Part one of the process of figuring out the mystery of MH370 is finding explanations for the previously inexplicable things that happened. Part two is trying to verify whether those explanations hold water. In Episode 10, Andy and Jeff talked about a theory that MH370's specific vulnerabilities could've led to a hacking that not only would've allowed hijackers to take the plane north, but also would've helped them cover their tracks. In Episode 22, they revisit this topic with a renowned ethical "white hat" hacker, Ken Munro of Pen Test Partners in the UK. He talks about whether this Boeing 777 could've been hacked – and if he thinks it really was. Also, Andy shares his theory on what happened to MH370, an opinion accumulated after six months working on the Deep Dive podcast. Thanks to our Episode 22 sponsor, Finnished MKE. More information here: https://www.instagram.com/finnished_mke/ Join this channel to get access to perks: https://www.youtube.com/channel/UCUXIrQ2rO5B_z-AEpjmKaAw/join Even more information at our show page: https://www.deepdivemh370.com/p/22-the-hacking-of-mh370
Podcast: (CS)²AI Podcast Show: Control System Cyber Security
Episode: 106: Top Gun Meets the Cloud: Ken's Guide to Keeping Your Airplanes (and Data) Safe
Pub date: 2024-02-01
We are delighted to have Ken Munro joining us from the UK today! Ken is a Partner and Co-founder of Pen Test Partners. He is a seasoned technologist, the founder of multiple ventures, a pilot, a skier, and a dynamic and adventurous contributor to our community. Ken brings a wealth of experience and expertise that promises to enrich our understanding of the evolving landscape in cybersecurity. In today's discussion, we dive into his remarkable career journey and explore his perspective on OT and ICS-related cybersecurity. Join us for this informative session with Ken as he shares his valuable perspectives.
Show Highlights:
Ken discusses his cybersecurity industry journey
How Ken's past Air Force experience relates to his current work in cybersecurity
The benefits of telling a story when communicating complex concepts
Ken shares a story to highlight the importance of safety and security within the aviation industry
Ken talks about the unique systems on board planes and their vulnerabilities
How the isolated protocols used in older aircraft systems are more robust and stable than the modern systems
How even simple display systems can cause airport outages
Ken shares his concerns about cybersecurity risks within cloud management platforms for industrial control systems
How including contractual language for liability in procurement contracts can protect organizations against cybersecurity risks
Ken shares his thoughts on the future of the cybersecurity industry
Links and resources:
(CS)²AI
Derek Harp on LinkedIn
Ken Munro on LinkedIn
Pen Test Partners
The podcast and artwork embedded on this page are from Derek Harp, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.
Control System Cyber Security Association International: (CS)²AI
We're taking a trip to the movies this episode.
Podcast: 401 Access Denied
Episode: 401 Access Denied Podcast Ep. 89 | Smart Hacking with Ken Munro
Pub date: 2023-09-20
Hear how hackers target everything from airplanes to talking dolls. Pen testing expert Ken Munro discusses ways to close security gaps and protect embedded systems and connected devices.
Connect with Ken Munro:
Ken Munro on LinkedIn
Twitter: @TheKenMunroShow
Connect with Delinea:
Delinea Website
Delinea LinkedIn
Delinea Twitter
Delinea Facebook
Delinea YouTube
The podcast and artwork embedded on this page are from Delinea, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.
Guest: Ken Munro, Partner at Pen Test Partners [@PenTestPartners]
On LinkedIn | https://www.linkedin.com/in/ken-munro-17899b1/
On Twitter | https://twitter.com/TheKenMunroShow
____________________________
Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin
Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli
____________________________
This Episode's Sponsors
BlackCloak | https://itspm.ag/itspbcweb
Brinqa | https://itspm.ag/brinqa-pmdp
SandboxAQ | https://itspm.ag/sandboxaq-j2en
____________________________
Episode Notes
"Fasten your seatbelts and join us for an enthralling episode on airplane cybersecurity, as our hosts Marco and Sean dive into a captivating conversation with expert Ken Munro."
Welcome to another exciting episode of ITSPMagazine Coverage of RSA Conference USA 2023, in San Francisco. Your hosts, Marco Ciappelli and Sean Martin, dive deep into an intriguing conversation with Ken Munro, a cybersecurity expert who shares a fascinating COVID story that led to some groundbreaking research on airplane cybersecurity. This episode is one you won't want to miss, and we encourage you to think about the conversation, share it, and subscribe to the podcast. If you happen to be at RSA Conference 2023 in San Francisco, be sure to visit the Aerospace Village!
When COVID-19 hit, the aviation industry experienced an unexpected outcome: an abundance of airplanes were retired earlier than anticipated. This led Ken and his team to explore airplane cybersecurity by accessing these grounded planes and learning about their systems.
He shares his insights on the various networks found on airplanes and how these components interact with each other. Our hosts dive into the burning question: can you hack an airplane from the passenger cabin? Ken assures us that it's not possible, as safety systems are carefully segregated from passenger entertainment systems. However, he does acknowledge that hacking could be possible in specific scenarios that require physical access to the plane's inner workings. Ken's unique perspective as both a cybersecurity expert and a light aircraft pilot brings an engaging angle to this conversation. He emphasizes the importance of having pilots on board, as they have a vested interest in landing the plane safely. The thought of autonomous planes raises concerns, as pilots provide that crucial human element in critical situations. So buckle up and join Marco, Sean, and Ken as they take you on an informative journey exploring the world of airplane cybersecurity. This episode will leave you thinking about the intricate systems that keep us safe while traveling through the skies. Don't forget to share this captivating conversation with others and subscribe to the podcast for more exciting episodes!
And if you're at RSA Conference 2023 in San Francisco, make sure to visit the Aerospace Village to immerse yourself in this fascinating world.
____________________________
Resources
Session | Joining Forces with the White Hat Researchers: Aviation Industry Lessons: https://www.rsaconference.com/USA/agenda/session/Joining%20Forces%20with%20White%20Hat%20Hackers%20Boeing%20%20Pen%20Test%20Partners
Session | Vulnerability Disclosure: The People Factor: https://www.rsaconference.com/USA/agenda/session/Vulnerability%20Disclosure%20The%20People%20Factor
Previous RSAC Presentations: https://www.rsaconference.com/experts/ken-munro
Learn more, explore the agenda, and register for RSA Conference: https://itspm.ag/rsa-cordbw
____________________________
For more RSAC Conference Coverage podcast and video episodes visit: https://www.itspmagazine.com/rsa-conference-usa-2023-rsac-san-francisco-usa-cybersecurity-event-coverage
Are you interested in telling your story in connection with RSA Conference by sponsoring our coverage?
In our latest Electronic Specifier Insights podcast, we spoke to Ken Munro, security writer and speaker and CVE board member at Pen Test Partners, about "Counter hacking - the ethics of cyber security".
Fishing fanatics find themselves in deep water, Teslas go haywire after an update, and is there actually some good news about IoT? All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Ken Munro. Visit https://www.smashingsecurity.com/251 to check out this episode's show notes and episode links. Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes. Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening! Warning: This podcast may contain nuts, adult themes, and rude language. Theme tune: "Vinyl Memories" by Mikael Manvelyan. Assorted sound effects: AudioBlocks. Special Guest: Ken Munro.
