Everything is an embedded device. A connected TV, a car, locomotives, airplanes, drones. Everything around you is pretty much an embedded device. It's a device with a computer inside of it. Everything that runs the world we live in is essentially a device with a computer in it. Many of those devices connect to the internet; some talk to each other. We are interested in those interactions.

Host: What are you finding are the vulnerabilities of embedded devices?

Guest: I've been doing security for a long time, probably before it was cool, and a lot of the vulnerabilities we've seen from 15, 20 years ago, that were extinct, have actually come back in embedded devices. Surprising. To exploit a modern phone, smartphone or even a computer takes pretty high-level sophistication. An example is an infusion pump I looked at a few years ago. It had no password. You could make it do whatever you want.

Host: Wait, a medical device?

Guest: Yes. The device that is controlling the amount of drug the patient is getting while lying in a hospital bed literally had no password. You could connect to it however you wanted. You could make the pump do whatever you want, including administering high rates of drugs. We were able to demonstrate this to folks at the FDA. They looked at these demos and were pretty appalled. They issued a cybersecurity safety advisory on some of the things we talked about. But just generally speaking, you usually don't find those things in modern software anymore, but you can see this in embedded devices for some reason.

Host: You've tested pacemakers?

Guest: Sure have. Looked at a variety of pacemakers, pacemakers from four different manufacturers, to see what the commonalities were between them. Surprisingly, there are a lot of commonalities. Some of the things we saw indicate there's probably a lot of cross-pollination and sharing amongst engineers who make those devices, but some of the things we saw in the pacemaker industry were pretty surprising as well.
Host: What did you find?

Guest: To get some of these devices, we went to some places like eBay and other auction websites and bought pacemakers, pacemaker programmers, so it's pretty easy to get hold of, surprisingly, if you're willing to spend a couple hundred or a couple thousand dollars. One of the first things we looked at was just the amount of software that's on some of these devices. So for example, a pacemaker programmer, the device that a doctor's going to use to basically set the parameters for the pacemaker inside of your body, is really just a computer. In fact, one of the pacemaker programmers we looked at was literally running Windows, an old version of Windows, Windows XP, so end-of-life: Microsoft no longer supports the operating system, but it would still be used in this pacemaker programmer. The operating system you were running on your laptop ten years ago is the operating system that's running a pacemaker programmer for one of the largest manufacturers in the world.

Host: Why do drug infusion pumps and pacemakers need to be online?

Guest: It's a question I ask myself every day. There is some benefit to this. I don't want to make it to where it's pure doom and gloom. But having these devices talk to each other, be able to get the right information to a physician or a nurse at the right time, that's a really valuable thing. It can save a lot of people's lives, and that's why these are being connected. There are inherent risks you take when you connect the device. If the device is talking to another device or talking to the internet, there are some inherent risks that are involved with that regardless of what you do. Regardless of how well you engineer the device or what your intentions are. That's a look at. There's inherent risk in connected devices, and it's really hard. It's not easy to create a secure device, but right now the benefits probably outweigh the risk. But if we're not careful, the risks could overtake the benefits, and that's the situation we don't want.
Host: Why would somebody want to hack a drug infusion device?

Guest: That's a good question, and I try not to answer the question why, because to be honest the technology is pretty complicated, but trying to understand why a human being would do something is even more complicated. I try not to play that game. What I do know is it's technically possible, and so if someone wants to do this for a variety of devices like a drug infusion pump, they can. Whether they are mentally unstable, whether they're emotionally imbalanced, whether they have a vendetta or a message they want to send, whether they are a government trying to do something or present harm to somebody, I don't know. That's not something I could answer. What I do know is, from a technical standpoint, it's possible. Whether or not someone has the motive or means, whether someone wants to do this, is a totally different question. I can't answer that as to why someone would want to do this, but I can tell you they can do it.

Host: We are moving into a world of the internet of things. Embedded devices everywhere. What does that mean?

Guest: It means a lot of different things. One of the things we'll be talking about this week are the safety issues associated with the internet of things. So internet of things, connected devices all around us. If you think you live in a world without being too connected, you are not. When you go get your car washed, those are connected devices, computers that are doing it for you. When you get on the airplane to fly to Las Vegas, that's a flying computer. Connected devices are all around us. Internet of things all around us. It affects your life whether you want it to or not. That's a very interesting situation for a lot of people, for us to take a look at how these devices impact the daily lives of people and whether or not there are risks people don't realize that are there because of these connected devices.
Host: When you work with a company, when WhiteScope works with a company, do you try to penetrate their defenses?

Guest: That depends on what their organization wants. Some organizations hire us to take a look at the devices to help them improve the security engineering of their devices. Some are really more operational. They have a facility or building or data center or stadium, they know these devices are there, and they want us to help demonstrate what can be done if those devices are hacked. It depends what the organization wants, but we do a variety of services for different people.

