IoT Cybersecurity Requires More Than Scare Tactics

At Black Hat USA, leaders of McAfee and Google stressed the importance of dialogue in addressing IoT cybersecurity.

LAS VEGAS — Christiaan Beek, McAfee’s lead scientist and senior principal engineer, was in the hospital with his expectant wife when he inadvertently learned about a troubling IoT cybersecurity vulnerability. When the ultrasound technician measured the size of their youngest child, Beek glanced at the screen and saw the message “saving data to image” flash across the screen. “You would expect the data to be written to a file,” Beek said in an interview here at Black Hat USA. “That’s what sparked my interest.”

Beek then dove into medical imaging security and found significant vulnerabilities involving poorly implemented open-source picture archiving and communication system (PACS) software as well as the use of “We found so many vulnerabilities. It was unbelievable,” Beek said. “I was shocked by it.”

Christiaan Beek

In his research, Beek found strings of clinics whose medical images directly connected to the internet. Beek shuddered to think that a cybercriminal could have seen an image of his youngest child before the baby was born. “Especially as a researcher, a discovery like that freaks me out,” he said.

Beek now has a central goal of researching the security of connected medical devices, vehicles, airplanes and industrial control systems. He wants to start a dialogue with the industry around the vulnerabiliities of connected devices and systems – not scare people. “It can be great to live in this interconnected world, but it’s easy to increase our attack surface — in our homes, cities as well as our nations — without knowing it,” he said.

To address the IoT cybersecurity problem as an industry requires a holistic strategy and a long-term view. “You know how we go and get a flu vaccine each year? Wouldn’t it be great if we had a super-vaccine that will protect us for life against the flu?” Beek asked. “Translated into the world of malware, would it be possible to develop the equivalent of a vaccine for certain threats?”

In a keynote at Black Hat, Parisa Tabriz, at Google, shared similar conclusions. Many cybersecurity defense strategies have a narrow focus or fail to learn from the past. “It’s incredibly frustrating when I see a report of a security vulnerability that I know is previously fixed or is some trivial variant of a bug we know about,” she said. “As things get more and more connected, we have to stop playing [cybersecurity] Whac-a-Mole.”

Parisa Tabriz

Part of the reason for this seemingly eternal recurrence in cybersecurity rests on the fact that many manufacturers fail to follow basic cybersecurity lessons, according to Beek. “With all due respect, it is easy to ship an IoT device without default passwords or leaving telnet enabled,” Beek said.

In the medical field, vendors have long prioritized ensuring that critical medical devices are rugged and capable of working without interruption. “If the battery on a medical device runs out, it can be exchanged very quickly,” Beek said. “But using encryption on the disk of a machine holding medical data,” for instance, is likely not a high priority. “Sometimes the attitude of [medical device companies] is: ‘Cybersecurity is too difficult. It’s too much of a hassle to fix.’”

As the world hurtles toward a future with tens of billions of IoT devices, where, as Tabriz said, “computer security is becoming security of the world,” approaching computer security and IoT cybersecurity as a community endeavor with high standards becomes critical. “We have to identify and tackle the root cause of the problems we uncover and not just be satisfied with isolated fixes,” Tabriz said. “We have to build a coalition of champions and supporters outside of security, so that [our long-term cybersecurity] efforts are successful.”