Everything is an embedded device. Connected tv, a car, locomotives, airplanes, drones. Everything around you is pretty much an embedded device. Its a device with a computer inside of it. Everything that runs the world we live in is essential advice with a computer in it. Many of those devices can make to the internet, some talk to each other. We are interested in those interactions. Host what are you finding are the vulnerabilities of embedded devices . Guest ive been doing security for a long time, probably before it was cool, and a lot of the vulnerabilities weve seen from 15, 20 just go with that were extinct, if actually come back in embedded devices. Surprising. To export a modern phone, smartphone or even a computer, takes pretty highlevel sophistication. An example is infusion product i look at a few you to go had no password. You could make it to whatever you want. Try and what you medical device . Guest yes. The device that is controlling the amount of drug the patient is getting window length in a hospital bed literally have no password. You can connect to it however you wanted. You can make the puppy wouldve you want including administering high rates of drugs. We were able to demonstrate to folks like at the fda. They looked at these the momens and were pretty appalled. They issued a cybersecurity safety advisory are some of the things we talked about but just generally speaking, usually dont find those things in modern software anymore but you can see this in embedded devices for some reason. Host youve tested pacemakers . Guest sure have. Looked at a variety of pacemakers can look at pacemakers from four different manufacturers to see what the commonalities were between them. Surprisingly there are a lot of commonalities. Some of the things we saw indicate theres probably a lot of cross polarization and sharing amongst engineers who make those devices, but some the things we saw in the pacemaker industry were pretty surprising as well. Host what did you find . Guest for software to get some of these devices so we went to some places like ebay and other auction websites and bought pacemakers, pacemaker programs, so its pretty easy to get hold of surprisingly if youre willing to spend a couple hundred or a couple thousand dollars. One of the first things we looked at was just the amount of software that on some of these devices. So for example, a pacemaker program the device that a doctors going to use to basically set the parameters for the pacemaker inside of your body is really just a computer. In fact, one of pacemaker programs we looked at was literally running windows, and old version of windows. Windows xp, so endoflife microsoft no longer supports the operating system but would still be used in this pacemaker programmer. The operating system youre running under laptop ten years ago is the operating system thats running a pacemaker program for one of the largest manufacturers in the world. Host why do drug Infusion Pumps and pacemakers need to be online . Guest its a question i ask myself every day. There is some benefit to this. I dont want to make it to where its pure doom and clue. But having these devices talk to each other, be able to get the right information to position or a nurse at the right time, thats a really valuable thing. It can save a lot of peoples lives and thats why these are being connected. There are inherent risks you take when you connect the device. If the device is talking to another device or talking to the internet there are some inherent risks that are involved with that regardless of what you do. Regardless of how will you engineer the device can what your intentions are. Thats a look at. Theres inherent risk in connected devices and its really hard. Its not easy to create secure device but right now the benefits probably outweigh the risk but if were not careful the risks could overtake the benefits and thats the situation we dont want. Host why would somebody want to hack a drug infusion device . Guest thats a good question, and i try not to answer the question why because to be honest the technology is pretty complicated but trying to understand why a human being would do something is even more collocated. I try not to play that game. What i do know is its technically possible and so if someone wants to do this for a variety of devices like a drug Infusion Pump they can. Whether they are mentally unstable, whether theyre emotionally imbalanced, whether have a vendetta or message they want to send, whether they are a government trying to do something or present harm to somebody, i dont know. Thats something i could answer. What i do know is technically, from a technical standpoint its possible. Whether or not someone has the motive or means, whether someone wants to do this as a totally different question. I cant answer that as to why someone would want to do this but i can tell you they can do it. Host we are moving into world of the internet of things. Embedded devices everywhere. What does that mean . Guest it means a lot of different things. One of the things will be talking about this week our safeties associate with the internet of things. So internet of things, connected devices all around us. If you think you live in a World Without being too connected five you are not when you go to the computer, get your car washed, those are connected devices, computers that are doing it for you. When you get on the airplane to fly to las vegas, thats a flying computer. Connected devices are all around us. Internet of things all around us. Us. It affect your life whether you want to or not. Thats a very interesting situation for a lot of people, for us to take a look at how these devices impact the daily lives of people and whether or not there are risks people dont realize that are either becausf these connected devices. Host when you work with a company, when whitescope works with the company do you try to penetrate their defenses . Guest that depends on what their organization wants. Some organizations hire us to take a look the devices to help them improve the security engineering other devices. Some are really more operational. They have the facility or building or data center or stadium they know these devices are there