Tune in with Dan Cunliffe and Rich Crossingham to find out why you shouldn’t skip your IoT device security, and how you can easily cover the basics.
Dan Cunliffe
Hi, everybody, and thanks so much for joining the Pangea IoT Insider. My name is Dan Cunliffe, and I’m Managing Director of Pangea. Today, I am very excited to be joined by our business development director Rich Crossingham to talk about IoT security. Hi Rich nice to have you.
Rich Crossingham
Hey, Dan, thanks. This is an interesting topic.
Dan Cunliffe
IoT security. Yep, massive topic. And we’ll, we’ll cover off. Well, we won’t, we won’t won’t give it away too soon, but lots to talk about. But just as a bit of intro, as of last year, 2020, there were 20 billion connected IoT devices in the world. And there’s obviously predicting we’re getting to 30 billion by 2025. And it’s one of the fastest growing technologies out there. Of course, as more devices come in to play, the cybersecurity conversation just gets bigger, Chris Romeika our Ops Director, would like to call it the IoT growing pains, and probably one of the reasons why he’s lost most of his hair. However, you know, probably the questions to ask is, you know, what sort of priority? How big is the priority? When it comes to IoT security? I think that, you know, it has to be huge. I mean, people are saying the data is new gold, people say it’s the new oil. But you know, cyber attacks can happen anywhere. There’s far higher stakes, when we talk about autonomous things, particularly autonomous vehicles and machinery. Maybe just come straight into you. It’s about sort of, you know, thoughts about that and kick us off a little bit.
Rich Crossingham
Yeah, I think it’s important to look at some of the examples, many examples over the last few years of security in IoT devices. And that said, it’s important to remember how many things we might have in or around us, you know, in our house, in places we visit, in toys and gifts our children are given, that are connected to the Internet, and anything connected to the Internet represents a security risk. There have been incidents and flaws identified at security events like Black Hat concerning children’s toys. There was one, I think it was LeapFrog, their rugged tablets designed specifically for children. They have a range of education games, ebook apps, things like that. But it was found that they could allow bad actors to track the device, send messages, or launch man-in-the-middle attacks. And when you look into that problem, it highlights not only firmware and hardware risks, but also software and apps that could have backdoors or unknown issues that the bad actors can then take advantage of. So you need to kind of think of not only the device itself, but the stuff that’s going on it and who’s putting it on there, and who you’re allowing to put onto it.
Dan Cunliffe
I’m just gonna say I kind of think that the people who are making these devices, maybe maybe a lot of that focuses around creating a great experience for the child and maybe not thinking about, hold on, if it talks to the internet, what is the level of kind of complexity that I’m out there putting my product into? Because the problem, the good and the bad problem of the internet is that it’s constantly moving. Yeah, it never stands still in terms of what can come at you from being out there. And I think, yeah, you know, I wonder if people like, you know, I’m sure you talk about Mattel or on these other guys, you know, who don’t really kind of think about that far down the road, they just go cool. I’m gonna put a Wi-Fi enabled modem in there or, or a cellular enabled modem in there so that Barbie can keep doing the cool things that does when it’s on the road? You know?
Rich Crossingham
I think that’s a really good point. Because you’ve got things that are learning devices, educational devices, like these tablets, and the intent was very pure for it. And then you start to put in some of the other toys, I can’t quite figure out why. So they had CloudPets. They’re connected teddy bears, and they’re thankfully now being discontinued, I think in 2018. Prior to them being discontinued, it was discovered that over 2.2 million voice recordings had been exposed between parents and their children. Massive, significant, you know, data breach. And similar concerns were also seen in Mattel’s Hello Barbie. And for me, it’s kind of why you’ve got to, I just struggle sometimes to understand why someone’s sitting there in an innovation meeting going, Yeah. Do you know what we need to do? We need to just get this connected to the Internet. Think about, like, ‘what’s the worst that could happen?’ Kind of, you know, the Dr. Pepper phrase, for what is the worst that could happen if we do this? And I was thinking about these earlier and it kind of got me thinking back to the 80s, 90s Child’s Play films. You know Chucky?
Dan Cunliffe
I was so scared of Chucky. I’m a grown six foot four man, I am very scared of Chucky.
Rich Crossingham
And you think so imagine Chucky in the digital age, a Chucky that not only comes alive in the bedroom, but it can now digitise itself and download itself into other devices. I mean, you just start thinking, it’s just the stuff of nightmares and potentially good films if we ever got one.