In early 2021, hackers infiltrated the software that controlled the city's water supply in Oldsmar, Florida. Through dumb luck, they caught the intrusion shortly after the hacker tried to poison the city's water. This hack was part of a growing array of attacks against the Internet of Things, objects that used to operate offline but are now connected to the internet—and therefore vulnerable to hacking. From Wi-Fi enabled tea kettles to cars that can be taken over remotely to knocking power out for entire countries using smart thermostats, the risks are everywhere. We're just lucky there hasn't been an Internet of Things attack that has been on the scale of 9/11 or Hiroshima – yet. Guests this episode include Bruce Schneier, the author of Click Here to Kill Everybody; Nicole Perlroth, a reporter for the New York Times; Ken Munro, an ethical hacker; and Chris Valasek, a hacker who remotely took over a Jeep a few years ago and now works as the Director of Product Security at Cruise. To check out Nicole's book, click here: https://www.bloomsbury.com/us/this-is-how-they-tell-me-the-world-ends-9781635576061/ To buy Bruce's book, click here: https://www.schneier.com/books/click-here/ And to read about Chris's Jeep Hack as reported in Wired, click here: https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ Pre order Brian's book - https://www.simonandschuster.com/books/Corruptible/Brian-Klaas/9781982154097 Support the show on Patreon at Patreon.com/powercorrupts
SECURITY VULNERABILITY FOUND IN SMART CHARGERS
PenTestPartners has investigated smart EV chargers available to those buying for themselves as well as public chargers, finding many security vulnerabilities. For those interested, click here for PenTestPartners's own report. However, one concern is the operating system used by some firms. Where Raspberry Pi is used there are more issues, because that is not a suitable OS for a connected device due to a lack of security layers inherent in the system. For more info click here for Ken Munro's tweet, commending the quick reaction by one firm to the information. Click here for another tweet from Ken Munro expressing his dismay at another company's reaction. Click here for Cybergibbon's tweet explaining why Raspberry Pi is not suitable.
FORMER FRENCH MINISTER UNDER INVESTIGATION
Rachida Dati, a former French Minister, has been placed under formal investigation for payments made by the Dutch-based Renault-Nissan joint venture during Carlos Ghosn's time as CEO. Dati has previously been cleared over payments and her lawyer stated these were all reported and legal. To read more, click the Automotive News article here.
CLIMATE SPOKESPERSON CAUSES ONLINE KERFUFFLE
Allegra Stratton, the Prime Minister's climate spokesperson, stated that for her a third-hand diesel Golf is better than an EV, due to the lengthy journeys she travels to visit relatives. One aspect is that she seems to have no understanding of the current state of EV and the charging network. Also, however, there were many Twitter conversations where some journalists, and those who should know better, demonstrated their lack of understanding of the current situation. To read more, click The Guardian article here.
GOVERNMENT FUNDING FOR ZERO-EMISSION TRUCKS
The Government is putting forward £20 million for initiatives aimed at helping improve the viability of electric and hydrogen lorries. To read more, click the Motoring Research article here.
IMPORTANT CHANGES TO HIGHWAY CODE
A new hierarchy of road users will be implemented with proposed changes to the Highway Code, meaning pedestrians and cyclists will be given priority over others. The idea is that those who have the potential to cause the most problems and danger have to take the most care to prevent that. The only snag the chaps can see in that idea is that those who really need to know the changes will be oblivious unless there is a huge communication campaign. To read more, click here for the YesAuto article.
FORMER TOYOTA EUROPE BOSS PASSES AWAY
Johan van Zyl, the former head of Toyota Europe, has passed away after a short illness at the age of 63. He was instrumental in securing investment in the Burnaston site in Derbyshire, as well as overseeing the change of 'no more boring cars' from the company. Thoughts are with his family and friends. To read more, click the Autocar article here.
——————————————————————————-
If you like what we do on this show, and think it is worth £1.00, please consider supporting us via Patreon. Here is the link to that: CLICK HERE TO SUPPORT THE PODCAST
——————————————————————————-
NEW NEW CAR NEWS
Honda HR-V
The order books have now opened for the next generation HR-V, from Honda. Prices start at £26,960, rising to £31,660 for the Advance Style model. To read more, click here for the Autocar article.
Lamborghini Huracan STO
If you wish to know what the track-focused YouTube star will be trying to get their mitts on and wrap, have a look at the Huracan STO, which Lamborghini have stripped a lot of weight from. Costing only £268,000, this 1339kg (dry weight) version has got both the chaps quite interested. To find out more, including how they've got it in Motoring Podcast colours, click the Autocar link here.
LUNCHTIME READ: FESTIVAL OF THE UNEXCEPTIONAL
Alan went to the Festival of the Unexceptional. So did many of our friends from Car Twitter. You can find out what happened by clicking Hagerty's own article link here.
LIST OF THE WEEK: LITTLE CAR DETAILS YOU CARE ABOUT
Jalopnik asked their readers what are the little details that can make or break a car for them. Click here for the slideshow and no prizes for guessing which one the chaps highlighted. Don't forget to say which detail is the one for you and let the podcast know.
AND FINALLY: NEW MULSANNE LIMOS FOR SALE
Bentley has found five Grand Limousines that are now for sale, after the model finished production last year. These are unregistered and undriven examples of the stretched Mulsanne, so be quick to get in touch with your nearest dealer! To find out more, click here for the Autocar article.
Lindsey O'Donnell-Welch talks to Ken Munro with Pen Test Partners about the biggest challenges around securing Internet of Things devices, and how regulatory efforts and consumer awareness are beginning to have a positive impact on the IoT security landscape.
