
BSidesIA 2017 Track1: IoT Attack Footprint – David Linder

BSides Iowa · 55:09 · 95 views · Published 2017-04
About this talk
BSides Iowa 2017 - Track 1
Title: "IoT Attack Footprint"
Speaker: David Linder

The Internet of Things (IoT) is not new terminology. However, the sheer amount of connected devices we have at home and at our businesses is growing exponentially and increasing the attack surface. Attacking and assessing IoT can easily lead us down a rabbit hole only to hit a wall on the other side. However, we need to be extremely comprehensive in our methodology and not end up down that rabbit hole for too long. We're here to discuss the attack footprint of a typical IoT infrastructure, whether at home or at the office. We will discuss a threat model and verification of a real-world IoT assessment including every component from hardware, protocols, mobile applications and devices, web APIs, etc. We will discuss attack vectors, attack motivation, typical attack vectors, and common shortfalls in IoT systems. Join David as he walks through an assessment of an IoT system including a high level threat model and attack chain discussion.
Transcript (en)

for this start we have daily winner David is the vice president of solutions at envision these experience application security professional with over 15 years experience in computer security industry during this time David's work with multiple disciplines in security fields form application development network architecture design and support item security consulting security training and application security over the past eight years David specialized in all things related to mobile applications and securing them David supported many different clients including financial government automobile healthcare and retail the spare time David Holmes is mobile and iOS you testing skills by participating in numerous bug balance welcome thank you thank you if I'm not loud enough let me know I've got a pretty big voice like Greg thanks

for coming today I'm going to talk about some IOT stuff kind of the attack footprint threat model of IOT where we're at and kind of move forward but first Greg kind of went over who I am that's me I golf a lot a hack a lot so they call me golf hacker Dave's I do both at the same time usually one thing you'll know want to know about me is I'm a little salty actually at work I have what they call the lsi the lender saltiness index and one of my co-workers graciously put this together for me and said well I tracked your saltiness level which I update my slack messages about throughout the day

there's one sharp contrast here that you can see right I should probably eat and drink more because everything else drives away up so before I dig into the things I like to talk about I'd like to know who my audience is who hears would consider himself a security analyst okay how about any developers managers and what does everyone do lead hacker okay so I saw like five hands total raised what do you guys do we will answer the question is are the students what's up that's all you do is cool well I get I want that job so what I'm going to talk about today i'll talk about IOT kind of what it is its history

will go through kind of a threat landscape of what I cilt posing to us I'm actually going to try to address the issues which doesn't usually happen usually someone stands up here says all your ships bad and then walks out of the room right well I'd like to try to actually address things which is something that our community has to get better at and then maybe go over the future of IOT not necessarily like 10 years down the road like tomorrow future so warriors IOT we used to call these things embedded devices so it's just a new term for it right it's actually been around for quite some time it's like we just changed the words

to make them sexier so other companies can sell [ __ ] right and that's really what it comes down to but fax machines printers scanners cameras badge readers all that stuff I would consider IOT well that's been around forever and they're still here right so it hasn't really changed it's just gotten more excessive if you will so NIST actually defines things anyone work with NIST controls I pity you so they actually define it is the network of things right and they have a control the nist 800 183 for this and they define network of things as five separate components there's the sensor which I would consider hardware firmware stuff aggregator which is just your software layer communications obviously

we understand what that is external utilities which is kind of like a bucket catch-all for your mobile apps web apps cloud what have you right and then just decision triggers which would be like your business logic or any logical in the code they separate that out I don't recommend reading it because they're boring documents but I summarized it pretty pretty good for you there so what I want to do is I want to make an IOT device today ok so I grabbed this and said hey let's make a water flow monitor for your home we all probably have them in our home already right but let's connect it right not just where they can scan it from the street but let's put it

on the Internet right so based on what NIST says let's add some sensors throughout your home now you can sense different things temperatures a different water flow you know whatever you might want to send throughout your home oh and let's create mobile and web apps to you see where I'm going with this well if there's a mobile and web app we probably have some sort of cloud infrastructure or something that they're talking so we now have what used to be just this little guy has turned into this thing that's all over the place and you know it's in your home it's in your hardwood building wherever it is and it's being exposed externally so what can this thing do all these are

just some things that came off the top of my head maybe leak detection flow rates temperature maybe the ability to turn on and off your water usage stats maybe it can determine what appliances are being used so based on the water flow maybe it says oh well that's probably a water softener or that's just your refrigerator making ice right maybe can contact people in case of an emergency a lot of IOT devices are doing that now that's a little bit scary anything else this might be able to do come off the top of your head I like this to be interactive so if you just read them my powerpoint it's kind of boring do UK I wish it would that'll be

awesome yeah that's the I believe that what's that sure yeah definitely yep sure okay yeah I definitely know what use of stats who knows what what you could determine like a dummy stop using so much water in the shower so its security relevant for something like this the obvious answer is yes right of course it is there's a lot involved even in a system like this there's tons of data that may or may not be important to you but all that data could track you as a person if you will right when it comes down to it all that data can be manipulated compile whatever you want to call it and know exactly who you are where you live all that good

stuff right obviously there's connections Wi-Fi Bluetooth you know GPS stuff maybe net mesh networking all of that stuff is definitely going on in these IOT devices and then the hardware obviously there's a lot of different hardware involved you have major vices you have the sensors you've maybe got mobile devices involved maybe some bridges that that are being used in the the overall system so yes security is relevant it might sound simple when you go into best buy oh yeah cool water flow sensor I'll just go throw that on my network and it's going to tell me all sorts of cool stuff but these are the things that we're not really thinking about as manufacturers and as consumers of these things

so what are the typical security hurdles for for these sorts of things from a manufacturing standpoint mobile kind of screwed things up for us in my eyes from a security perspective we're doing things really really really fast you've got to be first to market right if you're not first to market you've probably failed unless the first to market fails right so there's a speed thing to it there's a cost of manufacturing you know they're you know depending on how many different sensors the type of hardware that's needed and then there's perceived security of the device which frankly I don't think people care right do you think people really care if that device does something cool do they

think about security when they go to the store to buy it no right there's it an n+ halo this can be something cool I don't think about everything else right so unfortunately that's being used to the advantage of the manufacturers right and they do things very quickly which honestly I think mobile created this whole agile push right it's just speed we can do things faster which may or may not be good yeah

it could be right I mean or they could connect for the main device which is then internet dating but there's something within that system that's connected to an Elvis if you will so then there's the user behavior you know what is safe for me to actually use this device it's a set I'm in Florida on vacation and I can push a button and turn my water on and off right is that safe maybe but think of it beyond that that means that there's some sort of connection from me in Florida to my home to my home network right how far in fact do we push this boundary right you know water flow sensor is probably pretty minimal but

when you start installing all of these sensors in other facets of our life whether it's at work at home you got to start asking yourself what can we do and what should we actually do I'll talk about some of that in the future and some of the things that are being done today so well let's talk about the landscape the threat landscape of IOT and kind of how I see it now some of this stuff I'm going to talk about wearables too because they are kind of IOT in my eyes most people have something some sort of wearable but there's a lot of threats right malware social engineering you know data theft BYOD is a problem botnet all this stuff

still is a problem with IOT it's just we're putting all these things everywhere right but one of the attackers after

yeah resources data access money control maybe just to make you mad you know be a burden yep and there's there's all sorts of avenues of attack here it's just it's not just an exposed port for some website somewhere right I've got devices multiple different devices probably multiple communication channels different web components cloud components all this stuff in one system and it's all got to be secured so it looks kind of like this you know and that's definitely not all here sorry those sensors could be exposed to the Internet you know you know you could speak directly from the mobile app to a sensor this is just kind of high level of all of the different communication that may be

going on you know whether it's Bluetooth or HTTPS or TCP WebSockets what have you right there's a lot going on here so where can we screw up with all of this

everywhere right everywhere and we do for numerous reasons I mean those sensors are so minimal from a computing standpoint that a lot of times they're not even powerful enough or they worry too much about the battery life but they can't do simple things such as like HTTPS or TLS because the battery life will just be destroyed ok so as a manufacturer and as a consumer I've got to understand all this at least a little bit to realize that it's not just me buying some water flow sensor I'm not exposing things that I'm not usually exposing to an Internet of people who don't like people let's just get down to it so let's talk about attacks against the

actual devices themselves so the monitor and the sensors right so I would say there's a pretty low likelihood that someone's going to attack that device more than likely you would need some sort of physical maybe close proximity type access unless there's a way to remotely do it or steal someone's mobile device but that gets into a whole nother story small victim pool right so it's probably a device or installation instead of many right but if there are input api's that are exposed you know that can always go up impact may be medium it just depends right data compromise is probably an issue manipulation and control and assets in the case of this is probably the biggest thing

and if you can pivot into the local network I mean frankly that's what I'd be looking for in a case of a water sensor right I don't care what the temperature your water is what I do care if I can install some backdoor into this internet-connected system and now I'm on your network right now I can look around and see what else you have exposed like your tax information that this water sensor just process for you right but the thing is they're so minimal and and they don't they're not complex you don't have to be a hacker to do this on these devices right i mean those sensors are probably tiny and maybe all they're doing is

collecting data but if there's somehow connected into your network games over right so what about attacks against communication channel this is the one that i would say most of the IOT devices that I've looked at struggle with is the communication channels and mostly in the Bluetooth category right so Bluetooth 40 ble 40 was was released in 2010 low power low cost low bandwidth late to see all that good stuff sounded amazing right but it has some massive security issues so they fixed a lot of those in ble 45 4.2 but the problem with that is is a lot of the hardware and such doesn't support it so a lot of them are still stuck on 40 right and now five is

available and like nothing supports that yet right so we're in this this like Google mode and we'll talk about Google and a little bit where the only way to fix it is to upgrade your hardware right and manufactures like well why would we do that people don't care about the security other things they're using HTTP and co-op anyone here heard of co-op so obviously you've heard of HTTP that's your typical web browsing protocols right it's a very heavy protocol right so a lot of these manufacturers are moving to co-op which is like HTTP but much lighter and they do that for battery reasons resource consumption right it has all the same benefits of HTTP you can do co-op from a TLS

standpoint it just works at a lower level so unfortunately we're seeing more of that but we'll get into that in a little bit so attacking the communication channel you still probably need physical or close proximity access it really depends on the device right i mean if that actual device is exposed to the internet you know you definitely don't right but i'll talk about some ways that that they've been exposed in my experience more than likely there's multiple victims in this case communication channels are established standards so people understand where flaws might be already um you know they're not writing their own thank god a lots of plaintext api's are going on here because they're not doing

encryption so i recently looked at one and exposed basically you plugged it in it exposed the captive portal and the only thing it did that for is it needed to get information about your Wi-Fi network so you connect to its access point and you enter Wi-Fi information once you were connected to the AP it sent that Wi-Fi information in clear text just a JSON request in clear text and applied it to the system and then it connected to the network the problem was it took him three parameters and two of them were exploitable from an rce standpoint right so we could remotely execute code on that device and we were able to then back door into the device and now work

on the note right so if they if they wouldn't necessarily expose the plain text it would have been a little bit harder for us to do that because they're like oh well we've got network isolation turned on yeah well it's still in clear text right it doesn't solve the problem um so there was definitely Danny can't compromise over the year I mean outside of the fact that we could break into the device itself it's going over clear text now I know your SSID and the password I need to connect to it that's being just sent over here and there possibly be some data manipulation control parent devices may be back end systems if you get access

through some communication channel and then probably tracking right it just depends on what that attacker wants to do so where would I go if I was a bad guy right well these are everywhere right look I mean he imagined all their [ __ ] in a big apartment building is going and start listening right or set up a pineapple Wi-Fi with the name AT&T or Hilton or whatever it is that people are automatically going to connect to I just I don't know a really close type neighborhood other places i would go any ideas yeah here yeah sure how about a gym right how much data is being transmitted and transferred with all the different devices that people have now

sure yeah Super Bowl right I mean heck be the Olympics this last year they had sensors like all over the place all over I was like can I get involved in some helping with that now we're good yeah never never heard anything better but they were tracking everyone and everything that everyone did with sensors throughout all their different buildings so how about parent devices we don't have any mobile device problems right well the biggest problem my eyes isn't necessarily security but people leave these things all the time leave them in cabs or airplanes or on a bench and coffee shops wherever it is it's actually lower now but that's because they're not being stolen as much because

of some of the protections that Apple Google and so on have put into the devices themselves it's a lot harder to steal it and turn that around for profit because you can't necessarily wipe it as easily let's so 5.2 million devices in 2014 that was a lot of latest static could find but it's probably about similar to that today so attack against the mobile device usually you would probably mean some sort of physical access to said mobile device that's not real easy to do more than likely you would need root access to do something so you'd have to jailbreak or root that device which again isn't isn't as easy to do today as it used to be

and the fact that many devices are lost or stolen each year and devices aren't up to date and I'll show you some stats about that here the next slide impact probably medium you know if you compromise that device that water flow sensor is probably the least of your worries right with all the different apps of people i think they said the average user of a mobile device today has about 150 apps on their device they probably use five of them but just in case I need that tape measure that sends my data to China right small understand cool but you know with data manipulation and control you know the the attacker would love to get a

hold of that device so what happened that was big in 2016 a lot of cyber espionage and spyler stuff going on pegasus the nexus by iOS and Android respectively they were trying to target high-profile high-level executives and basically they were spying you know text messages recording calls you know anything that they could do when they got onto those mobile devices but one of the problems I see with mobile is the fact that Android is still way behind when it comes to getting devices updated and if you look at those numbers I know if you can see that all the way to back but the newest versions of Android of nougat which is 70 and 71

two-point-eight percent of devices are running that 2.8 whereas you look at iOS when seventy-nine percent of devices are running almost eighty percent or almost uh iOS 10 right so but you have to go way back in the androids back to like jelly bean before you get to you know the iOS centers that's a problem and it's a problem that google PR and marketing has tried to address and they've tried to kind of pull out security components and provide the ability to update but as a manufacturer wouldn't you just want people to buy new devices and spend more money so that's really there's three cooks in the kitchen there's Google manufacturers and then cellular providers and they're

all doing their own thing so this is why we've run into this and I don't see it's coming out of it time soon so you can hate on Apple all you want in their dictatorship ways but from a security perspective it's working better than google I don't know if it can

be one result and I think that's ever going to change if they don't have extinguished evening from other

just go back to the Nokia stuff right like this but no I get it all right but [Music]

but you're right i mean it's it's not going to change with that many cooks in the kitchen without google saying all right you can't change our or less anymore right but even then it is fairly hard to move anyone here do android development oh my god i pity the man like the fact that you look at this or look at the numbers here and now you got to decide what versions of android are you writing your app for it's not as easy in iOS and you can just move to the new one fairly quickly but you gotta support two or three or four major versions back to support all your users and that sometimes requires some drastic changes

in your code right yes so what about attacks against cloud right cloud is definitely one of those terms I mean it's not really that different than what we're used to it's just how the data is hosted and all that good stuff right but this is where the real stuff is exposed if you're talking data and information right it's exposed within the cloud or whatever the back-end infrastructure might be so attacks against multiple victims is common if I was the bad guy and I wanted data I'm not going to run an attack against the stupid Fitbit you're wearing I'm going to find where that data is housed the backend stuff and try to find a problem there right because I'm going

to get all your data instead of just one of you you know attackers would need to exploit the fallibility that's in the cloud not necessarily something that's on the device itself now there is one example so Fitbit had an issue it was to end of 2015 where researcher was able to package like tiny kilobits of data into a Bluetooth stream and infect the parent mobile device with it now they didn't take it any further than that but more than likely it would have been infecting you know whatever the backend cloud infrastructure was to branding it was just a tiny amount of kilobit data that who knows what they could have done in that space but in fact is definitely going to be hi

this is this is where you get wall street journal front page right this is the targets the home depot stuff like that where they've exposed millions of users data right so impact to an organization is going to be very high and then you know depending on what that data is you can probably track and single out business so how do we address some of these issues right it's not easy it's not it's not ever going to be easy but here are some things that I think we need to do fixing the devices themselves since they're so little and their ability to process a whole lot of things is minimal I say don't store a whole lot

of data there push the data to central as much as possible just to get rid of it whatever data you're collecting have some sort of poison pill right if that device or whatever it hasn't checked in in a while kill it off and it's you know back to factory reset or whatever else very easy to implement make data as anonymous as possible so say I found your Fitbit or I was able to steal my you know water device after it was returned right that data shouldn't be tied back to a specific person if at all possible turn the device off when not in use are not needed for communication so I actually recently looked at an IOT

device and it was really really hard to dynamically assess it only used web sockets but it only used them when it needed to and it shut everything down when it wasn't exposing that right and it only pushed from the device to the back end it didn't allow into communication the other way which is also then his number five here you know if at all possible just push don't allow you know push and pull data from the back end don't allow or the back end to actually modify that unless if at all possible obviously that's not going to happen in every case but in the case of this all it was doing this data collection and it's like oh cool i'll

just do this web socket quick you have any data for me if not i'll shut it back down

great question so the back end can still modify the vice but what I would like to see is that device only pushes and pulls so it will push something and then it will query likes a queuing system and say hey you have data for me it's not the other way around with the back end just says hey here's a bunch of data you know it's not making the communication device is controlling all of that right so what that is is that lessens the ability for anyone to remotely tie into that unless they've compromised the back right because it's not exposing an open court that's accepting traffic if you will because it's controlling all that from the device

fixing communication channel issues so here's another thing we have a problem with an info separate we can't come up with terms that are the same for everyone right if I said what do you think a pen test is I'd have 27 different answers right same thing goes for Bluetooth here iOS calls the different things whether it's a you know the device or whatever else is central and peripheral so the iOS device itself is the central whatever the other devices connecting to the peripheral Android closet client server okay chipset manufacturers they call master slave so you would think we'd be able to come up with common terms here but this is good to know because you can get kind

of confused when they're leaving in and out you know I would like to see everything using ble 4.2 or five now but again you know we've talked about this a lot of the you know external type devices that can't support it but I would like to see that because it's much stronger than 40 was I mean iOS 8.2 and Android 4.3 will support those communications but the it's not necessarily the mobile device of issue it's whatever they're connected so the other thing is talking about the authentication scheme so there's basically four different communication schemes when it comes to be le there's just works please don't don't use that ever if you buy a device that uses it take it back

basically there's no authentication at that point it just connects it'll connect to anything most of your bows its own systems was it so knows all your speaker type things this is what they use everyone see the bows problem lately anyone have the QC 35s me so anyway bows was exposing users playlist data and all that through their mobile app that they tell you to download with the headphones you just buy so that's a big hub of right now the other ones you ver comparison this one's better right usually it's set up before you connect so you'll buy something and within the manual says hey here's the six digit passcode that you're going to need to

connect to this Bluetooth device that's better unless that's the same passkey used in all the devices you've now delivered right past key entry is the other one we're creating or the device creates a random you know 62 whatever digit passcode the only thing here is the device you're connecting to has to be able to display it so it won't work for everything what I would like to see is everything news out of band but there is a problem with using out of band but out of band is basically allowing to use certificates things like that to to initially pair the devices the problem is is like iOS still doesn't support how to band bluetooth still the

only time it uses it is when it talks and connected to your Apple watch that initial pairing that little screen that everyone seemed there that's using out of fans to connect and in talk show iOS in general from an application development standpoint only supports pasty or just works in their court lu two i don't know why they don't provide access to NFC or anything like that that would allow them to do the out-of-band parents android it's supported out of and pairing for as long as i can remember right so they do have that ability it's pretty easy to set up most of the time has done through NFC you know so you need close proximity

type access to do it so definitely use that within Android so how do we fix some of the other communication channel issues well pls pls pls pls to us right how many times have you heard that lots I don't know why they're still not using it or you can use dtls which is the lighter version the coop version of TLS it definitely does not have the overhead that your HTTP protocol does I would love to see cert pinning wherever you can especially when highly sensitive data is involved so you know for sure what device is talking to what device is great I usually recommend start pinning in any mobile app anymore depending on the app and who the client

is will probably depend on what the risk is if they don't a lot of the frameworks say like Alamo fire for iOS if you had almost developer it's like five lines of code and you're doing syrup inning it's so easy to do now there are some downfalls and drawbacks but in my opinion it's worth doing with the drawbacks like for instance one of the drawbacks is if you update your certificate on the server you obviously have to update your app right if that server sir changes I need to know about in the application and that could cause issues if someone's not tracking when that expires right but other than that there's no reason to not

do it so DTLS since no one really here raised their hair I said co-op it's the Datagram transport layer security alright it's at a lower level it's much lighter weight it is very closely related to TLS its support strong cipher suites right so we're seeing more of this thankfully there are different security modes for DTLS no sec disables it so let's not do that right and then there's pre-shared key which you know authenticates both endpoints while public feet uses some sort of public key encryption to encrypt the traffic and then you can actually set your own search so it's fairly similar to TLS you know if you're you know certificate face you're talking like clients sir communication things

like that but that gets a little heavier as you go down that stack right most of the implementations I've seen use pre-shared key so how do we prevent the tax against a mobile device anyone here have to deal with managing many many mobile devices that work yeah how fun is that it's not you know it's been a problem for a while do with you BYOD or do we do we purchase and distribute company devices but it's really all about the device and the app protections and the app applications that you're allowing them to download you know using the olas mobile top 10 controls it's a little bit different top 10 list talks about how you can control

and where those a minute what throughout the ecosystem of a mobile device. Disconnecting from peripherals when you don't need to be talking to them is probably a good idea; not having those channels exposed if you don't need them is probably a best practice here. When you do need them, you should scan for the devices in this order: you should first retrieve any that are already connected; if there's nothing connected, then retrieve known peripherals, whatever they might be; and then scan, right, that's like your last-ditch effort. And that will help from an overhead standpoint as well: if you scan first you're probably using a whole lot more resources than is necessary.

What about the apps themselves? Apps are definitely a problem child when it comes to your security, so I like to talk about the OWASP top nine here. Anyone else familiar with OWASP and all the political issues going on right now? So I say the OWASP top nine for mobile, because number ten is in my opinion not something we need to talk about. But the one thing I will mention here is, if you look at the first one, M1, weak server-side controls is the number one issue with mobile apps, right? Something to remember when you're assessing mobile applications and all of that. And there's a top 10 for cloud as well. How do we protect our

back-end? So these are probably talks all in and of themselves, so I don't like to go into detail, but if you have questions we can talk afterward about some of this stuff. But definitely check them out, as that will help.

So what about the future? We're in an interesting time. Like I said, I think mobile has driven this agile world: speed, and doing everything kind of in a process, and getting away from the waterfall approach to everything from security to development, right? And I think the key of the future, and the problem child, is going to be applications, and when I'm going to have probably mobile apps it will definitely be an issue, especially in the wearable world. Beware of those; they just exploded and they're not going anywhere. I mean, I think like they said 500 billion are in use or something like that; that's insane. Starting to add stuff to locking systems: so this was at one of the most recent CES, Master Lock has all these connected locks now that connect right to the internet and you can unlock them from wherever. That's pretty awesome, right? Not sure about that. I let my dog out and they shouldn't. Sleep help, this has been huge, like sensors are built into everything now. There's someone's bed, it's so bad, has sensors built into it that are then connected to the Internet. Interesting.
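The peripheral-handling advice from the mobile section above (retrieve peripherals that are already connected first, then ones you already know, scan only as a last resort, and drop the link when you no longer need it) maps directly onto Apple's CoreBluetooth API. The following Swift class is an added illustration written for this page; it is not code from the talk or from the speaker. The `PeripheralLocator` name, the service UUID and the saved identifier are constructed placeholders, and a real app would use its device's documented service UUID and persist the identifier in the Keychain.

```swift
import CoreBluetooth

/// Added example (not from the talk): locate and connect to one BLE peripheral in the
/// order recommended in the talk, then release it when the app is done with it.
/// The service UUID and the saved identifier below are constructed placeholders.
final class PeripheralLocator: NSObject, CBCentralManagerDelegate, CBPeripheralDelegate {
    // Hypothetical service the app needs; a real app uses its device's documented UUID.
    private let serviceUUID = CBUUID(string: "0000FFF0-0000-1000-8000-00805F9B34FB")
    // Identifier saved from a previous session (e.g. in the Keychain); nil on first run.
    private var knownIdentifier: UUID?
    private var central: CBCentralManager!
    private var peripheral: CBPeripheral?
    private var scanTimer: Timer?

    init(knownIdentifier: UUID?) {
        self.knownIdentifier = knownIdentifier
        super.init()
        // ShowPowerAlert prompts the user when Bluetooth is off instead of failing silently.
        central = CBCentralManager(delegate: self, queue: nil,
                                   options: [CBCentralManagerOptionShowPowerAlertKey: true])
    }

    // Step 1: anything the system already has connected that offers our service.
    // Step 2: peripherals we have used before, looked up by identifier (no radio scan).
    // Step 3: a radio scan, only as a last resort, restricted to our service UUID.
    private func locate() {
        let connected = central.retrieveConnectedPeripherals(withServices: [serviceUUID])
        if let p = connected.first {
            attach(p); return
        }
        if let id = knownIdentifier,
           let p = central.retrievePeripherals(withIdentifiers: [id]).first {
            attach(p); return
        }
        central.scanForPeripherals(withServices: [serviceUUID],
                                   options: [CBCentralManagerScanOptionAllowDuplicatesKey: false])
        // Bound the scan so a missing device does not leave the radio busy indefinitely.
        scanTimer = Timer.scheduledTimer(withTimeInterval: 10, repeats: false) { [weak self] _ in
            self?.central.stopScan()
        }
    }

    private func attach(_ p: CBPeripheral) {
        peripheral = p
        p.delegate = self
        knownIdentifier = p.identifier   // persist this so the next launch skips the scan
        central.connect(p, options: nil)
    }

    /// Call when the app has finished with the device: tear the link down rather than
    /// holding an idle channel open.
    func release() {
        scanTimer?.invalidate()
        central.stopScan()
        if let p = peripheral { central.cancelPeripheralConnection(p) }
        peripheral = nil
    }

    // MARK: CBCentralManagerDelegate

    func centralManagerDidUpdateState(_ central: CBCentralManager) {
        // Only start looking once the radio is actually usable.
        if central.state == .poweredOn { locate() } else { release() }
    }

    func centralManager(_ central: CBCentralManager, didDiscover peripheral: CBPeripheral,
                        advertisementData: [String: Any], rssi RSSI: NSNumber) {
        central.stopScan()          // stop as soon as the device we want shows up
        scanTimer?.invalidate()
        attach(peripheral)
    }

    func centralManager(_ central: CBCentralManager, didConnect peripheral: CBPeripheral) {
        peripheral.discoverServices([serviceUUID])
    }

    func centralManager(_ central: CBCentralManager, didDisconnectPeripheral peripheral: CBPeripheral,
                        error: Error?) {
        self.peripheral = nil
    }
}
```

The design choices follow the talk's point: `retrieveConnectedPeripherals` and `retrievePeripherals(withIdentifiers:)` are lookups against what the system already knows and cost nothing on the radio, so they come first; the scan is filtered to one service UUID, rejects duplicate advertisements and is stopped either on discovery or by a timeout; and `release()` cancels the connection instead of leaving a channel open while the app is idle.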

How about all the appliances? We're connecting all of them, because you definitely need a toaster that you can connect to the internet, right? Why? Oh, and nirmal talking, no, right. All the appliances are talking now to each other about, hey, it's time to change your laundry and get a beer from the fridge, right? I could get a notification. So this is the one that I see as most problematic, but also something really cool: we're getting more about data-facilitated care. With all of the healthcare issues we have, this is something really need 90s doin a lot of the word. It all started with athletic stuff, right, like we're going to build sensors into our clothing or shoes, everything else, targeting athletes to monitor things for muscle growth and how much they're being used and all that stuff. But now they're building it out more for doctors and things like that. HiMirror, which is the other picture here, is an interesting one. At first it was touted as this mirror that changes the lighting, like for women to put their makeup on so they see how they look in different lighting, but it's actually being used now to detect skin health problems, right? So they're touting this, but there's all these apps and sensors and things now that will allow you to communicate

directly with your doctors, and they can tell how your health has changed over a period of time. And I can see that benefiting people, but that gets a little scary too, because the amount of data and things that's being collected there could be an issue. Stop smoking: Chrono Therapeutics is creating this patch-like thing that's connected; within it, it has little doses of the things you need to help you stop smoking. That seems like that could be an issue too, if you get overdosed, right? But that's coming. Breast cancer detection: so they're actually building sensors into clothing and bras that can detect small discrepancies for breast cancer detection, which is kind of neat, so that's coming as well, all that's connected right to their doctors. Great, or at least that's their plan.

Definitely going to be breaches in the future, right? There is so much data being collected from all these devices, probably data that we never thought would be collected. Like Bose: why is Bose collecting data on the songs that I'm listening to? I never would have thought they'd be doing that, but of course they were, and they got called out for it. Why are our fitness trackers tracking where you are at any given point in time? Anyone here use Strava?

So Strava is a way to track things you've done: I walked two miles today from point A to point B, I ran this course, and you can be what they call King of the Mountain, right? The problem with Strava is all you need is an account and I can now find anyone that's using Strava, anybody, right? So I can see that you have now done a three-mile run from point A to point B, and I have a map showing exactly what you did. So me, I could now track you over time and find a pattern. I mean, it's just scary to think about all this data they've collected about people, and it's just exposed, right? So I find it different: data mining, sharing, the regulation. We're already seeing some of this: they're already trying to regulate or deregulate some things when it comes to data, browsing history, bring about that. That's not going to be any different with all the other data that's being collected. If I was trying to create a new fitness device, for instance, it would probably be beneficial to me if I could buy all of Fitbit's data, right, or get it somehow. So that's definitely coming whether we like it or not.

So, summary: these are tiny devices for the most part, some new protocols, mostly all the same problems that we're used to, it's just more of them. They're more

prevalent, there's more attack surface, they actually make it easier to find attack surface than ever before, right? So we just got to take a breath, step back, get out of this speed mentality and use what we already know about architectures, app security, cloud security, all that stuff, and start implementing that instead of, oh well, we got to be first to market so we're going to think about that stuff last or not at all. Because it's like when mobile first came out: we've been harping for years on network security and app security, and then mobile dropped and it was a shitshow. It's horrible. When the Apple App Store opened in 2008, I was like, oh, this is going to be bad, and sure enough it was, right? That's been something of a passion of mine forever, and I don't see that going away. Mobile apps have gotten a little better, but it's still a speed thing for the most part. So securing IoT, it feels hard; try harder, right? Questions, comments, concerns? Tell me I'm stupid, that's fine. Come on, don't be shy. Nothing? Yeah.

No, the ones I have I've assessed, so I'm comfortable with them from a security standpoint. But like, if I'm going away for a while I might just shut my router off, because it's a little concerning. But I've got a few

things like Nest cams; they're pretty good from a security standpoint as long as you don't open it publicly, which people do and not know it. But other than that I don't really have a whole lot else that's really connected, other than little wearables and stuff. I mean, they're segmented through a single router, it's just a different SSID. But yeah, anything else? Yeah.

Well, considering that hospitals are one of the most insecure places there are, I don't know, it's going to have to get better. I think HIPAA is going to change probably sooner than later; that's going to force them, it's going to force their hand, I hope it is, right? I mean, their hand basically has to be forced. They're finally getting money in healthcare to help secure things, but it's a slow process. I mean, they're behind the times if you try to compare them to, say, financial companies, right? But it's scary. I mean, they're going to start doing some interesting stuff with healthcare. I mean, the fact that we're losing doctors, we're not allowing smart people from all over the world to come in and be our doctors, it costs too much. If I don't have to go into the doctor and I can just push a button and it sends everything I need to send to my doctor, I don't know, it might be worth it. All right, yeah.

Oh yeah, baby cams, dolls, you name it. There was actually, I remember, some doll in Germany or something, there was a... yeah, right, right, right. And then they said something about, well, if you don't destroy these now and you're found with one, you're going to be fined a bunch of money. But yeah, baby cams have been a

known target for a while, because they just expose things with some known address and whatever else. Trying to think if there's anything else off the top of my head. I mean, the Bose thing was a pretty big hubbub of the last couple of days, but it's more privacy than security, right, because what, they're grabbing all your data and sending it who knows where. Nothing real big yet. I mean, frankly, guys with... oh

Which one? The one in Texas? Oh.

Yeah, I mean there was the one in, was it Houston, where they set off all of the tornado sirens, they were going on.

Oh.

Yeah, cars.


Does it have it on it?

Oh yeah, oh, it's been around forever. I mean, anyone have an idea when the first wearable was created? It was like in 1960, yeah. Two MIT researchers created a device that helped them successfully predict the outcome of roulette. They got caught doing it, right? The one guy wrote a book about it, actually. But when it was, it had some belt thing and something like in their shoe, and then they had a little earpiece in here, and basically, on whatever came up, he would tap his foot a different way and it would help them. They won like, the one night was like 80 grand or something. So, two minutes, one more question. Again? [Music] know what computing?

Yep.

It's more of the same. I mean, it's not really any different than what we're used to. Cloud is just a fancy term for a back-end network, if you will, with different technologies, different types of data stores. As someone who wants data, I'm always going to attack the back end, because there's going to be more data accessible. So fix SQL injection, damn it; I've been talking about that for 20 years and we still can't get a rush. All right guys, thank you, appreciate it. [Applause]