Episode 126 - Cavalry-Charged Medicine!
Published December 2, 2014
SPECIAL GUESTS: SpaceRogue & Josh Corman (IAmTheCavalry.org). In episode 99, we talked with Josh Corman of IAmTheCavalry.org, about how easy it is to hack the computer systems now in cars. On this episode SpaceRogue and Josh (both from IAmTheCavalry) join us to talk about the safety of cars, medical devices, and the overall Internet Of Things (IOT). From crock pots to cameras, defibrillators to insulin pumps, what does adding connectivity do to change our exposure to risk? What can we as consumers and citizens do to help make things more secure in this increasingly connected, increasingly exposed world? Recorded 11/20/2014.
You can download the episode here.
Mike & Matt's Recommended Reading:
About Space Rogue, from his website
Space Rogue on Twitter
About Josh Corman, from his personal site Cognitive Dissidents
IAmTheCavalry.org, a grassroots organization focused on issues where computer security intersects public safety and human life
IAmTheCavalry.org's Five Star Automotive Cyber Safety Program
Episode 99 - Five Star Auto!, our previous episode with Josh Corman
More coming soon...
Alpha: Welcome to another episode of Robot Overlordz, episode #126. On the show, we take a look at how society is changing, everything from pop culture reviews to political commentary, technology trends to social norms, all in under 30 minutes, every Tuesday and Thursday.
Mike Johnston: I’m Mike Johnston.
Matt Bolton: And I’m Matt Bolton.
MJ: And joining us tonight from The Cavalry is SpaceRogue. Space, thank you for being here.
SpaceRogue: Thank you for having me.
MJ: To start out, could you tell our audience a little bit about your background?
SR: Well, my background goes back quite a way, which I guess is a good thing or a bad thing, depending on how you look at it. A lot of people have heard about L0pht Heavy Industries, which is where I really got my start. I worked on a website called Hacker News Website for a little while; testified in front of Congress, gave a bunch of talks at a bunch of cons over the years. Most recently, I work as a strategist for Tenable Network Security, and I’m working with Josh Corman and Nick Percoco with the IAmTheCavalry organization, trying to get some safety and some sanity brought into automotive computers and medical devices as well.
MJ: Joining us once again also is Josh Corman from IAmTheCavalry. Josh, thanks for joining us as well.
Josh Corman: Thank you.
MJ: Last time you were on, Josh, we talked a bit about IAmTheCavalry’s five star auto program. Could you guys give us an update as far as where that five star program is, as far as how it’s been received? Is that still something that people could go to out of our show notes from that last episode? Is the petition site still online, can people still get involved in that?
SR: The five star automotive cybersafety program is still online, it’s still available, it’s still something that we’re promoting and we’ll continue to do so. We’ve actually gotten a lot of very positive feedback from people in the automotive industry who have reached out to us and have wanted more information about the program and exactly what it is we’re trying to promote here. So, it’s been a great conversation starter for us to get our expertise out into the industry to people who are actually making these products and try to input some security into their thinking while they develop and produce these items.
MJ: Are there any definite points in the five star program that they’ve officially signed off on or is it still just at that conversational stage?
SR: I think right now it’s still at the conversational stage with most people, and I don’t expect it to get too much further beyond there. We have had a lot of interest in it, and a lot of people who are taking the five star steps and integrating them into their own organizations, and while they may not come out publicly and say “Hey, this is IAmTheCavalry and we’re supporting this,” they are integrating our concepts and our ideas into their own organizations as they make their product. We find that very positive for us and the efforts that we’ve put forth so far, and we’re expecting that to continue as we move forward.
MJ: What’s the next step then for you guys in IAmTheCavalry as far as getting those ideas out there and making sure that you’re taking them to the next level? Have you guys come up with the next step in the strategy or is that still an ongoing conversation?
