Securing the Internet-of-Things (IoT)

Dr. Jared DeMott, CEO and founder of VDA Labs, chats with Chris Sienko about the security risks associated with the Internet of Things (IoT) and some of the ways that we might make these seemingly peripheral devices safer from unwanted intruders.

      Chris Sienko: Hello and welcome to another episode of CyberSpeak with Infosec Institute. Today’s guest is Dr. Jared DeMott, the CEO and founder of VDA Labs. Jared has made a career out of finding security vulnerabilities and is the author of “Fuzzing for Software Security Testing and Quality Assurance”. Today we are going to talk about the security risks associated with the Internet of Things, or IoT, and some of the ways that we might make these seemingly peripheral devices safer from unwanted intruders.

      Dr. Jared DeMott is an information security expert, and previously served as a vulnerability analyst with the NSA. He holds a PhD from Michigan State University, and he regularly speaks on vulnerabilities at conferences like RSA, DerbyCon, Black Hat, ToorCon, GrrCon, HITB, and others. He was a finalist in Microsoft’s BlueHat Prize contest, which helped make Microsoft customers more secure. Dr. DeMott has been on three winning DefCon capture-the-flag teams and has been an invited lecturer at prestigious institutions, such as the United States Military Academy. Jared is also a Pluralsight author and a professor at Dakota State University. Dr. DeMott, thank you for being with us today.

      Jared DeMott: Yeah, absolutely, thanks for having me.

      Chris: Alright, so let’s start out by talking a little bit about your security journey. How did you get involved in security and vulnerability testing in the first place, and how do you feel like that industry has changed since you started?

      Jared: Yeah, great question. Got into it like many did. Growing up in the early 90s, it wasn’t really a thing, it wasn’t really a field. It’s not that I knew as an elementary school child that I wanted to be in cyber or anything, it wasn’t really a thing, but I knew that I wanted to be in technology. I was kind of the one that always tinkered with every remote control car and, kind of, a nerd like that. Just loved that, and actually had planned to go to the Air Force Academy. My parents talked me out of that. They thought I would die in some crazy overseas war or something, although I was going to go for aerospace engineering, so I’m not sure how that would’ve happened. I probably would’ve ended up behind a desk like I do today.

      Chris: Right, or out in space or something.

      Jared: It worked out for the best though, because I ended up going and getting a bachelor’s degree and then going right to the NSA, which I loved. Great place to start a career, a lot of fun there, and then throughout I had just kind of continued to buckle down, having the energy and excitement to learn and grow and work for various other defense contractors, and the commercial startup companies out in California, and get a PhD, like you said, at Michigan State. I kind of got involved in writing, in teaching, and then decided, you know what, it’s time to stretch my own legs and try my own hand at VDA Labs, Vulnerability Discovery and Analysis. That’s the business that I run, and we have a lot of fun and we get to find bugs and help customers.

      Chris: When was VDA Labs founded?

      Jared: I actually founded it a long time ago. I guess I’ll have to look at my LinkedIn. I don’t remember the exact year, but it wasn’t until about three years ago that I quit my day job and took the big leap, which is really scary, right?

      Chris: Yep.

      Jared: You’re gonna hire staff and you’re gonna think of benefits and medical, the process of finding customers and developing pipeline. All my training was on the technology side, right? My PhD, for example, is in computer science. I never went to business school and that type of stuff, so I had to learn all that on my own, which was not really that hard. It just took time to develop that sort of network and all that to do that and really, it’s been great. I actually love doing that, I love meeting with customers and doing that part as well. Good stuff.

      Chris: Yeah, tell me a little bit about VDA Labs and your mission and methods, and your day to day operations, what sort of things do you do for your clients?

      Jared: Yeah, sure. We’re a full spectrum cyber company, right? So, anything from code auditing, pen testing, incident response, training, application security, AppSec training, network training, Red Teaming, Blue Team engineering, you name it. We’ll basically take on any cool project that you would like us to help you with in the cyber space, and we’re really passionate about that. Our approach is more of the “bring a senior team of folks.”

      We’ve had too many experiences where we talk to customers, and they’re like, “Yeah, we had a pentest from a big, well known company, I won’t mention, and it was basically just a Nessus report or something.” And there wasn’t much there for findings. That’s too bad, because we always find really good stuff and have a lot of fun doing that. I guess I’m just excited about helping people out in that way.