Host: Are you a hacker?

Guest: At the end of the day we have to find vulnerabilities. In most cases we have to write exploits for those vulnerabilities. I wouldn't say that, because there's a difference between what we do and what a real hacker would do. We find vulnerabilities, and we may demonstrate to you what the effects might be if they're exploited. We won't ever do that to really hurt somebody, or do that to damage your equipment. That's not something we'll do as a researcher or a company hired to do something. A real hacker would. A real hacker would exploit a device to hurt or kill someone. A real hacker would exploit a device to attack an organization or to send a message, to destroy equipment. They would do that, and so that's a line we don't cross.

Host: You mention you've been in this field, in security, for quite a while. When did you start and what were you doing?

Guest: I've had a pretty colorful career. I was an active duty officer in the Marine Corps. I served in a signals intelligence unit in Hawaii. That's where I learned the foundations of operational security and computer security. Spent some time at the Defense Information Agency doing intrusion detection, which is a nice way of saying catching hackers. Did a lot of time doing penetration testing, which is where companies hire you to break into their systems and show them where the weaknesses are.
Worked for Microsoft, security program manager there, worked for Google as a tech lead. Then started a startup that was acquired. This is my second startup in the cybersecurity world. Been doing this for a while. It's something I love, to be honest; if tomorrow all the resources and money dried up in this space, I would probably still be doing it. Just something I have a passion for.

Host: Is the military the lead agency in protecting Americans against cyber attacks?

Guest: That's a good question. It's something the government is struggling with, to be honest. Probably the hardest problem in cybersecurity is not a technical problem. The hardest problem in cybersecurity is a workforce problem. When I worked at Google in Silicon Valley, it was basically us just trading security engineers with other companies back and forth, because there is a shortage of cybersecurity professionals. The amount of money and resources and freedom that's given to a lot of these individuals that know what they're doing in cybersecurity is pretty astounding, the salaries and the things they can ask for. We find that the U.S. government has a hard time keeping up and retaining some of that talent. They may provide foundational skills and training, and then they will find themselves losing the top talent they have in their organizations to places like Microsoft and Google and Facebook, which all have great top security teams working for their organizations. It's a struggle. It's very much a struggle for the federal government, a struggle for the Department of Defense.

Host: Would you be an example of that? You were somebody who was trained by the military, and now you're out, you're doing it privately.

Guest: I still keep ties with a lot of folks in the federal government. I still work with a lot of folks in DoD, but I can tell you now they are very much struggling. They understand to train someone to do this is an investment. There's a certain level of aptitude required.
Even if you invest money in training, you may not get an individual to the level you want them to be at. Those folks who have demonstrated the capability of being able to understand these security concepts and foundational pieces really well and take it to the next level, they are highly recruited by a lot of other places. If the individual is motivated by money or just a lifestyle, or a different lifestyle than the federal government or DoD, they would be recruited by those organizations. It's a tough place to be. It highlights the biggest problem in cybersecurity, which is workforce. There's a tremendous shortage in individuals. Everyone is fighting over the same pool of people. That makes it a tough proposition for folks who are not as agile as a Silicon Valley company, like the DoD for example. It will be something there will be a struggle over for the next decade or two.

Host: Do you need at least a master's in computer science?

Guest: Definitely not. I have three master's degrees, but I know plenty of people who have no degrees who are much smarter than I am, folks who literally did not go to college, undergraduate college or anything like that, who know cybersecurity really, really well. I wouldn't say you need a formal education to enter cybersecurity. I personally know people who are in that situation. It could certainly help. I'm not saying that the path you want to take is to not go to school; having a solid foundation in computer science or electrical engineering is a good thing, but it's not a requirement.

Host: What's your role at Black Hat?

Guest: I'm giving a talk later this week. We're going to show exploitation of a connected device, and we're going to cause the connected device to attack somebody, physically attack somebody.

Host: Can you tell us what the connected device is?

Guest: I won't say what it is here; we will reveal that during our talk. We have three criteria for the device we're looking at. Number one, it had to be connected to the internet.
We would be able to control the device from anywhere in the world. We can sit at a Starbucks in Asia and control it in the United States. It had to be publicly accessible, which means an average person walking down the street would be able to see one of these devices. We don't want it in a secured area or a manufacturing plant. We wanted it in a public space that will be used by the public. The last piece of the criteria we wanted was, we wanted to demonstrate a safety issue. I know that a lot of cybersecurity issues are connected with privacy and things like that. Those things are important, don't get me wrong. When you lose your critical information, it's a bad day for you. When your hospital gets breached and they leak your health information, that's a bad day for you as well. Some of these connected devices have safety implications. We are going to show what the safety implications can be by causing this device to attack an occupant.

