Event Recording

Jackson Shaw - The Internet of Things One Year Later


Last year we had our first discussion of risk and value related to IoT. Over the last 12 months we have gone from “What is this IoT?” to IoT becoming a driver of digital transformation. All of the major platform (PaaS) players have made IoT a key part of their strategies. In this session Jackson will highlight how the IoT landscape has changed from a risk & security perspective for both consumers and enterprises, how it is driving digital transformation and why it is even more important for you to be planning your IoT strategy now.

Anyhow, Jackson. Great to have you here. You talked about IoT last year, right?
I talked about it last year and there's been so much excitement. You know, listening to Kim and following Kim is always a tough act. I wish the cloud thing would've been 10 years ago; things would've been so much more interesting. But there's been so much change in the last year. I kind of wanted to catch people up a little bit on it and talk a little bit about that then.
So I'm gonna start my timer because I do like to know at least where I am. Okay. Here we are. So I'm very deliberate. Last year I had a particular title. This title I'll explain in a little bit. And for the folks that don't know, I work for Dell. That's why I work for... I had to put this in, sorry. You know, when the second Bush got elected the second time, I'd come over to these conferences and traveled to Europe, like lots of my colleagues, and I was always asked this question: how did you vote for him? Well, I never voted for him, and I'm not voting for this guy if he gets in. And for the folks that really know me well, Kim and I are both fellow Canadians and worked at Zoomit together and went to Microsoft together.
I'm going to be in Canada until the election, and if he, for some crazy reason, gets in, I don't think I'm coming back. I've got my place in Quebec and I'd ra... thank you. Well, I also don't want to come here, because I don't wanna explain to everybody, you know, how did I vote for him? Because I didn't, and I don't know who did. I never knew who voted for the Bushes anyway. None of my friends voted for this guy. So what happened since last year? This was my graphic from last year. It really was the Wild West. It kind of is, to some degree, still the Wild West with IoT, but things have changed a little bit in the last year, and I do want to talk a little bit about some of those things. Very appropriately, a lot of people are now talking about the Internet of Things equals the Internet of Threats. There's a lot of stuff happening. I literally, and I am not kidding, updated slides. One of the points on the slides today came from something I learned, and by the time of this presentation, since I sent it to Levant and the presentation, other things happened that I would've put on the slides if I could've. I mean, things are almost changing that rapidly around this area.
So everybody talks about this. I had to talk a little bit about this: "Hackers remotely kill a Jeep on the highway, with me in it." This was in Wired magazine, which I do somewhat respect, but I wanted to point out that the Jeep belonged to the hackers. They had, you know, quite some time to do this. It wasn't just "I turned on Wi-Fi and took over the Jeep and drove it into a ditch." There was a little bit more to it than that. It took the guys that took it over, a full-time team, over a year to find a way to do it. It was fixed immediately. And you've heard about things that are going on with Tesla and some others. So these kinds of things aren't going away, but you do have to remember that in a lot of cases the hacker has to own the device to some degree.
And as we used to say years ago, once the hacker owns the device, you're dead anyway. It doesn't matter, right? Because then that's it. So a few more examples recently. I don't know how many people know Trane, but they're big in HVAC, heating, ventilation and air conditioning. They have had a couple of bugs reported that would allow attackers to install malicious software on devices and use those to maintain a persistent presence on the victim's local network. And everybody ought to know the name of the company whose CEO and CIO both resigned because of an HVAC invasion more than a year ago. This one was just publicly revealed a few days ago: issues around the way that Samsung is implementing their SmartThings using OAuth, that allow for a compromise and a vulnerability. And that's an interesting thing, I think, the way that they're looking at the social aspect of using OAuth. Wi-Fi enabled lights leaking the Wi-Fi passwords seems to be very common.
We were hearing about this last year, and this year. I happen to have a Fitbit Aria Wi-Fi smart scale. I don't really care if an attacker can find out how much I weigh, but it is one of those things that happens also. And a lot of interest right now around telematics, things that are being used in trucks and on ships, where the protocol that they've been using is pretty vulnerable to some exploits around SSH and getting root access to these devices. So the security is not changing. There are still the issues with security. So I picked this new title: Damn the torpedoes, full speed ahead. Why did I pick that? Well, literally in the last year, I think we've seen, from the time I started researching this a year and a half ago, where people were very reticent about IoT, they were really concerned about security.
Now folks have sort of decided that security is going to take, to some degree, a backseat, or they're not even thinking about it. So, you know, the heck with security, or they're not thinking about security, and we want the benefit. The benefit is outweighing things. Now this graphic is an awesome graphic. I will admit it's not my graphic, but I thought this was a really interesting illustration for you. There's been a lot of talk about identity and how you interface with IoT. And I think this to some degree explains some of the issues around trying to manage both security and identity with these things. Just a couple of examples. We...