SR: It’s always an ongoing conversation with us. We’re always looking at the next step. Right now, we started out focusing on the automotive industry, but we really want to branch out and our next major vertical is probably going to be medical. We hope to have something to release for that in the next few months. Then we have other stuff that we’re looking at further on down the road from there. So, it’s always a continuing, evolving process with us as we, ourselves, get more organized. I think sometimes people forget that this is a grassroots organization itself, we’re all just volunteers and are trying to push what we feel very passionately about in getting the safety and security of these products that basically impact human life, and getting that done and rolling it out into more and more organizations.
JC: We’ve had some concrete engagement too. Like Space said, we haven’t gotten an official, formal public response from any single car company, but what we have had is a lot of engagement from automotive consortiums and industry groups. The Society of Automotive Engineers, or SAE, had us formally brief a large group of them; they’re really the technical cyber people, so to speak, from every major car brand and OEM, and after a successful exchange there, they invited us to join their technical working groups in a permanent capacity and we’ll be speaking at their Detroit event in April. So, that’s a really positive sign that they like the tone. I think everyone was cautiously optimistic at first, but wanted to understand our motives better. When they see that we’re focused on the long haul and being a collaborator instead of pointing out everything they’re doing wrong, it’s been pretty positive. A couple of other highlights are the White House National Security Staff had us come brief them and they’ve been very supportive of the approach that stimulates some self-regulatory and free market, and last week there was a Connected Car Summit from the Department of Transportation and DHS, and we got to present the five star and they basically want to weave that and other ISO standards and things we’ve pioneered here in the cyber security world into their guidance from the Department of Transportation. So, that’s the stuff we wanted to start -- we don’t want to come in and tell them exactly what to do and how to do it. We’d rather say “We really know our space, you really know your space, so let’s try to work together to make it best fit your existing investments.” So, they care about it and they’re taking the help slowly but surely.
SR: Yeah, so we’ve had a lot of interest from very disparate parts of the automotive industry and we think that’s really great, that we’re getting that impact from these organizations and we hope to expand that now as we move into the medical side of things, and hopefully get some medical device manufacturers to also engage with us so that we can share our expertise in the cyber world with their expertise in the medical device world.
MB: Josh, you just said that they were moving forward slowly but surely. It’s one of those things where if, all of a sudden, a car or a medical device gets hacked and all of a sudden this thing is going to jump forward at warp speed to try and fix these, is this kind of a “Well, there’s not a problem yet so we’ll just move slowly forward and get these things going,” and then all of a sudden there’s going to be a problem and then everybody is going to jump on board?
JC: Since the last time we spoke, one of the biggest learning lessons -- because we had our hypothesis on how this would play out, but one of the things that’s really dawned on us is the 2018 models are already done and if you think about the supply chain that goes into those, they’re even designed further up than that. So, if something really bad happens tomorrow, you’re looking at 2020-2021 before there would be a good hardware fix for it. I think that’s one of the reasons we’re looking at this as a marathon and not a sprint, and why we wanted to get in front of this before there’s a lot of proof of live hacking in the world. One of the goals we had in the five capacities that we talked about, like the ability to do secure updates, is if something really bad happens a year from now in their secure update capabilities, we won’t have to wait five years for a hardware refresh -- we can do it pretty instantaneously. I think they’re starting to recognize that this is one of those things that if you don’t dig a well before you’re thirsty, it’ll be an even longer response. We want our team to realize that the kind of project we’re doing here will take years to see payoff. The first automotive guidance I think the DOT is, at earliest, December of 2015, and that sounds really far away. But the truth is if we don’t engage now, it might have been further away.
SR: One thing I’d like to point out is if you look at the cars that were made from five years ago, from, say 2009, and look at the connectivity options you would get in your average vehicle in 2009, you would be lucky if you got bluetooth. Now, if you look at the cars that are manufactured for the 2015 model year, which is coming out now, they have fully integrated cellular navigation systems built into them. Now, think five years from now, the cars that are starting to be developed now are going to come out in 2020 -- think about what sort of connectivity and what sort of infrastructure, what sort of computer-generated/computer-controlled interfaces that are going to be in that vehicle then. That’s what we’re looking at, that’s what we want to make sure is secure, that’s what we want to make sure is coded properly so that the basic security principles are in place for those vehicles 5-10 years from now.