      Chris: How did you come to write, or co-author, the book on fuzzing? How did that become, sort of, an area of specialty that you found especially interesting?

      Jared: Good, good, good question. That was probably, I wanna say, somewhere around the 2005 timeframe. Fuzzing was just becoming a thing. Most companies weren’t really doing it, it was mostly just the bad guys, basically, doing it, finding vulns. This was the time when solid vulns were still on the servers, so think of like IIS and FTP. You could basically just pop a box on the internet and you would be into someone’s DMZ, and then you were kind of hacked from the outside in. It was, sort of, before the time of client side exploits, and sending phishing emails, macros in Word documents. It was kind of before all that, really.

      I was into that and I had published a tool called GPF, General Purpose Fuzzer. A gentleman out of Finland actually, Ari Takanen, reached out to me and said, “Hey. You’re into fuzzing. We here at the University of Oulu, we do a lot of fuzzing too.” He later founded, or helped co-found, a company called Codenomicon that got picked up by Synopsys and has become part of their commercial tool set offerings.

      So anyway, long story short, I met him. He actually came to Michigan, where I was living at the time, and stopped by the little town I live in, which was really fun. There were some wild blackberries growing nearby and I said, “Hey look. You can just pick and eat these.” He’s like, “Oh, that’s crazy. You can do that here?”

      But anyway, random stories. Then we involved Charlie Miller as well, who’s well known in the field, and asked him to write a portion of the book as well. And, I guess the rest is history.

      It’s just kind of one of those books that’s kind of fun, and we have a lot of personal memories, and it sits on a shelf, and yeah, there’s lots of good information as far as finding bugs in software. You could probably google it and find a lot of that info too, or YouTube, or just finding data and stuff like that. It’s just neat to have gone down those roads and had the experience of all three books, so yeah, I think that’s…

      Chris: Yeah, and it’s a very good sort of snapshot of where security was at the moment. I imagine some of that stuff is, with technology changing and stuff, maybe not as relevant anymore, but you get that sort of continuum of … or is fuzzing still sort of a-

      Jared: Yeah. So, with written material, I feel like that’s the challenge in security, that by the time you launch a book, three years after you started writing it, it’s sort of … Well, we actually did do a second edition update that covered new information and some of the more recent open source fuzzing tools that are out there and things. It’s worth reading.

      Chris: We brought you here today to talk about the current status of the Internet of Things, or IoT, which, for those of us who are watching this video and not really sure what that is, is basically any sort of device that has some degree of internet connectivity, right? Especially things that don’t normally have them. When I hear IoT, I think of things like cars with internet, or the old one was always your coffee pot’s going to have the internet in it, and stuff like that. What is your, sort of, formal definition for IoT enabled devices, I guess?

      Jared: You know what, it’s kind of taken on a pretty broad definition these days. I think it could almost be considered anything that’s not a traditional laptop, desktop, server, also, it’s generally not considered mobile. There are usually other definitions for the state of ICS, industrial equipment and automotive as well.

      But really, in many ways, they can all be sort of thought of as IoT there. When you think about what a typical IoT device does in reality, besides the silly “Is my refrigerator going to kill me, or is my coffee pot going to strangle me?” There have been ridiculous thoughts in the past, and no, it’s probably not going to, but can you start your car from your mobile app? Yeah, you can actually do that today. Can you unlock your car from your mobile app? Yeah, you really can. To me, the term Internet of Things has really just become this term that kind of means stuff that’s connected, and really, that’s almost everything now.

      When you think about video games, for example, how there was a change. It used to be you had to have a console. You’d set up a console and play and that was great. Now it’s like, if you want to play it on your mobile and your PC for the same game, you probably can, and maybe your skin, or your load out, or your profile, or whatever you call it in that particular game, follows you from your desktop to your mobile. How does that work? Well, it’s an API that talks to the backend that stores data. It’s very much the same way that you would unlock your car door or whatever.

      The technology behind many of those things … Another example that comes to mind is a padlock I recently saw that you could unlock from your mobile app. You could load your fingerprints into your mobile app and then it would load that into your padlock, so that when you got to the gym, you could just touch your lock to unlock it with your fingerprint, and it’s kind of managed, in the same way, through an API.

      That type of connectivity is kind of one thing I think of in the IoT space. There are a lot of other things I think some people also consider, like home routers, home cameras, even your refrigerator, your whatever else. Those types of things that can be connected. They could be considered IoT as well.

