Momenta Insights

Insight Vector:  Looking at IoT Security From an Auditor's Perspective

Written by Ed Maguire | May 3, 2018


Innovation and market perspectives from leading IoT innovators

Momenta Partners’ alliance partner ISE specializes in security audits for both enterprise and industrial clients and our conversation provided just a brief overview of the deep, comprehensive work they do. Contact us for further information on how Momenta and ISE can bring a secure, comprehensive business and product strategy to your business.

Ted Harrington,

Executive Partner

Independent Security Evaluators (ISE)

 

Can you share a bit of the background of ISE?

Independent Security Evaluators has performed security evaluations, assessments and research for over 13 years. In security this is many lifetimes! We’ve contributed a considerable amount to research in the industry. Most recently we’ve focused on medical devices, connected devices IoT, mobile phones car hacking, election hacking and others.  We’ve matured from a couple of 'cook' hackers – we still have the same foundations of trying to figure out how attackers break things so we can fix it. Our mission is vocal activists. We organize innovation events at RSA, DefCon and others. We are industry advisors serving on working groups and trade associations helping to write standards. 

 

How do come up with topics for security research?

We have both a research practice and consulting practice which is revenue generating.  In consulting it’s customer driven.  We start with the problem first and work backwards. One example comes from passive medical devices.  We wanted to understand how an attacker could hurt or kill somebody. The worst outcome from hacking systems in the past was stealing credit cards or crashing a system, but the worst possible case of all is killing people.  It’s either transportation or health care as the likely sector, and we developed studies to explore this.

 

What are some of the insights that have been significant over time?

One thing we’ve observed is that it’s not that there are new vulnerabilities.  The root problem is that the principles of secure design have remained static for decades.  With innovations there are business decisions to move away from these principles.  With the adoption of cloud, connected devices, Bring Your Own Device, mobile devices – the desire to satiate market demand has been perceived as being in conflict with principles of security.  The exploitable vulnerabilities at the base level are the same violations of principles as when we started 13 years ago.  The problems are actually a human one.

 

What are some notable vulnerabilities or exploits you have found?

With cars, one of our first pieces of research in 2005 - way before cars had cellular or Wi-Fi connectivity. There’s a function called the immobilizer function between the onboard computer and chip in the car key before push button ignition to make sure someone didn’t copy the key at a valet.  We were interested in this and over a period we build a weaponized software radio that exploited a vulnerability in the system to start a Ford vehicle with a key made at Lowe’s. We have a funny video about that.

More recently, we researched medical devices.  There are active devices like a pacemaker and passive devices like glucose meters that react to the patient.  Most research is focused on active devices because it’s a logical connection to hurting someone.  People have not looked at passive because it’s not linear.  How would changing the readout on a patient monitor affect the patient?

We looked at the workflow around delivery of care to see how a surgeon would interact with devices.  We found how a remote hacker could exploit vulnerabilities in a monitor to say whatever the attacker wanted it to say.  It could result in prevention of care by sending fake data or the reverse, sending data saying the patient has issues triggering an unnecessary response.  If the doctor ends up losing faith in the technology this could result in wasted time or error-prone workarounds.  You could metaphorically push a button and make a physician do something.

We also organize the IoT Village at DEF CON – the annual security research conference. We have manufacturers donate technologies and we bring in people to research the devices and demonstrate zero-day vulnerabilities. We’ve been doing this for 3 years and have published 223 zero-day vulnerabilities across 51 device types from 50 different manufacturers. 

 

What are unique challenges around securing industrial equipment?
There are many, but I’d point at two in particular: One of the things needed is stability and uptime in Industrial IoT – downtime and maintenance are a challenge when you are delivering water or power.  Once something is working there is resistance to any type of change, including patching and updates.  Stability can manifest itself in adverse ways from a security perspective.

The second challenge for IIoT is when it comes to deployment of devices, there’s expectations of extremely long deployment life for devices. There are reasons such as amortization of devices, and an extension of stability. This is problematic because the attack landscape changes so fast.  Even two years ago the innovation of ransomware was new! To think there aren’t new types of attacks would be a naïve viewpoint. 

 

Any common misperceptions you see in the market?

The most common is how companies think about defending against adversaries.  All too often companies take a lightweight approach with scans, penetration testing, or compliance with some framework.  Many businesses meet the minimums without understanding how attackers exploit systems, most attackers are far more dedicated than those sorts of systems (scanners and compliance or pen tests).  This leads to a vast array of issues. Executives that don’t understand and support security thinking commodity approaches are effective when they are grossly ineffective.  There’s misplaced confidence in commodity approaches, low level lightweight, combined with a heavy reliance on products.  Companies think they have Anti-Virus, firewalls, anti-DDoS, IDS, IPS products – but they often are not integrated or coordinated. 

 

Quick suggestions how organizations can address their needs more effectively?

Partnerships are the key. We have talked to companies where people have said, “I don’t hire any outside security experts because I don’t trust any outsiders in my system”. Understanding how different partners can help is key. ISE performs security assessments.  We think of it as a toothbrush – people think of it but there is a huge range – from the cheap throwaway on an airplane to the high end sonic toothbrush with a subscription service based on high quality materials and deep science.  We understand the science, and it is still relatively inexpensive relative to everything else you spend money on.

 

Recommendations:

The ISE blog

Ted Harrington’s LinkedIn page

Momenta Partners encompasses leading Strategic Advisory, Executive Search, and Investment practices. We’re the guiding hand behind leading industrials’ IoT strategies, over 150 IoT leadership placements, and 25+ young IoT disruptors. Schedule a free consultation to learn more about our Connected Industry practice.