The Insecurity of Things

Now obviously it would be remiss of us to have a security stage without talking about hacking, and of course we're always aware of the fact that our devices and our software can be fraught with vulnerabilities. So it's brilliant that we are now going to have a brilliant conversation with Amit Serper, who's director of security research at Sternum IoT, to talk about these real vulnerabilities, both in the hardware and in the software. And joining him, of course, will be Zack Whittaker, security editor of TechCrunch. A round of applause, everybody.

Thank you so much. Welcome. It's lovely to see you all here. Welcome, Amit.

Thank you.

Nice T-shirt, I love that.

Thank you.

You've already had quite the career in security research. You've discovered hack Telos, you have investigated adware, you helped stop the NotPetya cyberattack in 2017 as well, and now your expertise is focused on smart devices, internet-connected things. Where did your curiosity for IoT hacking come from?

So before I was working for security companies, I spent a lot of years... Obviously, if you can hear my weird name and accent and everything, I am originally from Israel, and when I was in Israel I spent nine years of my life in the government, at a government intelligence agency. And this was the beginning of the previous decade, I want to say, and routers and such things became more and more prevalent all over the place. Up until then a router was like this big complicated thing that usually your internet service provider had, or a big network had, and most houses had like one computer and they were connected directly to the internet. But then as technology progressed and became cheaper, and, you know, the iPhone came out and people started having Wi-Fi on their phone, they needed to have a router at home. I was very curious, and I was looking at those things like: this is a little computer that has all of the network's traffic going through it. Can we do something to it? Can we gain access to it? Can we shape the traffic? Can we affect the traffic? And that's how I became really focused on those things, and I used to take them apart and learn how they work, and basically they're small computers running Linux.

So tell us a bit about the work that you do now at Sternum.

Yeah, so at Sternum, basically what we do is we are a product company, and we have a product that actually makes those internet-connected devices... and again, it could be anything from your home router to a really complicated industrial controller of some sort. Doesn't matter if it's running Linux or some kind of a real-time OS, we have a solution for it. And basically what our product does is you deploy it on this piece of hardware, and from this moment on it monitors everything that's happening on the device, especially with regards to things that affect its security and integrity, so memory allocation, disk writes, and so on. And we can actually detect vulnerabilities and exploits before they happen, and we can mitigate them. So if you, for example, have a device that's vulnerable, whether it's at your work, at your home, whatever, at that point you're at the mercy of the vendor to release a patch. And sometimes they release patches, sometimes they don't. Sometimes they release a patch very quickly but you don't know how to deploy that patch, because it's not always a straightforward thing such as, you know, double-clicking a file on your computer. So if that device comes with our technology inside of it, it kind of lowers the panic threshold on patching, and the vulnerability can be mitigated just by virtue of having our product installed on it, and that gives the vendor more time to react accordingly.

So then why do bad actors target IoT devices?

Because it's easy. Because there's no security there. It's great.

Folks, my... were you expecting a longer...

I was, I was, but that's kind of the thing, isn't it? These devices are so ubiquitous, they're so out there in the world. You can buy them off the shelf at your Best Buy, at your Target, and these are devices that come with vulnerabilities off the shelf.

Yes, and the vulnerabilities are there for many reasons. I mean, it could be because of shoddy programming, but it could also be because oftentimes the software stacks on those devices are ancient. For example, there's a device that I'm looking at right now. It's a brand new device, it's meant for electric vehicles, so it's literally the technology of the future, but it's coming with a software stack from when I was in high school, and I'm almost 37. So it kind of puts things in perspective when you look at this device and it's running a Linux kernel from 15 years ago. It's kind of crazy.

So then folks might think about smart devices, the smart plugs they have in their house, the smart lights, the smart bulbs, and think: I don't care if the lights go on or off. What does the risk really look like for those who are unaware?

Yeah, so that's a really good question, and unfortunately, or luckily for our conversation, there are examples. So I think it was in 2016 or 2017 where half of the internet on the East Coast of the US was sort of down, because a bunch of internet-connected devices such as security cameras, Roombas, whatever you want, got taken over by attackers. And those devices, because again these are little computers, they have a CPU, they have an operating system, they have an internet connection, so once you can write code on those things it's as if you control a regular computer. And these devices were used to basically DDoS Dyn, which was one of the biggest DNS providers of the internet, basically rendering one of the core components of the internet on the Eastern Seaboard kind of useless. So many websites went down, Spotify went down, I think Reddit went down, there were banks and organizations that were relying on Dyn that went down because of the cyberattack of a bunch of Roombas.