Dan Cunliffe
But I kind of come back to that point of like, actually, are the manufacturers, you know, thinking about all the way through? I’m sure they are, I’m sure they are, I think the people we’ve spoken to where, quite often the connectivity side isn’t always front of mind, when, you know, I think it needs to be in terms of how am I connecting? And what am I doing to try and make that happen? I think that, you know, as parents, we, we want to, of course, you want to, you know, give kids the right toys, and with the advancements of smartwatches. And I’ll talk about that in a second. But smartwatches and the ability to, I suppose assumingly, the more protective of your child is actually you also run the risk of not protecting your child, because you’re giving them something that’s digitally connected.
Rich Crossingham
The worry in those is, is it counterproductive? And then what’s the end goal? Is the thing that you’ve just given your child counterproductive to what you wanted to do? Smartwatches are great examples. Lots of them going around now, something a lot of parents thought a good idea to help keep track of their children. But if you can expose personal and location data, you then open the door for various insidious threats. Now, I’ll leave it there. But you know, there are a number that have been identified, where these devices all had security issues, and hackers could then track and call children. And that’s the last thing you ever wanted, you know, you’ve actually created the problem more so than if you’d not given them the device in the first place, so yeah, it’s concerning. But I think you can also then start moving from children’s toys to adults’ toys. And I like the segue here, because you start thinking, Well, what do I have, and one of the great examples from very recently was, well, a great place to start is with Mercedes. In the second half of 2020, it was revealed that the Mercedes-Benz E-Class went to market with 19 vulnerabilities. This enabled, among other things, attackers to remotely unlock the car door and start its engine. And I think this was only, you know, four or five, six months ago that we’re seeing things brought to market, you know, big machines that can go on the road, and, you know, take it a step further later, but look at the Tesla and autonomous vehicles coming on to the UK streets this year. Well, Mercedes six months ago had a device that was going to market with 19 vulnerabilities. And then 2015-16, Jeep, they had an SUV which had a firmware vulnerability, and the researchers were able to hijack the vehicle over the Sprint cellular network, and they could make the car speed up, slow down and even veer off the road.
For me, you know, it’s, it’s definitely the proof of concept for emerging IoT stuff, you need to ensure that you haven’t ignored the security of peripheral devices and networks, because consequences can be disastrous.
Dan Cunliffe
Yeah, I mean, it’s huge. I mean, I think, you know, we don’t, while we are sort of, kind of exasperated a little bit in what we’re saying, but trying to create something that is a level of seriousness with our listeners, because these are things that you have, you know, most people have vehicle, most people have a toy for a kid or have given a toy for a kid, you know, and it may connect the Internet. And I think the point is that actually, while we are in a global IoT company, connecting things, providing solutions for our partners, it is important that we understand the stuff too and give advice, right? And say like, actually, Hey, are you thinking about this stuff? And if you’re not, let us try to help you think about it. I think it’s important to maybe talk a little bit about how, you know, how do we think that people should be addressing security issues, or even maybe looking at examples where other home devices may be vulnerable too. I mean, smart speakers have grown far quicker than I think we’ve imagined. Particularly with us all being at home during COVID. I think more and more people have probably improved their devices at home and gotten more devices for home and smart speakers being one of them. I find it very disturbing, as I’m sure many people do that within seconds of saying something I’m probably going to get an IoT security advert from somebody very shortly, because because of what’s surrounding me.
Rich Crossingham
And it’s all of them, Amazon, Google and Apple have all come under criticism for this where investigations are found employees at companies can listen on, and listen to the conversations that have been recorded. And it’s, it’s concerning, because, you know, the the excuse or the reasoning for doing it is to help improve the capability of the device to understand more and work out where it’s not understanding it. But I think people will be quite concerned if every thing that you were saying in the home was being recorded business calls that you could be having, especially with us all working from home, as you said, all those things that might be talking about brand new IP, or trademarks, or development or whatever, and it’s all potentially being recorded by any one of the big tech players that we’ve just talked about. And then, I think, you know, recently when, when you talk about how impactful this is, you know, someone from Google Home talks about the reports emerging that Google employees could capture audio of domestic violence or confidential business calls, and the positive side is that they could use the call to alert, you know, for a fire for domestic abuse, for break in for those kinds of things. And for some of those things, you might think, you know, that’s a really positive thing. Yeah. But how do you Where do you draw the line?
