Hardwear.io, BruCON, and Virus Bulletin 2015

If you’re in Europe in late September and early October, there are a handful of conferences for you to check out. Hardwear.io is a first-year conference focusing on hardware hacking, the venerable BruCON is back for its 0x07th year running, and the Virus Bulletin Conference celebrates its 25th year. This makes for a pretty amazing 10-day tour package. If you couldn’t slip away for the Vegas conferences this year, see if you can make it out for these.

Hardwear.io (September 29-October 2 | The Hague)

Hardwear.io has a pretty impressive-looking lineup for a first-year conference in a specialty area. It is focused on hardware, with trainings September 29-30 and briefings October 1-2. Here’s a sample of the goodness.

Jon Callas (Silent Circle & Blackphone) will be keynoting, as will Harald Welte (Sysmocom and other Open Source projects). Jon’s talk looks interesting – Everything is broken and always will be, we MUST be able to fix it remotely.

I’ll be moderating a C-level panel discussion with Jaya Baloo (CISO of the Dutch telecom company KPN), Jasper van Woudenberg (CTO of Riscure North America), and Christopher King (CERT/CC).

Other notable talks and trainings:

  • Security of Medical Devices | Florian Grunow
  • Semantics-aware Intrusion Detection for ICS | Ömer Yüksel
  • Off-the-shelf embedded devices as research platforms | Lucian Cojocar & Herbert Bos
  • Low Level Hardware Reversing | Javier Vazquez Vidal & Henrik Ferdinand Nölscher
  • Integrated Circuit Security 101 | Olivier Thomas & Dmitry Nedospasov

BruCON (October 5-9 | Ghent)

BruCON is one of the premier security community conferences globally. It’s now back for its 7th year and promises to be pretty awesome. They’ll run trainings October 5-7 and briefings October 8-9. I Am The Cavalry will run a workshop (stay tuned for details). Other noteworthy trainings, talks, and workshops:

  • Offensive IoT Exploitation | Aditya Gupta and Aseem Jakhar
  • Assessing and Exploiting Control Systems | Don C. Weber
  • Brain Waves Surfing – (In)Security in EEG (Electroencephalography) Technologies | Alejandro Hernandez
  • Hacking as Practice for Transplanetary Life in the 21st Century: How Hackers Frame the Pictures in Which Others Live | Richard Thieme
  • A Hands On Introduction To Software Defined Radio | Didier Stevens

The ICS village will be a new addition this year, so if you missed it at DEF CON, come see if you can learn how those control systems work – and how to break them.

Unrelated to I Am The Cavalry, but really cool: a DJ Workshop by Ocean Lam, Count Ninjula and Keith Myers!

Virus Bulletin Conference (September 29-October 2 | Prague)

Claus Cramon Houmann will be addressing the 25th annual Virus Bulletin Conference (VB2015) in Prague, Czech Republic. His will be a collaborative session, first introducing I Am The Cavalry and then brainstorming how to make an impact in Europe. If you’re going to be there, or nearby, come by and join the conversation!

Hope to see you at one or more of the events!

I Am The Cavalry at BSides Las Vegas 2015

It’s time to take the wraps off what a few of us have been planning for BSides Las Vegas. We are returning again to do an I Am The Cavalry track on Tuesday, August 4th. This year it’ll be a different room, a different format, and a different objective. Like last year, you’ll be able to drop in and drop out of any of the sessions throughout the day.

Our objective this year is to generate discrete initiatives that will make the most difference the quickest. We will spend the morning introducing the concepts, giving background, and priming participants for the afternoon sessions. Those sessions will be focused on two pillars – automotive and medical devices – where there is both popular interest and multi-stakeholder inertia.

To kick off each of the automotive and medical device sessions, we will first give an overview of the current landscape and progress towards cyber safety. This will be a revealing talk where we can give more details of what has been happening around the industries, how the security community has engaged, and what the road ahead looks like. There will be surprises and unveilings.

During each session, we want to identify 2-3 good projects with strong support and leadership. We will ideate individual initiatives, then break into groups to flesh those out, identify outcomes, constraints, output, and methods. Each team will present their ideas in a lightning talk and facilitate a short discussion. After the ideas are laid out, participants will elect to get involved in making them come to reality, leaders will emerge to manage the initiatives, and others will pledge to support their actions.

People with subject matter knowledge will be on hand to guide those ideas, helping others avoid mistakes and replicate what has worked. It’s important to capture knowledge not just in automotive and medical, but also in public policy, media, legal, insurance and other stakeholder domains, so that the initiatives leave that room with the best chance of success.

We kick off the day after the BSides Las Vegas Keynote. You won’t want to miss that one.

11:00-11:30 Session Introduction and Overview Josh Corman & Nick Percoco
We will provide a brief overview of I Am The Cavalry and outline the day’s activities. Participants new to the initiative will get an introduction; those who are very familiar will be updated on activities and progress over the last year. We will also describe the vision for the day. Even if you miss this first session, you can join any of the others.

11:30-12:00 Hack the Future Keren Elazari
This talk is about inspiring hackers to be the change agents of the future, with practical things hackers can do to create a positive impact. It’s about being a good hacker while staying out of jail and making the world a better place – with things like community outreach projects, crypto parties, voluntary red teams, responsible disclosure and stopping the spread of FUD.

12:00-12:30 Leading in a “Do”-ocracy Chris Nickerson
A man whose talks need no abstract… Prepare to be informed and inspired, the way only Nickerson can do.

12:30-14:00 Lunch

14:00-14:30 State of Medical Device Cyber Safety Scott Erven & Beau Woods
Beau and Scott will give an overview of the medical device space and talk about the things that have gone on in the past year. This will be a revealing talk where we can give more details of what has been happening around the industries, how the security community has engaged, and what the road ahead looks like. They’ll also introduce and walk through the Medical Device workshop.

14:30-16:00 How can we ensure safer Medical Devices? (Workshop)
The goal is to identify 2-3 good projects with strong support and leadership in the Medical Device area. We will ideate individual initiatives, then break into groups to flesh those out, identify outcomes, constraints, output, and methods. Each team will present their ideas in a lightning talk and facilitate a short discussion. After the ideas are laid out, participants will elect to get involved in making them come to reality, leaders will emerge to manage the initiatives, and others will pledge to support their actions.

16:00-17:00 Break

17:00-17:30 State of Automotive Cyber Safety Josh Corman & Craig Smith
Josh and Craig will give an overview of the Automotive space and talk about the things that have gone on in the past year. This will be a revealing talk where we can give more details of what has been happening around the industries, how the security community has engaged, and what the road ahead looks like. They’ll also introduce and walk through the Automotive workshop.

17:30-19:00 How can we ensure safer Automobiles? (Workshop)
The goal is to identify 2-3 good projects with strong support and leadership in the Automotive area. We will ideate individual initiatives, then break into groups to flesh those out, identify outcomes, constraints, output, and methods. Each team will present their ideas in a lightning talk and facilitate a short discussion. After the ideas are laid out, participants will elect to get involved in making them come to reality, leaders will emerge to manage the initiatives, and others will pledge to support their actions.

DEF CON 22 Videos

DEF CON fans and aficionados: the wait is over. The videos from DEF CON 22 are now available online. This is not a complete list of all available videos, but it showcases many of the ones of interest to the Cavalry and Cavalry followers. If you are looking for the latest that internet security researchers have to offer, enjoy!

 

DEF CON 22: August 7 – 10, 2014

DEF CON Talks
Hacking US (and UK, Australia, France, etc.) traffic control systems, by Cesar Cerrudo
This presentation discusses how to manipulate traffic signals, including how the devices were acquired, the research, on-site testing demos (in Seattle, New York and Washington DC), vulnerabilities found and how they can be exploited, and finally some possible NSA-style attacks.

Hacking 911: Adventures in Disruption, Destruction, and Death, by Christian Dameff, Jeff Tully & Peter Hefley

Emergency medical services (EMS) are the safety nets we rely on every day for rapid, life-saving help in the absolute gravest of circumstances, but these services rely on antiquated infrastructures that were outdated twenty years ago, with vulnerabilities large enough to drive an ambulance through, little municipal governmental support for improved security, and a severe lack of standardized security protocols. Quaddi, r3plicant, and Peter, two MDs and a security pro, review the archaic nature of the 911 dispatch system and its failure to evolve with a cellular world, the problems that continue to plague smaller towns without the resources of large urban centers, how the mischief of swatting and phreaking can quickly transform into the mayhem of cyberwarfare, and the medical devastation that arises in a world without 911.

The Cavalry Year[0] & a Path Forward for Public Safety, by Josh Corman & Nick Percoco

At DEF CON 21, The Cavalry was born. In the face of clear & present threats to “Body, Mind & Soul” it was clear: The Cavalry Isn’t Coming… it falls to us… the willing & able… and we have to try to have impact. Over the past year, the initiative reduced its focus and increased its momentum. With a focus on public safety & human life we did our best “Collecting, Connecting, Collaborating” to ensure the safer technology dependence in: Medical, Automotive, Home Electronics & Public Infrastructure. We will update the DEF CON hearts & minds with lessons learned from our workshops & experiments, successes & failures, and momentum in industry and with public policy makers. Year[0] was encouraging. Year[1] will require more structure and transparency if we are to rise to these challenges… As a year of experimentation comes to an end, we will share where we’ve been, take our licks, and more importantly outline a path forward…
 

Hack All The Things: 20 Devices in 45 Minutes, by CJ Heres, Amir Etemadieh, Khoa Hoang & Mike Baker

When we heard “Hack All The Things,” we took it as a challenge. So at DEF CON this year we’re doing exactly that, we’re hacking everything. We’ve taken all of our previous experience exploiting embedded devices and used it to bring you a presentation filled with more exploits than ever before™. This presentation will feature exploits for over 20 devices including but not limited to TVs, baby monitors, media streamers, network cameras, home automation devices, and VoIP gateways. Gain root on your devices, run unsigned kernels; it’s your hardware, it’s internet connected, and it’s horribly insecure.
 

The Internet of Fails: Where IoT Has Gone Wrong and How We’re Making It Right, by Mark Stanislav & Zach Lanier

This presentation will dive into research, outcomes, and recommendations regarding information security for the “Internet of Things”. Mark and Zach will discuss IoT security failures both from their own research as well as the work of people they admire. Attendees are invited to laugh/cringe at concerning examples of improper access control, a complete lack of transport security, hardcoded-everything, and ways to bypass paying for stuff. Mark and Zach will also discuss the progress that their initiative, BuildItSecure.ly, has made since it was announced this past February at B-Sides San Francisco. Based on their own struggles with approaching smaller technology vendors with bugs and trying to handle coordinated disclosure, Mark and Zach decided to change the process and dialog that was occurring into one that is inclusive, friendly and researcher-centric. They will provide results and key learnings about the establishment of this loose organization of security-minded vendors, partners, and researchers who have decided to focus on improving information security for bootstrapped/crowd-funded IoT products and platforms.

How to Disclose an Exploit Without Getting in Trouble, by Jim Denaro & Tod Beardsley

You have identified a vulnerability and may have developed an exploit. What should you do with it? You might consider going to the vendor, blogging about it, or selling it. There are risks in each of these options. This session will cover the risks to security researchers involved in publishing or selling information that details the operation of hacks, exploits, vulnerabilities and other techniques. This session will provide practical advice on how to reduce the risk of legal action and suggest several approaches to responsible disclosure.
 

Cyberhijacking Airplanes: Truth or Fiction?, by Dr. Phil Polstra & Captain Polly

There have been several people making bold claims about the ability to remotely hack into aircraft and hijack them from afar. This talk will take a systematic look at the mechanisms others are claiming would permit such cyberhijacking. Each of the most popular techniques will be examined myth-buster style. Along the way several important aircraft technologies will be examined in detail. Attendees will leave with a better understanding of ADS-B, ADS-A, ACARS, GPS, transponders, collision avoidance systems, autopilots, and avionics networking and communications. No prior knowledge is assumed for attendees.

Just what the Doctor Ordered?, by Scott Erven & Shawn Merdinger

You have already heard the stories of security researchers delivering lethal doses of insulin to a pump, or delivering a lethal shock to a vulnerable defibrillator. But what is the reality of medical device security across the enterprise? Join us for an in-depth presentation about a three-year independent research project, encompassing medical devices across all modalities inside today’s healthcare landscape. Think they are firewalled off? Well think again. Scarier yet, many remain Internet facing and are vulnerable to strategic attack with the potential loss of human life. And yes, you will be amazed at what we found in just 1 hour! We will prove that an attacker can access medical devices at thousands of healthcare facilities from anywhere in the world with the potential loss of human life. This discussion will also highlight the fallout from security standards not being a requirement for medical device manufacturers, and our experience in identifying and reporting vulnerabilities. We will provide our insight into what needs to be done for healthcare organizations to respond to the new threat of cyber-attack against medical devices. We are working towards a future where cyber security issues in medical devices are a thing of the past. We will discuss the recent success and traction we have gained with healthcare organizations, federal agencies and device manufacturers in addressing these security issues. The train is now moving, so please join us to find out how you can get involved and make a difference by ensuring patient safety.

A Survey of Remote Automotive Attack Surfaces, by Charlie Miller & Chris Valasek

Automotive security concerns have gone from the fringe to the mainstream with security researchers showing the susceptibility of the modern vehicle to local and remote attacks. A malicious attacker leveraging a remote vulnerability could do anything from enabling a microphone for eavesdropping to turning the steering wheel to disabling the brakes. Last year, we discussed 2 particular vehicles. However, since each manufacturer designs their fleets differently, analysis of remote threats must avoid generalities. This talk takes a step back and examines the automotive network of a large number of different manufacturers from a security perspective. From this larger dataset we can begin to answer questions like: Are some cars more secure from remote compromise than others? Has automotive network security changed for the better (or worse) in the last 5 years? What does the future of automotive security hold and how can we protect our vehicles from attack moving forward?

Learn How to Control Every Room at a Luxury Hotel Remotely: The Dangers of Insecure Home Automation Deployment, by Jesus Molina

Have you ever had the urge to create mayhem at a hotel? Force every hotel guest to watch your favorite TV show with you? Or wake your neighbors up (all 290 of them!) with blaring music and with their blinds up at 3 AM? For those with the urge, I have the perfect place for you. The St. Regis ShenZhen, a gorgeous luxury hotel occupying the top 28 floors of a 100 story skyscraper, offers guests a unique feature: a room remote control in the form of an iPad 2. The iPad 2 controls the lighting, temperature, music, do not disturb light, TV, even the blinds and other miscellaneous room actions. However, the deployment of the home automation protocol contained several fatal flaws that allow an arbitrary attacker to control virtually every appliance in the hotel remotely. I discovered these flaws and as a result, I was able to create the ultimate remote control: Switch TV off 1280, 1281, 1283 will switch off the TV in these three rooms. The attacker does not even need to be at the hotel – he could be in another country.

This talk provides a detailed discussion of the anatomy of the attack: an explanation of reverse engineering of the KNX/IP home automation protocol; a description of the deployment flaws; blueprints on how to create an iPad Trojan to send commands outside the hotel; and, of course, solutions to avoid all these pitfalls in future deployments. Attendees will gain valuable field lessons on how to improve wide scale home automation architectures, and discussion topics will include the dangers of utilizing legacy but widely used automation protocols, the utilization of insecure wireless connections, and the use of insecure and unlocked commodity hardware that could easily be modified by an attacker.

 

Attacking the Internet of Things using Time, by Paul McMillan

Internet of Things devices are often slow and resource constrained. This makes them the perfect target for network-based timing attacks, which allow an attacker to brute-force credentials one character at a time, rather than guessing the entire string at once. We will discuss how timing attacks work, how to optimize them, and how to handle the many factors which can prevent successful exploitation. We will also demonstrate attacks on at least one popular device. After this presentation, you will have the foundation necessary to attack your own devices, and a set of scripts to help you get started.
 

Optical Surgery; Implanting a DropCam, by Patrick Wardle & Colby Moore

Video monitoring solutions such as DropCam aim to provide remote monitoring, protection and security. But what if they could be maliciously subverted? This presentation details a reverse-engineering effort that resulted in the full compromise of a DropCam. Specifically, given physical access and some creative hardware and software hacks, any malicious software may be persistently installed upon the device. Implanting a wireless video monitoring solution presents some unique opportunities, such as intercepting the video stream, ‘hot-micing’, or even acting as a persistent access/attack point within a network. This presentation will describe such an implant, as well as revealing a method of infecting either Windows or OS X hosts that are used to configure a subverted DropCam.

Playing with Car Firmware or How to Brick your Car, by Paul Such & Agix

A lot of papers have already been done/produced on hacking cars through OBD2/CAN bus. Looking at the car firmware could also be something really fun :) How to access the firmware, hidden menus & functionalities, hardcoded SSIDs, users and passwords (yes, you read right) are some of the subjects we will cover during this short presentation.

Elevator Hacking – From the Pit to the Penthouse, by Deviant Ollam & Howard Payne

Throughout the history of hacker culture, elevators have played a key role. From the mystique of students at MIT taking late-night rides upon car tops (don’t do that, please!) to the work of modern pen testers who use elevators to bypass building security systems (it’s easier than you think!) these devices are often misunderstood and their full range of features and abilities go unexplored. This talk will be an in-depth explanation of how elevators work… allowing for greater understanding, system optimizing, and the subversion of security in many facilities. Those who attend will learn why an elevator is virtually no different than an unlocked staircase as far as building security is concerned!

 

Heartbleed, Shellshock, and Erosion of Third-Party Trust

TL;DR

  • Today’s software inherently depends on unreliable computer code. Devices that have the ability to impact public safety and human life should have a trust model based on assurance, not assumption.
  • Our failure to manage the software supply chain undermines our ability to predict and manage effects of root cause issues like Shellshock and Heartbleed. A necessary component of reliable, trustworthy devices must be an accounting of the software supply chain.

If you’ve been paying attention to information technology and security media lately you’ve probably heard of a bug called Shellshock. The term refers to a specific vulnerability in Bash, a program whose code was written over 25 years ago and which has made its way into dozens of computer operating systems across millions of systems and devices.

As far as we know, Shellshock was only discovered within the past month. We do know that the bug carries the highest severity rating and allows complete takeover of an affected computer or device. What we don’t necessarily know is which systems are affected, to what degree, and whether the vulnerability in each of them can be triggered by a malicious attacker.

Shellshock isn’t a unique phenomenon. Since it first became publicly known, further flaws have been found in the same software package that gave us the Heartbleed vulnerability.
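As an added example (not part of the original article), here is a probe for the Shellshock condition described above, written in Python around the classic bash one-liner test. It depends on one fact about the bug: before the September 2014 fixes, Bash imported shell functions from any environment variable whose value began with `() {` and went on executing whatever followed the function body. The variable name `SSPROBE` and the marker string are assumptions chosen for this example; a fixed Bash ignores the definition and only the real command's output appears.

```python
"""Shellshock (CVE-2014-6271) probe.

Added example, not code from the original article. Pre-fix Bash parsed
exported functions out of the environment and kept executing past the
closing brace, so a command trailing the function body ran at startup.
"""
import shutil
import subprocess

# Printed only if bash executed the command trailing the function body.
MARKER = "SHELLSHOCK_TRAILING_CMD_RAN"
# The variable name is arbitrary; the value's "() {" prefix triggers the bug.
PROBE_ENV = {"SSPROBE": "() { :; }; echo " + MARKER}


def classify_probe_output(stdout):
    """Map the probe's stdout to a verdict.

    'vulnerable'     : marker appeared, so the trailing command ran
    'not_vulnerable' : bash ran our real command and nothing else
    'inconclusive'   : our command never ran (wrong binary, no bash)
    """
    lines = stdout.splitlines()
    if MARKER in lines:
        return "vulnerable"
    if "probe-ok" in lines:
        return "not_vulnerable"
    return "inconclusive"


def probe_bash(bash_path="bash"):
    """Run the probe against one bash binary; returns (verdict, raw stdout).

    The child gets a minimal environment so nothing else on the host can
    influence the outcome.
    """
    if shutil.which(bash_path) is None:
        return "inconclusive", ""
    env = {"PATH": "/usr/bin:/bin"}
    env.update(PROBE_ENV)
    proc = subprocess.run(
        [bash_path, "-c", "echo probe-ok"],
        env=env, capture_output=True, text=True, timeout=10,
    )
    # Fixed versions may warn on stderr about the ignored definition; only
    # stdout decides the verdict.
    return classify_probe_output(proc.stdout), proc.stdout


if __name__ == "__main__":
    verdict, raw = probe_bash()
    print(verdict)
```

Run it against each bash binary on a device (`probe_bash("/bin/bash")`), not just the one on `PATH`; firmware images frequently ship more than one copy, and a verdict of `inconclusive` means the probe never reached a bash at all rather than that the system is safe.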

We are increasingly adopting computer technology into devices we depend on. Computer software is becoming a fundamental component of medical devices, automobiles, public infrastructure, and home electronics. Computer software is complex, and is not flawless. When flaws are exposed, the software tends to fail in complex ways with unpredictable behavior. Unpredictable behavior in a fundamental component of a device leads to a cascade of unreliability.

Manufacturers understand that no matter where their components come from, they have ultimate responsibility for quality and reliability. To make a reliable device, each component must be trusted to perform predictably. This is why they spend so much time and effort assuring the quality of what they receive through their internal or third-party supply chain. As computer technology is increasingly transplanted into devices, software becomes a critical component in these supply chains. And yet scrutiny of the software components of devices has not yet caught up with quality control of the other pieces.

We must improve the quality and traceability of software components in devices that have the ability to impact human life and public safety. A recipe for this will have the following ingredients:

  • A secure software development lifecycle helps ensure that the computer code in our supply chains is relatively free of severe defects. This lets us prevent failures.
  • A supply chain inventory, or bill of materials, maps issues to impacts: we can reliably say what computer code exists on which systems and what functionality depends on it, and so understand how systems will be affected when flaws are found in that code.
  • A secure and safe way to fix software issues after device release or deployment protects safety at a greatly reduced cost compared to a recall.
  • Openly sharing knowledge of issues and their fixes among security researchers, manufacturers and the public lets manufacturers benefit from decades of experience securing software supply chains, and puts the power and responsibility for when and how to apply a fix into the hands of device owners.
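The inventory ingredient above, and the earlier question of which systems are affected, to what degree, and whether the flaw can actually be triggered, as one added worked example that is not the article's or I Am The Cavalry's code: a script that takes a bill of materials for a fleet of devices and maps a component-level flaw (here the first Shellshock CVE, CVE-2014-6271, referenced in the links below) to a per-device verdict. Device names, component versions, the trigger labels and the remote/local exposure sets are constructed for illustration. The fixed patch levels are the upstream bash patches of 24 September 2014; because distributions backport fixes without changing the version string, a real run must take fixed versions from the vendor advisory.

```python
"""Map a component flaw to device impact using a software bill of materials.

Added example, not code from the original article or from I Am The Cavalry.
The inventory below is constructed; a real SBOM would come from the build
system or from firmware analysis.
"""
import re

# Upstream bash patch levels that first fixed CVE-2014-6271 (24 Sept 2014
# patch sets). Distributions backport fixes without bumping the version
# string, so real triage must take fixed versions from the vendor advisory.
FIXED_PATCH = {(4, 3): 25, (4, 2): 48, (4, 1): 12, (4, 0): 39, (3, 2): 52}

# Constructed labels for code paths that pass attacker-controlled data to
# bash through the environment. Remote paths are reachable from the
# network; local ones need a foothold on an adjacent network segment.
REMOTE_TRIGGERS = {"cgi-bin", "sip-hook"}
LOCAL_TRIGGERS = {"dhcp-client", "ssh-forcecommand"}

# Constructed SBOM: per device, component versions and the trigger paths
# the device exposes. Version strings follow `bash --version` output.
INVENTORY = [
    {"device": "infusion-pump-A",
     "components": {"bash": "4.2.37(1)-release", "busybox": "1.20.2"},
     "triggers": ["dhcp-client"]},
    {"device": "telematics-unit-B",
     "components": {"bash": "4.3.11(1)-release", "openssl": "1.0.1e"},
     "triggers": ["cgi-bin"]},
    {"device": "set-top-box-C",
     "components": {"bash": "4.3.30(1)-release"},
     "triggers": ["cgi-bin"]},
    {"device": "traffic-controller-D",
     "components": {"bash": "3.2.48(1)-release"},
     "triggers": ["serial-console"]},
    {"device": "home-router-E",
     "components": {"busybox": "1.22.1"},
     "triggers": ["cgi-bin"]},
    {"device": "gateway-F",
     "components": {"bash": "3.1.17(1)-release"},
     "triggers": ["cgi-bin"]},
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_bash_version(version):
    """'4.3.11(1)-release' -> (4, 3, 11)."""
    m = _VERSION_RE.match(version)
    if m is None:
        raise ValueError("unrecognised bash version string: %r" % version)
    return tuple(int(x) for x in m.groups())


def bash_status(version):
    """'fixed', 'vulnerable', or 'unknown' when the branch is not in the table."""
    major, minor, patch = parse_bash_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "unknown"
    return "fixed" if patch >= fixed else "vulnerable"


def assess(device):
    """Combine presence, version and reachability into one verdict."""
    version = device["components"].get("bash")
    if version is None:
        return "not-present"
    status = bash_status(version)
    if status != "vulnerable":
        return status
    triggers = set(device["triggers"])
    if triggers & REMOTE_TRIGGERS:
        return "vulnerable-remote"
    if triggers & LOCAL_TRIGGERS:
        return "vulnerable-local"
    return "vulnerable-no-known-trigger"


def impact_report(inventory):
    """Device name -> verdict, which is what a fleet owner needs to prioritise fixes."""
    return {d["device"]: assess(d) for d in inventory}


if __name__ == "__main__":
    for name, verdict in sorted(impact_report(INVENTORY).items()):
        print("%-22s %s" % (name, verdict))
```

The `unknown` verdict is deliberate: a branch missing from the fixed-version table is exactly the "we don't know which systems, or to what degree" gap the article describes, and it should be reported rather than silently treated as safe. Reachability labels are the second half of the answer; a vulnerable bash with no known path from the network is a lower priority than one sitting behind a CGI script.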

Shellshock and Heartbleed are symptoms of a bigger issue. We increasingly depend on systems that are undermined by unreliable software supply chains. This leads to an erosion of trust among manufacturers, their suppliers, consumers, the government, and others.

These are not intractable problems. We must think long term. We must keep pushing. We must focus on that which matters. We must lead in areas we care about.

We can get started on this today, and everyone can help. Work towards these things in your own organization and with those in your supply chain. Advocate good practices to others in your industry or a different one. Team with others (like I Am The Cavalry) looking to do the same.

Source Links and Further Reading
https://community.rapid7.com/community/infosec/blog/2014/09/25/bash-ing-into-your-network-investigating-cve-2014-6271
https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
http://blog.erratasec.com/2014/09/the-shockingly-bad-code-of-bash.html#.VCuKZildVDk
http://blog.erratasec.com/2014/09/bash-shellshock-bug-is-wormable.html#.VCuKryldVDk
http://blog.erratasec.com/2014/09/bash-bug-as-big-as-heartbleed.html#.VCuK0SldVDk
http://en.wikipedia.org/wiki/Shellshock_(software_bug)
http://www.technologyreview.com/view/531286/why-the-shellshock-bug-is-worse-than-heartbleed/
http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

Also thanks for contributions to the article by:
Jeff Jarmoc (@jjarmoc)
Tim Anater (@bfbcping)
Dennis Groves (@degroves)

The Cavalry In Europe

The Cavalry made our first appearance at a European conference. Josh Corman was invited to The Hague to give the closing keynote at the National Cyber Security Center’s One Conference. In his keynote he revisited the theme of his TEDx talk, which highlights the issues The Cavalry is addressing.

Claus Houmann, a strong supporter of The Cavalry who has urged us to come deliver our message in person across the Atlantic, gave us a warm welcome in a post entitled Call to arms! Fellow Europeans, mount up. Thanks, Claus. We look forward to many good interactions on your continent.

Down The Rabbithole Cavalry-esque Discussion

For those of you who don’t already listen to it, Down The Rabbithole (DtR) is a long-running podcast hosted by Raf Los (aka Wh1t3 Rabbit) and James Jardine. Over the holiday weekend I was catching up on the podcast and ran across a great Cavalry-esque episode I thought I’d draw your attention to.

On the April 7th Newscast Raf and James discussed the end of support for Windows XP and how this will affect life-critical systems. They went beyond the superficial issues and talked about the bad assumptions that have led to decision-making failures for several years in the computer technology space. The true costs, they mention, won’t be on the Internet; they’ll come when computer security affects humanity. Our inability to accurately predict the future leads to public safety, human life and trust problems.

They also discuss wholly managed devices, such as the Google Nest thermostat. What are the implications of that management? If an update breaks a device what are the ramifications? They also talked about the fact that the updates themselves can be an attack vector, similar to my comments in the BBC article on ghosts in the Internet of Things.

We’re placing ever more trust in those who are behind our connected systems. We are trusting that they are acting in good faith. And we are trusting that their decision making process is sound. Shouldn’t we KNOW that these decisions are worthy of our trust?

IATC at ISSA Los Angeles, May 16th, 2014

I Am The Cavalry is proud to be an organizational sponsor of ISSA Los Angeles (Event Flyer). The conference will be on May 16th, 2014, from 7:30 am to 6:00 pm, at the University City Hilton in Los Angeles. Keynotes include Richard Clarke and Marcus Ranum, and featured speakers include Jackie Lacey (LA County District Attorney), Marc Maiffret (BeyondTrust), Jim Manico (OWASP), and Jeremiah Grossman (WhiteHat Security). I Am The Cavalry will have a table at the event – come by and say “hi”!

Security of Things Forum

The inaugural Security of Things Forum was held May 7th. The forum, organized by Security Ledger Editor in Chief Paul Roberts, was keynoted by Dan Geer. Mark Stanislav of Duo Security and BuildItSecure.ly, and Josh Corman of Sonatype, also spoke at the conference.

CSO Online wrote an article drawn predominantly from Josh’s talk, an updated version of his Swimming with Sharks TEDx presentation.

In the Digital Ocean, predators outnumber protectors

Just because something is scary doesn’t mean it’s a figment of your paranoid imagination…. There is reason to be afraid because the dangers in the digital “ocean” are as real as swimming in a physical ocean of sharks, with blood in the water.

Rich Quinnell, Editor in Chief of IoT World, also took the opportunity to write about security of the Internet of Things and introduced his readers to I Am The Cavalry and BuildItSecure.ly.

Security Cavalry is Coming to the Internet of Things

One of the biggest concerns many people have about the Internet of Things is its security. Each point of connection between our systems and services and the wide area network is a potential point of vulnerability to cyberattack, yet security is at best an afterthought in many IoT designs. Something in the way we handle IoT security has got to change, and that is a key goal for a new grassroots organization [called I Am The Cavalry].

Finally, Channelnomics wrote a detailed account of the forum and the security issues in the Internet of Things. Definitely worth a read.

A Dose of Reality in the Rush to Connect All Our Things

“Security is the absence of unmitigatable surprise,” [keynote speaker Dan] Geer told SECoT attendees. “My design goal is ‘no silent failure’.” In the end, it’s not about raining on the IoT parade, said [Forum organizer Paul] Roberts, but rather moving the conversation into a more prudent and defensible space by bringing the vendors and the often insular communities together.

BBC Future Story, Featuring The Cavalry

Last week BBC Future published a piece called Internet of Things: The ‘ghosts’ that haunt the machine. The article discusses the potential long-term network congestion that could come about from noisy IoT devices. The Cavalry gets a mention and a quote, in the context of the potential for takeover of the devices, either by targeting the endpoints or by taking over expired domains for update servers, etc.

Once the ghost machine is taken over, the potential for damage is considerable, says Beau Woods, a founding member of I Am The Cavalry, an organisation focusing on protecting the general public from digital attacks. “What could someone malicious do if they could modify or replace the software on the device? This could range from pranks, like funny photos on a fridge screen, to making profits by inserting advertisements on your television, to interception by digitally eavesdropping on your home network, to disablement through wrecking the software on the device, to doing physical damage by overloading the electronics or burning out a motor. In automobiles, medical devices, public transport, airplanes and other more critical systems the damage could be much more severe.”

The story hit the front page of the BBC website, which gave us some good exposure to a global audience.