A bunch of Roombas. So just recently we saw the excellent research that you did on a popular smart plug which has an internet connection and can be remotely switched on and off via an app. You disclosed the vulnerability to the company, but my understanding is there was no fix that they issued, or at least not yet.

Yeah, so that was interesting. So what happened is we took this device... and one of the things that we're doing in my team is we're looking at popular devices, and we're saying okay, if this is a popular device... and you can gather that information from a lot of places, by the way. If you go to a device's page on Amazon and you look at the amount of reviews, that gives you a good number. And so we take these popular devices and we take them apart and we start looking at the firmware, which is the code that actually runs on the device, and we analyze it, and usually there are really bad vulnerabilities there. So bad that I have a very intimate relationship with those vulnerabilities; I have one of those tattooed on my arm. And we often find them fairly quickly, and then we say okay, if this is a popular device and we have a vulnerability that we can exploit and we can trigger and we can run arbitrary code on it, what could be the ramifications of it? So we found a vulnerability like that on this popular smart electrical plug, and again this is a product that was meant for people to... you know, if you have a lamp or a fan or whatever and you want to remote control it from your phone, you just plug your device into that device and you plug that into the electrical socket, and there you go. So we disclosed this vulnerability to the vendor, and the vendor said... and it took them a while to respond. They were working with one of the bug bounty companies, and we disclosed this vulnerability through one of those companies, and haven't heard anything from them for, I want to say, three weeks. And then I was at a conference in DC and the CEO of that bug bounty company literally sat next to me, and I was like, oh hello, good to see you here. He was like, hey, how's it going? And I'm like, you know, I may need your help. We disclosed this thing, we didn't hear back from the vendor. And he just tapped his phone, and a day later I got a response, and the response was: this product is end of life, we're not going to do anything with it. Now, this company never bothered to tell anyone that this product was end of life. It's still being sold. I mean, I went to Best Buy like a month before and got it.

I have these very same devices in my house.

Yeah.

Did you ever get a notification?

Did not get a software update, no, not at all.

Well, now you know this.

Now I know this. But what I find so bizarre about this is that these are not old devices. These are two years old, three years old max.

Yeah, yet it still seems like there needs to be considerable encouragement from security researchers to try and get these security issues fixed.

Yes, so you know, I imagine that when you disclose such a thing they would at least acknowledge it or say okay, we will release an out-of-band patch, and it didn't happen. When that didn't happen, the press, you know, covered it, you covered it too, and that caused a lot of ruckus over on social media, especially on Reddit. Like a lot of people on Reddit were like okay, I'm done with this company, I'm not going to buy anything. It was like a lot of... we were just, you know, sitting at work and just watching, like, oh my god, did we do that? It's like this meme with the house burning down and then there's this girl smiling to the camera. So that's sort of how we felt. And I think a day after all of the media covered it, they actually issued a response to The Verge, I think, and they said, oh, following that publication we're actually going to issue an out-of-band patch. I don't think that patch was released until this very day. It's been, what, six months?

I still haven't got an update on my phone. I checked this morning, still nothing.

So, good job.

So there will be folks in the audience now who might be in a situation where they are at a company, a startup, they find a security issue, maybe they face some internal company pressure to ignore it to meet deadlines, to meet a milestone. What advice would you give them?

It's kind of a tough question. I mean, would you as a developer, as someone who's passionate about security, would you lose your job over it? I don't know. I don't think it's my place to give this advice. I can only give advice to those companies: if your product is popular enough, there are a lot of curious people like me, and some of those people are way smarter than I am, and they can come up with vulnerabilities and exploits pretty quickly. So I think that it's in the best interest of those companies to actually work with the research community, work with companies that do security research, have bug bounty programs. But even if you have those programs, stand behind your own products if someone is disclosing a critical vulnerability that affects an entire product line. Because we believe that the vulnerability that we found, the one you talked about with the smart plugs, this is only one product of this company. They have a few other products, and they share a lot of the components, a lot of the code, so we believe that the same vulnerability affects other products from the same product line. And if at this point you're like, oh well, you know, it's end of life, we don't take care of it anymore, then what's the point of having a security program? What's the point of having a bug bounty? Like, why are we pretending? So this is extremely frustrating for me as a security practitioner, because I care about those things, and a lot of other people care about those things, and no one else cares about those things, especially not the vendors. So this is kind of a weird situation.