and they want us to help demonstrate what can be done if those devices are hacked. It depends what the organization wants but we do a variety of services for different people. Host are you a hacker . Guest at the end of the day we have to find bold abilities. In most cases where to write exports for those vulnerabilities. I wouldnt, so back to because theres a a difference between what we do and what a real hacker would do. We find vulnerabilities and we may demonstrate to you what those photos might be if there exploited. We wont ever do that to really hurt somebody or we will do that to damage your equipment. Thats not something will do as a researcher or accompanied the time to do something. I real hacker would. A real hacker would exploit a device to hurt or kill someone. I real act would exploit a device to take that an organization or descendent or position a message to destroy equipment. They would do that and so thats a line we dont cost. Host you mention youve been in this field in security for quite a while. When did you start and what were you doing . Guest i that a pretty colored career. I was in active duty office in the marine corps. I searched in signal Intelligence Unit in hawaii. Thats were you when the foundational of Operational Security and computer security. Spent some time at the Defense Information Agency doing intrusion detection which is a nice way saying catching hackers. Did a lot of time doing Penetration Testing which is where Companies Hire you to break into their systems and show them where the weaknesses are. Worked for microsoft, Security Program manager there, worked for google as a tech lead. So started, twitter a startup that was acquired. This is my second start of and the cybersecurity world. Been doing this for a while. Its something i love to be honest, if tomorrow all the resources and money dried up in service. I would probably still be doing it. Just something i have a passion for. Host is the military the lead agency in protecting americans against Cyber Attacks . Guest thats a good question. Its something the government is struggling with to be honest. Probably the hardest problem in cybersecurity is not a technical problem. The hardest baba in cybersecurity is a workforce problem. When i worked at google and Silicon Valley, it was basically us just training security interest engineers to other Companies Back and forth because there is a shortage of cybersecurity professionals. The amount of money and resources and freedom thats given to a lot of these individuals that know what theyre doing in cybersecurity is pretty astounding, the salaries of the things they can ask for. We find her since the u. S. Government and the strap a hard time keeping up and retaining some of that talent. They may provide foundational skills and training and then they will find themselves losing these top talent they have in organizations to places like microsoft and google and facebook which all have great top security teams working for their organizations. Its a struggle. Its very much a struggle for the federal government, a struggle for the department of defense. Host would you be an example of . You were somebody who was trained by the military and now youre out youre doing it privately. Guest ice to keep ties with a lot of folks in the federal government. I still work with a lot of folks in dod but i can tell you now they are very much struggling. They understand to train someone to do this is an investment. Theres a certain level of aptitude required. Even if you invest money in training you may not get an individual to the level you want them to be at. Those folks have demonstrated the capability of being able to understand this opportunity concept and foundational pieces really well, take it to the next level, they are highly recruited by a lot of other places. If the individual is motivated by money or just a lifestyle or different lifestyle than the federal government or dod they would be recruited by those organizations. Its a tough place to be. It highlights the biggest problem in cybersecurity which is workforce. Theres a tremendous shortage in individuals. Everyone is fighting over the same pool of people. That makes it a tough proposition for folks who are not as agile as a Silicon Valley company like the dod for example. It will be something there will be struggle over the next decade or two. Host do you need at least a masters in Computer Science . Guest definitely not. I have three masters degrees but enough people who have no degrees who are much smarter than i do kind of folks who literally did not go to college, undergraduate college or anything like that who know cybersecurity really, really well. I wouldnt say you need a formal education to enter cybersecurity. I personally know people who are in that situation. It could certainly help. Im not saying that the path you want to take is not go to school, having a Solid Foundation in Computer Science or Electrical Engineering is a good thing but its not a requirement. Host whats your role at black hat . Guest im giving a talk later this week. Were going to show exploitation of the connected device and were going to cause the connected device to attack somebody physically attack somebody. Host can you tell us what the connected device is . Guest i wont say what it is pure we will reveal that during our talk. We have three criteria for the device were looking at. Number one it had to be connected to the internet. We will be able to control the device of anywhere in the world. We can set at a starbucks in asia and control it in the united states. It had to be publicly accessible which means an average person walking down the street would be able to see one of these devices. We dont want it in a secured area or a manufacturing plant. We won in a public space that will be used by the public. The last piece of the country we wanted was we wanted to demonstrate a safety issue. I know that a lot of cypress good issues are connected with privacy and things like that. Those things are important, dont get me wrong. When you lose your critical information its a bad day for you. When your hospital gets breached annually to Health Information thats a bad day for you as well. Some of these connected