Host: Really interested in inter, as. What are you finding are the vulnerabilities of embedded devices?

Guest: I've been doing security for a long time. Silly vulnerabilities have come back in embedded devices. So, to exploit a modern phone, smartphone or even a computer takes pretty high level sophistication now, but to exploit embedded devices is pretty easy.

Host: Give us an example.

Guest: An infusion pump. It had no password. You can just connect to it and make the pump do what you're... the device that is controlling the amount of drugs a patient is getting when they're lying in a hospital bed. Literally had no password. You can connect to it however you wanted. You can make the pump do whatever you want, including administering high rates of drugs. So we were able to demonstrate that to folks like the FDA, and they worked out the vulnerabilities and were appalled as well. So they issued a cybersecurity safety advisory. But you don't find those things in modern software, but you see them in embedded devices. I also tested pacemakers.

Guest: We have a variety of pacemakers from four different manufacturers to see what the commonalities were. There are a lot of commonalities, and there's probably a lot of cross-pollination and sharing amongst the engineers working on those devices. The things we saw in the pacemaker industry were surprising.

Host: What did you find?

Guest: First, we had to get these devices, so we went to places like eBay and other websites and bought pacemakers, programmers, home monitoring devices. It's easy to get ahold of if you're willing to spend a couple hundred or a couple thousand dollars. We looked at the amount of software on these devices. So, for example, a pacemaker programmer, the device that a doctor is going to use to basically set the parameters for the pacemaker inside of your body, is really just a computer. In fact, one of the pacemaker programmers we looked at was literally running Windows, an old version of Windows. So, Windows XP.
So, end of life. Microsoft no longer supports that operating system, but it was still being used in this pacemaker programmer. So the operating system you ran on your laptop ten years ago is the operating system running a pacemaker programmer for one of the largest manufacturers in the world.

Host: Why do drug infusion pumps and pacemakers need to be online?

Guest: Right. It's a question I am asked every day. There is some benefit to this. I don't want to make it to where it's pure doom and gloom. Having devices talk to each other and be able to get the right information to a physician or nurse at the right time, that's a really valuable thing. It can save a lot of people's lives, and that's why they're connected. There are inherent risks when a device is connected. If they're talking to each other or the internet, there's some inherent risk involved with that regardless of what you do or how well you engineer the device or your intentions. We look at the inherent risks, and it's hard. It's not easy to create a secure device, but I think right now the benefits probably outweigh the risk, but if we're not careful, the risks could overtake the benefits, and that's a situation we don't want.

Host: Why would somebody want to hack a drug infusion device?

Guest: That's a good question. And I try not to answer the question why. Because, to be honest, the technology is complicated in itself, but trying to understand why a human being would do something is even more complicated, and I try not to play that game there. So, what I do know is that it's technically possible. And so if someone wants to do this for a variety of devices, like a drug infusion pump, they can. So whether they are mentally unstable, emotionally imbalanced, whether they have a vendetta, a message they want to send, whether they are a government trying to do something or present harm to somebody, I don't know. That's not something I try to answer. What I do know is that technically, from a technical standpoint, it's possible.
And so, honestly, whether someone has the motive or means, or whether someone wants to do this, is a totally different question. I can't answer that question as to why, but they can do it.

Host: Billy Rios, we're moving into a world of the Internet of Things. Embedded devices everywhere. What does that mean?

Guest: It means a lot of different things. One thing we'll be talking about this week are safety issues associated with the Internet of Things. The Internet of Things can connect devices. They're all around us. If you think you can live in a world without being exposed to a connected device, you're naive. When you go to the grocery store, get your car washed, those are connected devices, computers doing that for you. When you get on the airplane to fly to Las Vegas, whatever, that's a flying computer. So, connected devices are all around us. The Internet of Things surrounds us. It affects your life, whether you want it to or not. So that's a very interesting situation for a lot of people. A very interesting situation for us to take a look at how these devices impact the daily lives of people and whether or not there are risks that people don't realize are there because of these connected devices.

Host: When you work with a company, when WhiteScope works for a company, do you try to penetrate their defenses?

Guest: Depends on what the organization wants. So some organizations hire us to look at their devices to help them improve the security engineering of their devices. Some organizations are more operational. They have a facility or building or data center or stadium, know that these devices are there, and they want us to help demonstrate what can be done if those devices are hacked. Depends on what the organization wants, but we do a variety of services for different people.

Host: Are you a hacker?