      Chris: Do you think, based on, like I say, 10 years ago or more there was a certain vision of what IoT would be like at this point. Do you think we’re, kind of, as connected and universal as we thought we would be? If not, what’s been the impediment, and if so, what do you think has been the net result of the efficiency or interconnectivity of all this?

      Jared: That’s a great question. From my standpoint in where we’re at, I think we’re every bit as connected as we want to be at this point because we’re moving pretty fast as a society. When you think about the learning curve, we’re basically moving faster than, generationally, we’re learning, in a lot of ways. So you think about street smarts. That’s something that I think most people probably have, not everybody, but you know. Maybe you don’t walk in a dangerous part of the city at night. You just kind of know that. How do you know that? Well, I don’t know, I just know it.

      Chris: Right.

      Jared: We don’t have that same intuition when it comes to cyber. When we’re traveling, we don’t think, oh, I’m traveling, I better turn off my Bluetooth and my Wi-Fi and my modem. Why would you do that? Well, there’s some reason why you might do that. It reduces your attack surface. Fewer things that come into touch. It’s only when you touch… those other three, or other two, interfaces at that point.

      I say all that just to say that we’re moving pretty fast in technology, right? When you think about your parents, my parents, and even younger people too, right? We don’t all have a cybersecurity background. In fact, the majority of the world doesn’t. When it comes to putting up a network at home that’s going to include a camera that, if breached, could what? Well, lots of things could happen.

      Chris: Yeah.

      Jared: We could talk about that, but that’s … So anyway, to answer, before I jump into any of that, to answer your question, I do think that we’ve moved pretty fast in terms of technology and in IoT. There are a lot of things deployed now. Your car could drive itself. It doesn’t in most cases yet, and the reason for that is legal, it’s safety, it’s security.

      I think there are a lot of good reasons why we have had to slow down the adoption in certain industries, but the technology is there. Your car could set up an appointment with a mechanic. All of those sorts of APIs, and backends, and things do that type of stuff now. It’s essentially available, it’s just not being fully realized quite yet, for probably a lot of good reasons. I think there’s catching up we need to do in terms of security, both on the software, the network, and the human side.

      Chris: That sort of leaps into my next question. Obviously nothing is completely safe, but in your opinion, has the security industry, or IoT manufacturers in general, kept up with what you think are the potential security issues inherent in IoT? Obviously that’s a hard thing to say across the board, but do you think people are taking it seriously?

      Jared: I would say yes and no.

      Chris: Okay.

      Jared: Can we do things safely and securely in almost any domain? Generally speaking, yes. We sort of know how. There’s generally the capability, in almost every case, to … Like you said, nothing is ever 100% secure, both in the physical and in the digital world. But do we know how to do things, essentially, properly in most cases? We do. There’s just not always effort, there’s not always budget, there’s not always, maybe, training, there’s not always know-how.

      Let me give you a couple of examples to start making it more concrete. When you think of things like, there’s something called Android Things, and it’s a framework that Google has put out to help you create IoT devices based on a standardized framework. If you’re using a best practice framework from Amazon, or Google, or something like that, to create your IoT widgets, whatever they are, whether they’re little sensors in a drain field or a water tank. It could be anything, right? I think you can do that right. I think there is technology, and there are frameworks that, essentially, are available to make that relatively secure.

      So that’s kind of the yes part. The no part is, generally speaking, that’s often not being done. We need to think about the average, cheap, SOHO device from the east. You think about your cheap home router, your cheap camera, that type of thing. They’re not that. They didn’t use that framework. They are basically a cobbled together mess of code based on some old version of Linux. There’s some PHP, and some Python, and some C, and some bash scripts, and Perl, and everything, kind of, all cobbled together, so that they end up vulnerable to common OWASP Top 10 things like command injection. If you read some of the blogs we have on the website, we talked through some of the vulnerabilities we’ve identified in wireless cameras, for example.

      Chris: All right. I guess what that sounds like to me is, whether it’s just extreme penny pinching or not, it seems like to do things security compliant requires some outlay of money that not everyone who is manufacturing things is willing to do. Is that right?

      Jared: That’s right. There are three things that come into play, really, when you think about security. There’s, essentially, the budget part of it, which is: are we willing to spend some money to follow an SDLC, to hire a security engineer, to conduct a third party pentest? There is some budget associated with that.