April 2021 Bletchley Park’s latest temporary exhibition is called ‘Never Alone’ and asks ‘what happens when everything is connected?’ Based on an exhibition developed and designed by the National Science and Media Museum, ‘Never Alone’ explores the popularity and power of smart devices. There are now more devices connected to the internet than people on the planet. ‘Smart’ gadgets are becoming part of our lives, making us safer, bringing people together and making everyday tasks easier. In the exhibition, we explore the issues behind these gadgets. We discover some wartime objects and stories that show how concerns about privacy and surveillance aren’t unique to the internet age. You are invited to think about the decisions you make when you click ‘OK’, and to consider what being connected means to you. In this episode we meet two people who have loaned us objects for display, ethical hacker Ken Munro of Pen Test Partners and local museum professional Amy Doolan. We start by taking a tour of the exhibition in Hut 12. Image: ©Bletchley Park Trust 2021 #BPark, #Bletchleypark, #WW2,
Ken Munro is a penetration tester, security writer, speaker, and partner at Pen Test Partners. In this episode of Cybercrime Radio, he joins host Hillarie McClure to discuss shipping vessel cybersecurity, IoT vulnerabilities, and more. To learn more about Pen Test Partners, you can visit them at https://pentestpartners.com • For more on cybersecurity, visit us at https://cybersecurityventures.com/
On this episode of the Connected Aircraft Podcast, Ken Munro, founder of U.K.-based ethical hacking consulting and security services firm Pen Test Partners joins to discuss some of the latest research he’s been doing around connected electronic flight bags (EFB) and aircraft systems. Munro is a well known public speaker who has performed live demonstrations of vulnerabilities that have been exposed on Internet of Things (IoT) devices and systems. He is a security entrepreneur and industry maverick that has worked in infosec for over 15 years. He is a regular speaker at events held by industry bodies and associations and has spoken at the ISSA Dragon’s Den, (ISC)2 Chapter events and CREST (Council of Registered Ethical Security Testers) events, where he sits on the board, helping to establish standards in both member organizations and among individual penetration testers. We discuss some of the potential consequences of the manipulation of data used by pilots by a malicious hacker – and just how important the testing and assessment of EFB security is. Have suggestions or topics we should focus on in the next episode? Email the host, Woodrow Bellamy at wbellamy@accessintel.com, or drop him a line on Twitter @WbellamyIIIAC. Check out our publication Avionics International @AvionicsGlobal + www.aviationtoday.com. Join our Avionics International LinkedIn group to suggest topics we should cover in our podcast, publications and events. www.linkedin.com/AvionicsMag Register for our free upcoming Connected Aviation Intelligence webcast, Thursday, April 29th: https://www.gcasummit.com/aviation-intelligence/
Lisa Forte interviews the famous British penetration tester, Ken Munro. Ken built a reputation hacking ships, planes and hot tubs. He is one of the leading experts on IoT security and a sought-after speaker. Join Lisa and Ken as they talk about the issues around responsible disclosure, hacking hot tubs and sex toys and the current issues facing the information security industry. Ken is a hugely experienced penetration tester and is full of enthusiasm for his work. He teaches you about the potential pitfalls with responsible disclosure, the unique security challenges the aviation and shipping industries face and how he ended up being interviewed in a hot tub on national news! This man has some truly inspiring and hilarious stories that we can all learn from.
https://www.pentestpartners.com/
https://twitter.com/TheKenMunroShow
https://www.linkedin.com/in/ken-munro-17899b1/
Hot Tub Story: https://www.bbc.co.uk/news/technology-46674706
Hacking Sex Toys: https://www.pentestpartners.com/security-blog/adult-iot-toys-privacy-invasion-or-worse/
How many smart devices do you own? And how many of them do you actually need? This week we discuss how safe these IoT devices really are, and all the challenges that come with penetration testing with Ken Munro from Pen Test Partners. Join us as we uncover a whole host of potential vulnerabilities, from the hilarious to the downright terrifying. We also dive into all the latest news in WatchTower Weekly and offer up some 1Password tips in our #Ask1Password segment.
WatchTower Weekly
Governments around the world are increasingly using location data to manage the coronavirus
Apple Safari now blocks all third-party cookies by default
Zoom is a work-from-home privacy disaster
Zoom isn’t actually end-to-end encrypted
Zoom is leaking some user information
Zoom macOS installs without your permission
Swearing Doll: My Friend Cayla
Follow Ken Munro @TheKenMunroShow
Follow Pen Test Partners @PenTestPartners
Visit pentestpartners.com
Some Good News with John Krasinski
#Ask1Password
Ask us anything! Please use the #Ask1Password hashtag or send us an email at media@1password.com.
Real or Not Real?
A man once ate an entire airplane. Read more here.
Follow Us…
Visit 1password.com
Check out our blog
Tweet us @1Password
Find us on Facebook or Instagram
Please get in touch using #Ask1Password and let us know what you think of the show. You can also leave us a review on iTunes or wherever you listen to podcasts.
In this episode, we look at the need to secure the internet of things, physical workspaces, and the products companies make. From planes to children’s toys to oil rigs, more connected devices are vulnerable to attack than ever before. Ken Munro is an internet-of-things security researcher, penetration tester, and writer with two decades of experience in the security industry. He is also the founder of security services company Pen Test Partners. Munro helps expose the vulnerabilities in items we use every day, and he discusses some of the most important skills that cybersecurity experts can have, why companies are at risk for physical security breaches, and something he calls “supersystemic flaws.” Business Lab is hosted by Laurel Ruma, director of Insights, the custom publishing division of MIT Technology Review. The show is a production of MIT Technology Review, with production help from Collective Next. Music is by Merlean, from Epidemic Sound.
Ken Munro, on Twitter
Ken Munro, Pen Test Partners
“Kids Tracker Watches: CloudPets, exploiting athletes and hijacking reality TV,” Pen Test Partners Security Blog
“Think you’ve had a breach? Top 5 things to do,” Pen Test Partners Security Blog
“Internet of Things Security,” a TEDx presentation by Ken Munro
Conversations At The Intersection Of Technology, CyberSecurity And Society. Guests: Pete Cooper | Ken Munro Hosts: Sean Martin | Marco Ciappelli ITSPmagazine’s Unusual Gatherings XXXVII: Cybersecurity on Land and in the Air Following our previous discussion about cybersecurity in space and at sea, we decided to bring the conversation up a notch from the ocean (up to land) and down a notch from space (down into the commercial air space). Given that most modern aircraft fly by wire via autopilot and that we are seeing autonomous vehicles doing trial runs in cities around the globe, are we entering a time when the machines will do the long, tenuous work for us humans? While an autonomous model may work for certain tasks in a heavily monitored, controlled (and regulated) environment—looking specifically at commercial airlines, air traffic controllers, and the Federal Aviation Administration (FAA) here with this—when we introduce a ton of unknowns into the equation (such as pedestrians, dogs, rubbish on the highway, etc.), can we really rely on machines to take over? What is the responsibility of the human when something unexpected happens? Can the human override the machine—or will the machine be trusted to a point where it can’t be controlled by a human? In one view, that could be the whole point of this… to remove the human—and the human error—from the equation. But what about the machine error? Catch 22, anyone? While the above example focuses on ground transportation, there is a lot to be gained by studying the autonomous [monitored, controlled, regulated] world of aviation. This is something we discuss deeply with our guests, Pete Cooper and Ken Munro. Do we get the answers we need during this conversation? Perhaps some. Likely not all of them. Ready to be taken somewhere? OK—hands off the wheel. Let’s go! 
__________________________________ For more Unusual Gatherings: https://www.itspmagazine.com/unusual-gatherings __________ Interested in sponsoring an ITSPmagazine talk show? Visit: https://www.itspmagazine.com/talk-show-sponsorships
If you think your maritime satellite terminal is safe from hackers, give Ken Munro a call to make sure. He’s probably already found a backdoor to your system on the internet. Ken is the founder of Pen Test Partners, a network security consultancy firm, as well as a widely respected and very entertaining public speaker on all topics cybersecurity. His presentations include live hacks on local devices, hotel keycards, keyless cars and a range of Internet of Things (IoT) devices, including wearable children’s toys. Ken travels the world, sharing his disdain for device vendors that fail to secure their technologies in order to protect their potential customers. We sat down with Ken following his keynote at the 2019 OilComm conference in Houston, Texas, to discuss his recent fascination with the commercial space industry, specifically due to what he sees as a concerning lack of security for satellite ground systems. Ken explains his recent work with the commercial satellite industry and shares some ideas on how satellite companies can help better secure their networks in the constantly evolving IoT ecosystem. The episode also features a replay of the second half of Ken’s keynote at OilComm, which presented the results of a satellite terminal hack for the oil and gas industry. It’s a funny, enlightening, and at times, terrifying presentation packed with some good advice for those who are unsure of their ground systems’ cyber defenses.
