDA approved with a high level of specificity, these devices can only be serviced and maintained by the original manufacturer. Combine these OEM resource limitations with the high level of need in critical care departments, and it’s little wonder why patches and security updates often go undone for long periods of time.

The OEM blind spots aren’t exclusive to medical care. In our own pilots, we routinely find third-party products with an open wireless connection that was completely unknown to IT staff. As companies look to improve efficiencies and leverage data coming from costly infrastructure investments, the security and connectivity of these OEM sensors need to be known and monitored in order to maintain the integrity of the network. Of course, it might be pie-in-the-sky thinking when you consider the billions of connections that will invade the corporate environment in the coming years.

As we continue to connect sensitive environments, it becomes harder to take this critical infrastructure offline for regular maintenance. It’s one thing to not be able to send emails while IT upgrades a server, but to patch the blood gas machines in the ICU will take careful planning. For now, we may have to settle for simple awareness. Unfortunately, this will likely mean more data breaches, but I’m hopeful that progress will be made before we actually see patient health impacts.

OpenDNS Report Details the Enterprise Risk of IoT — Bastille

This week OpenDNS released a report on the Internet of Things and Enterprise security. I found this report to be one of the most thorough, yet troubling, to date. I wanted to use this blog to summarize the findings and provide some context in which Enterprises can approach safety and the Internet of Things.

The report highlights a number of key areas. The first, which most companies are already aware of, is that the IoT will introduce new avenues of exploitation for all sectors of business. Perhaps one of the most troubling points in the survey was that of the 500 IT environments surveyed, 23% reported having no controls around IoT devices connecting to the network. I would argue that even the 77% who claim to have controls have, in practice, no ability to enforce them. This is a catastrophe waiting to happen in some of the world’s most sensitive verticals. The report specifically calls out higher education, managed services and the highly regulated healthcare industry as the most connected companies it observed.

In looking at healthcare, for instance, the report revisited the Samsung Smart TV, which was the subject of a blog that I wrote a couple of months ago. Samsung’s Smart TV privacy policy indicated that the TV was constantly monitoring voice activity and transmitting this information to a third party. While this function can be turned off, it’s unlikely that many companies do so. After all, it negates the point of a Smart TV. OpenDNS decided to test the TV; their results found that the TV was beaconing even when not in use, so long as it was powered on. To add fuel to the fire, the TV also beacons to a domain using an untrusted certificate, which the report notes has no logical use case. While the research didn’t find anything inherently malicious about the TV’s beaconing, it’s important to note that this is just additional information for hackers to monitor use. Likewise, these TVs have a microphone and a web interface, making them a perfect – dare I say easy – target for a targeted hacker.

Andrew Hay, the report’s writer, also went on to explore the number of consumer devices entering and connecting to the corporate infrastructure. While they removed the FitBit data for the purpose of the report, OpenDNS notes that the majority of the 70B daily Internet requests that it examined from Enterprise companies came not just from TVs, but from consumer products like FitBit, Nest, and Western Digital’s cloud service. These types of consumer services are keeping company in what OpenDNS called “Bad Internet Neighborhoods.” According to Hay, these IoT devices are being hosted in environments that also house malicious domains, and some are even susceptible to vulnerabilities such as Heartbleed and FREAK.

Of course, these problems will only perpetuate as IT departments struggle to identify these holes in their environment. And even once detected, some of the vulnerabilities remain outside of IT control. Patching, for instance, isn’t feasible with consumer devices. And especially in healthcare, many of these IoT devices were never designed to receive patches.

IoT is in the enterprise, and it’s penetrating deeper into the most sensitive verticals. DNS is an excellent instrument to identify the existence of devices and monitor them for malicious behavior; perhaps the important first step is the detection of these devices and a layered approach to this detection and security. Finally, Hay recommends that Enterprise companies move beyond BYOD and develop a comprehensive IoT policy for employees. Of course, with the majority of new employees entering the workforce being accustomed to an “always on” lifestyle, policies will be disregarded. The main takeaway from the report lies in the data. This is a great instrument for CISOs to take to the boardroom to reinforce the need for continued investment in IT security.
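As an added example (not code from the OpenDNS report or from Bastille), here is a small detector for the kind of idle-device beaconing the report describes, run over resolver query logs of the sort DNS monitoring gives you. The log format, client addresses and domain names are constructed for the demo and are assumptions, not values from the report.

```python
"""
Flag IoT-style DNS beaconing in resolver query logs.

A device that phones home whenever it is powered on (the Smart TV case above)
shows up in DNS as the same client asking for the same name at near-constant
intervals. This script groups queries by (client, name) and reports the
series whose inter-query gaps are too regular to be human browsing.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample resolver log: "<ISO timestamp> <client IP> <queried name>".
# 10.0.5.21 plays the idle TV beaconing every 5 minutes; 10.0.7.40 is a
# workstation with irregular, user-driven lookups. All names are placeholders.
SAMPLE_LOG = """\
2015-06-01T09:00:00 10.0.5.21 telemetry.example-tv-vendor.invalid
2015-06-01T09:00:03 10.0.5.21 ads.example-tv-vendor.invalid
2015-06-01T09:00:12 10.0.7.40 mail.example-corp.invalid
2015-06-01T09:05:00 10.0.5.21 telemetry.example-tv-vendor.invalid
2015-06-01T09:07:45 10.0.7.40 intranet.example-corp.invalid
2015-06-01T09:10:00 10.0.5.21 telemetry.example-tv-vendor.invalid
2015-06-01T09:11:30 10.0.7.40 mail.example-corp.invalid
2015-06-01T09:15:01 10.0.5.21 telemetry.example-tv-vendor.invalid
2015-06-01T09:19:58 10.0.7.40 www.example-corp.invalid
2015-06-01T09:20:00 10.0.5.21 telemetry.example-tv-vendor.invalid
2015-06-01T09:25:00 10.0.5.21 telemetry.example-tv-vendor.invalid
2015-06-01T09:31:10 10.0.7.40 mail.example-corp.invalid
"""


def parse_log(text):
    """Yield (timestamp, client, qname) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        # Normalise the name so "Foo.Example." and "foo.example" group together.
        yield ts, parts[1], parts[2].lower().rstrip(".")


def find_beacons(text, min_queries=4, max_jitter=0.1):
    """Return {(client, qname): mean_gap_seconds} for periodic query series.

    A series counts as a beacon when it has at least min_queries lookups and
    the population std-dev of the gaps is at most max_jitter * mean gap.
    Short series are ignored because two or three hits cannot establish a
    period; jitter tolerance absorbs clock skew and retransmits.
    """
    series = defaultdict(list)
    for ts, client, qname in parse_log(text):
        series[(client, qname)].append(ts)

    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter * avg:
            beacons[key] = avg
    return beacons


def report(beacons):
    """Render beacon findings as one human-readable line per (client, name)."""
    return [
        f"{client} -> {qname}: every {gap:.0f}s"
        for (client, qname), gap in sorted(beacons.items())
    ]


if __name__ == "__main__":
    for line in report(find_beacons(SAMPLE_LOG)):
        print(line)
```

Run against real resolver exports, the flagged names are the inventory of devices that phone home on a timer; comparing them with the asset register is the detection step the report calls for.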

Smart Cities Could Mean Metro Mayhem — Bastille

The world is awaiting the idea of the smart city; a city digitally connected to its residents and operators to provide an enhanced quality of life and cost savings. South Korea, Barcelona and now India are all boasting about their cleaner, greener and yes, smarter, city projects. And, while the idea of digitally driven cities is less common in North America, there is a growing momentum behind the idea, driven in large part by the massive growth and interest in the Internet of Things.

Frost & Sullivan estimates the Smart Cities market will grow to 1.5 trillion, but it’s unclear how much of that will be spent on security. What is clear is that without the proper security supporting these technical advances, the result could be chaos in the city. So, while communities enjoy free Wi-Fi that enables apps to find open parking spots from beaconing meters, are city leaders and residents alike truly ready for the security risk that comes with smarter urbanization?

My own city fell victim to a hack of public property when a digital billboard in one of Atlanta’s busiest intersections displayed lewd images for all of Buckhead’s citizens to see. The prank isn’t new; as a matter of fact it was shown at DefCon in 2013 and since then a number of how-to articles have made their way online. While a billboard has no ability to truly harm people or infrastructure, it is an example of the insecurities in the connected, public domain. The following year at the same conference, Cesar Cerrudo of IOActive demonstrated how easy it was to completely control traffic lights in major cities like New York and DC with less than $100 worth of equipment. Weak passwords and poor encryption make commandeering our traffic systems all too easy – and worse yet, remotely.

And we’re only at the beginning. Wellington Webb, former mayor of Denver, said it best; “The 19th century was a century of empires, 20th century was a century of nations and 21st century will be a century of cities.”

As the burgeoning population makes life less bearable in major cities, leaders are turning to technology to help ease the pain. If you’ve ever traveled on the tube in London, then you’ve heard the voice announcing that your train will be late for one reason or another. It’s for this reason that London has decided to completely revamp their tube system by leveraging IoT. This is on top of an already hyper-connected cityscape, including the largest CCTV network in the world and real-time traffic and air quality monitoring. You can even see how many bikes are available for rent in a city-wide data dashboard.

I’m sure that all of this instant information is great for app loving Millennials that thrive on knowing the easier, faster or better ways to get what they need, but could all this ubiquitous sensing birth a new breed of criminal? Smart Cities mean Smart Homes, and our own research has been able to bypass wireless security alarms, silence door chimes and render locking your vehicle impossible with a device purchased off of Amazon. And, according to a recent article, should such personal property violations occur, the police might be slow in responding due to potential vulnerabilities in connected police cars.

And then there’s the big one, the one that could cause major damage on a global scale – an attack on critical infrastructure. Real-time smart metering on water, energy, gas and oil via embedded technology widens the attack surface of our utilities exponentially. It also provides great data to help municipalities conserve resources and save taxpayer money, but that will need to be balanced to ensure public safety. And, while this entire blog has been riddled with FUD, it’s important to note that the good guys are doing something about it. Recently, my company joined Securing Smart Cities, a not-for-profit brainchild of Cesar Cerrudo of IOActive. The organization is comprised of several companies and cyber experts that realize the necessity of getting ahead of the risk that could come with smarter cities.

We all want to live in communities that are fiscally and socially responsible. And as we turn to technology to improve our quality of life, we must remain vigilant to its compromise by the bad guys.

The Mile High Club, of IoT of Course… — Bastille

A very elite club was just created by Chris Roberts, if his allegations of commandeering an airplane are true. Modern day transportation relies heavily on remote access to the outside world…and consumer trust. These two things have been at odds recently, ever since the world read a tweet from Chris Roberts, in which he jokingly suggested releasing oxygen masks while aboard a commercial flight. Whether or not Roberts was actually joking about hacking the aircraft is up for debate, but the move led the Government Accountability Office to issue a warning about potential vulnerabilities to aircraft systems via in-flight Wi-Fi.

What may be of more grave concern is that Mr. Roberts claims that he dismantled passenger seats 15-20 times, plugged in a CAT6 cable and fired up Kali Linux, or at least that’s what’s said in the search warrant. If I were the passenger sitting next to him, it probably would have resulted in a call to the flight attendant to notify the air marshal on board. As a pilot myself, having a passenger issue a climb command and remotely monitor the cockpit would be disturbing to say the least. But maybe he did. And perhaps this is a wake-up call for all transportation industries to heavily consider security before they implement Internet connectivity.

While the aviation industry is downplaying the claims, United Airways (the airline that banned Mr. Roberts for his attempt at in flight humor) is taking security seriously. The airline has issued a bug bounty, compensating hackers with flight miles for reporting vulnerabilities in United’s tech team. Though, and it’s important to note, there’s no reward for debugging anything having to do with in-flight Wi-Fi or on-board systems. They’ve even gone so far as to warn that any attempt to access live systems would result in criminal consequences.

While I agree that we don’t want every 16-year-old script kiddie trying to tamper with people’s lives at 35,000 feet, we do wonder if United or any of the other major carriers would be willing to park a plane at Black Hat. Surely, if they were certain that there is no way to exploit the pilot’s aviation systems, they would be willing to allow expert researchers to have a look while the plane is on the ground? Tremendous insight and overall global information security could only improve if a major carrier or manufacturer hosted a hack week on a Dreamliner on the tarmac at McCarran International.

I’ll issue that as my own personal challenge to security-minded commercial airline companies – allow these white hats access to a plane in a safe location so that you can be certain your passengers are safe. Right now, we’ve got claims and rebuttals, but no one is really saying much more than that. Remove the doubt.

As for the concern at hand, this isn’t the first time that white hat hackers have claimed to be able to access, and potentially control or damage, commercial aircraft with simple methods. In 2013, a hacker by the name of Hugo Teso debuted an Android phone app at Hack in the Box, the Amsterdam con that draws thousands of security researchers, claiming he could override the autopilot from the smartphone. He did so by simply pushing a message through the aircraft communication system (ACARS), which he claimed had no security, and he claimed the exploit could actually be done remotely from the ground. This was all done in a lab, of course. But it was a strong thesis. And for those wondering about the app – it was never intended for public consumption.

For now, the good news remains that these guys are on the right side, having no other motivation than to make air travel safer. But as we move into a world where transportation is more heavily reliant on Internet communication and embedded sensors, these types of vulnerabilities will have the potential to fall into the wrong hands with devastating consequences. This is why IoT security has to remain first priority, above and beyond any conveniences or cost savings.

And for the record, if Chris Roberts did in fact breach a plane in flight, I do not condone that, by anyone, no matter how smart or well intentioned. I’ll close by reiterating my offer to the airlines: park one of these on the ground and let us help you make air travel as safe as possible.

Forget Back Doors – The IoT Makes it Just as Easy to Come Through the Front — Bastille


The alphabet soup of acronyms describing the coming connected world is a signal that it is time to brush up on your security lingo, because the world is changing. IoT, M2M and ICS devices introduce an almost incomprehensible expansion of exploitable attack surface. Historically, information security has been defined as a perimeter around your most valuable IT assets, with different layers of protection for different areas of vulnerability. And while there is still a very healthy and innovative market for traditional information security, the ecosystem is changing and new threat vectors keep appearing. There was a time when security only needed to consider exposed web services as an attack vector. With the IoT, the attack surface expands beyond the web into hardware, multiple operating systems, multiple protocols and the cloud. Where there was one, now there are five, or more.

There are security companies that have introduced solutions to fix some of these gaps in protection. For device security, the market is steadily embracing MDM technologies. These agent-based platforms allow organizations to secure data on mobile devices, wipe them remotely, and control individual access to company assets. This seemingly convenient way to let employees use their own preferred devices has proven helpful; however, some Millennials in the workplace are beginning to object to the idea of “the man” having so much control over their personal devices. Just recently, a woman was fired for removing an app that tracked her whereabouts 24/7. The workforce management app seemed a little too “Big Brother”, which may well have corporations moving back to issuing company devices to employees. Of course, it doesn’t matter who owns the device: security at the device level still relies on an agent. As we move from a network of computers, tablets and smartphones towards a network of billions of connected “things”, most of which run fixed firmware you cannot install anything on, installed agents simply can’t scale. The end result will be a multitude of unprotected “things”.

Protocols are also problematic, and profuse. There are more than 100 wireless protocols in the IoT that are invisible to the enterprise, even to companies using the most sophisticated security measures. The tools and technologies in use today protect environments from wired and Wi-Fi threats; in a couple of years, those will be the least of your worries. An office building with 5,000 employees, each carrying a phone with a 20-40 Mb/s LTE connection, has on the order of 100-200 Gb/s of aggregate Internet connectivity that is completely invisible to the network team, and that is only counting personal cell phones. Of greater concern are the smaller, more fragile protocols that exist in the enterprise and operate quietly without causing much anxiety. ZigBee is one example. I have seen an engineer brick a ZigBee light bulb within minutes of unpacking it, simply by sending it malformed packets. That is the equivalent of opening a telnet connection to port 23 of a router, holding down the C key, and having the router destroyed with no chance of repair other than being sent back to the factory. I’m certainly not picking on ZigBee; it is just one example of the protocols in the enterprise that could be vulnerable to basic attacks.
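To make the ZigBee anecdote concrete, here is an added example (not Bastille’s code, and nothing from the ZigBee stack in question) of the kind of robustness test that finds such bugs: a mutation fuzzer that corrupts a valid frame and feeds the results to two parsers of a hypothetical length-prefixed frame format invented for this demonstration. The naive parser trusts the length field the way a fragile embedded stack might; the hardened one checks the size and a CRC before touching any field. The frame layout, the CRC-8 polynomial and the sample command are all assumptions of the example.

```python
import random

# Hypothetical wire format, invented for this example (it is NOT ZigBee's):
#   byte 0        N, the number of payload bytes
#   byte 1        message type
#   bytes 2..N+1  payload
#   byte N+2      CRC-8 (poly 0x07) over bytes 0..N+1


class FrameError(ValueError):
    """Raised by the hardened parser for any frame it refuses."""


def crc8(data: bytes) -> int:
    """CRC-8 with polynomial 0x07, MSB-first, no reflection."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def build_frame(msg_type: int, payload: bytes) -> bytes:
    body = bytes([len(payload), msg_type]) + payload
    return body + bytes([crc8(body)])


def parse_naive(buf: bytes):
    """Trusts the length byte, the way a fragile embedded stack might."""
    n = buf[0]
    msg_type = buf[1]
    payload = buf[2:2 + n]
    _crc = buf[2 + n]        # IndexError when N overstates the real size
    return msg_type, payload


def parse_hardened(buf: bytes):
    """Validates size and CRC before trusting a single field."""
    if len(buf) < 3:
        raise FrameError("frame too short")
    n = buf[0]
    if len(buf) != 3 + n:
        raise FrameError("length field disagrees with frame size")
    if crc8(buf[:-1]) != buf[-1]:
        raise FrameError("CRC mismatch")
    return buf[1], bytes(buf[2:-1])


def mutate(frame: bytes, rng: random.Random) -> bytes:
    """Apply one random corruption to a valid frame."""
    f = bytearray(frame)
    op = rng.randrange(4)
    if op == 0:                                   # flip one bit
        f[rng.randrange(len(f))] ^= 1 << rng.randrange(8)
    elif op == 1:                                 # lie about the length
        f[0] = rng.randrange(256)
    elif op == 2:                                 # truncate
        del f[rng.randrange(len(f)):]
    else:                                         # append junk
        f += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(f)


def fuzz(parser, seed_frame: bytes, rounds: int = 500, seed: int = 1) -> dict:
    """Count how the parser fares: accepted, cleanly rejected, or crashed."""
    rng = random.Random(seed)
    # Hand-picked cases every parser must survive, then random mutations.
    cases = [b"", seed_frame[:1], seed_frame[:-1],
             bytes([0xFF]) + seed_frame[1:]]
    cases += [mutate(seed_frame, rng) for _ in range(rounds)]
    tally = {"accepted": 0, "rejected": 0, "crashed": 0}
    for case in cases:
        try:
            parser(case)
            tally["accepted"] += 1
        except FrameError:
            tally["rejected"] += 1
        except Exception:          # any other exception is the bug we hunt
            tally["crashed"] += 1
    return tally


if __name__ == "__main__":
    # Hypothetical "set level" command: message type 0x01, four payload bytes.
    frame = build_frame(0x01, b"\x10\x20\x30\x40")
    print("naive   :", fuzz(parse_naive, frame))
    print("hardened:", fuzz(parse_hardened, frame))
```

On a real radio the same loop drives a transmitter instead of a function call, and a “crash” is a device that stops responding or, as in the anecdote, never comes back. The point of the two parsers side by side is that the fix is not exotic: check the length field against what actually arrived, check the integrity field, and only then index into the buffer.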

In another example of IoT vulnerability, our R&D team analyzed an IoT deadbolt lock. We were surprised to find many more doors into the product (no pun intended) than we expected. When we decompiled both the Android and iOS versions of the management software for the device, we discovered that they had clearly been developed by different teams; each piece appeared to have been tested on its own, but no code audit had been done on the product as a whole. This meant we could use the app to reach not just the hardware but also the manufacturer’s servers. As more companies outsource development of the various layers of a product, the attack surface will continue to expand.

In the examples I’ve talked about, it’s clear that there is still work to be done on IoT hardware, applications and protocols. But perhaps what matters most to IoT success is the cloud. I have a startup, and we don’t own a single server; there is no need to in 2015. IoT devices don’t need a server of their own: they communicate through a gateway or, as in the lock example above, through a mobile application, and they pair, provision and license through the cloud. When credentials or other key security parameters can be extracted, wirelessly through packet sniffing or via the unbelievably common practice of hard-coding credentials into mobile apps, the provisioning of these devices can be compromised. Just ask any of the Snappening victims how much damage neglecting basic security can do.
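The lock analysis and the hard-coded credentials described above come down to one audit step: dump the strings from the decompiled app and look for embedded secrets and cleartext endpoints. What follows is an added example of that check (not Bastille’s tooling and not tied to any real product): a small scanner run over a constructed sample of strings standing in for the output of apktool or a strings dump of the app’s bytecode. The host names, password and API token in the sample are made up; the AWS access key ID is Amazon’s documented placeholder value.

```python
import base64
import re
from math import log2

# Constructed sample input, standing in for strings dumped from a decompiled
# mobile app. The product, hosts and credentials are hypothetical; they are
# not taken from any real vendor.
SAMPLE_STRINGS = """\
https://api.example-lock.invalid/v1/unlock
Authorization: Basic YWRtaW46c3VwZXJzZWNyZXQ=
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
password = "Hunter2!"
Content-Type: application/json
mqtt://broker.example-lock.invalid:1883
api_token=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
Loading...
"""

# Signature rules: the things a reviewer looks for first in app resources.
PATTERNS = {
    "basic_auth": re.compile(r"Basic\s+([A-Za-z0-9+/]{8,}={0,2})"),
    "aws_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "password_assign": re.compile(
        r"(?i)\b(?:pass(?:word)?|pwd)\s*[=:]\s*[\"']?([^\"'\s]{4,})"),
    "token_assign": re.compile(
        r"(?i)\b(?:api_?(?:key|token)|auth_?token|secret)\s*[=:]\s*[\"']?([A-Za-z0-9_\-]{16,})"),
    "cleartext_endpoint": re.compile(r"\b(?:http|mqtt|ftp|telnet)://[^\s\"']+"),
}

# Catch-all for secrets no signature knows about: long, high-entropy blobs.
ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9+/_\-]{32,}")
ENTROPY_THRESHOLD = 3.0   # bits per symbol; hex and base64 secrets sit above this


def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical symbol distribution in s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * log2(c / n) for c in counts.values())


def decode_basic(b64: str) -> str:
    """Best-effort decode of an HTTP Basic credential for the report."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def scan(text: str):
    """Return a list of findings, one per (line, rule) hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = False
        for rule, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            hit = True
            finding = {"line": lineno, "rule": rule, "match": m.group(0)}
            if rule == "basic_auth":
                finding["decoded"] = decode_basic(m.group(1))
            findings.append(finding)
        if not hit:
            for tok in ENTROPY_TOKEN.findall(line):
                if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                    findings.append({"line": lineno, "rule": "high_entropy",
                                     "match": tok})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_STRINGS):
        print(finding)
```

Run against the sample, the scanner reports the Basic credential (decoded to admin:supersecret), the AWS key ID, the assigned password, the unencrypted MQTT broker and the API token, and leaves the HTTPS endpoint and the UI strings alone. The entropy rule only fires on lines no signature matched, so a token that slips past the regexes still shows up; the threshold is a tuning knob, not a law, and a real run over an app will need the usual pass to separate genuine secrets from resource hashes.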

What does this mean for you? We are all in a Brave New World when it comes to security and the IoT. We are surrounded by blind spots that have the potential to be seen by the bad guys before the rest of us. For Information Security professionals, it’s imperative that you prepare for intrusions to come from multiple angles.

Top 10 Internet of Things Tweets at RSA 2015 — Bastille


It’s been a great two days of information sessions and expo mingling at the 2015 RSA Conference (#RSAC) in San Francisco. In conjunction with our first birthday, Bastille is debuting at RSA in booth S2426, demoing our IoT security solution for the 30,000 security professionals in attendance. The trade show isn’t nearly over, but one thing is clear: IoT is hot. An RSA spokesperson acknowledged that speaking submissions on IoT-related topics were up 450% compared to last year, and Twitter has been abuzz with IoT chatter.

Without further ado, here are our Top 10 IoT Tweets from RSA 2015 (so far):

How the IoT Has Invaded My Life — Bastille


It is impossible to create a usable environment that is 100% free from risk. Whether in your home or business, the cost of embracing technology is accepting some risk via new IT services. The more services in use, the more vectors are created for bad guys to exploit.

The corporate computing environment is incredibly complex. Think about what it takes to service tens of thousands of workstations and servers. It involves layer upon layer of infrastructure such as routers/switches, core services such as service directories (DNS/LDAP/Active Directory), and ingress/egress technologies such as proxies and firewalls. Each of these layers requires dedicated experts to manage and deploy, but the mitigation of risk created by these layers is the job of the lonely and often understaffed InfoSec group.

Now consider a much simpler environment, the common home. Most people do a pretty good job of locking their doors and windows to create some barrier to entry. But as they add more technology to their home, they too are increasing their risk. As I look at my own environment, I see a multitude of vectors that have been created by various Internet of Things (IoT) devices:

  • A wireless security system that is powered by Bluetooth and wifi, has mobile phone control to arm/disarm, and sends alerts before the police arrive.
  • Wireless cameras connected to the cloud
  • Yard controls that allow me to turn my heater, lighting, and irrigation on/off via a proprietary wireless transmitter connected to the cloud
  • TVs and ROKU/Chromecast-like devices that connect via Bluetooth and Wi-Fi to create their own networks in order to share content.
  • Wearables have invaded my home. Three family members now monitor their vitals with FitBit, ihealth and other products, each transmitting sensitive data to the cloud.
  • We are even tracking how we dribble basketballs and kick soccer balls due to Santa bringing my kids the latest IoT enabled sporting toys.
  • One family member recently had a wireless heart monitor surgically installed that uploads vitals to a web site for their doctor to view.
  • We have about a dozen smartphones, tablets, and laptops constantly connected and getting infected by malware.

Think for a minute how my once secure home has been opened by this new era of IoT connectivity. We already know that wireless home security is vulnerable to hacks. By connecting household controls, I’m – at minimum – opening myself up to allowing outsiders to see my daily habits, ultimately being able to profile my comings and goings.

Having previously been tasked with securing a Fortune 100 infrastructure, I have risk constantly on my mind, and I am waging a friendly battle with family members to walk the line between security and convenience, urging them to turn off services that are not needed, change passwords, and so on. I try to put our mobile devices on a separate network so my personal files are not easily exposed. But while I know the risks given my profession, many other families are oblivious to the trade-off between the conveniences of connectivity and safety.

Companies may not have seen the influx of IoT into their environments at the same pace as I have witnessed it in my own world, but it is like a freight train barreling towards them. The same technologies that have made my personal world more connected and useful are quickly being positioned for use in the enterprise. Employees are bringing new devices in en masse. Departments are looking to manage infrastructure with new sensors and controls. The major industrial control manufacturers and integrators such as Honeywell, Emerson, Schneider Electric, Siemens, GE, Tyco etc. are touting how they have embraced the IoT. The time is now to start thinking about how to embrace the IoT in the environment by surrounding it with security.