Champion of white hat hackers Keren Elazari, analyst, author and senior researcher, Blavatnik Interdisciplinary Cyber, gave a lively presentation describing how the vulnerabilities of a modern wired world reflect circus concepts of yesteryear. Elazari began by emphasizing that in 2017, cybersecurity is about the trust people place in “everyday things” like baby monitors, cars and insulin pumps. But researchers and white hats are eager to demonstrate just how untrustworthy these can be. Elazari noted that “It’s not about secrets anymore. It’s about the trust we place in our way of life. How can people trust technology given so much hacking and so many threats?”
She advocated that amid the media frenzy, stunt hacks, and high-profile disclosures, friendly hackers can help industry build safer products. Citing Barnaby Jack, who showed how to hack an insulin device at RSA several years ago, she explained how that contained, non-harmful demonstration led to big changes in US Food and Drug Administration protocol and warnings to device manufacturers. Jack proclaimed “you have to demonstrate a threat to spark a solution”, now a mantra for Elazari.
The Tightrope Balancing Act
Elazari went on to describe other high profile incidents around medical device vulnerability. In 2016, security firm MedSec approached Muddy Waters Capital to license its research claiming pacemaker devices made by St. Jude Medical (and others) were vulnerable to hacks. Muddy Waters accepted, ostensibly aiming to short St. Jude stock; but the story also triggered considerable patient concern. In January, the FDA found that the devices indeed can be hacked. In another case, doctors implanted a defibrillator into Dr. Marie Moe after she suffered cardiac arrest, but without her knowledge or consent. She now has concerns about the “Internet of Things” in her body. Elazari noted that more and more “We’re being expected to accept these things without knowing what they do or what the impacts could be.”
She further described a General Motors firmware update that was required as a result of a white hat hack that found serious flaws in the company’s Jeep automobile. To implement the update, GM sent thumb drives containing the fix to Jeep customers—who had no training in what to do with them. Expecting people to be technologists for their own cars, Elazari suggested, is not a good approach.
Fearless Lion Taming
By contrast, Tesla Motors brought its Model S to DefCon 23, actively engaging hackers to work with them on hack-proofing their signature car. As a result, Tesla have the capability to “push a button” and make SW updates to all cars when they learn of security vulnerabilities. Tesla even awards coveted Challenge Coins to top researchers who contribute findings. Elazari found this ‘lion taming’ approach far superior to GM’s tightrope walk.
Public awareness and opinion about cyber security has increased dramatically and continues to rise. This past October, Google saw a huge spike in security searches in the wake of last October’s Mirai botnet attack. The incident was a wake-up moment for many people outside of the security industry.
Which brought Elazari to the proverbial Elephant: the media. A key player in the security ecosystem, the media pushes stories and influences audience thinking on security issues. She cited the Internet of Things-enabled Barbie doll and stories about hackable baby monitors. But, she contends, fear mongering, a tactic strongly embraced by the security industry, is not helpful. A power blackout last week in Brussels was the result of a technical error in a high-voltage substation, but had many Belgian citizens worried their country was under cyber attack. Ultimately, media and public opinion will affect policy and government decision-making.
Stop the spread of FUD—Fear, Uncertainty and Doubt. Instead of spreading rumors, get the facts about risks and attacks, and tell people about them. She urged the audience not to generalize or talk in fear-inducing statements.
She also encouraged everyone, regardless of occupation, to step up. “You have to start thinking of yourself as the CISO of your home, your car, and what you bring into your house. You have the capacity to have safer products at home—get those by demanding them from the companies who make them, by changing your passwords, and by securing your network.”
Finally, she encouraged her fellow cyber pros to join www.Iamthecavalry.org, a grassroots org focused on the intersection of computer security, public safety and human life.