Kicking off our new Smart Cities Smart People series is Ken Munro, ethical hacker and partner at Pen Test Partners. Ken has more than two decades of experience in the ethical hacking and security circuit, and gives his thoughts on what 5G can do for smart cities, his biggest pet peeves, and more! https://www.pentestpartners.com/
This week: How does the internet affect us? What does it mean for our security, our wallets, and ourselves. We're taking a deep dive into the world of all things cyber... Like this podcast? Please help us by supporting the Naked Scientists
On this IoT For All podcast episode, Ken Munro, Partner at Pen Test Partners, shares his experience finding and disclosing security vulnerabilities by breaking embedded IoT systems. Ken walks us through the testing and reporting process for security vulnerabilities and how liability is handled in cases where devices are tested and issues are found, especially when manufacturers choose to ignore said issues. He also addresses how companies without impregnable devices can be put out of business due to security failures and why security continues to be an afterthought. The episode concludes with a discussion about how companies are handling the growing threat of cybercriminals, what the catalyst will be to driving rapid change across the industry and how IoT device regulations in states like California and Massachusetts can be adopted nationwide. Finally, Ken answers the tough question of whether or not we should be scared of IoT. If you're interested in connecting with Ken, check out his LinkedIn!
About Pen Test Partners: Pen Test Partners is a partnership of high-end penetration testers, cherry-picked for their wealth of knowledge and years of experience in the pen testing sector, with a passion to be the very best at what they do.
Key Questions and Topics from this Episode:
(6:26) What is the device testing process like for PenTest Partners?
(7:49) How is liability handled in cases where devices are tested and issues are found but manufacturers are not open to change or feedback?
(8:48) Why is security an afterthought in IoT?
(10:27) What size companies are impacted the most when it comes to being put out of business due to security failures?
(12:08) What is the reporting “process” when you find issues with devices?
(17:11) Outside of cost, what is contributing to the cause of these security vulnerabilities?
(19:48) What can be done to fix security holes once a product is launched and out in the market, if anything?
(21:17) How wary should consumers be of products coming from smaller companies/startups?
(23:06) How are IoT companies dealing with the growing threat of cybercriminals and the potential threat to their businesses?
(25:15) What is it going to take to start driving change across the industry?
(26:58) How will IoT device regulations in states like California and Massachusetts be adopted by other states?
(36:02) What advice can be given to consumers when it comes to buying an IoT device?
(31:58) Should we be scared of IoT?
Join Chris John Riley and Martin McKeay live from the annual FIRST conference in Edinburgh, Scotland as they interview Ken Munro. Ken is a partner and founder at Pen Test Partners, LLP and was the opening keynote for the 31st Annual FIRST Conference.
Sy Montgomery on final farewells to beloved pets. Russell Wynn of the Marine Robotic and National Oceanographic Center in the UK shares the adventures of Boaty McBoatface. The weird wonders of bipes with Sara Ruane of Rutgers University-Newark. Ken Munro of PenTestPartners hacks smart devices to keep you safe. Walt Wolfram of North Carolina State University explores the Hoi Toiders dialect of the Outer Banks.
Dr. Ken Munro, Canadian history expert.
Researchers at Pen Test Partners recently examined a variety of third-party automotive security systems and found serious security issues, potentially giving bad actors the ability to locate, disable or meddle with multiple vehicle systems. Ken Munro is a security researcher with Pen Test Partners, and he joins us to share their findings. The original research can be found here: https://www.pentestpartners.com/security-blog/gone-in-six-seconds-exploiting-car-alarms/ The CyberWire's Research Saturday is presented by Juniper Networks. Thanks to our sponsor Enveil, closing the last gap in data security.
Podcast: The CyberWire
Episode: Alarming vulnerabilities in automotive security systems — Research Saturday
Pub date: 2019-03-30
Notes from @BEERISAC: CPS/ICS Security Podcast Playlist: NB: In some cases, the car engine could be ‘killed’ whilst it was driving.
Researchers at Pen Test Partners recently examined a variety of third-party automotive security systems and found serious security issues, potentially giving bad actors the ability to locate, disable or meddle with multiple vehicle systems. Ken Munro is a security researcher with Pen Test Partners, and he joins us to share their findings. The original research can be found here: https://www.pentestpartners.com/security-blog/gone-in-six-seconds-exploiting-car-alarms/ The CyberWire's Research Saturday is presented by Juniper Networks. Thanks to our sponsor Enveil, closing the last gap in data security. The podcast and artwork embedded on this page are from The CyberWire, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.
Microsoft Edge whitelists Flash autorun on Facebook, WinRAR vulnerability existed for up to 19 years, and researcher Ken Munro says hackers could easily sink ships at sea on episode 225 of our daily cybersecurity podcast.
Interview with security researcher at Pen Test Partners, Ken Munro, on the firm's recent discovery of dangerous vulnerabilities in MiSafes GPS enabled child tracking smartwatches.
We interview Ken Munro from PenTest Partners (https://www.pentestpartners.com/) discussing his work testing and identifying security flaws in connected building devices. What do building owners / installers and manufacturers need to do to make buildings more resistant to Cyber Attack? Cyber Security Essentials - http://www.cyberessentials.org/
We have more Ken Munro in this second part of our podcast. In this segment, Ken tells us how he probes wireless networks for weaknesses and some of the tools he uses. One takeaway for me is that the PSKs or passwords for WiFi networks should be quite complex, probably at least 12 characters. The hackers can crack hashes of low-entropy WiFi keys, which they can scoop up with wireless scanners. Ken also has some thoughts on why consumer IoT devices will continue to be hackable. Keep in mind that his comments on security and better authentication carry over quite nicely to the enterprise world.
Transcript
Inside Out Security: You’ve focused mostly on testing the IoT — coffee makers, doorbells, cameras — and it’s kind of stunning that there’s so much consumer stuff connected to the internet. The Ring Doorbell and iKettle were examples, I think, where you obtained the WiFi PSKs (pre-shared keys). Could you talk more about your work with these gadgets?
Ken: Yeah, so where they're interesting to us is that in the past to get hold of decent research equipment to investigate, it used to be very expensive. But now that the Internet of Things has emerged, we're starting to see low-cost consumer goods with low-cost chip sets, with low-cost hardware, and low-cost software starting to emerge at a price point that the average Joe can go and buy and put into their house. A large company, if they buy technologies, has probably got the resources to think about assessing their security … And put some basic security measures around. But average Joe hasn't. So what we wanted to do was try and look to see how good the security of these devices was, and almost without exception, the devices we've been looking at have all had significant security flaws! The other side of it as well, actually, it kind of worries me. Why would one need a wireless tea kettle?
