By Marco Ciappelli
A Conversation with Dr. Ted Harrington
Let’s start with a simple fact: a lot of people love technology.
We are fascinated, intrigued, and mesmerized by it; we have always been. We want the latest gadget; we want to plug it in, see the lights turn on, and discover how great it is. The problem nowadays is that more and more of these new gadgets need an electric plug and an Internet connection – and while this raises the level of its awesomeness, it also complicates things A LOT.
I started this column called The Cyber Society to make a point about the fact that we are already living in a connected world and that we need to stop ignoring it or pretend that is not affecting us, because it is – and it’s not just unicorns pooping rainbows.
This is the first episode of a series dedicated to the famous – or infamous – Internet of Things. The intention is to translate complicated tech and related cybersecurity topics into a language that is easy to understand for everyone. “Everyone” being the people who use IoT gadgets the most.
In this episode, my guest is Ted Harrington, one of the partners of a company called Independent Security Evaluators. Together we will try to explain to the non-expert what the Internet of Things is, what it does and, most of all, what makes IoT devices secure or insecure.
Everyone nowadays is buying and using gadgets that are connected to the Internet, but only a few are aware of and understand the consequences, the risks, and the danger that come with that connection.
Unlike what most of the product manufacturers and their marketing teams are trying to make us believe, these extra features DO come with dangerous side effects and, more often than not, with many strings attached.
Users need to be aware of these side effects so that they can make informed decisions when they purchase IoT devices and the bring them into their homes and personal lives.
I personally think that this idea of keeping the masses ignorant and luring them in with shiny packages, inviting prices, and all sorts of bullshit is something that has to end. Seriously. There are hidden costs that the everyday users are paying, and most of the time without knowing, the “real price” that they are paying.
You see, these connected devices do not just send data, they also receive data. Now, this is not just your conversations, what your camera captures or your location, but every sort of data – the so-called BIG DATA that might not make much sense to the average user – that, once aggregated, gives insights to a business that wouldn’t be able to gain it without this type of device. And yes, you probably guessed, it can be highly monetized, in many different ways.
So, without giving too much away, I invite you to listen to this conversation and start thinking about what truly is "The Internet of Things." What is the ramification of it for our society? How can individuals make educated decisions about these gadgets that are so candidly welcomed into our homes and our lives without even remotely thinking that we might be bringing a threat into our house?
In my opinion, one of the main problems is that it doesn't come easy for people to understand and be aware of this issue, because many people just expect to get an out-of-the-box functioning, secure, approved device. Just like an old-school stereo, vacuum, TV, telephone or refrigerator.
Now that the game has been upped, what are we doing to approve these IoT devices, to protect and secure the users, like we used to?
Does the user need to take action? YES. We will discuss some tangible, actionable things that individual consumers can do to protect themselves and make the right decisions.
Oftentimes, when I talk to cybersecurity experts they tell me that in an ideal world the users shouldn’t have to worry about their online security. While this sounds just FANTASTIC, I’ll be waiting anxiously for the announcement that this train has arrived at that ideal station.
Until then, I suggest that all of you sprinkle some PARANOIA onto that cappuccino you just made with your Internet-connected espresso machine.
Enjoy the podcast, listen to it carefully and share it recklessly!
* If you have read my introduction above, you can go directly to the conversation by skipping ahead to 5:03 - Enjoy!
IoT Security Explained | Just Because Something Can Be Connected To The Internet, It Doesn’t Mean It Should.
• Marco Ciappelli: I'm here today with Ted Harrington, one of the partners of a company called Independent Security Evaluators. I had the pleasure of meeting Ted many times at different cybersecurity events. He's a great guy, very knowledgeable. I'm looking forward to this conversation where we're going to try to explain what the Internet of Things is to people who use all the gadgets but really do not understand the consequences, the danger, and that it's not just fun; there are certain things that we need to be aware of. So we're going to try to really break it down to what the core of the Internet of Things is, what it does, and where is it going.
Ted, how are you doing today? Can you tell us a little bit about yourself?