MB: I just read a thing where I believe General Motors, starting this year, all of their cars are going to have built-in WiFi hotspot in the car.
SR: Exactly. If that doesn’t scare you, based on how WiFi is implemented in general everywhere, and it’s going to be in your car as you travel 80 mph down the highway, it gives me a little pause for reflection. So, that’s where Cavalry comes in and that’s where we hope to try to kickstart the conversation with auto manufacturers, to say “We have experience in the security realm and we really want to share this security experience with you so that when you make your vehicle and input the WiFi into this car, that it’s done in a secure manner.”
MJ: For IAmTheCavalry being a grassroots group, would you guys say it’s primarily made up of people in the security industry then, or is there also an opportunity for your average people to kind of engage with it or share the message out via social media, or anything like that -- are you guys doing that yet or have you thought about it?
SR: We’ve attracted interest from a wide variety of people, not just information security people, who come to us and say “Hey, I’m really passionate about this topic. I want to help in some way. Here’s what I do in my day job, how can you use me?” -- volunteers that are coming to us. I’ll be honest, we haven’t been as effective in utilizing the volunteers that have come to us as we probably should have, because like I said, we are a volunteer organization ourselves, so it’s kind of hard to wrangle volunteers together. But we have had interest from a wide variety of people and it hasn’t just been information security people. Because it impacts people’s lives, people get passionate about it and they say “Wow, this is really an important topic. I really want to be involved in this and I really want to help.” So, they contact us and we’re actively looking for people to take on various roles and we welcome their input from various aspects outside of the infosec echo chamber.
JC: Some of the coolest participants, they’re not cyber security per se, but they work in a medical device company, or they work in a hospital or whatnot. In fact, I don’t know if we told you this last time but we had a senate staffer come to Defcon with us for the whole week. He was kind of wrapping up his stint there, but knowing how Capitol Hill works, and he was very passionate about the mission and he’s going to help, and now he’s going to grad school and whatnot. We didn’t want this to be a bunch of security researchers. As we said, people who have technical literacy and want to be a voice of reason and a translator to try and bridge the gaps between these communities, that’s pretty much -- when we say “IAmTheCavalry,” it wasn’t meant to sound arrogant, which is an unfortunate side effect. So, now whenever we say it, we say “And so are you.” So, pretty much since we’re all depending on this technology and we’re all concerned about the safety to ourselves and our loved ones, it takes all shapes and sizes and this is just a “coalition of the willing,” so to speak.
MJ: Space, you mentioned the medical devices. For me, I have a personal connection to that as an issue. My dad has one of the defibrillators and it is able to be updated, I don’t think over the air per se, but they are able to gather some data off the phone line. I’m not sure exactly which protocol it uses; I guess I’m really not that educated about it. But what would you say, on the medical device front, some of the issues that people might face that really they’re not aware of, that really they might think “Oh, these are just magical technological solutions to health issues”; what are they not thinking of themselves? What questions should they be asking their doctors or making sure that their doctors have answers to?
SR: That’s a good question. The question that the patient needs to look at when they’re looking at a medical device -- right now, it’s hard to know. Let’s say you’re an information security professional and you know what things to look at in devices, and your doctor says “Well, I want you to use this device now because you’re a sick person and you need this device to stay healthy.” You’re like “Well, what does this device do?” You go and try to research it, and you go to the manufacturer’s website and you look up this information spec sheet, and the information is just not there. The code is not open source, you’re not going to be able to review it. You may get a feature list, you may not. You may not know everything that’s in there. Case in point, Josh, help me out here, one of our medical guys who did the diabetes insulin pumps.
JC: Yeah, Jay Radcliffe.
SR: He’s a security researcher, and so he tested four different insulin pumps and found that they all had problems, and they all would not issue the correct amount of insulin because of software flaws. He’s like “Well, this thing could kill me because if I don’t get the right amount of insulin, I can die.” So, he no longer uses one of these pumps and he does his injections manually, which is kind of going backwards in the way that we want to go. We want to have these devices be trustworthy enough that people can trust their lives to them. If you have an insulin pump that’s not giving you the amount of insulin that your doctor prescribes because of a software problem, that’s a really big issue.
