“It’s a sunny March morning in 2023. … As you get into your car you are presented with an urgent message. Your car has been immobilized and you need to pay 4 Bitcoin in ransom.”
The world will have 50 billion connected devices by 2020. What does this really mean for individuals and society? Talking about this at the NAB Show will be Gary Davis, chief consumer security evangelist for Intel Security Group. We called him for insights; text is edited for brevity.
RW: Give us a little bit of insight into what you will speak about.
Davis: We’re basically bringing online about a million devices per hour right now; and one of the challenges we’re seeing from a security perspective is that most of those devices are being brought online without any thought about security.
I met with another journalist at CES who said they bought a connected toaster, and within 20 seconds of connecting that toaster, it was called and someone tried to access it with its username and password. In our own labs we bought a DVR and had that same thing happen within 60 seconds, where somebody called the device, they tried the default username and password, tried a couple different options, got in and then tried to place malware.
These devices coming online with little concern or little thought put in for securing these devices is opening it up for some challenges.
RW: Most of the people listening won’t be directly in a position to change the design element of the product. So is the message mostly about user awareness?
Davis: Sure. The most simple thing you can do is when you activate that new device — actually two things. First of all, in most cases that device was built five, six months, maybe a year ago, and there’s been some sort of firmware update since then. In a lot of cases, these firmware updates include security patches. So apply any firmware updates when you install the device.
The second thing you should do is set up a complex password. If you do that, you’re going to make it orders of magnitude more difficult for a bad guy to get access to it.
And don’t use the passwords that are typically used in every breach. Believe it or not, the top 10 passwords have never changed over the past several years, when there’s been a major breach.
RW: I imagine you speak to a lot of professional audiences.
Davis: I spend a lot of time at industry events where the audience are device manufacturers or people from that domain. For example, we know they’re solving for time and market convenience, but we say, “When you build the devices, if you put some security discipline into your development methodology, doing things like encrypted communications, requiring a password reset,” if they do those four or five things there’s less likely to be the headline in a Wall Street Journal, New York Times article saying “Device X was hacked and here’s what you need to do.”
RW: It’s remarkable that, in our own technical business, instances we’ve heard about of ransomware or hacks of air chains and emergency alert boxes are often traced back to the simple failure to change a password.
Davis: Yep. It’s that simple. That has been the bane of security forever. That simple password change requirement, even if you look back to the Mirai Botnet that took down a big chunk of the East Coast a couple months ago. That continues to grow, using that exact same method I talked about before, they’re crawling the internet constantly; as soon as they see a new device they try a default username and password; if they get in they install the Mirai malware, and the next time there’s a botnet attack, that device is going to be used as part of the attack.
Most consumers don’t want to be a part of that. If they knew they had a thermostat or a security camera that was involved in attacks, they would do all they can to make that not happen. If they would just do those, it would ease their minds to know they are not supporting malicious activities.
RW: The scope of what’s coming is probably hard for us to appreciate. The first device I think of for internet connectivity outside of the traditional computer has been my thermostat. Where else will these sensors and devices be in our lives?
Davis: They will be virtually everywhere. That’s what’s happening right now. It’s everything from light bulbs, to TVs, to refrigerators, to toasters, to ovens, to every device that you use in your life is going to have the ability to be connected. And for the simplest devices that are online, it’s going to make it that much easier for the bad guys to do whatever they want. That’s what as an industry we need to work on right now, to make sure that doesn’t happen.
Imagine every single device that you interact with having the ability to be connected. This situation is exacerbated in 2020 when 5G comes online. Right now, it is hard for someone to come in and take large amounts of data out of a business or home; but once everything is connected using 5G, you will have almost zero latency. You have 1 terabit per second speeds; the amount of data they can pull out quickly is going to make it really hard for businesses or consumers or small businesses to properly defend if they are under attack.
RW: Among the audience may be some who work on industry groups like NAB’s Pilot department, which deals with technology, or the National Radio Systems Committee. What role do organizations like these have in trying to get the industry around a standardized approach?
Davis: There’s a lot of groups that are coming online today that are really trying to build something as simple as a checklist. You know, one of the more popular discussions we’re seeing today is basically a security equivalent to Energy Star. When you go into Lowe’s or Home Depot, you see an Energy Star-compliant refrigerator or stove or washing machine; you pay attention to that. You know that if you buy that, you’re going to save some money because you are using a more energy-compliant or energy-saving device. We’re looking at similar things for securing your devices, a simple checklist: Here are the 10 things you should do in order to earn the certification.
RW: What else should we know?
Davis: We’re going to look at this from the volume of devices that are coming online and how exposed those are and some use cases we’ve seen where these devices have been basically hacked. We’re going to be talking about some examples from Def Con, which is basically a hacking event tied to Black Hat.
The other threat is really around this idea of the amount of activity going on in any given day. For example, we have our Global Threat Intelligence Network, and we take almost 50 billion queries every day. That’s more than Facebook, Twitter, Instagram and LinkedIn combined. We have this massive threat intelligence, and this is how we can tell with certainty there are three to four new pieces of malware every second of every day. It’s because we have this rich data set that we’re drawing from.
So we’re going to talk about all these devices coming out, to the tune of a million per hour; and then you’re countering that with a volume of activity that is security-centric. I’m going to draw the intersection between what happens when those two things collide, and talk through the impact to consumers and businesses alike.
The session “2020: Life With 50 Billion Connected Devices” will be held on Thursday of the NAB Show as part of the BEITC Conference.