• Ted Harrington: Thank you for having me. Like Marco said, my name's Ted Harrington. I'm one of the partners at Independent Security Evaluators. We've been performing security assessments and security research for over 12 years now. We came out of the PHP program at Johns Hopkins back in 2005, and we were actually born out of a piece of security research that was pioneering a concept that, in a lot of ways, predated the current state of certain elements of the Internet of Things – and that was where we were actually looking at how you could hack a car. This was, of course, before cars had cellular or Wi-Fi connectivity.
What we were investigating was how to defeat the immobilizer function in the vehicle, which is what is in place so that someone who is, say, a valet who's been handed your car key can't copy the key and come back later and steal the car. There's actually an onboard computer that prevents that. We were looking at how could you attack that onboard computer to circumvent that anti-theft and safety measure, and ultimately that's what we were able to do. We built a weaponized software radio. We hacked this car about 12 years ago, and the rest as they say is history. We've really gone on to focus on not just IoT, but many different aspects of many different industries. It's interesting that now as IoT is getting so hot, the roots of our company really came out of this concept.
• Marco Ciappelli: Right. So that goes way back before we were even talking about IoT, and nowadays things have changed a lot because we talk about the Internet of Things all the time. But I feel like we talk about it, we say IoT, the everyday user has a ton of gadgets that are smart and connected – wireless in the house, TVs that are smart, smartphones, smart salt shakers. I don't know what the utility is of that, but everything is connected. But what exactly is the Internet of Things? Can you break it down and just explain it in simple words for our readers?
• Ted Harrington: So there's not necessarily a common, universal, agreed-upon definition. Like, you couldn't pull up Merriam-Webster's dictionary and see the definition of IoT in there. There are many different variations on what the definition is, and what is even included in IoT. The common theme amongst all the different ways that someone might define this category of technology really boils down to communication – the ability for devices to communicate with each other within some sort of environment, to be able to communicate with humans, and to be able to aggregate data in ways that can then be analyzed or monetized.
The Internet of Things is essentially a collection of devices that speak to each other and are purpose-built; these are actually built to be connected devices. An example of a purpose-built connected device would be something like a wearable, like a Fitbit, something that would not have utility before connectivity was viable. So that's one type of connected device.
Another type of connected device are things that have been around for a long time, but have traditionally been more analog in their operation, but now connectivity enables them to do new things in new ways. An example of that type of connected device would be the Nest Thermostat. Thermostats have obviously been around for a very long time. They control the temperature in your house. Nest (and its competitors) enables you to remotely control the temperature of your house from your mobile phone. It has all sorts of tracking analytics for how to optimize or improve your energy consumption.
So those are some examples of what IoT is, but essentially it’s a collection of devices that have new ways of communicating with each other.
• Marco Ciappelli: So this communication opens the door to a lot of new features, things that couldn't be done before? It opens the door to cloud computing and to feedback on data that are collected about the usage of your devices. It's not just communication that goes one way, but it's actually communication that comes back, that gives feedback, that learns things and gets better all the time, correct?
• Ted Harrington: Yes, and both sides of that communication chain delivers some really robust benefits to different stakeholders. So on one hand, there's a benefit to the user who can now communicate with their device, can do things like – I used the thermostat example a moment ago, so to expand upon that, the user gets great benefit out of the idea that they are on vacation halfway around the world, and they're able to log in to their thermostat and realize "Oh, I left the heat on. Well, that's going to be a waste of energy. I can now change it, turn it down."
There's also tremendous benefit to the business who sells the device, this thermostat, because now they're able to track things about this particular customer, or in the aggregate across all customers, like what type of temperature do they typically like? What hours are they in their home, or they are not in their home? This type of data provides avenues for many things.
So for instance, the data can be resold to another company, let's use as an example an alarm system company, and now that company has some analytics about where the individuals are spending their time in the home, and maybe that informs the strategy around how they might market their security services, and I'm talking about physical security here. Or the company might use this information to cue up targeted ads. Let's say they can sell the data to some sort of ad platform who says "Oh, I know that this person typically runs their temperature warmer than what is the historical average across the country, and that suggests to me that this person generally has a colder body temperature, so maybe we should send them ads for things like sweaters or scarves or things that might keep them warmer because if this person tends to run colder, they might buy that type of product."