IOS: Right. I was going to ask you that. I was afraid to. Why do you think people are buying these things? The advantage is that you can, I guess, get your coffee while you're in the car and it'll be there when you get home?
Ken: No. It doesn't work like that … Yeah, that's the crazy bit. In the case of the WiFi kettle, it only works over WiFi. So you've got to be in your house!
IOS: Okay. It's even stranger.
Ken: Yeah, I don't know about you but my kitchen isn't very far away from the rest of my house. I'll just walk there, thanks.
IOS: Yeah. It seems that they were just so lacking in some basic security measures … they left some really key information unencrypted. What was the assumption? That it would be just used in your house and that it would be just impossible for someone to hack into it?
Ken: You're making a big step there, which is assuming that the manufacturer gave any thought to an attack from a hacker at all. I think that's one of the biggest issues right now is there are a lot of manufacturers here and they're rushing new product to market, which is great. I love the innovation. I'm a geek. I like new tech. I like seeing the boundaries being pushed. But those companies that are rushing technologies to market with not really understanding the security risk. Otherwise, you're completely exposing people's homes, people's online lives by getting it wrong.
IOS: Right. I guess I was a little surprised. You mentioned in your blog something called wigle.net?
Ken: Yeah, wigle is … awesome and that's why WiFi's such a dangerous place to go.
IOS: Right.
Ken: Well, there's other challenges. It's just the model of WiFi -- which is great, don't get me wrong -- when you go home with your cell phone, your phone connects to your WiFi network automatically, right? Now, the reason I can do that is by sending what are called client probe requests. And that's your phone going, "Hey, WiFi router, are you there? Are you there? Are you there?" Of course, when you're out and about and your WiFi's on, it doesn't see your home WiFi router. But when you get home, it goes, "Are you there?" "Yeah, I'm here," and it does the encryption and all your traffic's nice and safe. What wigle does — I think it stands for wireless integrated geographic location engine, which is crazy … security researchers have been out with wireless sniffers, scanners, and mapped all the GPS coordinates of all the wireless devices they see. And then they collate that onto wigle.net, which is a database of these which you can basically query a wireless network name … and work out where they are. So it's really easy. You can track people using the WiFi on their phones using wigle.net. You can find WiFi devices. A great example of that was how we find the iKettle, that you can search wigle.net for kettles. It's crazy!
IOS: Yeah, I know. I was stunned. I had not seen this before. I suspect some of the manufacturers would be surprised if they saw this. We see the same thing in the enterprise space or IT. I'm just sort of surprised there's just so many tools and hacking tools out there. But in any case, I think you mentioned that some of these devices start up as an access point and that, in that case, you know the default access name of the iKettle or whatever the device is, and then you could spot it. Is this the way the hackers work?
Ken: No, that's right. The issue with an IoT WiFi device is that when you first put it up, you need to get through a process of connecting to it and connecting it to your home WiFi network. And that is usually a two-stage process. Usually. It depends. Some devices don't do this but most devices, say, the iKettle, will set itself up as an access point first or a client-to-client device, and then once you go in and configure it with your cell phone, it then switches into becoming a client on your WiFi network. And it's going through that set of processes where we also found issues and that's where you can have some real fun.
IOS: Right. I think you took the firmware of one of these devices and then were able to figure out, let's say, like a default password.
Ken: Yeah. That's another way. It's a completely different attack. So that's not what we'll do in the iKettle. We didn't need to go near the firmware. But a real game changer with IoT devices is that the manufacturer is putting their hardware in the hands of their customers … Let's say you're a big online retailer. Usually you bring them in with application and you buy stuff. With the Internet of Things, you're actually putting your technology -- your kit, your hardware, your firmware, your software — into the hands of your consumers. If you know what you're doing, there's great things you can do to analyze the firmware. You can extract off from devices, and going through that process, you can see lots of useful data. It's a real game changer, unlike a web application where you can protect it with a firewall … But the Internet of Things, you put your chips into the hands of your customers and they can do stuff with that potentially, if they have got security right.
IOS: Right. Did you talk about they should have encrypted the firmware or protected it in some way? Is that right?
Ken: Yeah. Again, that's good practice. In security, we talk about having layers of defense, what we call defense in depth so that if any one layer of the security chain is broken, it doesn't compromise the whole device. And a great example for getting that right would be to make sure you protect the firmware. So you can digitally sign the code so that only valid code can be loaded onto your device. That's a very common problem in design where manufacturers haven't looked at code signing and therefore we can upload rogue code. A good example of that was the Ring doorbell. Something that's attached to the outside of your house. You can unscrew it. You can walk off with it. And we found one bug whereby you can easily extract the WiFi key from the doorbell! Again, the manufacturer fixed that really quickly, which is great, exactly what we want to see, but our next step is looking at it and seeing if we can take the doorbell, upload a rogue code to it, and then put it back on your door. So we've actually got a back door on your network.
IOS: Right, I know. Very scary. Looking through your blog posts and there were a lot of consumer devices, but then there was one that was in a, I think, more of a borderline area and it was ironically a camera. It could potentially be a security camera. Was that the one where you got the firmware?
Ken: Yeah, that was an interesting one. We've been looking at some consumer grade CCTV cameras, although we see these in businesses as well. And we've particularly been looking at the cameras themselves and also the digital video recorders, the DVRs where they record their content onto. So many times we find someone has accidentally put a CCTV camera on the public Internet. You've got a spy cam into somebody's organization! The DVR that records all the content, sometimes they put those on the Internet by mistake as well. Or you find the manufacturers built it so badly that … it goes on by itself, which is just crazy.
IOS: Yeah, there's some stunning implications, just having an outsider look into your security camera. But you showed you were able to, from looking at the ... it was either the firmware or once you got into the device, you could then get into network. Was that right?
Ken: Yeah, that's quite ironic really, isn't it? CCTV cams, you consider to be a security device. And what we found is not just the camera but also the DVR, if you put it on your network and … it can create a backdoor onto your network as well. So you put on a security device that makes you less secure.
IOS: One of the things you do in your assessments is wireless scanning and you use something, if I'm not mistaken, called Kismet?
Ken: Kismet's a bit old now ... There are lots of tools around but the Aircrack suite is probably where it's at right now. And that's a really good suite for wireless scanning and wireless g cracking.
IOS: Right. So I was wondering if you could just describe how you do a risk assessment. What would be the procedure using that particular tool?
Ken: Sure. At its most basic, what you'd be looking to do, let's say you're looking at your home WiFi network. Basically, we need to make sure your WiFi is nice and safe. And security of a WiFi key is how long and complex it is. It's very easy to grab an encrypted hash of your WiFi key by sitting outside with a WiFi antenna and a tool like Aircrack, which allows you to grab the key. What we then want to do is try and crack that offline. So once I've got your WiFi key, I'm on your network, and we find in a lot of cases that ISP WiFi routers, the default passwords just aren't complicated enough. And we looked at some of the ISPs in the U.K. and discovered that some of the preset keys, we could crack them on relatively straightforward equipment in as little as a couple of days.