JC: Yeah, and we don’t think bad people are going to try to kill your grandma per se in a targeted attack. That’s not exactly the risk that we’re concerned about. We often talk about it in terms of accidents and adversaries. So, with a subdural defibrillator, of course you have to have some sort of wireless capability unless you want to have to have surgery. But the same five stars that we applied to cars, we designed that in such a way where it’s going to be, at the abstract level, the same for medical devices and critical infrastructure and home IOT, or connected homes rather. If you’re going to add software, remote connectivity, do you do adversary resilience testing? Are there any known vulnerabilities in the open source code that you do? Are you doing threat modeling? Are those systems hardened? Is there any key exchange? You want to do risk management. It’s not that we’re never going to take a risk -- you may need that device to stay alive. But if there’s three device manufacturers that you could choose from and one of them takes cyber security seriously and the other two don’t, these are the kinds of things we want to start raising as an issue.
SR: This isn’t really a new problem either. There’s a classic case study that’s taught in universities of a device called Therac-25, which is a radiological device that wasn’t used to give x-rays but it used radiation to basically give a dose of radiation for cancer patients. There was this very weird software flaw that would overdose the patient on radiation, and I think it actually killed three people. This is a classic case that’s taught in universities, and it’s a software problem that killed these people, and severely injured several others, that could have been prevented had there been proper security precautions in place when the software was written. So, this isn’t a new problem -- the Therac-25 dates back to the ‘80s at least. It’s only going to get worse unless we step in and try to raise awareness and start these conversations now with these manufacturers so as they develop new products, they can try to prevent these issues from occurring in the future.
JC: An immutable truth is there’s a certain number of defects per million lines of code -- it’s a fact. As you add more code, you add more defects. So, it was one thing when you had a few lines of code to do something necessary, but some of these cars have more lines of code than a Windows XP operating system. So, that complexity brings attack surface, brings some normal defect rate. If you look at the effect of having a breach a day in the payment card industry in the financial services sector, what if that software attack/defect rate carries over to cars and medical devices? It would be nowhere near acceptable. I think in the cyber security industry, we know how bad things are amongst ourselves, but I think the outside world comes to think of software as reliable and dependable much more than it is. What we want to do is not necessarily tell them bad news but make sure that our dependence and the trust that we place in these devices is merited. Given just the facts and the physics of software development, software is infinitely vulnerable and if we don’t take the appropriate steps to mitigate those risks, we’re going to end up paying the penalty.
MB: I was actually reading an article, I had shared it on Twitter earlier this week, and they actually talk about Radcliffe and the insulin pump in the article. They go on to talk about how a lot of these medical devices still are reliant on Windows XP. Do you find that that’s because of the older software, they’re more vulnerable because they were designed a ways back and they’re still being used?
SR: When it comes to Windows XP, it’s usually on a desktop machine that’s used to control the medical device. If it’s used properly, it’s not really as bad as it sounds. The problem is nobody uses it properly. It’s not isolated from the network, it’s not cut off from the WiFi and only connected to this medical device. Because, of course, as the guy who’s using his Windows XP machine to administer whatever it is he’s administering to the patient, he wants to check his email or something. That’s where the problem comes in. It’s not so much that somebody is going to specifically target that medical device off of the Windows XP machine so that they could kill a patient, but that there may be some malware installed that has some unintended consequences and the machine crashes at a critical point, or something of that nature. Then you get into a whole bigger issue of FDA certification with an old software because it’s still Windows XP, and whether or not that should be deprecated and what not. It becomes a much larger issue. Those are some of the talking points that we’re trying to get across to people about some of the risks that are involved with these medical devices.