And those are the kinds of insights that a business might not have without this type of device collecting that data, and then aggregating it in a way that can then be monetized.
• Marco Ciappelli: So now we go into a completely different kingdom, which is privacy. This is data harvesting, what they call the new “oil” because it's so valuable that companies are actually collecting it even if they don't really need it because, as you say, they can resell it. Now, a lot of companies say "Well, we collect the data because then we can make the product better for you." So this is probably a conversation for another occasion.
The bottom line is that there are many, many, many benefits, but many times when we hear the news, there is also a lot of risk connected to that. What are those risks, and why is there nothing that has been done so far? Because when the user, the everyday person, buys the thermostat or a light that turns on and off on its own, or anything that is connected, they don't think that they're putting a threat in their house, so how does this become a threat?
• Ted Harrington: So there's a few different aspects to the risks here that we should consider. First and foremost, it's important to separate conceptually the ideas of privacy and security.
These two are, of course, the principal risks that come with deploying these types of devices, and I'm making this distinction between the two because in many conversational contexts, and even in some very professional contexts, these two are sometimes conflated, meaning they're sort of lumped together, and they shouldn't be because they're distinct.
So privacy is the idea that individual users can make decisions about their data, and security is the integrity of a system to protect the data assets that it houses or provides access to, as well as ensures that the integrity of those decisions about privacy are being carried out.
So if we break those two down and sort of look at them individually, some of the privacy risks surrounding connected devices are things like: by deploying this device in your home environment or in your business environment or even in enterprise environments and industrial control settings, they're being deployed in critical infrastructures, such as hospitals. I mean, this is not just a home situation we're talking about here.
But of course the risk is that by deploying it – and the purpose of these devices is to track and capture data – they're going to analyze and potentially sell the data. And that is something that a given user might want to think about. Again, we’ll use the thermostat example: how much time they spend in which rooms in their house. Is that something they care about?
The second concept, this idea of security, this is the idea that is dominating headlines, where you hear about a company getting hacked, or an individual getting hacked. This is really what security points to or is really focused on, the idea of preventing unauthorized users, the bad guys, from being able to obtain access to the devices or the data that is being collected by the devices.
So that's really the security risk, and we can, of course, go much deeper into it than that, but that's the high-level description of these two principal areas of risk that come with deploying connected devices.
• Marco Ciappelli: I always end my intro to these podcast with a quote from Sir Arthur C. Clarke: "Any sufficiently advanced technology is indistinguishable from magic, but only to those who don't understand it." I love that because people, the everyday person, they get this gadget, they don't think about the consequences. But I don't think that they ignore it on purpose, they just don't think about it because they don't even know that there are possible side effects to the usage of these connected devices.
It doesn't come easy for people to understand and be aware of this, because many people just expect to get an out-of-the-box functioning device. So are we doing something to protect and secure the users?
• Ted Harrington: Some of both. I think it's unfair to generalize or to paint broad strokes across entire industries. It would be inaccurate, I think, to believe some of the headlines that are common today that say that all connected devices are insecure, and you read a lot of those headlines these days. There are—
• Marco Ciappelli: Well, they make news—
• Ted Harrington: Right, right. There definitely are companies that are investing in security that are doing it right, that see it as a process, that realize that it's more than just trying to put a marketing claim on the box, to actually try to protect your customers. So there are companies who are doing that. Unfortunately, I think those companies are probably, well they're definitely in the minority. The question is to what extent of the minority are they? And part of what's driving that, I think, is there are just market forces at play here. And you hit on it in your question, that many consumers don't even know to ask the question about security. But even those who do know to ask the question and do care about it, they're not necessarily empowered because many of these devices have some sort of security claim on the box, but many of those claims are very hollow, and so that's a precarious position for a consumer.