      There’s also a knowledge gap, right? Do we even know what an SDL is, or why we should follow one? Do we even know how to interpret the result of a pentest? Do we even have people on staff that speak the right actual geographic language to talk to people that could help us? And in that type of thing, there are a lot of practical, cultural, and monetary things that definitely play into security.

      The biggest other thing that’s always, unfortunately, at odds is convenience versus security. That’s always at odds. There are almost always some trade-offs, like “Well, if we just didn’t lock the car door ever, we wouldn’t need a button that would unlock it.” And that would be easier, that’d be easier, right? For you and me. Walk up to your car and get in. You wouldn’t have to bring your key to start it ever. And it would be a lot less secure.

      Chris: Yeah. You’re going in the wrong direction of the solution there.

      Jared: Yeah, and there are usually spectrums, right? There’s the left side, which is like ridiculously insecure, nobody does that, and there’s the right side, which is you don’t have a car, because that would be more secure than owning one. Well, okay, but then you need one, so there’s gotta be something in the middle, and it almost always is, in every case. There’s always a happy medium in every domain that’s reasonable, that’s in budget, that makes sense, that’s easy enough for people to understand how to operate. But finding that middle sometimes takes a little bit of effort that, if you’re rushing something to market, you’re not willing to spend to find that.

      Chris: Let’s talk sensational for a moment. What’s one of the most surprising IoT hacking success stories you’ve seen? What was the most surprising chain of events you saw from someone hacking a seemingly unsafe device and reaping huge rewards from it?

      Jared: Oh gosh, there have been so many. From personal things that we’ve seen, investigations that I probably shouldn’t mention, right? For client confidentiality and that type of thing.

      Chris: Sure.

      Jared: There are also the more public things that you’ve heard about, like the Mirai botnet that took advantage of, essentially, an open telnet port login with no credentials, and so it was a very … Is that a hack? Just log in with no credentials. I guess that’s a hack, you’re basically just logging in. People call it a hack.

      But the thing that was interesting about that was the scale at which it took place. They amassed this army all across the world. And then they could do what with that? Well, lots of things. You could make them all mine bitcoin, or you could DoS some target, or you could distribute malware, or spam. You essentially have an army of drones at your disposal that you could resell or monetize in some other way.

      One thing that’s really interesting in the IoT space is scale. The fact that many of these things are online, so if you do find a vulnerability in a widely deployed camera, or mobile, or car, or whatever it is. All of a sudden, in the physical world, maybe I could only take one person’s car if I wanted to steal their car. And maybe there’s risk associated with that too, both just personally, and maybe the owner is gonna see me doing it or something, I don’t know.

      But if you’re sitting on some island somewhere, and you could take over every type of a certain car from a vendor, or brand, or something, if we found a vulnerability. That would be wild, right? That would be a scale at which we haven’t seen things. That’s probably one of the things that we will continue to see in the IoT space, is that if there is a breach found in a watch, or a phone, or a camera, Google Glass, or whatever it might be, look out for the scale and impact of that, right?

      Chris: I want to jump ahead to a question I had saved for later. What are your thoughts on some of these sensational headlines that we see, like “Hackers could hack your pacemaker, or drive your car into a ditch,” or things like that? Do you think the emotional pitch of these stories is actually helping readers be more secure, or is it appealing to the freak show side? Are these things the scale that they make it look? Can a hacker really hack your pacemaker?

      Jared: Yeah, I think there’s some value in the television shows that sensationalize some of the hacking events. Of course it’s not really that fast. That’s one of the things we always complained about as hackers, right. They’re like, “On TV they can,” and he’s like, “I’m bypassing triple firewalls from… ”

      It’s selling statements that aren’t true and just sound ridiculous to anyone in technology. But, you know, there’s some value. Some of those shows have gotten better, right? They’ve started to get more consultants to make sure that they’re actually using real pentest tools and that kind of stuff.

      And so I think that, essentially, you’re training the masses. If you’ve got some television show that has better tech writing behind it, you can actually teach people about some of the risks associated with poor passwords, or IoT, or whatever it might be, whatever the thing is talking about.

      There’s some value in that, and then likewise, you were talking about medical in particular, right? Talking about hacking some medical stuff. A pacemaker, or-

      Chris: … Or like a self-driving car or what have you.

