
Crowdsourced Information Sharing In IoT Cybersecurity by K. Hooper-Warren, T. Stewart & S. McGurgan

BSides Cheltenham, 21:00, published 2022-07

So, yeah, thanks everyone for joining us for the presentation today. We'll essentially be chatting to you about how a community-driven, crowdsourced solution towards IoT cybersecurity has a place in current society. So first of all, does anybody here fall into any of these categories that you can see on the screen? Okay, that's good, we're in the right room then, that's fine. Okay, so you guys are the experts in the room. There's a lot of snake oil and buzzwords relating to IoT at the moment, so we'll try and avoid a lot of that in the talk today. So, as I said, we are providing a community-driven cybersecurity solution towards the Internet of Things, and this is our first BSides event. BSides is great because it brings together an industry which is notoriously siloed in the way that we work, so by bringing together a community of like-minded individuals, hobbyists, professionals, we couldn't be more excited to be here today. So these two handsome chaps make up part of the iotable team. I'm Kieran, the commercial guy, I'm resident BFG, and then we've got Tyrone, who's the product guy and ping pong connoisseur. We also have a few of our tech guys in the audience today, so if you want to chat tech with those guys afterwards, feel free.

Okay, so you'll be aware that IoT has become a bit of a buzzword lately, the past decade or so, and so I guess the definition that we're going to follow to describe IoT would be any internet-connected device that is not a laptop or a smartphone. Now these devices are everywhere. An example: autonomous connected vehicles. Who in the audience has one of these? Oh, not what I was expecting, but that's for a cybersecurity lot, but that's fine. But you guys know these things were once something expected in the future; they're very much here and here to stay. More examples of IoT devices: medical devices again, smart pacemakers, smart insulin pumps, home medical devices, just a few, and COVID really exacerbated this, as we know. Manufacturing and utilities: now smart manufacturing, connected robots, conveyor belts; also the utilities industries are going through rapid digital transformation at the moment. It's prime time for IoT in all of these industries and really we're just hitting the tip of the iceberg. So there are currently 22 billion IoT devices in circulation across the world, with an expected rise to 40 billion by 2025. It's a crazy number; the number's nearly going to double in the next three years. From what we've already seen for IoT, it's a booming industry and it's fundamentally changing the way that the world works.

Now the benefits are countless, but here for the purposes of the presentation we've counted three. So first of all you've got connectivity and innovation: with the world being more connected than ever before, it's rapidly accelerating the pace at which companies are able to innovate. Secondly you've got sustainability. Now there are all sorts of variables which underpin sustainability, but in IoT particularly you've got smart environmental sensors, smart agriculture, smart waste management, and these are all examples of how IoT is improving sustainability across the world. And then lastly, quality of life: fundamentally the introduction of IoT has improved the lives of so many people across the world. However, it is not all sunshine and rainbows, as you see. Obviously IoT is fantastic, it spurs innovation; however, what has also surged is the risks associated with these devices, and especially due to the increase of attack surfaces associated with them. So why does IoT present such a risk to cybersecurity? Well, we can split these into three main categories. So the first: insecure IoT devices. Now there are a lot of devices on the market that are being made in places that don't really prioritize, you know, the safety of the devices. They don't go through the regular due diligence, and therefore they really create them to maximize profits, and as a result it's easy for malicious actors to really exploit them. And just as a quick story on top of that: so we, for a bit of context, work at a

tech, and we checked with our IT manager a few months back if we could mess about with the cameras just to see how much data and what we could actually do with them. I have no technical expertise; I've never written a line of code in my life, but I happen to find myself in cybersecurity. But what I did do is take it upon myself to learn some of those skills, so I loaded up the Nmap scripting engine. Now a lot of you guys in the room will be aware that that is not realistically a high-level skilled cybersecurity action, but what I was able to do was load a few scripts onto the office cameras and actually get inside them, and that took me about half an hour, and as I said, no technical expertise. It wasn't exactly very difficult to do. Exactly.

And I guess another problem in the space is a deficit of security professionals. Now, you'll be well aware these guys typically get tasked to look into a device, formulate a report, and report that with vulnerabilities back to whatever vendor or manufacturer has asked them to conduct that security audit. Now this simply isn't enough for these professionals, and as a result it means that there are essentially too many devices to keep up with for the amount of these people at the moment, and that amount is only going to increase in the future.