IOS: Okay. That is kind of mind-blowing because I was under the impression that those keys were encrypted in a way that would make it really difficult to crack.
Ken: Yeah, you hope so but, again, it comes down to the length and complexity of the key. If your WiFi network key is only say -- I don't know — eight characters long and it's not really going to stand up to a concerted attack for very long. So again, length and complexity is really important.
IOS: Yeah, actually we do see the same thing in the enterprise world and one of the first recommendations security pros make is the keys have to be longer and the passwords have to be longer than at least 8.
Ken: We've been looking at some ... there's also the character set as well. We often find … the WiFi router often might only have lower case characters and maybe some numbers, and those numbers and characters are always in the same place in the key. And if you know where they are and you know they're always going to be lower case, you've reduced the complexity.
IOS: Right.
Ken: So I'd really like to be seeing 12-, 15-, 20-character passwords. It's not a difficult thing. Every time you get a new smartphone or a new tablet, you have to go and get it from the router then but really I think people can cope with longer passwords that they don't use very often, don't you think?
IOS: No, I absolutely agree. We sort of recommend, and we've written about this, that you can ... as an easy way to remember longer passwords, you can make up a mnemonic where each letter becomes part of a story. I don't know if you've heard of that technique. You can get a 10-character password that's easy to remember and therefore becomes a lot harder to decrypt. We've also written a little bit about some of the decrypting tools that are just easily available, and I think you mentioned one of them. Was it John the Ripper?
Ken: John is a password brute force tool and that's really useful. That's great for certain types of passwords. There are other tools for doing different types of password hashes but John is great. Yeah, it's been around for years.
IOS: It's still free.
Ken: But there are lots of other different types of tools that crack different types of password.
IOS: Okay. Do you get the sense that, just going back to some of these vendors who are making these devices, I think you said that they just probably are not even thinking about it and perhaps just not even aware of what's out there?
Ken: Yeah, let's think about it. The majority of start-up entrepreneur organizations that are trying to bring a new IoT device to market, they've probably got some funding. And if they're building something, it's probably going to be going into production nine months ahead. Imagine you've got some funding from some investors, and just as you're about to start shipping, somebody finds a security bug in your product! What do you do? Do you stop shipping and your company goes bust? Or do you carry on and try to deal with the fallout? I do sympathize with these organizations, particularly if they had no one giving them any advice along the way to say, "Look, have you thought about security?" Because then they're backed into a corner. They've got no choice but to ship or their business goes bankrupt, and they've got no ability to fix the problem. And that’s probably what happened with the guys who made the WiFi kettle. Some clever guys had a good idea, got themselves into a position where they were committed, and then someone finds a bug and there's no way of backing out of shipping.
IOS: Right, yeah. Absolutely all true. Although we like to preach something called Privacy by Design — at least it’s getting a lot more press than it did a couple years ago — which is just the people at the C-level suite should just be aware that you have to start building some of these privacy and security ideas into the software. Although it's high-sounding language. And you're right, when it comes to it, a lot of companies, especially start-ups, are really going to be forced to push these products out and then send out an update later, I guess is the idea. Or not. I don't know.
Ken: That's the chance, isn't it? So if you look at someone like Tesla, they've had some security bugs found last year and they have the ability to do over-the-Internet updates. So the cars can connect over WiFi and all their security bugs were fixed over the air in a two-week period! I thought that was fantastic. So they can update in the field ... if you figured out that, brilliant. But they don't have the ability to do updates once they're in the field. So then you end up in a real stick because you've got products you can only fix by recalling, which is a huge cost and terrible PR. So hats off to Tesla for doing it right. And the same goes for the Ring doorbell. The guys thought about it. They had a process whereby it got the updates really, really easy, it's easy to fix, and they updated the bug that we found within about two weeks. And that's the way it should be. They completely thought about security. They knew they couldn't be perfect from the beginning. "Let's put a cable in place, a mechanism, so we can fix anything that gets found in the field."
IOS: Yes. We're sort of on the same page. Varonis just sees the world where there will always be a way for someone to get into especially newer products and you have to have secondary defenses. And you've talked about some good remediations with longer passwords, and another one we like is two-factor authentication. Any thoughts on biometric authentication?
Ken: Yes. Given the majority of IoT devices are being controlled by a smartphone, I think it's really key for organizations to think about how they've authenticated the customer to a smart device or, if they have a web app, the web interface as well, how they authenticate the customer to that. I'm a big fan of two-factor authentication. People get their passwords stolen in breaches all the time. And because they will reuse their passwords across multiple different systems, passwords stolen from one place and you find another place gets compromised. There was a great example, I think, some of the big data breaches ... they got a password stolen in one breach and then someone got their account hacked. It wasn't hacked. They just had reused the password!
IOS: Right.
Ken: So I'm a real fan of two-factor authentication to prevent that happening. Whether it's a one-time SMS to your phone or a different way of doing it, I think two-factor authentication is fantastic for helping Average Joe deal with security more easily. No one's going to have an issue with, "Look, you've sent me an SMS to my phone. That's another layer of authentication. Great. Fantastic." I'm not so much a fan of biometrics by themselves and the reason for that is my concern about revocation. Just in case the biometric data is actually breached, companies get breached all the time, we've not just lost passwords because passwords we throw them away, we get new ones, but if we lose your biometric, we're in a bit more of a difficult position. But I do think biometrics work brilliantly when they're combined with things like passwords. Biometric plus password is fantastic as a secure authentication.
IOS: Thanks for listening to the podcast. If you're interested in following Ken on Twitter, his handle is TheKenMunroShow or you can follow his blog at PenTestPartners.com. Thanks again.
If you want to understand the ways of a pen tester, Ken Munro is a good person to listen to. An info security veteran for over 15 years and founder of UK-based Pen Test Partners, his work in hacking into consumer devices — particularly coffee makers — has earned lots of respect from vendors. He’s also been featured on the BBC News. You quickly learn from Ken that pen testers, besides having amazing technical skills, are at heart excellent researchers. They thoroughly read the device documentation and examine firmware and coding like a good QA tester. You begin to wonder why tech companies, particularly the ones making IoT gadgets, don’t run their devices past him first! There is a reason. According to Ken, when you’re small company under pressure to get product out, especially IoT things, you end up sacrificing security. It’s just the current economics of startups. This approach may not have been a problem in the past, but in the age of hacker ecosystems, and public tools such as wigle.net, you’re asking for trouble. The audio suffered a little from the delay in our UK-NYC connection, and let’s just say my Skype conferencing skills need work. Anyway, we join Ken as he discusses how he found major security holes in wireless doorbells and coffee makers that allowed him to get the PSK (pre-shared keys) of the WiFi network that’s connected to them. Transcript Inside Out Security: You’ve focused mostly on testing the IoT — coffee makers, doorbells, cameas –and it’s kind of stunning that there’s so much consumer stuff connected to the internet. The Ring Doorbell and iKettle, were examples I think, where you obtained the WiFi PSKs (pre-shared keys). Could you talk more your work with these gadgets? Ken: Yeah, so where they're interesting to us is that in the past to get hold of decent research equipment to investigate, it used to be very expensive. But now that the Internet of Things has emerged. 
