Blog: Internet Of Things

Speaking at TEDx

Ken Munro 28 Sep 2018

I was privileged enough to be invited to speak at a TEDx event in Dornbirn, Austria. I speak at 2-3 events per week, with audiences from 25-2500 people, so why did this one make me nervous?

I don’t get nervous before speaking in public. Lots of practice and plenty of material to work with usually make it a fun experience. But I did for TEDx.

Watching the rehearsals, I realised that TED is a completely different style of event. I’m used to speaking at technical security conferences, either to my peers or to audiences that want to know about sorting their own security out.

TED speakers cover all sorts of subjects. I was in awe of the other speakers, one discussing why they felt that women were better at body language than men, another looking at deep analysis of medical data, others discussing immense personal challenges that they had overcome. And I was going to talk about hacking Internet of Things stuff. I felt rather humbled and a bit lame all of a sudden.

I threw away my talk and started again. My staple of highlighting ironic coding flaws by IoT firmware devs wasn’t going to cut it.

Here’s what I talked about instead:

The Tapplock – you don’t need to be a techie to understand hashing a BLE MAC address, or seeing a list of addresses in an API response. Popping the lock live.

Wi-Fi iKettle 1.0 – the gift that keeps on giving. Finding a static telnet password in a PDF is very visual.

My Friend Cayla – sadly TED policy doesn’t allow for swearing, so Cayla was mute. However, snooping on kids over Bluetooth got everyone’s attention.

Swann security cameras – it’s not difficult to see switching camera serial IDs and accessing a different camera video feed.

Mirai & CCTV DVRs – some of the audience remembered losing access to various social networks back in October 2016 as a result of the Mirai DDoS.

Thermostat ransomware – potential nation-state grade attacks against critical national infrastructure such as our power grid

And then we spent a little time looking at mitigating actions (e.g. sorting out one’s own passwords & phone PINs first, before getting too excited about IoT).

Then, the rather weak response by governments to regulating and enforcing IoT security. Sadly, the EU Cybersecurity Act seems to have missed an opportunity to actually fix the problem.

Afterwards

What surprised me was how many people came to chat afterwards, saying they had seen hacking talks before but hadn’t really understood. I made a real effort to show technical detail, but to talk about it in an accessible way.

Did we make a difference?

Did anyone change anything as a result?

I don’t know, but even if just one person starts using a password manager and sets stronger PINs, I think we did.

Hopefully, a few more people will think twice before buying IoT. Hopefully they will ask one or two questions about security of smart devices before buying them. Just enough to make IoT vendors spend just a little time thinking about their security.

Will anything change?

Maybe we will hear just a little less rubbish like this from vendors in future:

“Bank grade security”

“Military grade encryption”

“256 bit AES”

And perhaps a little more:

“We use two step verification on login”

“We check users’ passwords against Troy Hunt’s password breach database”

“We follow the secure development lifecycle from OWASP”

“We comply with the voluntary ENISA / DCMS / US gov guidelines on IoT security”

We can at least hope!