Guest: At the end of the day we have to find vulnerabilities, and in most cases we have to write exploits for the vulnerabilities. That's what a hacker does. I wouldn't call myself a hacker.
There's a difference between what we do and what a hacker does. We find vulnerabilities and may demonstrate them to you: if they're exploited, whether it could hurt someone or cause a physical effect like a fire, an explosion. We'll do that. But we won't ever do that to actually really hurt somebody, or to actually damage your equipment in an uncontrolled way. That's not something we do as a researcher or a company that is hired to do something. A real hacker would exploit a device to actually hurt or kill someone. A real hacker would exploit a device to take down an organization or to send an organization a message, to destroy equipment. They'll do that. That's the line we don't cross.

Host: You mentioned that you have been in this field, in security, for quite a while. Where did you start and what were you doing?

Guest: I've had a pretty colorful career. Active duty in the Marine Corps, served in a signals intelligence unit in Hawaii. Tough duty, not everybody can survive. That's where I learned the foundational pieces of operational security and computer security, and spent time at the Defense Information Agency doing intrusion detection, a nice way of saying catching hackers. Doing penetration tests, which is where companies hire you to break into their systems and show them where their weaknesses are. Worked for Microsoft as a security program manager there, worked for Google as a tech lead, led a team there. Then started, created a startup that was acquired. This is my second startup, so I've been doing that a while. It's something I love. If tomorrow all the resources and money dried up in cybersecurity, I'd probably still be doing it. It's just something I have a passion for.

Host: Is the military the lead agency in protecting Americans against cyber attacks?

Guest: It's a good question. Something that the government is struggling with, to be honest. Probably the hardest problem in cybersecurity is not a technical problem. It's actually a workforce problem.
When I worked at Google and in Silicon Valley, it was basically us just trading security engineers to other companies back and forth, because there is a shortage of cybersecurity professionals, and the amount of money and resources and freedom that is given to a lot of these individuals that know what they're doing in cybersecurity is astounding. The salaries and things they can ask for. So we find ourselves, at the federal government and U.S. military, they have a hard time keeping up and retaining this talent. So they may provide some foundational skills and training, and then they will find themselves losing the top talent they have in their organizations to places like Microsoft and Google and Facebook, which all have great top security teams working for their organizations. So, it's a struggle. It's very much a struggle for the federal government, very much a struggle for the Department of Defense right now.

Host: Well, would you be an example, somebody who was trained by the military and now that you're out, you're doing it privately?

Guest: Yeah. I still keep ties with a lot of folks in the federal government. Still work with a lot of folks in DoD, but I can tell you right now, they're very much struggling. They understand that to train someone to do this is an investment. There's a certain level of aptitude required. So even if you do invest a lot of money and training, you may not get an individual to the level you want them to be at, and then those folks who demonstrated a capability of being able to understand the concepts and pieces and take it to the next level, they're highly recruited by a lot of other places. So if that individual is motivated by more money or more stability or just a better lifestyle or a different lifestyle than the federal government or DoD, they're going to be recruited. So, it's a really tough place to be in.
It just kind of highlights the biggest problem in cybersecurity, which is workforce. There's a tremendous, tremendous shortage in talented cybersecurity individuals, and so everybody is kind of fighting over the same pool of people. That makes it a really tough proposition for folks who are not as agile as a Silicon Valley company, like the DoD. It's going to be something they will be struggling with over the next decade or two.

Host: Do you need at least a master's in computer science?

Guest: I have the degree, but there are people who did not go to college, undergrad college or anything like that, who know cybersecurity really well. So I wouldn't say you need a formal education to enter cybersecurity. I personally know people who are in that situation. It could certainly help. I'm not saying that's the path you'll want to take, to not go to school. Having a solid foundation in computer science or electrical engineering is a good thing, but not a requirement.

Host: What is your role here at Black Hat?

Guest: I'm giving a talk this week. We are going to show exploitation of a connected device and cause a connected device to attack somebody, physically attack somebody.

Host: Can you tell us what the connected device is?

Guest: I won't say what the device is. We'll reveal that during our talk. But we had three criteria for the device we were looking at. Number one, it had to be connected to the internet, so we'd be able to control the device from anywhere in the world. Sit at a Starbucks in Asia and control the device in the United States. It had to be publicly accessible, which means the average person walking down the street would be able to see one of these devices. We don't want it in a secure area or a manufacturing plant or anything like that. In a public space. Used by the public. And the last piece of the criteria was we wanted to demonstrate a safety issue. So I know that a lot of cybersecurity issues are connected with privacy and things like that, and those things are very important. Don't get me wrong.
When you lose your credit card information, it's a bad day for you. When your hospital is breached and you lose your health care information, that's a bad day for you as well. Some of the connected devices have safety implications, and so we're going to show what those safety implications can be by causing a device to literally attack an occupant.