      Jared: Insulin pumps were a big one that was mentioned. When you’re a black hat, for example, you could dump somebody full of insulin. If they’re a diabetic, then…

      Those in particular, I don’t really think they were over sensationalized. They were actual vulnerabilities, they were demonstrated. Thank goodness that the researchers who found those vulnerabilities were white hats and reported them responsibly.

      I think in the medical space in particular, to me it falls into a kind of IoT space, right? You think about some kind of machine at the bedside of a patient that is connected in some way or another, that dispenses medication or receives or transmits data about their health in some way, or something like that.

      If those go down, if they crash, if they get booted, if they have a vulnerability… Again, think about the scale. What if you could attack every patient lying in a certain type of bed by a certain manufacturer? I think there’s real risk there.

      I think that the researchers who have done some of the work have really tried to get these companies to do more and care more and learn more about security. Some of them have, and some of them have been, “We don’t see the problem in that,” or “We don’t think that anybody’s going to do that.” I think there’s a need in general.

      It’s kind of an off-topic subject, but when you think about, for example, some of the car hacking data that came out a while back and made some headlines and things. Some people say, “Well, on one hand that was really irresponsible, because they didn’t give the vendor appropriate time to patch.” And other people say, “On the other hand, if they hadn’t brought it up to the media, that particular vendor would have not fixed that, maybe ever, or certainly not in a timely fashion like they did, because you put their feet to the fire, so to speak.”

      I think there’s really a place, an appropriate and balanced place, for researchers to be able to publish this kind of research and let people know what’s going on, because otherwise I think people … I guess they just naively assume that all smart TVs are the same, security wise, and that’s just not true. Just like it isn’t for vehicles or anything else. Some are more secure than others, and I think consumers would like to know which ones. Wouldn’t you spend, if you knew a TV was 800 dollars, and the other one was 900, but you knew for sure the 900 dollar one was more secure, wouldn’t you buy that?

      Chris: Absolutely, yeah.

      Jared: Well, we don’t know how to know that. There are a few people that know. Maybe the pentesters, if you did both those companies with a pentest, maybe you would know, but generally you wouldn’t know that.

      Chris: Yeah. You had said something that intrigued me. You mentioned that certain of these TV shows, and I think you mentioned scripted dramas where they talk about hacking, could be used as an educational tool. Do you feel like there are any TV shows or movies that have come out recently that have sort of nailed the hacking experience, or the security experience? Because I know, like I say, there are a lot of the flying fingers ones, and the pull up in 3D and rotate the body, and stuff like that. Any one really stick the details well, you think?

      Jared: To me? Not really. I think they all still … The focus of any drama is on the drama, it’s on the humans. It’s all sort of dark and scary, or there are some love scenes. It’s not real life. Pentesters, we’re doing a job, right. We’re working with our customer. It takes days, weeks.

      It’s not like there is all this ridiculous TV drama happening every minute of every day, so no. I would say that none of them really captured the essence of what it’s really like to be a pentester, but one that I think a lot of people do reference that had better writing behind it, like Mr. Robot, is one that comes to mind. Some of the details, when they’ll show a screenshot of Kali Linux, and it’s an actual real command that a customer might type in. There have been ones like that where I think they’ve done a better job of it. At least when they do show technique, they are realistic.

      Chris: Speaking of pentesting. On your website, on VDA Labs’ website, a writer named Michael Fowl wrote, “When considering where to spend limited penetration testing resources, most organizations and penetration testing shops focus on the typical mix of servers and workstations normally found in every organization. While this is a necessary area of focus, other things, like that IoT device sitting at the edge of a network, can be quite the playground for hackers that are willing to do a little reverse engineering.”

      Do you feel, in general, that this is a strategy that pentesters should be using more in the future? Should they be spending more time examining the vulnerabilities at the edge of the network?

      Jared: Yeah, definitely. I guess to try to expound on that, I mentioned earlier that, unfortunately, a lot of pentest shops don’t do that good of a job. You get one junior tester, he doesn’t have a team or support, and you thought you were hiring big company A and you got junior person Z. And they give you a real bad pentest report, and there are a lot of reasons for that.

      I think that this is one of them. They haven’t spent the time. They don’t have a senior staff. They don’t have a teamwork situation where they thought they were researching, looked at IoT vulnerabilities, where they know how to audit web apps properly, where they know how to abuse, even maybe in certain cases where they have certain types of security in place, like multi-factor on, we can sort of maybe trick that under certain circumstances if it wasn’t bold outright, or keeping notes. I highly recommend, if you can, using this assumption.