Dan Cunliffe
Yeah, where do you draw the line between what’s, you know, tackling serious problems to actually encroaching on private lives? You know, there’s a, there’s a real kind of difficult way to get around it. I did watch a very interesting startup, talk about monetizing that for for greater good, where you could take that piece, but, you know, back to the security side, you’d probably consider that we probably want to not have that stuff be able to be broadcast everywhere it wants to go. Yeah, I mean, I think we’ve said a lot of that. I mean, so basically, question is. How hard is it to ensure that your devices are secure? Like, how do you actually, you know, make sure that there are things in place, and it is a daunting topic? And I think that, you know, to be honest, there are there are simple ways in which we can, you know, try and do things to make the thought process and the the kind of sitting around new product development. And when you consider the security part being, you know, not that difficult? The Online Trust Alliance suggests that 95% of cyber breaches can be prevented with certain rudimentary measures. Maybe we should go through some of our top tips that we can sort of offer people and at least they can walk away from the podcast today with some ideas, should they need them.
Rich Crossingham
Yeah, I think when you talk about that 95%, one of the really interesting ones that we were talking about earlier was the Mirai botnet in 2016. And that, you know, only became so successful because of its ability to use insecure IoT devices, digital cameras, DVR players, to create a DDoS attack that took down loads of the Internet, Twitter, Reddit, Netflix, all that kind of stuff, gosh, imagine being without Netflix, and the others. But, you know, once it had been reviewed, it was entirely preventable, if the devices’ default passwords had been changed and the software was updating. And it’s those kinds of things you think, if people just update. So I think maybe if we run through the top tips, we probably address most of the issues that we’d see out there.
Dan Cunliffe
Well, you touched on the first two, which is pretty obvious. And like sometimes it’s just seen as a chore, but you know, change the passwords. And even me personally, I’ve been guilty of that, right? I mean, sometimes you just think I’ll leave it for now, I’ll come back to it. But it’s actually very important, because the improvement in kind of hacks and the ability to try and infiltrate your secure password areas is constantly moving every day, and you don’t realise it, but you probably have tens of different websites where your passwords are probably similar. And, you know, it just needs to find one and then sort of find its way through to kind of replicating that. And the other one is obviously, you know, keep your devices updated. Don’t fall into the cycle of just hitting remind me later again. It’s something that personally I’m sure everyone on the call has done, is like yeah, I’ll just pick it up later because I’m kind of busy with this task right now. Two things you can pick up on.
Rich Crossingham
Yeah, I think sometimes it’s not necessarily the right thing to just go straight for the cheapest IoT device on the market. I get you know, there are budget constraints for everything. But if it’s impossible to change the already preset password with a capital P and then ASSWORD you’re opening yourself up to a real world of pain for later on. So I think you know, when you’re buying something, assess what it can and can’t do. Because there’s no way that you want that to be the piece that takes everything else down in your home environment, in your work environment, wherever it is.
Dan Cunliffe
Yeah, I would add that some of the interesting companies I’ve come across in particularly IoT security and device security are using real world elements to try and improve the way that the security works. So an example would be some of these devices will have a sensor on them that could pick out the weather conditions or the humidity conditions at that moment, and then compare that with what it is supposed to be. And if that’s not right, then they know that that’s not exactly what we’re expecting to be spoken to by some other kind of incoming message. And I find that quite fascinating, because it’s impossible, well, I say impossible, but it’s very difficult to get it right. If you said, What is the temperature to the second decimal point in Miami to actually get it correct, or whatever it might be using real world implicit examples of what the sensor has read and what you’re saying it’s going to be? It’s pretty interesting.
Rich Crossingham
Yeah, yeah, definitely. I think we kind of think of security now. And when you when you watch films that are set in the future, or few years ago, when you’re watching films that were set now, and people would be accessing doors with fingerprint scanners, or biometric readers under their skin, or iris recognition, and you think, you know, people have highlighted iris recognition, and fingerprints, they’re so unique, that it, it adds a level of complexity that most people don’t ever add to their passwords. So being able to add those kinds of things, make a very hard to beat two factor authentication process.
Dan Cunliffe
Yeah, exactly. Well, we’re kind of one of the other big ones, obviously, a lot of our clients use this with us. Choosing the right IP address structure, do you want something that is going to be easily accessible on the Internet? Or do you want something that’s going to be way more private? You know, a lot of our customers choose us for private IP services, where, in fact, it’s kind of hidden, you know, and it’s very difficult. It makes it harder to actually access those devices because of that. And, you know, it’s a simple thing really, isn’t it? It’s not a difficult thing to to add on. You can you can make it really simple.
Rich Crossingham
Absolutely. And I think a lot of people, sometimes skirt around this issue, because they don’t quite get what a public static IP or a private static IP is. And I think, if anyone wants to ask us, and then wants us to help them understand the benefits, the pros and the cons to it, you know, absolutely, always email in ask us the questions. We’ll help show you what the best solution is, for what you need, you know, security over dynamic capability or whatever it is. But we’re always more than happy to help explain, because sometimes people don’t want to ask, they’re like, Oh, no, I think it’s right to have this kind of IP addressing. But I would always say, if you’re not 100% sure that you know exactly what that means. Security, and IoT security is so much of a potential risk that you should absolutely ask the question.