devices have safety implications. We are going to show what the safety implications can be by causing this device to attack an occupant. Host billy rios, found a security researcher from whitescope. Thanks living on the communicators. Guest thanks having it. Appreciate it. Host now joining on the communicators from the block at Convention Las Vegas is robert leale. What do you do for a living . Guest i have cars. Host on purpose . What sting of your company . Can bus tack. Its done inside vehicles and had argosy fracking. Host our cars basically rolling computers anymore . Guest its hard to call the bullet computers. They are a fusion of mechanical and electronic components. A lot of those are very Small Computers that control the mechanical aspects of the vehicle. Host on a typical american car how many socalled computers are in their . Guest between like 15 and 30. Host what do they control . Guest everything from the engine to the displays, to the lights, to the door locks, to the suspension, right handling. Really every component nowadays is controlled with computers. Host is security make in to a cars computer . Guest sometimes. Security is a word they are starting to use a lot more in terms of Electronic Security. A lot of times when oem is referred to security theyre talking about securing the passenger seat belt, making sure that they dont get to accident securing when the hit a wall with their back but rather talking more about the Electronic Security of the systems. Host is it a growing problem . Guest its more noticed, if that makes more sense. The issues always have been there, but now is of recent hacks, its become a lot more noticed in the media and by the average consumer. Host a year or two back a couple of gentlemen from wired magazine hacked a car on the road. Did that sendup flares for people . Guest yes. I think that really awoken a sleeping beast in a lot of ways. It was absolutely a very, very well put together hack. And what the gentleman at wired did was very novel. Host if we went down in the parking lot at mandalay bay, could you hack into any car down there . Guest i i wouldnt say, its tough to quantify what the word hacks is. Could a fight or do i already know issues with those individual vehicles . Yes. Theres a lot of preparation that happens behind the scenes when youre doing a hack. You have to spend a lot of months or maybe you know, several weeks if not months in order to figure out how these systems work. Once you figure that out you can do certain things across one vehicle or another vehicle that might be unlocking the doors or a mighty shutting the vehicle down remotely. It might be making so the vehicle cant start. It depends on how you define hack. Host that if we went down there could you started vehicle or unlock its doors . Guest absolutely. Host how long would it take you . Guest depends on which vehicle it is. Some vehicles within a matter of seconds. Some of vehicles may be it would require me to have the person who owned the vehicle hit a button and then i could capture that information and we replayt back to the vehicle later. Host who hired you . Guest whoever wants to. Its a really tough question to answer. I get hired by companies who are looking to integrate Electronic Devices into vehicles. I get hired by Automotive Companies are looking to secure their vehicles. I actually am also hired by lawyers looking to make sure that their vehicles of the customers are secure. Host how did you get into this business . Guest ive been doing it since i was 16. Host breaking into cars . Guest hacking cars. Ive been hacking cars. When i say hack, i mean i am self trained. When i say hack i really mean figuring out have Electronic Systems work and then using that to my advantage, whatever that is. Host is it a reverse engineering . Guest reverse engineering is a big part of the process. Reverse in cheating is a first part, keeping out of the systems work through reverse engineering, then after that we use that information that we learned to do something on the vehicle, whatever it is our target is. Maybe its unlocking the doors, maybe its during the windshield wipers or turning the lights on or something benign like that. Or turn the car off while its driving. Depends on the application. Host has that happened besides the wired story that came out a couple years ago . Guest has host hasnt happened in a bad way . Has a carbon hack in a bad way while driving . Guest not that im aware of. Weve done hacking since before and since that in a controlled environment for different customers, whether their government customers, whether they are state, local customers, whether they are oems aftermarket. It just depends on the Different Levels of the requirements and whoever is contacting us and hiring us to do the job. Host what does oem stand for . Guest original equipment manufacturer. Thats the vehicle manufacturer. Host how is it that you train yourself to do this . Guest its been so long. So a lot of internet resources help. In the past theres a lot of good websites that described individual systems. I used to work for a Company Called intrepid control systems, and that Company Supplies tools to the Automotive Industry for vehicle interfaces. So i worked a lot with the oems in detroit to train the manufacturer on their own systems. So i learned a lot about their individual systems, that it worked. I learned a lot about their vehicle networks. It was just a learning process over the past i guess about 12, 13 years. Host what is your role here at black hat . Guest on doing the training for the car hacking handson training at black cat. Host what kind of training do you do and who was in the audience . Guest the audience, so at black cat we dont really ask the audience to the are because sometimes they dont answer. A lot of times they donated. If you have read the name on it name tag on a black cat person, they have a simple name come something simple. Weve learned over the years to not ask them who they are, because either they are coming from military, coming from private industry and they dont want to really know, they dont want the rest of the class to know who they are. Often people are interested in keeping their anonymity because they