IoT Cybersecurity Requires More Than Scare Tactics

Brian Buntz

August 13, 2018

3 Min Read
Ultrasound

At Black Hat USA, leaders of McAfee and Google stressed the importance of dialogue in addressing IoT cybersecurity.

LAS VEGAS — Christiaan Beek, McAfee’s lead scientist and senior principal engineer, was in the hospital with his expectant wife when he inadvertently learned about a troubling IoT cybersecurity vulnerability. When the ultrasound technician measured the size of their youngest child, Beek glanced at the screen and saw the message “saving data to image” flash across the screen. “You would expect the data to be written to a file,” Beek said in an interview here at Black Hat USA. “That’s what sparked my interest.”

Beek then dove into medical imaging security and found significant vulnerabilities involving poorly implemented open-source picture archiving and communication system (PACS) software as well as the use of “We found so many vulnerabilities. It was unbelievable,” Beek said. “I was shocked by it.”

beek-300x267.jpg

Christiaan Beek

In his research, Beek found strings of clinics whose medical images directly connected to the internet. Beek shuddered to think that a cybercriminal could have seen an image of his youngest child before the baby was born. “Especially as a researcher, a discovery like that freaks me out,” he said.

Beek now has a central goal of researching the security of connected medical devices, vehicles, airplanes and industrial control systems. He wants to start a dialogue with the industry around the vulnerabiliities of connected devices and systems – not scare people. “It can be great to live in this interconnected world, but it’s easy to increase our attack surface — in our homes, cities as well as our nations — without knowing it,” he said.

To address the IoT cybersecurity problem as an industry requires a holistic strategy and a long-term view. “You know how we go and get a flu vaccine each year? Wouldn’t it be great if we had a super-vaccine that will protect us for life against the flu?” Beek asked. “Translated into the world of malware, would it be possible to develop the equivalent of a vaccine for certain threats?”

In a keynote at Black Hat, Parisa Tabriz, at Google, shared similar conclusions. Many cybersecurity defense strategies have a narrow focus or fail to learn from the past. “It’s incredibly frustrating when I see a report of a security vulnerability that I know is previously fixed or is some trivial variant of a bug we know about,” she said. “As things get more and more connected, we have to stop playing [cybersecurity] Whac-a-Mole.”

Parisa-Tabriz-300x173.jpg

Parisa Tabriz

Part of the reason for this seemingly eternal recurrence in cybersecurity rests on the fact that many manufacturers fail to follow basic cybersecurity lessons, according to Beek. “With all due respect, it is easy to ship an IoT device without default passwords or leaving telnet enabled,” Beek said.

In the medical field, vendors have long prioritized ensuring that critical medical devices are rugged and capable of working without interruption. “If the battery on a medical device runs out, it can be exchanged very quickly,” Beek said. “But using encryption on the disk of a machine holding medical data,” for instance, is likely not a high priority. “Sometimes the attitude of [medical device companies] is: ‘Cybersecurity is too difficult. It’s too much of a hassle to fix.’”

As the world hurtles toward a future with tens of billions of IoT devices, where, as Tabriz said, “computer security is becoming security of the world,” approaching computer security and IoT cybersecurity as a community endeavor with high standards becomes critical. “We have to identify and tackle the root cause of the problems we uncover and not just be satisfied with isolated fixes,” Tabriz said. “We have to build a coalition of champions and supporters outside of security, so that [our long-term cybersecurity] efforts are successful.”

 

About the Author

Brian Buntz

Brian is a veteran journalist with more than ten years’ experience covering an array of technologies including the Internet of Things, 3-D printing, and cybersecurity. Before coming to Penton and later Informa, he served as the editor-in-chief of UBM’s Qmed where he overhauled the brand’s news coverage and helped to grow the site’s traffic volume dramatically. He had previously held managing editor roles on the company’s medical device technology publications including European Medical Device Technology (EMDT) and Medical Device & Diagnostics Industry (MD+DI), and had served as editor-in-chief of Medical Product Manufacturing News (MPMN).

At UBM, Brian also worked closely with the company’s events group on speaker selection and direction and played an important role in cementing famed futurist Ray Kurzweil as a keynote speaker at the 2016 Medical Design & Manufacturing West event in Anaheim. An article of his was also prominently on kurzweilai.net, a website dedicated to Kurzweil’s ideas.

Multilingual, Brian has an M.A. degree in German from the University of Oklahoma.

Sign Up for the Newsletter
The most up-to-date news and insights into the latest emerging technologies ... delivered right to your inbox!

You May Also Like