      I think that this, knowing about IoT, and using that as one of the actual factors. Hackers will find the thing that’s really going to work, and it’s kind of what you want a pentester to do. You want them to look for, not just run tool A because tool A is widely understood, you want them to really kind of understand your code, and your network, and your devices, and your exposure, so that you can be safer.

      Chris: Let’s sort of look to different sectors of society, or whatever, that use IoT devices. First, what policies do you think enterprises should be enacting in future to ensure that their IoT devices and other seemingly innocuous parts of their network can be safer?

      Jared: I guess IT shops in general, or any home user, or anybody who’s doing anything with IoT, it’s Security 101, is how I think about anything, really. Does it update itself? No? Why not? Well, it just doesn’t. Well, that’s too bad, right? When is the last time you’ve updated the firmware on your home router?

      Chris: Right.

      Jared: Never. Well, and it doesn’t do it on its own, so that’s vulnerable. That type of scenario is sort of a bad scenario, even being investigating products that maybe do. There are products that are now forward-thought a little bit, and they do update themselves, and that’s a good thing.

      Kinda making sure that you understand enough about the technology to know how to play it safely. Maybe you segment it, there’s that camera … What’s the one big, I don’t know, any kind of installation, university or whatever it is. Do the building controls that control HVAC need to be on the privileged IP network for your communicating controllers? Probably not. They should probably be on a separate segment. Maybe if they need to be managed remotely, which is kind of scary if they do, there should be whitelists of certain IPs and two-factor auth.

      So really it’s stuff that we’ve known about for 20 years in IT. I call it Security 101, that I would hope many businesses know about. Not all do. I would say 50-50 on that. It’s even less likely that your average home user, if asked to do some advanced configuration, they may not know how to do that.

      That’s kind of a problem, and one of the solutions, I guess we’ll talk about it, is having a device to sort of help you and give you some assistance.

      Chris: Okay. Anything specifically for individuals? It sounds like basically the same thing. You just need to know what you’re buying and what it can do in terms of firmware updates and things like that. Are there any publications or anything that, sort of, critique IoT or home devices to let people know which ones are more secure than others?

      Jared: I don’t know if there is an exact list of that, because there are so many devices out there right now that I don’t know if there could be a secure configuration guide for everything, but trying to find it would be important. So making sure that you have good encryption and authentication set up on your primary Wi-Fi router, if you’re a home user, so that your devices that are going to connect to that are going to be secure.

      Maybe… BSSID hidden, super long key if you have to use a pre-shared key; another, certificate-based way could be better. And knowing enough about how to set up wireless in particular, because it seems like most devices are wireless… Whatever smart grill or something like that, it’s probably going to be wirelessly connected.

      Knowing how to set that up properly is good. Keeping them updated, keeping them patched, is reducing any unnecessary risk. For example, I went to a small dentist office not long ago and the dentist was bragging. I heard him talking when the patient left: “My Wi-Fi is so strong I can access it from the next block over.” I’m thinking, why do you want that? It should be limited to this office. That’s horrifying-

      Chris: Yeah.

      Jared: It shows that there’s a real lack of understanding about what’s impressive and what’s not.

      Chris: Mhm, mhm. I ask this of a lot of guests. If you had a magic gavel and were able to enact a passel of legislation aimed at making IoT or smart devices, or what have you, more safe from hackers, what would you propose as universal legislation, if any?

      Jared: There is something called CyberUL, or industries.ul.com, cybersecurity… Those are all trying to bring some of the same standards to cyber and in code that are in toasters, basically, kind of electrical safety standards, and the idea that my toaster shouldn’t shock me. There should be some basic electrical engineering body that’s run on credits, those devices to make sure they are essentially safe for home use.

      We don’t even have that in any kind of code. You can write an app and publish it in an app store for anything, essentially. Legislation forces you to use a secure development life cycle, for example. Some basic legislation around “Yes you should use SCL, yes you should train your law firm, yes you should get a third-party audit.”

      Now, there’s going to be a lot of hardship through that, right? In the sense that well, that’s going to force small businesses or something to a higher cost … entrepreneurs, or maybe it’s difficult for kids to make an app on a game for mobile… start trying to do that, or maybe it’s going to… Somebody could claim that they followed all that but they didn’t really get a very good pentest at the time. They got the cheap one or something.