JC: One of the lies that keeps getting told over and over, and the FDA has tried to clear it up but the device manufacturers keep it murky on purpose, is there a belief that you’re not allowed to patch if there’s an operating system flaw, that you’re not allowed to patch once you’ve gotten FDA certified, and that’s not true. You’re allowed to patch security flaws. What you’re not allowed to do is change intended functionality. So, often times when the device manufacturer doesn’t want to issue a patch, they just hide behind the ambiguity around that FDA guidance. Part of what Jay Radcliffe, Billy Rios, and some of the other guys, Scott Irvin, people that are concerned about the connected safety issues -- we’re trying to work with the FDA, some of their comment periods and some of their workshops. There was one last week that some of our guys went to; a couple weeks ago Beau Woods went to one, to again be an ambassador and get some real talk and straight talk and clarification so that we can at least head towards better guidance. Right now, there’s really no testing or validation. They’re still in the learning curve of first, do no harm and don’t get in the way of free market innovation. The trick is if we have a crisis of confidence in patients because bad things happen, that will get in the way of free market innovation. So, we don’t think it’s an “either, or,” it’s more about applying pressure, offering help and changing the nature of the stalemated conversations.
MJ: Do you guys think that some of this is driven by manufacturers constantly shoehorning in functionality? Space, I think you mentioned all the different things now that are in cars, all the different connectivity options, and I know I find myself asking this a lot around some of the smart home innovations -- “Do I really need an internet-connected crock-pot when some hacker can get in it and decide to set fire to my house with it?” Not that that is necessarily a huge exposure -- I don’t think Romanian hackers are really interested in my crock-pot, for example, or even really maliciously wanting to overload my dad’s defibrillator, but just how it’s all connected and they’re so concerned with adding these functionalities, that they don’t seem to be properly considering the security trade-offs and the exposures that they’re generating by shoehorning all of this stuff in there.
SR: Whether or not your crock-pot is going to actually be targeted, I’m going to say it probably won’t be -- but of course, if I can mine bitcoins on it, I’ll be looking for that crock-pot. It’s possible. There’s the case of the video cameras that’s going around right now, where people are actively seeking out video cameras online so that they can look into people’s bedrooms while they sleep. You wouldn’t think that anybody would really care to do that, like “Who cares if they’re looking at me while I’m sleeping?” or even at an empty room, but there are lists going around of these open video cameras on the internet right now so that people can be voyeurs on the internet. So, there may be lists of crock-pots going around so that people can check out “Oh, what’s this guy cooking in his crock-pot? What’s his temperature set to? I have a collection of 500 crock-pots on the internet.” It’s really weird sometimes what people are motivated to do, but if you take a little bit of extra time when you design this crock-pot, to threat model it, to do the code review, to make these minor changes if you will, before the product is released, you won’t have these problems as you get down the road. Sure, the odds of your crock-pot getting popped for anything are minimal. The odds of your crock-pot, even if it does get popped, then having the temperature set high so your house burns down are even smaller still. But wouldn’t it be nice not to have to worry about it? Wouldn’t it be nice to leave the crock-pot at home cooking your pot roast and then go out, go to work that day and not have to sit at work, at your desk, wondering “Hm, I wonder if my crock-pot is still online and if my house is not burnt down.”
MB: But the one nice thing though is if you screw up your pot roast, you could always blame it on hackers really.
SR: Yeah, you could blame the hackers.
JC: We have to be risk-adjusted too. That’s one of the reasons we’re not as concerned about some of the home IOT stuff, is that we had to choose to prioritize things that can affect life and limb. So, even the privacy letter that came out last week from the automotive industry, they said “Oh, we’re going to take privacy seriously” -- we’re happy to see that but our quip was “We love our privacy, we want to be alive to enjoy it, so let’s make sure that when we go encrypt the database in our car, we’re also hardening the remote access interfaces.” There’s lots of talk about the crock-pot, but my guidance to IOT innovators is just because you can put software and connectivity into something doesn’t mean you should. In Sweden, there was this presentation from the Philips Hue project, and they had this really cool demo where all the lights in the house, they would play some techno music and it was automatic disco mode, and they were saying how awesome it was. The base unit that controlled the whole thing was popped one week prior and it also controlled the home locks in the house, so it was kind of like “It’s really cool to have a free disco mode in your living room when you have friends over, but it’s also not so cool that that disco mode base station was popped and allowed people to break into your home.” We don’t want to quibble over flaws in a crock-pot when it’s Underwriters Laboratories Certified not going to burn your house down, but we do want to care about the cameras that might put your kid out of safety, the home door locks, home alarm systems and whatnot -- we have to be somewhat prioritized in the things that we care about.