Host: Billy Rios, founder and security researcher from WhiteScope. Thanks for being on The Communicators.

Guest: Thanks for having me. Appreciate it.

Host: Now joining us on The Communicators from the Black Hat convention in Las Vegas is Robert Leale. What do you do for a living?

Guest: I hack cars.

Host: On purpose? What's the name of your company?

Guest: CanBusHack. The CAN bus is the bus inside vehicles, and then it's car hacking.

Host: Are cars basically rolling computers anymore?

Guest: It's hard to call them computers. They are a fusion of mechanical and electronic components. A lot of those are very small computers that control the mechanical aspects of the vehicle.

Host: On a typical American car, how many so-called computers are in there?

Guest: Between like 15 and 30.

Host: What do they control?

Guest: Everything from the engine to the displays, to the lights, to the door locks, to the suspension, ride handling. Really every component nowadays is controlled with computers.

Host: Is security built in to a car's computers?

Guest: Sometimes.
Security is a word they are starting to use a lot more in terms of electronic security. A lot of times when OEMs refer to security, they're talking about securing the passenger, seat belts, making sure that they don't get hurt in an accident, securing when they hit a wall, but now they're talking more about the electronic security of the systems.

Host: Is it a growing problem?

Guest: It's more noticed, if that makes more sense. The issues always have been there, but now, because of recent hacks, it's become a lot more noticed in the media and by the average consumer.

Host: A year or two back, a couple of gentlemen from Wired magazine hacked a car on the road. Did that send up flares for people?

Guest: Yes. I think that really awakened a sleeping beast in a lot of ways. It was absolutely a very, very well put together hack. And what the gentlemen at Wired did was very novel.

Host: If we went down in the parking lot at Mandalay Bay, could you hack into any car down there?

Guest: I wouldn't say; it's tough to quantify what the word hack is. Could I find, or do I already know, issues with those individual vehicles? Yes. There's a lot of preparation that happens behind the scenes when you're doing a hack. You have to spend a lot of months, or maybe, you know, several weeks if not months, in order to figure out how these systems work. Once you figure that out, you can do certain things across one vehicle or another vehicle; that might be unlocking the doors, or it might be shutting the vehicle down remotely. It might be making it so the vehicle can't start. It depends on how you define hack.

Host: But if we went down there, could you start a vehicle or unlock its doors?

Guest: Absolutely.

Host: How long would it take you?

Guest: Depends on which vehicle it is. Some vehicles, within a matter of seconds. Some vehicles, maybe it would require me to have the person who owned the vehicle hit a button, and then I could capture that information and replay it back to the vehicle later.

Host: Who hires you?
Guest: Whoever wants to. It's a really tough question to answer. I get hired by companies who are looking to integrate electronic devices into vehicles. I get hired by automotive companies who are looking to secure their vehicles. I actually am also hired by lawyers looking to make sure that the vehicles of their customers are secure.

Host: How did you get into this business?

Guest: I've been doing it since I was 16.

Host: Breaking into cars?

Guest: Hacking cars. I've been hacking cars. When I say hack, I mean I am self-trained. When I say hack, I really mean figuring out how electronic systems work and then using that to my advantage, whatever that is.

Host: Is it reverse engineering?

Guest: Reverse engineering is a big part of the process. Reverse engineering is the first part, figuring out how the systems work through reverse engineering; then after that we use that information that we learned to do something on the vehicle, whatever our target is. Maybe it's unlocking the doors, maybe it's turning the windshield wipers on or turning the lights on, or something benign like that. Or turn the car off while it's driving. Depends on the application.

Host: Has that happened, besides the Wired story that came out a couple years ago?

Guest: Has...

Host: Hasn't it happened in a bad way? Has a car been hacked in a bad way while driving?

Guest: Not that I'm aware of. We've done hacking since before and since then in a controlled environment for different customers, whether they're government customers, whether they are state, local customers, whether they are OEMs or aftermarket. It just depends on the different levels of the requirements and whoever is contacting us and hiring us to do the job.

Host: What does OEM stand for?

Guest: Original equipment manufacturer. That's the vehicle manufacturer.

Host: How is it that you trained yourself to do this?

Guest: It's been so long. So a lot of internet resources helped. In the past there were a lot of good websites that described individual systems.
I used to work for a company called Intrepid Control Systems, and that company supplies tools to the automotive industry for vehicle interfaces. So I worked a lot with the OEMs in Detroit to train the manufacturers on their own systems. So I learned a lot about their individual systems, how they worked. I learned a lot about their vehicle networks. It was just a learning process over the past, I guess, about 12, 13 years.

Host: What is your role here at Black Hat?

Guest: I'm doing the training for the car hacking hands-on training at Black Hat.

Host: What kind of training do you do and