      I would say that nothing’s ever going to be perfect in this phase, but at least setting a standard that says “this is what we generally expect” out of these products, and if you’re going to write code, it should be … we should know something.

      I think that’s healthy, not overdoing it. I wouldn’t want to go heavy-handed on any kind of legislation, where the government’s in your books, looking at every line of code. That would be ridiculous and it wouldn’t do them well, and then it would become obtrusive and expensive.

      Some lightweight process that’s … It’s not formally legislated, at least consumers know that you didn’t do this. There’s a stamp on your product that says-

      Chris: Yeah. Some kind of a consumer bureau for certain standards or something.

      Jared: Yeah. You chose not to do, investing in security and IPSEC, so, I’m not going to buy your stuff.

      Chris: Right. What do you think the future of IoT hacking is? Where are the hackers looking for next, and what do security people have to be extra vigilant in monitoring going forward?

      Jared: Good questions. I think a lot of it is scale. A lot of it’s updates. A lot of it’s similar things in any other space. Authentication. Encryption. Authorization. Situations where you install a mobile app on your phone for your car, for example, and it turns out that that mobile app doesn’t have a vulnerability that you could be vulnerable to, but the mobile app itself is insecure in a way that it would allow somebody to access data on your phone in another app, or something like that.

      So, you’re sort of weakening the security posture of your … There are so many things that could go wrong. From physical things to … From the actual physical device, imagine the car side if you will, or the device side, or more of the app side, or the server side, the backend. I think we’ll see problems and challenges, like we have throughout, across the board, big exposures of customer PII, if the backend gets breached.

      Imagine if for that padlock scenario, you’re putting your fingerprint just so you can open your gym locker. That saves you, I don’t know, 10 seconds, not having to put in the combination to your gym locker. If you do that every day, 10 seconds times 5 times your life, I guess that’s significant time savings. Makes your life more convenient, that’s nice.

      But you’re giving up something, your fingerprint, and if that backend were to get breached, then, that stinks, now hackers have that. Maybe your fingerprint is useful also for your front door, or something else. We see a little bit of a lack of understanding still, across the board where people aren’t sure. They might think “well, it’s just a padlock”. You know what I mean? It’s like they have that mindset. Instead of “Well I don’t care if somebody were to hack my camera because it just looks at my front door.”

      Chris: Right.

      Jared: But it’s also on your network. You keep your books and your home business on your network. You know what I mean? Or whatever it is that’s … probably more on your day on your network, and who knows what they could do with that outside of audio visual snooping, but beyond, he could possibly use that as a launch point to infect your neighbor, or, who knows what, by you not caring about your privacy and security, because some people don’t care about privacy or security one bit. That’s weird. I don’t understand that but, okay. If not, do you at least care about the security of others? Because your lackadaisical attitude can cause others to become breached, and other data lost because of that, using your access as a total. I think people have more data and more important things with them than they realize. And so, we kind of think through that a little more. I think that the types of things that we’ve seen. Everything from personal attacks, to more broad company exposures, to who knows what other sort of physical damage can be done through IoT.

      I think as a society we’re still exploring what are the real dangers, and what is the appropriate level of scientific method. It’s at a reasonably safe level knowing that you could trip down the stairs and die tomorrow. We’re never 100% secure, but, we shouldn’t be negligent.

      Chris: Alright, and on that note, I think we will wrap it up. Dr. Jared DeMott, thank you for being with us today.

      Jared: No problem. Thank you.

      Chris: And thank you all for listening and watching.

      If you enjoyed today’s video, you can find many more of them on our YouTube page. Just go to YouTube and type in ‘Infosec Institute’. Check out our collection of tutorials, interviews, and past webinars.

      If you’d rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Please visit infosecinstitute.com/cyberspeak for the full list of episodes. If you’d like to qualify for a free pair of headphones on the class sign-up, podcast listeners can go to infosecinstitute.com/podcast to learn more about this offer. And if you’d like to try our free securityIQ package, which includes phishing simulators you can use to fake phish, and then educate your colleagues and friends in the ways of security awareness. Please visit infosecinstitute.com/securityiq. Thanks once again to Dr. Jared DeMott, and thank you all again for watching and listening. We’ll speak to you next week.
