Internet of Things: Cybersecurity (Recap)

Ever wonder how many cyber attacks are happening right now? Check out this awesome map: World Map of Cyber Attacks. As the subject of our first event of the year, Internet of Things (IoT) and Cybersecurity will be a hot topic in 2017. It is estimated that the IoT industry is a $6 billion industry and will grow to $30 billion by 2020. With this rapid growth, you can bet that companies are taking advantage, and the competition to get products to market first is becoming fierce. Where does cybersecurity fit in, and how are you protected?

Meet the Panel:
Eric Winsborrow, CEO of Distrix
Adam Shostack, Founder, Confidenza Security
Richard Henderson, Global Security Strategist, Absolute Software
Ryan Wilson, CTO, Kubera Payments
Alex Dow, President of The Mainland Advanced Research Society (moderator)

Are consumers driving the cybersecurity problem?
As new products are hitting the market at a rapid pace, from cars to laundry machines, it is
becoming increasingly common that your new purchase will be connected to the IoT. The
panelists highlighted that as exciting as this is, there is a concern around how products are
coming to market and the support they receive after purchase. Businesses cannot keep up with
testing against all cyber threats to make sure products are secure when racing to outperform
their competition. Making sure a product goes to market secure is part of the battle, but follow-up
firmware updates to patch against new threats are largely not happening.
It’s possible that the business might go out of business or a new development team takes over
to build the new version of the product. Consumers wouldn't pay $1,000 for a temperature
gauge if it is offered by another brand for $200. Even at $200, we would question if we really
need that item as you could buy a manual temperature gauge from a local hardware store for
under $40.
Tonight's panel discussed how consumers are not aware of, or educating themselves about, the
possible cyber threats they are now introducing into their own personal ecosystem. Does
the average consumer ever think of firmware updates or support? Probably not.
To highlight how IoT products have been built as products first vs security first, here are some of
the examples:
Alexa Echo: Alexa goes on a multiple $5,000 dollhouse shopping spree! A news station
picked up a story of a 6-year-old girl who ordered a $5,000 dollhouse to her parents' house
through the Alexa in their house. As the news story aired on TV, the Alexa devices near
viewers' TVs heard the command to order the dollhouse and tried to place the order. The Echo
is always listening and sending data back to Amazon. Good, bad?
Light bulb attack: Through light bulbs that have an IP, hackers have been able to install a
worm that gives them control of the bulbs. That might not seem that scary: so what if they can
turn the lights on or off and change them to different colours? The hackers found that if they put the bulbs
into FCC test mode, they could create ‘white noise’ that would knock out wireless internet in the
area of the bulbs.
Finland heat held for ransom: In Finland, during the winter, hackers started to turn off the heat,
demanding a ransom in bitcoins before turning the heat back on.
There are a bunch of other examples, such as the San Francisco public transit fare system being
hacked, again for a ransom. You can learn more about these by googling The Internet of
Ransomware.
The panelists all agreed that as exciting as the growing IoT industry is, we as consumers need to
be careful. If it has an IP, hackers can gain control. Prepare to be attacked and hacked, with a
plan for how to react if and when it happens. Having a plan in place will help minimize the damage.
It’s important to know what you want to protect about yourself and create a secure system
around that information.
Children’s toys were another topic tonight, as it’s a rapidly growing industry. The question was:
with these new IoT children's toys, is your child's privacy out the window? Toys will be the
biggest privacy risks, and laws around consent are currently vague and messy to interpret.
Say your child goes to their friend's house and talks to some IoT toy Barbies or dolls at their
friend's house. Your child's data is being recorded and sent back to private companies,
whose interpretation of the data can go in any direction. Your child’s voice is being indexed and
recognized, as well as their conversations between friends and with the toy.
What happens next?
Regulations need to be in place to require security measures. FCC has to start with your startup
being security first vs product first. Liability will be hard to define. Is it you, the consumer with the
light bulb that took part in a DoS attack, the ISP, or the manufacturers?
Companies do realize this is a problem and are starting to take steps to make sure that
consumers are safe. The Pentagon has started a bug bounty program, for example, paying
hackers to find security flaws, and the FTC is starting to hold companies responsible. You can
google D-Link to learn more.
It was an interesting night, and the ransomware topics stuck with me the most. It’s on us as the
consumers of IoT products to make sure we learn about the companies selling the products to
us. In learning about the products you wish to purchase and add to your personal ecosystem,
do your research to make sure you understand how to protect yourself from cybersecurity risks.
Does it need to be connected to the world, or can it live on your private network?
A source for information that was recommended was: Krebs on Security.