So I think if we were to try to summarize it in a single concept, it would be that on the average, now this is not to say everyone, but on the average, many connected device companies are not approaching security effectively, and our advocacy would be for the average, the aggregated average, for the common type companies to really look at the pioneers in this space who are pioneering security, and think about well, if those companies can do it, how can I also do it?
• Marco Ciappelli: That's a really good point. And one point that I bring out a lot because of my marketing background is the value, the marketing value, of not lying. The marketing value of really being secure. I don't think it comes down to cost, because if you pay a little bit more for an organic product, or you pay a little bit more for a safer car, or a little bit more for a safer anything or better quality, I think that people would be able to make their own decision. But if you find a lie on a package, that's not going to help. So I think what could help, is if people knew what made an Internet of Things device, a connected device, more secure than another. Is there a simple way to explain that?
• Ted Harrington: Yes, there is a simple way to explain it. A lot of companies have a hard time executing it, but there are these principles that are essentially universally accepted truisms about how you build anything that is secure – or the more accurate terminology would be “resilient against attack.” Nothing is ever a hundred percent bulletproof, but you can put things in place that can withstand attacks better than others.
And so these principles, they're known as a secure design principle. They are the fundamentals that have been basically the bedrock for decades of how to build these strong systems. What's really interesting is when you read a headline about whatever company getting hacked, when that happens, it is almost entirely because of lack of adherence to one or more of these principles.
That's a long way of answering those very good, simple and straightforward questions, which is to say that yes, conceptually it's easy to understand how to build these things in a secure manner, but in the real-world execution of that, many organizations stumble for several reasons. Some reasons are related to understanding the principles, but many don’t have anything necessarily to do with security, but rather with real business-level problems – like there's not an appropriate executive buy-in at the top of the company saying that security's important, or even an awareness or understanding from the executive level about why security would be important to that particular company. Then that, of course, influences down through the various decisions being made throughout different levels across the organization.
• Marco Ciappelli: Starting the design right from security, and not trying to add security later on – I think that's a good principle. The other thing is that it should be the mission of the company, like you said, and not only in the technical department, but in the core of how a company does business. But as a user, what should I look into when I buy one of these things? A couple of tips for people to be a little bit more secure.
It's really hard to understand for the non-technical person that when you connect something to your Wi-Fi, somehow a hacker could hack that particular device and then from there the hacker could jump to your television, your computer, your camera, security cameras, and so on. So that alone is kind of like sorcery. So there is the general understanding of how this little connected device that I control on my phone is actually making my entire house a danger zone, and what can I look into, or what can I do, to avoid this?
So it's kind of like two questions in one, but I would like to move the end of the conversation towards something a little bit more practical like this.
• Ted Harrington: I think if we were to distill it down to some tangible, actionable things that an individual consumer can do, there are a few things we can really take a look at, and of course this is keeping in mind that the average consumer can't have a line of access to the CEO of whatever company made this device to say "Hey, talk to me about the security assessment you did of this." Even if they could make that call, they're not going to get the insight that they're looking for. So the consumer really needs to do a handful of things.
First thing would be that prior to actually buying any sort of device, you really want to think about “Do I need the connected version of this device?” This is one of these principles that is known as “reducing your attack surface.” If I'm going to buy a device, it comes with these privacy and security risks, and effectively connected devices are new ways for attackers to attack whatever environment it's going to be deployed in. So the first step is thinking about how do I feel about taking on that risk?
• Marco Ciappelli: Because there is a risk. Like you said, there's always a risk. Nothing is a hundred percent secure.
• Ted Harrington: Absolutely. There's definitely going to be risk. That doesn't mean not to take it. I mean, we can't live in a zero-risk world. Risk is all about being accepting of, or at least aware of and then accepting, the different conditions that you would be adopting. So this would be a case where someone might say "You know what? Yeah, there's risk that someone could get access to data or information about me that I would rather not share, or a hacker could possibly get into my home environment because of this and then get to my tax return, but the benefit of me having this is superior, so I want to do that. I want to get the Amazon Alexa so that when I'm cooking and my hands are full, I can ask it to read me the recipe, and that is a hugely beneficial outcome for me, so I don't care that Amazon is recording my conversations. That's worth it to me." So that's step one.