Host: Billy Rios, founder and security researcher for WhiteScope. Thank you for being on The Communicators.

Guest: Thank you for having me. Appreciate it.

Host: Now joining us on The Communicators from the Black Hat convention in Las Vegas is Robert Leale. What do you do?

Guest: I hack cars.

Host: What is the name?

Guest: CAN bus is the name of the network found inside of vehicles, and hack, obviously, for hacking.

Host: Are cars basically rolling computers anymore?

Guest: Well, it's hard to call them rolling computers. They're a fusion of mechanical and electronic components, and a lot of those are very small computers that control the mechanical aspects of the vehicle.

Host: On a typical American car, how many so-called computers are in there?

Guest: Between, like, 15 to 30.

Host: What would they control?

Guest: Everything from the engine to the displays to the lights, the door locks, the suspension, ride handling. Really every component is controlled with a computer.

Host: Is security baked into a car's computers?

Guest: Sometimes. Security is a word they're starting to use a lot more in terms of electronic security. A lot of times when OEMs refer to security, they're talking about securing the passenger, seatbelts. Making sure that they don't get in accidents. Securing the person when they hit a wall, with air bags. Now they're talking more about the electronic security of the systems.

Host: Is it a growing problem?

Guest: It's more noticed, if that makes more sense. The issues always have been there, but now, because of recent hacks, it's become a lot more noticed in the media and by the average consumer.
Host: A year or two back, a couple from Wired magazine hacked a car on the road.

Guest: They did.

Host: Did that send up flares for people?

Guest: Yes. I think that awoke a sleeping beast in a lot of ways. Absolutely a very well put together hack, and what the gentlemen at Wired did was very novel.

Host: If we went down in the parking lot here at Mandalay Bay, could you hack into any car down there?

Guest: I wouldn't say. I mean, it's tough to quantify what the word hack is. There's a lot of preparation that happens behind the scenes when you're doing a hack. You have to spend a lot of months, or maybe even several weeks, not months, to figure out how the systems work. Once you figure that out, you can do certain things across one vehicle or another vehicle. That might be unlocking the doors or might be shutting the vehicle down remotely. Might be making it so the vehicle can't start. Just depends on how you define hack.

Host: If we went down there, could you start a vehicle or unlock its doors?

Guest: Absolutely.

Host: How long would it take you?

Guest: Depends on which vehicle it is. Some vehicles, in a matter of seconds. Some vehicles might require me to have the person who owns the vehicle hit a button on their, and then I could capture that information and replay it back to the vehicle later.

Host: Who hires you?

Guest: Whoever wants to. It's a really tough question to answer. I get hired by companies who are looking to integrate electronic devices into vehicles. Hired by automotive companies looking to secure their vehicles. I'm also hired by lawyers looking to make sure that the vehicles of their customers are secure as well.

Host: How did you get into this business?

Guest: I've been doing it since I was 16. So I've been...

Host: Breaking into cars.

Guest: Hacking cars. I've been hacking cars. But when I say hack...

Host: Sort of self trained?

Guest: Yes. When I say hack, I mean figuring out how the electronic systems work and using that to my advantage.

Host: Is it reverse engineering?
Guest: A big part of the process. Reverse engineering is the first part of the process, figuring out how the systems work, and then after that we use that information that we learned to do something on the vehicle, whatever our target is. Maybe unlocking the doors, maybe it's turning on the windshield wipers, turning the lights on, something benign like that, or turning the car off while it's driving. Depends on the application.

Host: Has that happened besides the Wired story that came out a couple of years ago?

Guest: Has...

Host: Has it happened in a bad way? Has a car been hacked in a bad way while driving?

Guest: Not that I'm aware of. We have done hacking since before and since that...

Host: In a controlled environment.

Guest: In a controlled environment for different customers, whether they're government, state, local customers, OEMs, aftermarket. Just depends on the different levels of the requirements and whoever is contacting us.

Host: What does OEM mean?

Guest: Original equipment manufacturer. That's the vehicle manufacturer.

Host: Mr. Leale, how did you train yourself to do this?

Guest: It's been so long. A lot of internet resources help. There were in the past a lot of good websites that described individual systems. I used to work for a company called Intrepid Control Systems, and that company supplies tools to the automotive industry for vehicle interfaces. So I worked a lot with the OEMs in Detroit to train the manufacturers on their own systems, so I learned a lot about their individual systems, how they work. Learned a lot about the vehicle networks. So it was just a learning process over the past, I guess, about 12, 13 years I've been doing that.

Host: What is your role here at Black Hat?

Guest: I'm running the training for the car hacking hands-on training.