Sorry, I can't talk to him right now. You know, for protocols, we worry about three protocols in IT around TCP/IP. Thousands of protocols, potentially, when you look at all the different operating systems, all the different hardware vendors, all the different things, including some things that don't even use TCP/IP in IoT. So I'm still struggling with how do we integrate these systems? How do we discover these systems? Because a lot of those things are not built into IoT and there's not really anybody working on them. There's some people thinking about it, but not necessarily from that perspective. But, as I said, there's this whole issue about, as this comment came up, I believe that there was great value balanced against reasonable security risk.
And there's been some big announcements. There was a great one just recently with Microsoft and their IoT Suite: Rolls-Royce basically integrating their IoT capabilities from their engines with Azure IoT. And if I remember correctly from the article, something like three terabytes of data from every flight that will be analyzed in real-time analytics. Obviously Rolls-Royce believes that they can get all kinds of great information, and they're doing this balance of how do we manage between security and risk, security and benefit, and they're making the choice on the benefit. You know, Disney World, which is just down the road from where I live during the winter, it's amazing what they've done with the MagicBand. I don't know if you've seen it, or if you've been at Disney World or Disneyland. I don't know if they do it in Paris yet or not, but certainly at the properties in the US you get your MagicBand, which is really RFID, and walk around and buy things and do everything you want.
And again, for them, the risk versus reward was far outweighed. And I think they've seen that. Another great example around healthcare, and I thought this was a particularly interesting thing from Stanford: to get 10,000 people enrolled in a medical study normally takes a year and 50 medical centers around the country. And by basically doing this study around the iPhone and healthcare, they signed up over 10,000 people overnight. So again, the benefit hugely outweighing the risk. Damn the torpedoes, full speed ahead. And a couple things I just wanted to point out: the bottom left, things like monitoring pollution levels. There's not a lot of risk in that. If somebody hacks that device, you probably know pretty quickly that something's out of date. Last year I had no IoT. Now I'm totally IoT in my home. Here's an example. I know in this particular case at my downstairs cottage it's 18.4 Celsius, and I'm putting all of these things together and integrating them with my heating system. And all of that, again, I'm looking at from a risk reward perspective. Damn the torpedoes. And I wanna move forward with that.
So I thought this was interesting. I literally read this a few days ago. I thought it was very interesting and I wanted to tell you about it. I don't know if Apple's leading the way, it's a question for all of us, but I thought it was really interesting that, different than a lot of vendors, they were thinking about security. And I appreciate that as a consumer, as someone who has an Apple Watch and uses Apple Pay. It was a very interesting point to me: only the Apple Watch regularly changes its Bluetooth MAC address to protect user privacy. Oh, here's someone actually talking about privacy. That's actually awesome. While the Apple Watch alters the device's MAC address every time it's rebooted and around every 10 minutes while active, all the other trackers, and by this they mean fitness trackers, maintain the same MAC address for a period of months, leaving the user open to persistent monitoring. So there's some progress being made. And I really loved the fact that in this particular case it was Apple who was thinking about it. I mean, I would be happy if it's any vendor, but I thought I would point that out again. That was fairly recent that I saw that.
So last year I showed this graphic. For those that were here, they remember; if you weren't here, let me just give you the quick précis of what happened. So I worked for Dell in the security group. When we joined, they said everybody should get a firewall. They sent us all firewalls. I asked in my earlier presentation, how many people have a commercial grade firewall in your home? A few people. Okay. A few people. I certainly didn't have one. This thing was very complicated. Six months it sat on a shelf. I finally installed it, turned on all the features and walked away from it. One day, three months after it was running, I went into the interface, happened to look at this thing about top locations, and as they say in French, voilà, there was 6% of my internet traffic to and from China.
Okay. And that opened up an awful lot of questions. What the heck was talking to China? Why was it talking to China? Was it talking to a good address? If I can't talk to China, does it compromise my security? So it made me think of a lot of things. And I wanted to just ask you some of the questions that, if you saw this last year or you're seeing it now for the first time, I want you to ask. And again, this is something you can't really do at home because you don't have this capability. And I think this is one of my biggest concerns about IoT: so much of this stuff is gonna happen through the home, where the average user would never have this visibility. But do you review your internet traffic?
Can you, even at your business, do you know where all of your internet traffic is going and why it's going? Have you determined if China or the People's Republic of Korea or whatever odd traffic is legitimate? And how do you do that? That's not an easy task, right? How do you know if that traffic is legitimate? Have you moved to a no-trust device policy, or assumed you're already breached? These are all important points I think that you need to be considerate of. And things like no trust: I don't mean zero trust, I mean no trust. In the old days, as I was saying earlier today to somebody else, on your firewall you used to have a plug, a port, that said trusted, or a bunch of ports that said trusted, and another port that said untrusted, which you hooked to the internet.