Dan Cunliffe
I think probably the last tip is: if you have strict guidelines to follow, or there are particular requirements, we believe in the market for certain content filters that you can provide, where you can be very specific in the things you want to connect to and things you don’t want to connect to. And even as far as using genres rather than specifics to try and get you through those questions, we actually look after close to, just over, 100,000 vulnerable homes that need to connect to the Internet but cannot or should not be connecting to things that are probably not allowed, but equally, we don’t want attacks towards them either. So looking after those using content filtering is a really big play. Just to close off, the UK government actually announced that they want to make IoT devices safer, obviously understanding the increased volumes, and particularly those who are consumers. Did you just want to touch on those laws that they passed through as well?
Rich Crossingham
Yeah, yeah, definitely. So the law basically states that IoT device passwords must be unique. Manufacturers must name a point of contact so anyone can report a vulnerability, which is a big important one because a lot of people now have the ability to report these things. And people make a living out of them by reporting and getting paid for identifying flaws in firmware and software vulnerabilities. And I think a lot of people just you, me, and the person on the street, didn’t know who to go to, to speak about this. So it’s a real key thing. If you spot something and you think it’s a problem, absolutely having the right person to be able to report it to is key. I think the other one latest one was manufacturers must tell customers, how long they’ll support devices for with security updates. This goes back to also enterprise level hardware, where you’ll buy it and the lifecycle of that hardware will be three to five years, maybe a bit longer. You’ll get firmware, and security and vulnerability updates, and then they’ll start their end of life cycling. Yeah. And once you reach, you know, the complete end of life of that device, they won’t release new patches, new firmware. And so overnight, your entire estate becomes potentially at risk.
Dan Cunliffe
Yeah. Non-secure? Absolutely. I mean, I also think what it drives is more accountability in the manufacturers if things go wrong, so we talked earlier about vehicles being attacked, or whatever it might be, vulnerable. We might actually have a bit more focus in these things saying like, Look, I need to kind of sell this into the UK market. Have I got everything checked up? Am I willing to put my name against that vulnerability that comes out there online? Yeah. So we’ve got to expect to see way more involvement in security support from the manufacturers. That’s what I think is going to hopefully go in that direction. Excellent. I mean, I think there’s more we can say here. Don’t know if you wanted to kind of close off on anything?
Rich Crossingham
I think it’s probably important to highlight the positive side being the amount of devices that are connecting every day to the Internet, and the sheer kind of breadth of types of devices, from autonomous vehicles, to clever vending machines, or whatever it is. And yet, you know, we’ve highlighted some, some that are cause for concern. But there’s probably many times the amount of products that meet the requirements that are meeting the security requirements as well. And I think that’s probably worth shining a light on because we can highlight these so that everyone can learn from the risks and ensure that going forwards, you know, there’s more security support, there’s more involvement, there’s more and better, IoT security, going forwards. But also, it’s not like we’re reading off a list of a million different products. All vulnerable right now. So I think, you know, it’s, it’s good that people are concerned about this, and being mindful of ensuring security going forward.
Dan Cunliffe
Yeah, I’d agree. And, you know, I think, the more the more we use the IoT, the more good we are driving because of the ability to use IoT to help us make better decisions, using the capability of what machines can do for us to drive that is the right thing. I think we just need to keep an eye on how secure it is, and avoid the breaches. I think on that point, Rich, thanks so much for joining me on this one. Love your insights, and I’m sorry, I’m sorry for myself here to bring Chucky into the conversation. But anyway, you know, I’ll get over it somewhere. But to our to our audience, and, you know, if you’ve got an IoT solution that you want to secure, head over to our website, check out any of our IoT security blogs, or even better, give us a call. Be great for you to check out our content filter product, our private IP, the various things we can do.
Rich Crossingham
Dan, I would say in closing, give it a year, Chucky 2022, in the cinemas, Chucky versus the digital world. Yeah, I can see it now.
Dan Cunliffe
I tell you, I’m not going. I’m not going. I just refuse. But yeah, on that note, for those who are loyal listeners. Thanks so much. If you’re a new listener, please do hit up the website or get in touch if you like anything you’ve heard or just get in touch with us through the phone number which is on our website as well. Thanks again, Rich. My name is Dan Cunliffe, Managing Director of Pangea. Thank you very much for listening.