Host: What kind of training do you do, and who is in the audience?

Guest: The audience, at Black Hat we don't ask the audience who they are, because sometimes they don't answer. A lot of times they don't answer.
If you ever read a name tag on a Black Hat person, they'll have a name, Mark, something simple. So we learned to not ask them who they are, because either they're coming from military or coming from private industry, and they don't want the rest of the class to know who they are. So, often these people are interested in keeping their anonymity because they're in the security profession or in military or after-military applications.

Host: Are people from Chrysler, GM, Ford in the audience?

Guest: They are. I have met some suppliers, OEM people that work at OEMs. Met a lot of people from industry at our classes as well.

Host: As we move into the Internet of Things world, what are your thoughts?

Guest: Well, I mean, as long as we don't keep making the same mistakes, I think security is possible. It can be improved. And with the help of people like me, hackers, we can actually make the systems better by doing responsible disclosure, by making sure that the companies we're working with know how it is their systems can be more secure. So, I think we are on a good path. I think they're definitely heading in the right direction.

Host: The fact that GM has OnStar and can unlock and start cars remotely, is that a security issue, that it's traveling over wifi?

Guest: Well, the OnStar systems typically don't send the information over the wifi that I'm aware of. A lot of that stuff works over the cellular network, but the cellular network has been exploited as well. As long as the systems use proper encryption, they can secure it correctly. Not every manufacturer does it correctly, and so we're helping, we are working with the manufacturers to help them make their systems a little bit more secure.

Host: If somebody is listening to this and wondering if their car can be hacked, is there anything they can do?

Guest: That's a really challenging question. At a small level every car can be hacked in a way, and maybe that's a good thing.
You want to add features to your car or do something extra to your car, maybe you can hack it yourself. As far as a malicious hacker breaking into their car, as far as somebody breaking into a car, it doesn't work as easily as simply just waving a wand and you can open the door. There's a lot of investment in time and effort and tools in order to figure out how car hacking works. So, unless you're a target of a malicious hacker, you probably don't have to worry too much. But with the Jeep hack...

Host: Jeep hack?

Guest: The Wired hack you were talking about earlier. That is with Jeep. One of my favorite quotes from the guys who did that was it was easier to hack all of the cars than one of the cars. So, they found an issue that was actually easier to roll out on a massive scale than it would have taken extra work to target a specific person. So, in that scenario, if somebody finds a problem or a bug or security hole with a particular vehicle, and they just feel like pressing the red button and making everything not work anymore, turning people's wheels to the right as they're driving, it's actually easier, in some cases, just to go after everybody, not one person. So that was a big takeaway I learned from that hack.

Host: The Communicators has visited M City as well, where connected cars are being worked on and developed. What kind of dangers are there in connected cars that are connected to stoplights and road signs?

Guest: There's actually quite a bit more. This is a big concern. We are currently working really hard on catching up with this technology that has been released. M City and other vehicle-to-vehicle, vehicle-to-infrastructure types of radios that are happening across stoplights and roadsides is very new and has not been tested in a secure setting, not in the real world.
Maybe in a lab. Tomorrow, as the cost of tools becomes less and less, more and more people can access these tools, and as more and more people have access to tools to communicate with vehicle-to-vehicle infrastructure, radio connectivity, I think we'll find a lot more problems with it. So, I think that it's a really good idea that they try to keep their mind on security as they roll these systems out, and I am a little bit nervous that's not happening yet, because security is very difficult. It's difficult to have security, difficult to maintain, and difficult to integrate it across a lot of different manufacturers. So, we're going to have some growing pains, I think, initially, and I hope that it doesn't cause a slowdown in the promise of vehicle-to-vehicle and vehicle-to-vehicle technology.

Host: Are car manufacturers working together to regulate safety standards?

Guest: Yes. SAE has a steering committee called J3601, I believe it's called. That is an automotive cybersecurity initiative. It still has not been released yet. The actual paper isn't available, but there's a steering committee to make it a little more streamlined so security can become part of the process of designing and developing a vehicle.

Host: Robert Leale has been our guest on The Communicators.

Host: Now on The Communicators we want to introduce you to Aaron Rouse, the special agent in charge in Las Vegas for the FBI. What does that entail?

Guest: It means I'm going to run the FBI operations for the state of Nevada.

Host: What is the major focus here in Nevada for the FBI?

Guest: Well, unfortunately the FBI has to be good at everything, and so our focus has to be on the top priorities the FBI has set out, and it's what we can do the most with. And so for us, our number one priority is always going to be counterterrorism, keeping people safe.

