Andrew Lockley – Exponential Investor (United Kingdom) –
Pacemakers can kill people – if they’re suddenly sent haywire. Recently, hackers uncovered thousands of vulnerabilities in pacemaker software – so this is a real threat.
Luckily, there are no (known) cases of pacemaker assassinations – but Dick Cheney had his pacemaker’s wireless connectivity disabled in 2013, to prevent a potential attack. The fact that he took such a threat seriously shows that a dystopian future of lethal hardware hacking could be just around the corner.
This risk isn’t just about medical devices. Everything from domestic appliances to the power grid is potentially vulnerable. The consequences of a hack could range from the irksome, to the catastrophic. If you’d like a worst-case scenario, imagine what would happen if the Thames Barrier was lowered during a severe storm surge.
Today, we’re talking to a man who’s made it his mission to help secure the “Internet of Things” (IoT). I’ll hand you over to Yali Sela, chief technical officer of Nyx Security Solutions. He’ll explain the threats – and profit opportunities from neutralising them.
AL: Let’s set the scene… can you please explaining how the world of hardware security is changing?
YS: Nowadays, a lot of objects come with some form of connectivity – Wi-Fi, Bluetooth, and so on. The software operating them is vulnerable to hackers and viruses, in exactly the same way your computer is. Theoretically, all it takes is for a hacker to press a button on his phone to remotely shut a pacemaker off.
Similar attacks have already happened. Stuxnet, the virus that sabotaged the Iranian nuclear program, was a well-known example. It tampered with software operating the centrifuges, and destroyed a good deal of them.
To offer another example: last year, Johns Hopkins students hacked (in three different ways) into drones and made them crash. Cyber-threats for the IoT are “a thing”, and cybersecurity for IoT had better come up with something suitable to protect against them.
AL: Can you explain in a bit more depth: what exactly is the “Internet of Things”?
YS: IoT is a broad term that describes anything that’s not a computer, but still has the ability to communicate over a network. That would include routers; printers; pacemakers; drones, cars and airplanes; as well as pretty much anything in your Smart Home.
AL: What do you mean by cybersecurity, exactly?
YS: Actually, it’s a very broad field. When you mention cybersecurity, people usually seem to think about encryption – but that’s actually just a small part.
You know those Hollywood hacking scenes? They’re pretty far-fetched, but the core concept is real. Hackers exploit vulnerabilities in software – and these let them get into systems, or take control of them. A large part of cybersecurity deals in preventing these exploitation attempts.
Verifying someone’s identity is also part of cybersecurity – whether it’s a user being verified with a password or fingerprint; the website you’re connecting to being verified with a certificate; or checking that a document wasn’t modified by someone who delivered it to you.
There’s more, but like I said, it’s a broad field. It all happens in the background. This means that people don’t realise just how much security is actually involved in the simple process of, say, connecting to Facebook.
AL: And all that technology is connected to cyber-related news we see, such as high-profile cyber-attacks?
YS: Yes, exactly. These attacks originate with a person or a group that decides to achieve some goal – usually financial or political. They choose to exploit mediocre cybersecurity to achieve that goal. Anything from defacing or crashing websites, through ransomware, and all the way to Stuxnet – it’s all related to poor cybersecurity.
AL: Can you tell me more about Stuxnet? It’s probably one of the most famous cyberweapons.
YS: A few years ago, this tool was used to sabotage the Iranian nuclear program. The specific malware in that case used four different unknown Windows bugs to propagate through networks. In the end, it had to reach a network inside the nuclear facility that was air-gapped – ie, not connected to the outside world. In this case, Stuxnet was spread by an infected USB stick. Poor standards of security led some guy to insert a USB dongle in a computer connected to the air-gapped network – and the virus went in.
AL: I assume security has improved a lot since then?
YS: Yes, and no. It’s basically an arms race. Good, modern security standards are being published – but in places where few people bother to check, and even fewer implement them. Despite improved security, cybercrime is actually on the rise – with ransomware becoming a popular approach.
For the criminal, it’s all about risk vs reward. Cybercriminals can make big wins, with low risk of arrest. Furthermore, sentences are generally far lighter than for crimes involving physical force.
AL: What’s specific about IoT cybersecurity?
YS: Basically, any device that’s more complicated than a flashing light is nowadays controlled by software, and sometimes by complex hardware. These software and hardware systems are made by humans, who invariably introduce bugs, mistakes, and unnecessary maintenance features. Sometimes they just omit security altogether, treating it as a “nice-to-have”.
These bugs – or lack of security features – can be exploited to perform unintended actions. For example: imagine if a hotel lock expects a six-digit number from your keycard, but gets a ten-digit number. If the developer didn’t take that possibility into account, weird things may start happening; possibly a system crash, followed by the door unlocking. This could be deliberately designed – so that a malfunctioning lock doesn’t trap a guest. Why should the developer even check if the number was of the right length? The cards are always magnetically programmed to hold a six-digit number. That works fine, until a smart aleck comes along, and makes his own malicious card with a ten-digit number.