Then who is responsible, ultimately, for Internet of Things security?

Well, I think that the responsibility lies with the vendors. I mean, let's say that for a moment I am one of those companies, and I'm creating this smart plug. I have the option of creating a brand new product with a modern software stack, but of course it's easier for me to go on GitHub, or to go to an older solution that was made years ago, or with an older software stack that's full of vulnerabilities. That would be easier for me as a company, the time to market would be shorter, you know, we're dealing with a software stack that we know. But if I am as a vendor pushing a product with a Linux kernel from 15 years ago and with a bunch of libraries from 18 years ago... and this is all taken from examples, some of them I even told you about in person... I will be in the wrong here, and if there will be a big hack which will be a result of that negligence, then I think that the vendor should be responsible for that. And there should be, I think, regulations, just like you have regulations on seat belts and airbags and other things that keep you safe. I mean, this is 2023, almost 2024. Those things that are surrounding us can be used against us.

Yeah, I want to stay on that point, really, because, you know, as we know, IoT security has historically been largely a trash fire, and security these days is not much better, I think is fair to say, to some extent. At this point, should IoT security face that regulation from government, so that there is at least a baseline level of security standards?

Absolutely, and I think it's starting to happen. For example, with medical devices, which is something that at Sternum, at our company, we're dealing with quite a lot, there is new regulation that is requiring from the makers of various medical devices to have certain security standards and protocols and such, like our product, for example. So you do see that starting to happen. But you know, even if you have this regulation, and even if you have rules and laws and whatever, how will you enforce it? Like if you go on to Best Buy and you buy a device with a default password that can't be changed... yes, this happens. I mean, who are we blaming here? Who is going to be responsible? This unnamed company in China that makes these products, and they don't respond to emails when you tell them that they have security issues? So I think that, again, the responsibility should lie on the vendor, but we as consumers, if these are consumer devices that we're dealing with, or if we're professionals and this is some kind of industrial control thing that you use, I think that we all should be aware and vigilant to these devices and the risk that they might introduce to our environment.

A few weeks ago on Mastodon you posted that a particular device was, I just want to quote, "one of the worst things I've seen throughout my career," which sounds like it's saying a lot. You're now in that disclosure process. Why was that one of the worst things you've seen?

Yeah, so all of the examples that I gave here in the past couple of minutes... so it's all of that and more. So for example, this is a device, and I'm trying to be careful here because we're still in the middle of a disclosure process, so this is a device that you plug into an electric vehicle, and this device is very prevalent. So you could buy this device for your home, right, but there are also public instances of that device. And all of those devices share the same code, and they share the same authentication keys, meaning if you have one device, you took it apart, you managed to get into the firmware and take the authentication keys from the device, you can connect to each one of those thousands, if not more, of the available devices out there. And you can also connect to the company's network with those authentication keys and allegedly do really bad things with it. These are devices that are, you know, connected to high-voltage power. What could possibly go wrong? And as I said, we're in the middle of a disclosure process, but it was honestly just one bad thing after another, after another, after another. And at one point I even told my bosses, when they were like, okay, are you continuing the research on that thing, and I'm like, you know what, I could, but I don't see the point. It's pretty bad as it is. So I'll have another two really, really bad critical findings, I mean, okay. They first need to respond to our emails.

Yeah, so have they responded to you yet?

So we disclosed it, I want to say, a little over three weeks ago. They responded, I think, after a day. They were like, oh, thank you so much, we'll go through it, and there was a list of people on the thread, and it's like, oh, this person will reach out to you, this person will reach out to you next week. It's been over two weeks, I haven't heard from them. So it's going great.

So, going great so far. So that's an example, perhaps, of a company not doing IoT security that well, or could be doing better. In your experiences, and your kind of background and what you've seen over the years, which companies do IoT security right, if any?

Some are trying. I mean, you know, the company that... I mean, the one we talked about with the smart plug, can I say their name here?

Yeah, it's published.