are either in the security profession or a military, or after military applications. Host are people from chrysler, gm, ford in the audience . Guest they are. I did meet, ive met some suppliers, oem people to work at oems. Ive met a lot of people from industry at our classes as well. Host as we move into the internet of things world, what are your thoughts . Guest i mean, as long as we dont keep making the same mistakes, i think security is possible. It can be improved, and with the help of people like me, hackers, we can make the systems better by doing responsible disclosure by making sure that the companies we are working with know how it is the system can be more secure. So i think we are on a good bet. They are deathly heading in the right direction. Host the fact that gm has onstar and can unlock and start cars remotely, is that a security issue that it is probably over wifi . Guest the onstar systems typically dont send that information over the wifi that im aware of. A lot of this stuff works over the Cellular Network but the Cellular Network has and also exploited as well. As long as the systems use proper encryption, they can secure a quickly. Not every manufacturer does it correctly. So were helping work, where working with the manufacturers to open make their systems all of it more secure. Host if somebody is listening to this and is wondering if the car can be hacked, is anything they can do at this point . Guest thats a really challenging question. I mean, at a small level every car can be hacked in the way and maybe thats a good thing. If you want to add features to car coming to want something extra to your car. Maybe hack it yourself. But as far as some malicious hacker breaking into their car, that, it doesnt work as easily as alice for someone breaking to car it doesnt work as these are simply just waiting a want and you can open the door. Theres a lot of investment in time and effort, and tools in order to figure out how car hacking works. So unless you are a target of some malicious hacker, you probably dont have to worry too much. But as with the g g pack that happened in the past, the wired hack your document earlier, that was with the jeep come one of y favorite quotes from the kaiser did that was it was easier to hack all of the cars than one of the cars. They found an issue that was actually easier to rollout in a massive scale then it wouldve taken extra work to target a specific person. In that scenario if somebody finds a problem or a bug or a security hole with a particular vehicle and they just feel like pressing the red button and making everything not work anymore, turning peoples wheels, the steering wheels to write as a driving come its easier to in some cases go after everybody, not one person. That was a big take away that is learned from that. Host the communicators has visited in city as well were connected cars are being worked and develop. What kind of dangers are there and connected cars that are connected to stop lights and roadsigns . Guest theres quite a bit more. This is a big concern. We are currently working really hard on catching up with this technology. Its just being released now. As you know a lot of the other vehicletovehicle, Vehicle Infrastructure type radios that are happening across stoplights and roadsigns is very new. It hasnt been tested in a security setting it. At least not in the real world. Maybe the laboratory but not in the real world. So as the cost of tools becomes less and less, more and more people can access these tools, and as more and more people have access to tools to communicate with vehicletoVehicle Infrastructure, radio connectivity, i think we will find a lot more problems with it. I think its a really good idea that they try to keep their mind on security as they will be systems out. I am a little bit nervous thats that happening yet. Because security is very difficult. Its difficult to have security. Its difficult to maintain it and its difficult to integrate it across a lot of different manufacturers. We are going to have some growing pains i think initially, and hope that it doesnt cause a slowdown in the promise of equal to vehicle, vehicle to infrastructure technology. Host our Car Manufacturers working together to set regulations and Safety Standards . Guest as far as im aware yes. There is, sae has come as a Steering Committee, and Automotive Cybersecurity initiative. It still hasnt been released yet. The actual paper isnt that they will but there Steering Committee to try to make it more streamline so that security can be, part of the process of designing and developing a vehicle. Host robert liao has been our guest on the communicators. Host and now on the committee caters we want to introduce you to aaron rouse who is the special agent in charge in las vegas for the fbi. What does that entail . Guest it means im going to run the fbi operations for the state of nevada. Host whats the major focus here in nevada for the fbi . Guest well, for fbi has to be good at everything. Our focus has to be in the Top Priorities the fbi has set out and its what we can do the most with. So for us our number one priority is always going to be counterterrorism, keeping people safe. Host you are attending black black cat. Why are you attending . Guest i think its important for us to know what technologies are out there, what people are involved in industry, for good or not so good, what they are involved in. And what kind of things are interesting to them, what kind of technology is the latest and greatest that they see out there. There. And what kind of discussion groups do they have the gift that wants to be a part of that. Host are you welcomed here . Guest most definitely. Most definitely. Host what do you spend your time doing . Guest a lot of it is outreach like interviews like this. We want to make sure the fbi is seen as a partner with industry and partner with protecting people. We want to understand what is important to them and see how we can plug and play. Host how big is cybercrime in las vegas and in nevada . Guest cybercrime is big everywhere. Because as we are seeing, the best part about the internet is also some of the worst things about it. We see it from everyone with infected emails