AL: If companies hire top-notch developers, do they still need to worry about these things?
YS: The better the developer, the fewer bugs he produces. But the more complex a system becomes, the more bugs are introduced. There’s no software out there without bugs – even Facebook, Google, and the Pentagon have bug bounty programs – because their own employees can’t find all their mistakes. These vulnerabilities exist everywhere, in huge numbers.
AL: What threats should I be worried about, as a consumer?
YS: The old days of viruses erasing your hard drives for some guy giggling in the background are over. Writing a working piece of malware is not so simple anymore, and the people who bother doing it have a meaningful goal in mind.
As a consumer, you can be indirectly vulnerable. Your water company could experience a cyber-attack, for example. That might affect you – but you can’t do anything about it. In the realm of personal IoT, you need only really be concerned about ransom, network intrusion, and maybe invasion of privacy. If you’re not a particularly interesting individual, no criminal will pay you special attention. If you have a smart door, maybe an attacker will decide to take control of it and lock you out until you pay him some bitcoins. The same might happen to an autonomous car, and it could drive itself off somewhere – “holding itself ransom”, on behalf of the hacker. A more creative hacker might tamper with your router, look at your internet traffic, and blackmail you – but that’s not an easily automated process. The National Security Agency did it – for example with Juniper routers about a year ago – but the average Joe doesn’t seem overly concerned about it.
IoT devices can also be used to reach “deeper” into your network and attack your computers, phones, and other IoT devices. In turn, if you connect an infected smartphone to another network, it could be used as an entry point to jump into this new network as well.
However, regular consumers shouldn’t worry too much about IoT threats: only VIPs, companies, and governments should be concerned.
AL: Why aren’t you worried about consumer threats?
YS: A specific consumer isn’t usually interesting – and there are far more appealing targets. It’s only a matter of time until a US drone strike becomes thwarted by a simple that crashes the drone – and one has already been forced down. Pacemaker assassinations are also a realistic possibility. Last month, researchers found over 8,000 vulnerabilities in pacemakers – and attackers may exploit these for political goals. To give a less political example: a hotel had all of its doors locked and ransomed. Of course, they had to pay immediately because their guests were locked in or out of their rooms. A hotel company doesn’t want that sort of bad publicity.
AL: Isn’t there some anti-virus equivalent to deter these attacks?
YS: Yes and no. The whole IoT field is still nascent, but some companies already offer defence products for specific IoT devices. For example, Arilou produces a sort of firewall for cars. There are companies specialising in router defence. There will soon be tens of thousands of different IoT devices – and they can’t all have a tailor-made defence product. You need to paint defence products in broader strokes for them to be usable.
AL: Is that what your company does?
YS: Yes. We make a more general defence product, one that works effectively on many types of IoT devices. We don’t cover the basics – if the developer decides the system will not ask for a password, then we’re powerless to change that. However, we do fortify the system against bugs and implementation errors. We stop viruses and exploits from taking control of your device, whether it’s a router, a drone or a smart microwave.
AL: Other people probably had the same idea. What does the market offer, other than Nyx?
YS: A lot of companies are approaching the problem from a similar angle, but none are doing exactly the same thing. For example, some competitors produce something that protects just one type of device. Alternatively, they might prevent hacked IoT devices from progressing further into your computer network. Others may detect (but not stop) viruses that cause a lot of suspicious network activity, whether they sit on your IoT devices or your computers. We stop all of these, one step closer to the source. By defending the IoT devices themselves, we give you an added layer of protection that competitors don’t.
AL: Tomorrow, another team could just make the same thing but better – what’s stopping them?
YS: Something between “it’s really hard” and “we have years of very special training”. Our team has years of hands-on offensive cyber experience. We served in the Israeli Defence Force, and actually hacked military-grade devices for years – so we know exactly how it’s done. This means we also know many ways to make the attacker’s life more difficult. We chose some of the hardest and most sophisticated ideas we had, and decided to go with them.
AL: What exactly is your product?
YS: It’s a file that companies install in their systems, kind of like an antivirus. “Installing” here involves copying the file, and then running an installation that either tells the operating system to use us in order to reinforce every process on the system, or only specific processes that you want “armoured”. It’s the firm’s choice.
AL: Do you presently have clients using your product?
YS: Currently, we’re in early testing phases with several companies. They want to appraise it and become early adopters – once we show its effectiveness.
AL: How do you think the cybersecurity field, and Nyx specifically, will develop in the future?
YS: Cybersecurity has always been sort of a cat-and-mouse game. There is no perfect attack, and there is no perfect defence. Every time, innovation uncovers a new winning method. Alternatively, advances in technology make previously impossible feats absolutely common. I don’t think this will change in the future. Attacks are a matter of value against value: “It costs so-and-so to attack the target, and the value is so-and-so – should we do it?” The role of Nyx in this future will be to innovate, and provide new methods to make attacks more resource-heavy to execute.
Quick – leave us a comment below before you get hacked!