So Belkin, Wemo. So I remember when I bought their first version of this smart plug, I was actually surprised by their firmware update process that is almost hands-free. Like you'll have a message on your phone saying, oh, there's a new firmware version, tap here to update, and you just do it and it updates. So that is good, that is a step in the right direction. You have some companies doing it, but usually it comes with a higher price point. So if you'll go to Best Buy and you'll buy, for example, a $30 router, don't expect much. If you opt into higher grade stuff, such as... like what I have at home, for example, is this almost office-grade level networking equipment. Their firmware update process is fully automatic. I don't even know that it happens, I just get an email: oh, you know, it was updated last night at 4:00 a.m. Okay, cool. So that is great. Usually companies that have had bad experiences with bad hacks or vulnerabilities will try to be better at it, but unfortunately there's no golden standard. I can't tell you, oh, you know, company A is amazing, company B is eh. They're all kind of bad.

And to your point, though, there are, you know, medical devices that have to meet that particular threshold of US government standards, so I think some of those potentially are doing better.

Yes, but those requirements are pretty new, like they're maybe a year old, maybe.

And so that will take time for things...

Yeah, so it takes time until it comes down. And you know, there's also... the field that I'm in is kind of weird, because it's very important, and people understand it's important, but it's also kind of hard to sell. So I hope that these regulations will make it easier to both explain how severe the problem is and also help companies such as ours exist, and help other companies be more secure. So it's sort of like a symbiotic relationship.

I think that, you know, over the years there have been plenty of devices with an internet connection that probably shouldn't have had one. Can you give us an example of a few devices, maybe, that should not have an internet connection? I think having an internet-connected device, you know, increases the attack surface dramatically.

Yeah, so a lot of devices... I mean, by saying internet connection, I mean a lot of devices can connect to a network, wireless, ethernet cable, whatever. At the end of the day, it's TCP/IP packets going from side to side. I think that when you're saying should not be connected to the internet, it's literally that they should not be accessible from the public internet. And unfortunately there's like a million examples. There is a really good talk from a few years ago by a friend of mine, his name is Dan Tentler. He had a talk about wild things he found on Shodan.

Shodan Safari.

Exactly. And you know, he found everything from people's smart homes to huge controllers that control dams, or traffic lights, or, I don't know, webcams in offices, barriers that pop out of the ground. So a lot of those things are connected and no one cares. It's incredible how simply nobody cares. You would expect that someone would care. No.

What would get people to care more, besides potentially the worst things happening, cyberattacks and hacks?

I think that worst things happening... I mean, look, if you look at what happened in Ukraine in 2017 with NotPetya... while I was involved in that, and I found a way to stop it, and I was in touch with the Ukrainian authorities back at the time, I didn't know until I read Andy Greenberg's book, Sandworm, I didn't really know what the ramifications were that happened there. So things didn't work. People wanted to go to the ATM to get money, that didn't work. People wanted to take the train, that didn't work. So once those things affect our lives... and those things happen in other countries, it just didn't happen here yet.

Well, there were a few small ransomwares, and I think here in San Francisco even there have been a few.

Yeah, yeah, of course. But until something really serious is going to happen, I think that we're all still going to be sort of casual about it. I mean, a couple of years ago in Massachusetts, where I live, there was a gas pipeline explosion, and people's gas ovens exploded, and people started saying, this is a cyberattack, this is a cyberattack, which it wasn't. But what if it were? What if it was, or what if it will happen again and it will be a cyberattack? So that's sort of something to be scared of, I guess.

So with just a minute left, really, on the clock, what advice would you give to device makers? What common flaws or errors are they making?

How much time do you have? When you develop your product... just don't. Because a lot of those products are using third-party libraries or code that was written by other people, or even open source code that they're not really supposed to use. But I don't know, for some reason they always use the most vulnerable code from ages ago. And even this product I'm looking at right now, it's using some piece of code that was taken from a repository online. Again, brand new product, connects to electric cars, and it's running a piece of code from 2006, while the same person who maintained this code supported it and released new versions until 2008. So, why? This is something I really don't understand. So I think that the most important thing is: use recent code, audit that code, look actively for vulnerabilities, perform pen tests, don't wait for people like me to embarrass you, because you're going to have a bad time. So I think that this is the best advice I can give. And also there are companies such as ours, Sternum, that have solutions for those things. So also, if you don't really trust your code and you think that you can't really handle it well, go to someone that can help you with it.

Heed this warning. Thank you so much, Amit Serper.

Thank you. Thank you.