We're starting to see low-cost consumer goods with low-cost chip sets, with low-cost hardware, and low-cost software starting to emerge at a price point that the average Joe can go and buy and put into their house. A large company, if they buy technologies, has probably got the resources to think about assessing their security … And put some basic security measures around. But average Joe hasn't. So what we wanted to do was try and look to see how good the security of these devices was, and almost without exception, the devices we've been looking at have all had significant security flaws! The other side of it as well, actually, it kind of worries me. Why would one need a wireless tea kettle? IOS: Right. I was going to ask you that. I was afraid to. Why do you think people are buying these things? The advantage is that you can, I guess, get your coffee while you're in the car and it'll be there when you get home? Ken: No. It doesn't work like that …Yeah, that's the crazy bit. In the case of the WiFi kettle, it only works over WiFi. So you've got to be in your house! IOS: Okay. It's even stranger. Ken: Yeah, I don't know about you but my kitchen isn't very far away from the rest of my house. I'll just walk there, thanks. IOS: Yeah. It seems that they were just so lacking in some basic security measures … they left some really key information unencrypted. What was the assumption? That it would be just used in your house and that it would be just impossible to someone to hack into it? Ken: You're making a big step there, which is assuming that the manufacturer gave any thought to an attack from a hacker at all. I think that's one of the biggest issues right now is there are a lot of manufacturers here and they're rushing new product to market, which is great. I love the innovation. I'm a geek. I like new tech. I like seeing the boundaries being pushed. But those companies that are rushing technologies to market with not really understanding the security risk. 
Otherwise, you're completely exposing people's homes, people's online lives by getting it wrong. IOS: Right. I guess I was a little surprised. You mentioned in your blog something called wigle.net? Ken: Yeah, wigle is …. awesome and that's why WiFi's such a dangerous place to go. IOS: Right. Ken: Well, there's other challenges. It's just the model of WiFi -- which is great, don't get me wrong -- when you go home with your cell phone, your phone connects to your WiFi network automatically, right? Now, the reason I can do that is by sending what are called client probe requests. And that's your phone going, "Hey, WiFi router, are you there? Are you there? Are you there?" Of course, when you're out and about and your WiFi's on, it doesn't see your home WiFi router. But when you get home, it goes, "Are you there?" "Yeah, I'm here," and it does the encryption and all your traffic's nice and safe. What wigle does — I think it stands for wireless integrated geographic location engine, which is crazy … security researchers have been out with wireless sniffers, scanners, and mapped all the GPS coordinates of all the wireless devices they see. And then they collate that onto wigle.net, which is a database of these which you can basically query a wireless network name … and work out where they are. So it's really easy. You can track people using the WiFi on their phones using wigle.net. You can find WiFi devices. A great example of that was how we find the iKettle, that you can search wigle.net for kettles. It's crazy! IOS: Yeah, I know. I was stunned. I had not seen this before. I suspect some of the manufacturers would be surprised if they saw this. We see the same thing in the enterprise space or IT. I'm just sort of surprised that's just so many tools and hacking tools out there. 
But in any case, I think you mentioned that some of these devices start up as an access point and that, in that case, you know the default access name of the iKettle or whatever the device is, and then you could spot it. Is this the way the hackers work? Ken: No, that's right. The issue with an IoT WiFi device is that when you first put it up, you need to get through a process of connecting to it and connecting it to your home WiFi network. And that is usually a two-stage process. Usually. It depends. Some devices don't do this but most devices, say, the iKettle, will set itself up as an access point first or a client-to-client device, and then once you go in and configure it with your cell phone, it then switches into becoming a client on your WiFi network. And it's going through that set of processes where we also found issues and that's where you can have some real fun. IOS: Right. I think you took the firmware of one of these devices and then was able to figure out, let's say, like a default password. Ken: Yeah. That's another way. It's a completely different attack. So that's not what we'll do in the iKettle. We didn't need to go near the firmware. But a real game changer with IoT devices is that the manufacturer is putting their hardware in the hands of their customers … Let's say you're a big online retailer. Usually you bring them in with application and you buy stuff. With the Internet of Things, you're actually putting your technology -- your kit, your hardware, your firmware, your software — into the hands of your consumers. If you know what you're doing, there's great things you can do to analyze the firmware. You can extract off from devices, and going through that process, you can see lots of useful data. 
It's a real game changer, unlike a web application where you can protect it with a firewall … But the Internet of Things, you put your chips into the hands of your customers and they can do stuff with that potentially, if they have got security right. IOS: Right. Did you talk about they should have encrypted the firmware or protected it in some way? Is that right? Ken: Yeah. Again, that's good practice. In security, we talk about having layers of defense, what we call defense in depth so that if any one layer of the security chain is broken, it doesn't compromise the whole device. And a great example for getting that right would be to make sure you protect the firmware. So you can digitally sign the code so that only valid code can be loaded onto your device. That's a very common problem in design where manufacturers haven't looked at code signing and therefore we can upload rogue code. A good example of that was the Ring doorbell. Something that's attached to the outside of your house. You can unscrew it. You can walk off with it. And we found one bug whereby you can easily extract the WiFi key from the doorbell! Again, the manufacturer fixed that really quickly, which is great, exactly what we want to see, but our next step is looking at it and seeing if we can take the doorbell, upload a rogue code to it, and then put it back on your door. So we've actually got a back door on your network. IOS: Right, I know. Very scary. Looking through your blog posts and there were a lot of consumer devices, but then there was one that was in a, I think, more of a borderline area and it was ironically a camera. It could potentially be a security camera. Was that the one where you got the firmware? Ken: Yeah, that was an interesting one. We've been looking at some consumer grade CCTV cameras, although we see these in businesses as well. 
And we've particularly been looking at the cameras themselves and also the digital video recorders, the DVRs where they record their content onto. So many times we find someone has accidentally put a CCTV camera on the public Internet. You've got a spy cam into somebody's organization! The DVR that records all the content, sometimes they put those on the Internet by mistake as well. Or you find the manufacturers built it so badly that .. it goes on by itself, which is just crazy. IOS: Yeah, there's some stunning implications, just having an outsider look into your security camera. But you showed you were able to, from looking at the...it was either the firmware or once you got into the device, you could then get into network. Was that right? Ken: Yeah, that's quite ironic really, isn't it? CCTV cams, you consider to be a security device. And what we found is not just the camera but also the DVR, if you put it on your network and ,,, it can create a backdoor onto your network as well. So you put on a security device that makes you less secure. IOS: One of things you do in your assessments is wireless scanning and you use something, if I'm not mistaken, called Kismet? Ken: Kismet's a bit old now ... There are lots of tools around but the Aircrack suites is probably where it's at right now And that's a really good suite for wireless scanning and wireless g cracking. IOS: Right. So I was wondering if you could just describe how you do a risk assessment. What would be the procedure using that particular tool? Ken: Sure. At its most basic, what you'd be looking to do, let's say you're looking at your home WiFi network. Basically, we need to make sure your WiFi is nice and safe. And security of a WiFi key is how long and complex it is. It's very easy to grab an encrypted hash of your WiFi key by sitting outside with a WiFi antenna and a tool like Aircrack, which allows you to grab the key. What we then want to do is try and crack that offline. 