• Marco Ciappelli: As long as you know that that is an option though, so you can make a educated decision.
• Ted Harrington: Right. You hit the nail on the head: make an educated decision, right? We want consumers – and I'm saying the word consumer but I'm also speaking about people who are buying these devices for more enterprise-class deployment for critical infrastructure for government or wherever; they're in the same boat – to be informed, and you should be thinking about "Am I okay with taking on this risk?" The next stage is once you determine "Yes, I'm ready to buy," be an informed consumer about what you're going to buy.
One way to think about this is to really look at some of the security discussions about whatever this product is with a critical eye, because there are definitely some red flags that should suggest to you that security is really not well-implemented by a particular product manufacturer. Those are going to be things like: do they not talk about security on their website? or is security something that's only buried in the frequently asked questions section? Another flag might be okay, they have a security section, but it really just sounds like a lot of buzzwords. They don't actually tell me how it's secure.
Another red flag would be the use of claims that are very misleading, things like "This has bank-level encryption" or "military-grade security." What those kinds of claims are saying is "This system uses a level of encryption that is the requirement for the financial services industry," not "This must be a very secure product."
Well, that's misleading because attackers don't attack the encryption, they actually attack what's known as the authentication model. They attack the idea of who is allowed to decrypt the thing. They don't try to actually break the lock, they try to see where the keys are so I can open the lock.
Understanding those kinds of things so as you're reading the marketing material and you're researching a given solution, if any of those red flags are popping up, that should be an indicator to you that hey, this company doesn't know how to talk about security, so maybe security's not going to be well-built into this solution. What you want to be looking for are things like: do they talk about how security is a process? What do they do to take your security seriously? How are they performing security assessments? How is it baked into the philosophical culture of the way that they talk about the company and the product? That will show a very stark contrast to someone who is just saying "We're secure because you have to log in." Well, everyone has to log in, that doesn't make it more secure. I mean, it is better than no log in? Obviously. But that in and of itself is not inherently the epitome of security.
So then that leads to the third area of what an end user, a consumer, of one of these devices can do. So now you've decided that the risk is worth taking, you have done your research about which product to buy, and you've observed those red flags. You make a decision, you buy the thing, and now you're taking it out of the box and you're ready to plug it in. It's imperative that users now make sure that they do some of the basics like change the default password. The reason that this is important, is that default passwords are essentially publicly available information. So when a product ships with the password being "Admin" for the username and then "Password" for password, every device that that company ships comes with whatever those credentials are.
There are actually tools available online – there's one called Shodan that is essentially a Google search engine but specifically for finding connected devices, that enables an attacker to go find devices of a certain type, and then once they find that a certain device is deployed somewhere, they can just do a search on the real Google to find the user's manual for that device. And in the user's manual will be those default credentials, and then they can just log right in if you have not changed those default credentials.
So those are three areas that I think are tangible and actionable, that even the lowly technical consumers can pursue.
• Marco Ciappelli: This is great. We could talk a very, very long time about this and our subcategories, specific areas of Internet-connected devices. That applies to city infrastructure, to whatever they call a smart city, smart cars, and a lot of other things. At this point we are a connected society, we are a cyber society. It's not a thing of the future.
I'd like to end this conversation by first of all thanking you, and I of course will invite you to be part of the podcast again to talk about other areas of the Internet of Things, any time that you have time.
I like what you said at the beginning about the assessment that you need to do as a user: "Do you really need a connected device? Just because you can connect something, it doesn't mean you have to." That is a really, really good starting point. Not only to make a decision, but to understand how this actual device works because once you know that, you can start thinking sideways about how they can affect your security, your privacy, and then how they can actually be part of your house, but in a very efficient and positive way. So thank you for your participation, and I hope you can be part of this again soon.
• Ted Harrington: Yeah, thank you so much for having me. I appreciate it.
• Marco Ciappelli: You're more than welcome.