Well, now every port needs to be labeled untrusted, inside or outside the corporation, next to you in your office or at home. And the wake-up call I had, as I explained before, was seeing this report. And then a couple days later, I think it was on the weekend, I needed to do something at corporate and I started up my VPN from home to Dell to, I don't know, look something up, do something on HR. I don't remember what it was. And having this liminal moment where I said, oh my gosh, I just opened up a door directly from whatever traffic I'm having with China to my corporate headquarters. Not a position that I really want to be in. So I moved all of my devices that were not my PC or my iPad to a VLAN and separated the traffic from my network. I didn't need my refrigerator traffic going off to Dell and doing whatever refrigerators do in these different locations.
So the moral of the story is, customers buy solutions to problems. I bought some temperature sensors. I bought some stuff that interfaces to my electrical system or my heating system, and I'm doing analysis on that. And I've decided that the reward is gonna outweigh the risk, but I bought the solution. They don't buy security, privacy, or even IoT. And from the very beginning, when I started in directory years and years ago, people don't buy directories, right? They buy solutions. They buy Office 365. They buy email. They buy things that leverage the use of a directory. And it's the same really with IoT. So the point I want to make to you, the IT folks, is the choice will mostly be made, likely, without involvement from you.
They're not gonna come to you, generally speaking, and say, what do you think about the security of this IoT device? You'll come in one day and suddenly there'll be devices. Or even the worst scenario, I think for most companies, is where employees start bringing devices into the office themselves and you don't know anything about it. In the days when Kim and I were at Microsoft years and years ago, they used to walk around with a Wi-Fi detector looking for people who put in rogue Wi-Fi access points, until they went to 802.1X authentication. Well, it's very similar, but you can't really do that for all these IoT devices. You don't know if someone put a camera in your office, or a sensor, or a motion sensor, or these kinds of different things. So they're just gonna happen.
So you have to trust nothing. You are now an infinite attack surface. You've heard everybody say there's gonna be 40 billion devices in X amount of time, or what have you. It does truly make you an infinite attack surface. Even at my cottage, I've installed six of these devices, and I've got more to go in. I've gone from a very small attack surface to a much larger attack surface, and at a company it's huge. Your firewall shouldn't care what it's connected to. I really think that, and I speak also as a vendor about firewalls, you have to move to this completely untrusted thing. You have to move to a multilayered approach. Everything should go to a VLAN until you decide otherwise. You need to understand the before and after, the manufacturing or origin of these things. And we have this big debate internally, always, about things like FIPS and Common Criteria.
I don't care about that with IoT devices. What you're really interested in is penetration testing. Has it been done? Who did it? What were the results? And can you do it yourself to verify it? Common Criteria isn't gonna help you there. And stupidity will continue to prevail. Absolutely no question about it. This example here is a great example. It's a screenshot from a BBC show where they brought up the British rail system in London and had the logon and the password written on the monitor, and it was displayed for everybody. These kinds of mistakes are gonna happen constantly around things like IoT: the people who are building security are putting in hard-coded passwords. All this stuff is being discovered. It's exceptionally stupid and it will continue to prevail. And you have to keep that in mind. So with that, thank you. I thought I would leave you with this last Twitter quote, which I did laugh at. I thought it was pretty funny. So do we have any questions? Do we have time? I know it says one minute left.
Thank you so much. Yes.
So, no, we still have a little bit of time, but we maybe still have time for one question. And there's one question that has been submitted by someone.
Yes, no. There you go. Oh...
...ation of IoT devices coming up in the near future. When, when...
Yes. Which one? Yes. Which one? I do try to keep up with this, and like I say, it changes daily, and I don't know that I've seen a specific standard that crosses... I mean, there's so many protocols. You think of SCADA, which doesn't use TCP/IP; you think of some of these other protocols. I think we have a long way to go before there are gonna be standards and then getting adoption. As we know, even in the identity world, adoption of things like OAuth 2 and OpenID Connect and all these things all takes time. So I'm not confident yet that there's gonna be a tremendous move over the next five years to that.
Yeah, I would agree. It probably seems to be kept separate so far. And the number and the percentage of installed IoT devices that are still vulnerable to Heartbleed?
Great question. I'll bet you there's a lot of them out there. We did a huge inventory internally at Dell, like most other vendors did, and weeded out all the problems we had. I don't know that folks did that with the devices. But again, this goes back to that point about penetration testing. Don't rely on what you're told. Don't rely on certifications. Verify yourself. If you're gonna deploy IoT devices in your corporation, you should understand the security of them and where they were built, et cetera.
Thank you very much. Thanks.
You're welcome. Thank you.