And there's also fragmented device information. Now all of this information, from basic device information to vulnerability information, it's all out there, but it's all scattered across different databases. Essentially it takes a lot of time to find this, but what seems to be very easy to find is, you know, a list of default passwords that users are able to access these devices with. That seems to be the only thing that isn't really fragmented in the industry. But so where have some of these attacks already happened? Well, there are a couple of famous examples. First one: the thermostat casino hack. This is where essentially a bunch of attackers in an unnamed casino in Las Vegas managed to get 10 terabytes of data from a smart thermostat on the side of a fish tank. Now that's pretty scary stuff when you think that it's just a thermostat on the side of a fish tank. And then secondly you've got smart speakers listening to you. Now it's no secret that these speakers are listening, and I guess how many times have you actually heard your smart speaker say something to you even though you've not said their name? Well, that's because these devices are always listening to you, and just like any web interface, these speakers collect data through their apps. So you'd be fooled to think they're only listening to you when you want them to. In fact, police in the USA are now actively trying to get hold of Alexa audio files to help solve domestic violence disputes. It's a real concern for the future of our privacy.

So who's trying to solve it? Well, everyone, but how many times have you seen something like this? These are the new buzzwords in cybersecurity at the moment, as well as Internet of Things, but I don't actually think they mean anything. If you happen to disagree with me, by all means pull me after this talk and we'll have a chat. Alright, but as I said, new buzzwords, but it's absolutely everywhere. So yeah, to really get a grand understanding of, you know, the main problems in the area, let's go ahead and dig a little bit deeper to see what you

can find. So obviously insecure devices: this new cool IoT robot, whatever it is, it may look cool, probably does some good stuff, but is it safe? Practically, no. For example, do you really need a toaster that connects to your phone? Is it really necessary to have a Wi-Fi operated air conditioning unit? Again, the short answer is no. Default passwords: we've already briefly touched upon this, but these devices can be shipped with default usernames, default passwords, as simple as the username being "username" and the password being "password". You get the idea; not really the safest thing in the world. And finally cheap manufacturing: as mentioned, you know, security isn't really being considered in these manufacturing places, and therefore they're getting shipped, not only bought by consumers and adopted amongst consumer industry, but also across CNI firms. It really can be quite devastating.

So the second one is the deficit of security professionals. Now this is an absolutely huge one because it's hitting every single person in every single industry. There's simply not enough people to go around; IoT doomsday is just around the corner and the market currently has little response ready for it.

And then finally fragmented device information. We've already touched upon this again briefly, but the information is essentially scattered all over the internet, so if you want to conduct a thorough security audit you have to trawl through hundreds and hundreds of Google searches just to find the most basic device information. Now this can be stuff like hardware, software and firmware; I'm not talking anything super complex. So ultimately it's a massive time inefficiency and it doesn't really need to be this way. The industry has kind of brought the problem on itself by always kind of operating independently and not always fostering collaboration and information sharing across the industry. But the one thing that the industry does fail to recognize is that its biggest asset is already here, and that asset is in the community. Now we all have a role to play. You know, every single one of us could be sitting on information that could really help the IoT cybersecurity landscape. Know the software version of your smart TV? Then share it. Know the sub-components in your door sensor? Share it. Know the security vulnerabilities associated with that IP camera? Share it. This is all important knowledge.

However, there seems to be one underlying blocker: professionals seem to work in siloed workflows. So what do I mean by this? Well, IoT security experts seem to work independently of each other; they don't tend to collaborate on projects unless opportunities like BSides present themselves. Businesses do have their own internal ways of communicating and sharing data amongst each other; however, that simply doesn't seem to transcend over to the general community. Obviously there are examples such as, you know, vigilante groups, but if we could really carry that ethos to the general community it'd really go a long way.

