You may have a secure network but one device can put your network in danger. Imagine that there is a TV sitting in the CEO’s office and this TV can be hacked, so your network is not secure anymore.
We had a fruitful interview with hacker Igor Lukic from Enigmsec on using Internet of Things as Cyber weapons at Locard Cyber Security Summit.
Please tell us about yourself and Locard.
I own a small security auditing company called Enigmasec based in the Canary Islands. We give services to our customers to make penetration testing, audit and ensure the safety of their systems. I’ve started the hacking business when I was a kid. I always loved technology, security, and hacking. Then we have begun making conferences in Spain about hacking which is called Hacron. I attended some conferences as a speaker in Istanbul. There I met Musa Savaş and Nurhan Demirel. We decided to bring a global view about cyber security and created our brand Locard. The idea is to have a global service security summit; Istanbul is chosen as headquarter, and the summit will be held in Istanbul each year.
This is the first Locard Summit. How did it go?
It went pretty good. We have different local, and foreign speakers, and the audience was interested.
Please tell me about a hacker’s life, you are actively doing it, and you are not under cover.
I’m a hacker and like technology but I am not involved in the underground scene! There are hackers and cyber criminals. We have to differentiate it. Cyber criminals are the ones that want to give harm.
Tell me how IoTs can be used as cyber-weapons.
It is important to know what are inside them. Obviously, people don’t think they can attack. They are friendly and help people with their lives, cars, homes, on their bodies. The intelligent data makes life easier but in the wrong hands when it is manipulated, it is dangerous. The networks, passwords, and privacy can be attacked, and the data can be sold.
Don’t we have the same threat while using smartphones? We already share most of our private data.
Yes, but the problem is nobody is suspicious about the Smart TV or an intelligent fridge. If this fridge is attacked, you will not know it; that’s the danger.
You say that smartphones are more controlled. The providers are more aware of the danger but that is not valid for IoTs. Right?
Yes, it’s like when the internet started. There was no security because there were no threats. Technology at the beginning was not like this.
Is it also valid for IoTs that we buy from a well-known brand?
Yes, of course. The problem is that they use many components made by many different providers. When you are purchasing a product from a well-known brand, you are buying ten different vendors’ products inside it, and you have no idea what you buy.
So, well-known brand product’s security is not enough. It’s hard to believe.
It depends on the provider. The problem is that they use internal items and the end product shall be simple. Consumer wears a fitness wristband, for example, it works, and that’s it. Usually, that approach has some security problems, especially manufacturers rush to release the products so that they can sell more. Security has the process that makes things slow and in business world slow means death. Somebody else may be faster, that is why there’s a race of releasing things. They usually skip this task. The approach is like “we will address a solution when the problem occurs”.
Then this is a quality problem, right?
Being qualified is hard. Security is not cheap. You need to hire great guys with high salaries, and usually, manufacturers skip that.
As far as I understand there is a security failure in the IoT sector, would you recommend startups to look into this part of the business?
No, there is an emptiness in the crosses of making internal things, but this is just that another process of the actual security. The security companies need to take internal devices into account in their operations. For instance, I was worried about my mobile phone like Whatsapp privacy; now I have to worry about the internal things also because they’re coming. You may have a secure network but one device can put your network in danger. Imagine that there is a TV sitting in the CEO’s office and this TV can be hacked, so your network is not secure anymore.
What shall a consumer do then during shopping?
There is a saying in Turkey “inshallah” (good willing)! That’s the way it is. I can give you a magic pill which may work for one day and tomorrow it will not work. That is the problem. Security is an infinite process. Companies need to have strategies. They need to have multiple layers, first physical, network, program, and kernel security.
As a consumer, it’s the same concept. As a consumer, you need to know a little bit more and have a great responsibility. Users don’t even read manuals.
People are imposed on too much information already, and now you say we need to think about the risk management of the devices we use!
Life is tough!
When I’m buying an IoT where shall I check to make sure that it is secure?
That’s a good question. My definition is you need to analyze the thing; this is a tactical approach. The typical consumer should do first to think of “what is the real threat?” For ex. what is the real threat of knowing how many calories you burn? Why is a hacker interested in knowing this? You need to think widely. If it has a GPS tracking, they can know your location and your activity. So, you need to analyze the threat and accept or reject it.
I shall not use it.
Imagine you are the President of the United States, and you’re using this type of technology, this is a threat. You’re an extraordinary person, and if there’s a data leakage of this kind, your security is in danger. Now, from the perspective of a typical consumer, it’s a lower threat. That is not so bad from my point of view.
You mentioned communication and automobile are real threats.
Here, the brand and quality are critical. Tesla is a great example. Tesla knew the car is going to be highly tech, so from day one they made an update system that can update all the cars at the same time. Other manufacturers did not see it. So, when you have a security risk, your consumers are in danger until they go to the provider for a fix. That is not only about technology, but it is also a security approach. You need to analyze the threat.
You gave an example of a fight between an orca and a white shark in your presentation. The main idea was to know the methodology how to attack. Would you explain it?
Sure, so as I said internal things are being used as cyber weapons. That is linked directly to the “advanced persistent threat” concept. It’s used when somebody is targeting a cyber-attack to a victim. For example, I want to attack you, and I know you like sports and carry a wristband, and I use it as the weapon. That is a targeted attack. APT (Advanced Persistent Threat) is used to attack to companies, big brands, people, and governments. Sponsored attackers directly want you to be damaged.
I gave the example of a fight between an orca and a white shark, which I had seen in a National Geographic documentary. When an orca and a great wide shark are fighting, the orca is not approaching to a shark face to face. It analyses the enemy and finds out how it can give the most damage. So if you attack a great wide shark, you need to hit it in the belly and flip it, then the shark goes in a trance mode. It can’t move, and the brain chemical causes harm. So, orca just sits on top and waits for the shark to get drawn and kills it with no scratches. It’s a silent but targeted attack. It’s tactical. Once you hit, there’s no way of coming back. Nowadays, this is an approach we are using for the security.
In the cyber-security sector, what would you recommend to the startups?
Internal devices are a significant threat to the society, and if someone finds a tool that will help control the “threat,” people will buy it.
Is it like an app that checks whether my IOT is secure or not?
There are apps, but they do not provide a 100% security. Today there are only partial solutions. A complete solution is required.
Thank you very much