19 October 2017
Uri Rivner

The Joy of Fraud Fighting

Uri Rivner - BioCatch

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

Don’t give them any water: How the IOT is like The Gremlins

14 July 2015

The Internet of Things represents a dramatic change in life as we know it. As everything around us is brought “online” through the inclusion of sensors, computing power and network connectivity, we will be provided with a much different life experience from what we have today. But if you think today’s cyber attacks on corporate networks are a cause for concern, think of a world where everything around you – on a national, city, street, home and office, or personal level – senses its environment and interacts with other things. Can this magical world be protected from cybercrime – or is it already too late?

Gizmos and Gremlins

Security researchers already point to an alarmingly high number of vulnerabilities in Internet of Things appliances – everything from smart homes to cars to wearables has been hacked by white hatters, and some devices – such as smart refrigerators – have actually been compromised and used to spread spam, very much like a home computer.

Experts have already prescribed several basic remedies that, if applied today, can save us a great deal of trouble when the IoT era fully sets in upon us:

  1. Don’t save security for later – bake the necessary security stack into the infrastructure right now
  2. Don’t let the applications run without standardization
  3. And whatever you do, never, EVER, release an IoT device without the ability to patch itself

These three simple, well-defined rules make a lot of sense, and if we just follow them, we’ll be safe and sound. But those of you with a nagging feeling that you’ve seen similar rules before are absolutely right. Here, let me refresh your memory….

  1. Keep them out of the light
  2. Don’t give them any water
  3. And whatever you do, never, EVER, feed them after midnight

Yep. These were the rules that the owner of Gizmo, a cute, furry, fuzzy creature, was given in the 1984 cult classic movie Gremlins. And even if you haven’t seen the film, it’s not too difficult to guess what happened. Clearly the rules were somehow broken – and the adorable Gizmo – spoiler alert in case you haven’t seen the movie – turned into a horde of vicious monsters, setting off a chain reaction of chaos and destruction across the entire hometown.

Just like in Gremlins, IoT appliances should follow three basic rules. And just as in Gremlins, we know that there is no real chance that they will be followed.

Rules Made to be Broken

Let’s take a closer look at each one of the security pillars needed for a safe future, to better understand why they are so devilish to follow.

  1. Don’t Save Security for Later: If we look at the current state of IoT infrastructure and the glut of commercial IoT-ready appliances, we’re essentially discussing a “Kickstarter Economy” that is focused on rolling out catchy, hip and useful products to users. The infrastructure on which IoT appliances are built is more focused on agility, connectivity and adaptability than security. Baking security inside is at best not a priority for these developers, most of whom lack the discipline, resources and know-how required to effectively equip their new Kickstarter-ready device with the right level of security.
  2. Standardize the applications: The BYOD industry is essentially based on two platforms – Android and iOS. IoT on the other hand is the Wild West of development. The two main hardware stacks on which IoT developers build products – Raspberry Pi and Arduino – are both open source and free-wheeling. If you Google “Arduino security,” you’ll find plenty of web pages talking about building home security systems using that platform, while if you Google “Android security,” you will find many articles discussing security on the Android platform. In fact, the way the IoT stack develops seems very similar to the first days of the Internet in which quick access and open functionality, not security, were the primary focus for developers. While there are a number of initiatives currently being undertaken to help standardize IoT product development, they are quite disconnected from what is actually happening on the ground.
  3. IoT devices must be patchable: Out of the three rules, this one actually has a better chance of being complied with – not because of security, but because manufacturers will offer firmware or software upgrades to the consumer. This means that many IoT devices are in fact patchable. There is, however, a catch. Allowing remote upgrades also means an opening for hackers who might exploit weak security around the upgrade process to push malicious code. They may also use the patching as a platform for social engineering, duping users to download “patches” that are in fact Trojans and malware – which is bound to happen when it comes to wearables.

The Fallout

All of this means that we’re probably heading into a Swiss-Cheese-like IoT wave with easy-to-exploit security holes. And so, sooner or later, the attacks on IoT infrastructure are bound to come, and will be harsh when they do. Cars are already hackable – but think of autonomous transportation networks. National grids. Regional utilities. Offices. Homes. Personal wearables remotely controlled en masse by evildoers.

What can be done to get ready? For individuals at home and at work, you will be able to set up a “cyber-security camera” for your smart home or office. Knowledge is power and if you understand what is under your control, and what symptoms might signal an attack is about to take place, you will put yourself in a position of strength to properly prepare and fend off attacks.

Then there’s a general guideline: trust no one. If you’re a corporation, a utility or just someone who works with suppliers, don’t make any assumptions about IoT vendors and make yourself knowledgeable about security updates and what it takes to remain “sustainable” in the face of threats.

Finally, take a deep, clear look at your personal risk and threat assessments. Does your insurance cover home-based smart networks that are compromised? What risks are you opening yourself up to when installing a smart fire detector or thermostat? Make sure you can confidently answer these questions, and if you are not satisfied with the answers, don’t be afraid to reconsider.

The Takeaway

The IoT reality, like many other technological revolutions, will change our lives. Just check out this video. Let’s just do our best to make sure it’s safe as well.

(Note: this is an article I wrote for Geektime.com)