that they get from somebody that they thought was a relative or a friend, and click on the link for the attachment and they see that, now im subject to ransomware, or now my identity has been stolen guess im sharing a lot of information. Or my business computer has been compromised. Those things are a keen interest to us because its our job to protect people from those type of compromises. Host is their unit within the fbi that works on these issues . Guest the Cyber Division has got the task with making sure we are all focused on the right things. Host what about the casinos . From fbi perspective, we will do you work with the casinos to protect them from Cyber Attacks . Guest we have great relationships with the casinos, all of them. They want to be good partners with this because they dont want to be the victims of crime or the conduit by which the people that go to the casinos are victimized. They want to work with us to make sure when people come to vegas to recreate, and if necessary, gamble, that they are doing so safely and their identity is safe. Host can you learn things from how the casinos protect themselves . Guest absolutely. The best part about the fbi to our Outreach Program is we are always learning from industry. We are always learning from even private citizen. Every interaction we have allows us to learn that much more. You cant be a master of everything. There are people out there who will spend their entire lives preparing for the worst Case Scenario for their particular industry. The casinos are no different. We partner with them to learn what are they saying, what are the threats they see . And then how can we prioritize that in the fbi response. Host is cybercrime aspect of your java growing . Guest always. Always. We are seeing cyber is a part of absolutely everything we do now. The method data we collect would probably shock your audiences. Host hoover dam is very close to where we are right now. Does they keep you up at night . Guest no. And i tell you why. We have great partnerships with the state, local and federal agencies. We are all focused on dissenting. We want to protect the american people. When we see Critical Infrastructure pieces like the hoover dam, we focus on them just like a laser beam and we make sure that were we doing everything that we can that comes in the form of tabletop exercises. A lot of interaction between the departments that cover the hoover dam, and would we alwayk at the intelligence. Both domestically and with our foreign partners, to understand who may be trying to target our Critical Infrastructure, and then how do we stop them. Host does fisa section seven to assist you in your work . Guest it is a critical part of our work. If 702 is allowed to expire at the end of the america would be less safe because the fbi will not have access to information that we critically need to protect the united states. Host essentially thats allowing you to listen in to phone calls made from overseas . Guest yes, but i want to mention to all of your viewers to the fbi doesnt do anything without judicial review. A judge will look at and give us a warrant to do so. Host when we were talking to the founder of black hat, he was telling us about an estonian operation where the estonians are trying to get money and or trying to get trade secret some ceos and its very cloak and dagger. Guest it is. We will see through not just business email compromises, but we will see that people do on lot of their homework on the suspected, on the target they want to go after. They will wonder about their sl media habits. They will know everything they can, and in many cases what theyre able to do is they are able to mimic through subverting their email system, being able to get in and actually send out an email pretending to be somebody else to allow for wire transfers. From company to company. Its a very ingenious way of subverting the safeguards of the corporate entity and did something wet help people be on the lookout for. Host according to the fbi about 1. 3 billion in cyber losses last year. Trench i think thats a conservative estimate. Host when you go into black cat onto the contingent floor, do you bring your phone with you . Guest no. Host why not . Guest well, i think it should be apparent, but not everyone is you with the same reasons. For the same reasons i should say. Not everyone is here doing all legitimate work. Host aaron rouse as a special agent in charge in las vegas. This is the communicators on cspan. Heres a look at some upcoming fairs and festivals happening around the country. Should be deciding city citf hell that were based on idea. They object to the idea. They reject the value of the declaration of independence rather explicitly. They dont believe america is an idea. They believe it is a geographical location. People by people of certain ethnic and racial backgrounds. And theres a real dark side. The reality is that throughout the campaign, donald trump had more than one opportunity to repudiate them, reject them, speak out against them, and he dodged and delayed and went again and again and again. Its a pattern. Its not, this is not a one off. This is a problem. This is a cancer at the heart of the conservative movement if we are not willing to say that the left is not right if we tolerate these people. There are these moral judgments, these key moment in every movement. Liberalism had to expel the communists in the late 1940s. Conservatism had to expel the birchers and 60. 60. We have to do with the altright. After words airs on booktv every saturday at 10 p. M. And sunday at 9 p. M. Eastern. You can watch all after words programs on our website, booktv. Org. Each year since 1950, the National Book foundation has selected what they consider to be the best books in poetry, young peoples literature, fiction and nonfiction. The winners of this years National Book award will be announced on november 15 in new york city. Now on booktv one of this years finalist for nonfiction is university of delaware history professor Eric Armstrong dunbar who come and her book never caught recounts the life of ona judge, slate owned by george and Martha Washington whose escape initiated a man that ordered by the first president. Welcome