So how do we do it? Well, it's quite simple really: crowdsourcing. Crowdsourcing has proven over the past 10 to 15 years it can be an extremely efficient way to fill knowledge gaps. Not only that, but by taking part users actually feel as though they're contributing towards something for the greater good. So by creating a huge information-sharing knowledge bank among the community, people can actually have access to information they otherwise wouldn't have, and ultimately it improves the participation and the knowledge of the wider network of users. And does it work? Well, the short answer is yes. Stack

Overflow's demonstrated that a crowdsourced, community-driven approach to filling technical knowledge gaps actually works. What if there was something like this for cybersecurity in IoT? A place to share information with your peers with the goal of improving the broader space of IoT and cybersecurity. Hands up here, anybody who's actually used Stack Overflow? Now keep your hands up if you'd be stuffed without it. Yeah, exactly, and that's because it works. Before Stack, programmers would have to go through heavy documentation just to find a simple fix for a simple problem. Imagine having to trawl through hours of documentation to find something that should have just taken you five minutes. Sounds pretty tedious, right? As well as that, for the programmers who prefer a more rogue approach, lots and lots of trial and error is needed. It was a huge inefficiency in the way that the industry operated, and we can definitely see parallels between then and IoT at the moment.

So on the left we have pre-Stack Overflow, the problems which we've mentioned, obviously due to the lack of collaboration because Stack simply didn't exist, and to the right we have the current state of IoT at the moment, with hundreds of Google searches just to find basic device information being kind of the new heavy documentation that plagues the industry at the moment. Quite simply, because Stack Overflow didn't exist there was a lack of collaboration, and this is again because we tend at the moment to work in siloed workflows. Finally, a huge problem that is often overlooked is the idea of repetitive work. Now I could be a security researcher based in Brazil that is looking into the latest Amazon Echo; I'm probably unaware that Kieran is looking into the exact same device in a different country, but because there's no real formal way of bringing us together, it means that there are a lot of inefficiencies there. However, Stack Overflow has mitigated the problem of uncaptured information by giving programmers the platform to crowdsource and collaborate together. So we must ask ourselves, why can't we as an industry do the same thing?

Now stick with me here: food and IoT are actually very similar. Now of course I'm not suggesting you start microwaving your smart devices; that will cause one hell of an accident. What I am referring to is the basic information that gets printed on the back of a packet. If you imagine 30 years ago, to find out the nutritional content of the food you'd eat you'd have to send it off to a lab to be analyzed. You'd get a report back six weeks later; by then you don't care because you've digested it and it's now irrelevant. Well, that's the current state of IoT at the moment. If you want an IoT device audited, you have to send it off, get a report back, and by then you've probably already put it into your infrastructure, so you don't really care anymore. If the industry can share all of the basic stuff they know about an IoT device and share it with the community, we can ultimately improve the industry more broadly. But what basic stuff do we actually mean? And I mean the basics of basics here, so software, firmware, hardware. The industry doesn't need the next Mr. Robot to share vulnerabilities, write binary code or micro-segment devices. What the industry needs is hardware, software and firmware information. By having a combination of all of these things, experts like you guys can extrapolate the security advice relatively easily. Hobbyists, researchers, students and many

more are all sat on top of valuable information that can provide value to the industry, and they don't even know it, and the community does have all of this. If the cybersecurity community can crowdsource all the basic information and package it in a way that helps the community to learn and develop, the industry can actually help to solve some really cool problems. How to collaborate, how to fix IoT and how to get more people involved in cyber can all be solved with a community-driven and crowdsourced approach. And crowdsourcing has been attempted by some companies; however, this crowdsourcing typically comes from the elite, vetted individuals who are essentially offering a service rather than a community. Additionally, all of this crowdsourced information goes back into other siloed databases, therefore inherently away from the community. To make it work, the industry must foster collaboration and inclusion to a crowdsourced approach, so that means no more siloed databases and working habits; instead the community can help to foster more collaboration across the industry and build an inclusive ethos among individuals who choose to take part.

But if you're currently there thinking, "yeah, great, but what's in it for me?", then let me enlighten you. First of all, you get to build your network: by utilizing crowdsourced information, people are actively becoming more informed based on the information that you're giving them. This gives you the opportunity to influence and therefore build your network with like-minded people. Secondly, you can change the industry through collaboration. Become pioneers in the way that the industry operates: by advocating for crowdsourcing early on, you're actively improving the industry all while collaborating with your peers at the same time. And then finally, build a portfolio by contributing your knowledge and demonstrating exactly how much you know about IoT and cybersecurity; you never know who's going to be looking at your skill set.