SR: When Cavalry first started and we had our big meetings at various conferences and we had a large number of people join in, one of the underlying tenets of those meetings that we had was that we really need to focus on things that impact people’s lives, which is why we started with automotive and now we’re going to branch out into medical, and as we get further down the road, we’ll start looking at home door locks and video cameras maybe, and things that really impact people’s lives. I don’t see us doing a lot of stuff with crock-pots.
MJ: I don’t mean to pick on the crock-pot per se. It seems, like you were saying Josh, that they haven’t really thought that through as far as putting that functionality on there. What does it really get you to open that up as an exposure into the house? Maybe the crock-pot isn’t that big of a deal, but the video cameras that connect to cloud services -- I got into an argument on Twitter with I think it was Revolv before they got bought by Google, about how I don’t like the idea -- I mean, I tried to start a home automation company and I love home automation, but I don’t like the idea of that connecting to cloud services. I love the idea of having that data myself. I’m really uncomfortable by having it out there, where people can tell when I’m home, those kind of safety issues. It’s not quite as threatening as my defibrillator going off because it’s got a virus, but it’s still a threat. And really, does it need a cloud service? I don’t think they’ve properly, really thought that value proposition through. I think they think it through from “Oh, this is something we can gather analytics on and sell it as advertising data.”
JC: That’s their primary business model.
SR: To expand on this a little bit, and this is a little bit off Cavalry topic, but if somebody does break into your crock-pot or your refrigerator, that could then be used to launch an attack further into your home network, because people have home networks now. I’m contemplating segmenting my network out so I can put all these IOT devices on their own segment in my house. I shouldn’t have to do that. Who else is going to do that? Mom and grandpa and your uncle and your aunt aren’t going to do that because they don’t know any better. Segmenting networks -- that’s not something home users should have to do.
JC: One of the things that came up lately, and this is going to seem like it’s out of left field -- I think we assume that if we put software connectivity into something, it’s just net good. It’s just going to make it better. We called it the “Bacon Principle” -- everything is better with bacon, everything is better with bluetooth, whatever. But the way I look at it is it’s not about net good, it’s a trade. I was fixing my deck before the winter and I had to buy more galvanized nails. Do you know why you galvanize a nail?
SR: So it doesn’t rust.
JC: It’s so it doesn’t rust. But what people don’t realize is the galvanization process weakens the metal. So, I want us to look at this as when I care more about rust, I’m going to galvanize. If I care about strength, I can’t do that. I want us to look at software the same way. If I want these benefits, I’m going to take them at the cost of making them vulnerable and I’ll only make that tradeoff decision when it’s appropriate. If it’s a life and death situation, it may not be appropriate, or you might need a higher caliber adversary resilience test to threat model. But I don’t think, as a culture, we look at it that way yet, that it’s a trade and I think a tradeoff is probably a much more enlightened way to view this.
MJ: Is there anything you guys want to make sure that we mention before closing?
SR: I think we’ve covered a lot of good ground. The site is IAmTheCavalry.Org. It’s hard to see a lot of the work that we’re doing because a lot of it is behind the scenes, but we are driving conversations, we are reaching out to manufacturers, and we hope to have a lot more stuff to say in the near future, especially about medical devices. So, I encourage everybody, if you want to get involved, if you want more information, visit the website IAmTheCavalry.Org. Send us an email, we’d be happy to hear from you and we look forward to more work that we’ll be doing in the future.
MJ: Well guys, thanks very much for joining us.
JC: Thank you.
MB: Thanks a lot.
A: That’s all for this episode of Robot Overlordz. You can find our show notes, including links from this episode, on our website at RobotOverlordz.FM. That’s it for this radio broadcasting. We would love to hear your thoughts on this episode in our forum, or you can review us on iTunes. We’re Robot Overlordz with a Z.
MJ: Thanks everyone for listening.