Host: You're attending Black Hat. Why?
Guest: I think it's important for us to know what technologies are out there, what people who are involved in the industry, for good or not so good, what they're involved in, and what kind of things are interesting them, and what kind of technology is the latest and greatest that they see out there, and what kind of discussion groups do they have. The FBI wants to be part of that.

Host: Are you welcomed here?

Guest: Definitely. Most definitely.

Host: What do you spend your time doing?

Guest: A lot of it is outreach, like interviews like this. We want to make sure the FBI is seen as a partner with industry and a partner in protecting people. We want to understand what is important to them and see how we can plug and play.

Host: How big is cybercrime in Nevada?

Guest: It's big everywhere, because, as we're seeing, the best part about the internet is also some of the worst things about it. And we see it from everyone with infected emails they get from somebody that they thought was a relative or friend, and they click on the link, or at the same time, and see that, oh, now I'm subject to ransomware, or now my identity has been stolen because I'm sharing a lot of information, or my business computer has been compromised. Those things are of keen interest to us because it's our job to protect people from those types of compromises.

Host: There is a unit within the FBI that works on these issues?

Guest: The Cyber Division has the task of making sure that we're all focused on the right things.

Host: What about the casinos? From an FBI perspective, do you work with the casinos to protect them from cyber attack?

Guest: We have great relationships with the casinos. All of them. And they want to be good partners with us because they don't want to be the victim of crime or the conduit by which the people that go to their casinos are victimized. They want to work with us to make sure that when people come to Vegas to recreate and gamble, they're doing so safely and their identity is safe.
Host: Can you learn things from how the casinos protect themselves?

Guest: Absolutely. The best part about the FBI, through our outreach program, we're always learning from industry, even private citizens. Every interaction we have allows us to learn that much more, because you can't be the master of everything, and there are people out there that will spend their entire lives preparing for the worst case scenario for their industry. The casinos are no different. We partner with them to learn what they're seeing, the threats they see, and then how we can prioritize that in the FBI response.

Host: Is the cybercrime aspect of your job growing?

Guest: Always. Always. We're seeing that cyber is a part of absolutely everything that we do now. The amount of data that we collect would probably shock your audiences.

Host: Hoover Dam is very close to where we are right now. Does that keep you up at night?

Guest: No, and I'll tell you why. We have great partnerships with the state, local and federal agencies. We're all focused on the same thing, protecting the American people. So when we see critical infrastructure pieces like the Hoover Dam, we focus on them. Just like a laser beam. We make sure that we're doing everything that we can. That comes in the form of tabletop exercises, a lot of interaction between the departments that cover the Hoover Dam, and we're always looking at the intelligence, both domestically and with foreign partners, to understand who may be trying to target our critical infrastructure and then how to stop them.

Host: Agent Rouse, does FISA Section 702 assist you in your work?

Guest: It is a critical part of our work, and if that section, 702, is allowed to expire at the end of this year, America will be less safe, because the FBI will not have access to information that we critically need to protect the United States.

Host: Essentially that is allowing you to listen in to phone calls made from overseas.

Guest: Yes.
But I want to mention to all of your viewers, the FBI doesn't do anything without judicial review. A judge will look at it and give us a warrant to do so.

Host: When we were talking with Jeff Moss, the founder of Black Hat, he was telling us about an Estonian operation where the Estonians are trying to get money and/or trying to get trade secrets from CEOs, and it's very cloak and dagger.

Guest: It is. We'll see, through not just business email compromises, but we'll see that people will do a lot of their homework on the suspected, on the target they want to go after. They'll know about their social media habits, know everything they can. And in many cases what they're able to do is they're able to mimic, through subverting their email system, being able to get there and actually send out an email pretending to be somebody else to allow for wire transfers from company to company, and it's a very ingenious way of subverting the safeguards of a corporate entity, and it's something we have to help people be on the lookout for.

Host: According to the FBI, about 1.3 billion in cyber losses last year.

Guest: I think that's a conservative estimate.

Host: Agent Rouse, when you go into Black Hat, onto the convention floor, do you bring your phone with you?

Guest: No.

Host: Why not?

Guest: I think that it should be apparent, but not everyone is here with the same reasons, for the same reasons, I should say. Not everyone is here doing all legitimate work.

Host: Aaron Rouse, special agent in charge in Las Vegas. This is The Communicators on C-SPAN.

Each year since 1950, the National Book Foundation has selected what they consider to be the best books in poetry, young people's literature, fiction, and nonfiction. The winner of this year's National Book Award will be announced on November 15th in New York City. And beginning now on Book TV, one of this year's finalists for nonfiction, Pulitzer Prize winning author Frances FitzGerald discusses her history of evangelicalism in America.

[inaudible discussion]