So how do we build trust in a community that is inherently distrusting? Well, crowdsourcing is notorious for producing misinformation, yet the platforms that have placed trust in the community to verify this information have always been the ones to succeed. And what is the similarity between them all? Peer review. Now, by the community vetting each other's knowledge, there is minimal risk of misinformation being spread, as everyone is working together for the common good. What does peer review mean? Well, fundamentally, to put the trust in the hands of the community: through community members verifying whether knowledge is correct or not, it creates a collaborative ecosystem. It also means the community can help to fill where knowledge gaps exist. To see change in the industry there has to be an element of influence from all stakeholders involved; however, we fundamentally believe that the community has to be the one to drive the change.

IoT security needs you, because the future of our industry depends on it. Now we have a lot of great ideas on how cybersecurity can influence change; what we really want to hear is from the community firsthand, and what you're doing out there. So please get in touch to talk all things cyber, IoT, and what's going on over at iot base. And finally, if there's one thing to take away from this talk, it's this: let's collectively collaborate to make IoT safer, with community and crowdsourcing being at the heart of it all. Thank you.

Does anybody have any questions?

Yeah, yeah, I couldn't agree more. I think one thing we've really noticed over the past few months or so is that Twitter's taking off in the security space, I think now more than ever. I'm not sure why that is, why the trend seems to be that way, but yeah, I couldn't agree more: Twitter is very much a collaborative space for the security industry. But aside from that, I think the way we see it is that the industry is very much still kind of siloed in the way it works. People want to work together if they're trying to achieve a common goal, but aside from that they won't share information, and I think Twitter's a good example of that.

For example, you mentioned that vulnerabilities and malware etc. get published on Twitter, and that's great if they're trying to get company attention; however, if you're trying to build essentially a team or collaborate in any way, shape or form

Yeah, yeah, absolutely, yeah. And I think why Twitter is also good is because it puts a lot of pressure on the vendors as well. People, the manufacturers, they see, "oh my god, there's a huge buzz on Twitter, everyone's talking about this vulnerability in my device, I should probably do something about it." That's something that we want to tap into, and we want to carry that sort of ethos beyond Twitter as well. You said that they get together and they take it offline; well, if we could help them take it to a different platform but then also have other people join into that, we think it could cause a real buzz there as well. Yeah, another question?


Yeah, yeah, awesome. I'm happy to take the first bit. So we mentioned in the presentation peer review is going to be important for our platform. We see obviously an opportunity for people of the community to be able to contribute information, and to do that we should create a space that allows the community to also verify the information that other security professionals put on that platform. And so you're not only verifying the information that someone contributed, you're also directly verifying their profile. So let's say that if you follow like a traffic light system, where each profile is representative of, let's say, if it's a green then it suggests that our security professional elects information and that information is rigorous, you can trust it, there's integrity there. Someone who's amber, which suggests okay, if that person has contributed information then you need to take it with caution, but you'd be able to also see the portfolio to back that up as well. Red as well, which I guess a lot of the people responsible for the Mirai attacks would fall into, and would suggest that okay, if that person's on the platform then maybe the information that they put on there shouldn't be held in the same regard as a green person. And then it would also be important if there was some sort of flagging mechanism, so if there are these red people then other security professionals are able to flag that, and that would then report it, and then there would have to be some sort of process to minimize the input that that individual has.

And just on the point about responsible disclosure, for us the way we see it is that it doesn't necessarily have to be zero-days that are being reported in a collaborative ecosystem; it just has to be the basic stuff about a device, or cybersecurity more broadly, so that the people on the other end can make a more informed decision, whereas at the moment all of this stuff is going completely uncaptured because the community is sitting on all of it; they just don't even realize it and have nowhere to share it. So it's not necessarily about sharing zero-days and creating new ones, it's more about kind of making everybody more informed by creating this collaborative ecosystem.

Any more questions? Cool, thank you. Yeah, if anyone's got anything, obviously we're going to be around anyway, so if anyone can think of anything then feel free to pull us; we're very, very open, engaging people. So yeah, cheers.