So once I've got your WiFi key, I'm on your network, and we find in a lot of cases that ISP WiFi routers, the default passwords just aren't complicated enough. And we looked at some of the ISPs in the U.K. and discovered that some of the preset keys, we could crack them on relatively straightforward equipment in as little as a couple of days.
IOS: Okay. That is kind of mind-blowing because I was under the impression that those keys were encrypted in a way that would make it really difficult to crack.
Ken: Yeah, you hope so but, again, it comes down to the length and complexity of the key. If your WiFi network key is only say -- I don't know -- eight characters long and it's not really going to stand up to a concerted attack for very long. So again, length and complexity is really important.
IOS: Yeah, actually we do see the same thing in the enterprise world and one of the first recommendations security pros make is the keys have to be longer and the passwords have to be longer than at least 8.
Ken: We've been looking at some ... there's also the character set as well. We often find … the WiFi router often might only have lower case characters and maybe some numbers, and those numbers and characters are always in the same place in the key. And if you know where they are and you know they're always going to be lower case, you've reduced the complexity.
IOS: Right.
Ken: So I'd really like to be seeing 12-, 15-, 20-character passwords. It's not a difficult thing. Every time you get a new smartphone or a new tablet, you have to go and get it from the router then but really I think people can cope with longer passwords that they don't use very often, don't you think?
IOS: No, I absolutely agree. We sort of recommend, and we've written about this, that you can...as an easy way to remember longer passwords, you can make up a mnemonic where each letter becomes part of a story. I don't know if you've heard of that technique.
You can get a 10-character password that's easy to remember and therefore becomes a lot harder to decrypt. We've also written a little bit about some of the decrypting tools that are just easily available, and I think you mentioned one of them. Was it John the Ripper?
Ken: John is a password brute force tool and that's really useful. That's great for certain types of passwords. There are other tools for doing different types of password hashes but John is great. Yeah, it's been around for years.
IOS: It's still free.
Ken: But there are lots of other different types of tools that crack different types of password.
IOS: Okay. Do you get the sense that, just going back to some of these vendors who are making these devices, I think you said that they just probably are not even thinking about it and perhaps just not even aware of what's out there?
Ken: Yeah, let's think about it. The majority of start-up entrepreneur organizations that are trying to bring a new IoT device to market, they've probably got some funding. And if they're building something, it's probably going to be going into production nine months ahead. Imagine you've got some funding from some investors, and just as you're about to start shipping, somebody finds a security bug in your product! What do you do? Do you stop shipping and your company goes bust? Or do you carry on and trying to deal with the fallout? I do sympathize with these organizations, particularly if they had no one giving them any advice along the way to say, "Look, have you thought about security?" Because then they're backed into a corner. They've got no choice but to ship or their business goes bankrupt, and they've got no ability to fix the problem. And that’s probably what happened with the guys who made the WiFi kettle. Some clever guys had a good idea, got themselves into a position where they were committed, and then someone finds a bug and there's no way of backing out of shipping.
IOS: Right, yeah. Absolutely all true.
Although we like to preach something called Privacy by Design — at least it’s getting a lot more press than it did a couple years ago — which is just the people at the C-level suite should just be aware that you have to start building some of these privacy and security ideas into the software. Although it's high-sounding language. And you're right, when it comes to it, a lot of companies, especially start-ups, are really going to be forced to push these products out and then send out an update later, I guess is the idea. Or not. I don't know.
Ken: That's the chance, isn't it? So if you look at someone like Tesla, they've had some security bugs found last year and they have the ability to do over-the-Internet updates. So the cars can connect over WiFi and all their security bugs were fixed over the air in a two-week period! I thought that was fantastic. So they can update in the field ... if you figured out that, brilliant. But they don't have the ability to do updates once they're in the field. So then you end up in a real stick because you've got products you can only fix by recalling, which is a huge cost and terrible PR. So hats off to Tesla for doing it right. And the same goes for the Ring doorbell. The guys thought about it. They had a process whereby it got the updates really, really easy, it's easy to fix, and they updated the bug that we found within about two weeks. And that's the way it should be. They completely thought about security. They knew they couldn't be perfect from the beginning. "Let's put a cable in place, a mechanism, so we can fix anything that gets found in the field."
IOS: Yes. We're sort of on the same page. Varonis just sees the world where there will always be a way for someone to get into especially newer products and you have to have secondary defenses. And you've talked about some good remediations with longer passwords, and another one we like is two-factor authentication. Any thoughts on biometric authentication?
Ken: Yes.
Given the majority of IoT devices are being controlled by a smartphone, I think it's really key for organizations to think about how they've authenticated the customer to a smart device or, if they have a web app, the web interface as well, how they authenticate the customer to that. I'm a big fan of two-factor authentication. People get their passwords stolen in breaches all the time. And because they will reuse their passwords across multiple different systems, passwords stolen from one place and you find another place gets compromised. There was a great example, I think, some of the big data breaches ... they got a password stolen in one breach and then someone got their account hacked. It wasn't hacked. They just had reused the password!
IOS: Right.
Ken: So I'm a real fan of two-factor authentication to prevent that happening. Whether it's a one-time SMS to your phone or a different way of doing it, I think two-factor authentication is fantastic for helping Average Joe deal with security more easily. No one's going to have an issue with, "Look, you've sent me an SMS to my phone. That's another layer of authentication. Great. Fantastic." I'm not so much a fan of biometrics by themselves and the reason for that is my concern about revocation. Just in case the biometric data is actually breached, companies get breached all the time, we've not just lost passwords because passwords we throw them away, we get new ones, but if we lose your biometric, we're in a bit more of a difficult position. But I do think biometrics work brilliantly when they're combined with things like passwords. Biometric plus password is fantastic as a secure authentication.
IOS: Thanks for listening to the podcast. If you're interested in following Ken on Twitter, his handle is TheKenMunroShow or you can follow his blog at PenTestPartners.com. Thanks again.
We were thrilled when Pen Testing veteran, Ken Munro joined our show to discuss the vulnerabilities of things. In this episode, Ken reveals the potential security risks in a multitude of IoT devices – cars, thermostats, kettle and more. We also covered GDPR, Privacy by Design and asked if Ken thinks “The Year of Vulnerabilities” will be hitting headlines any time soon. Munro runs Pen Testing Partners, a firm that focuses on penetration testing on the Internet of Things. He’s a regular on BBC, and most recently, he was interviewed by one of our bloggers, Andy Green. The post The Vulnerability of Things – IOSS 21 appeared first on Varonis Blog.