
CSPAN2 The Communicators Black Hat Cybersecurity Interviews October 10, 2017

Really interested in inter, as.
Host: What are you finding are the vulnerabilities of embedded devices?
Guest: I've been doing security for a long time. City vulnerabilities have come back in embedded devices. So, to exploit a modern phone, smartphone or even a computer takes pretty high-level sophistication now, but to exploit devices is pretty easy.
Host: Give us an example.
Guest: An infusion pump had no password. You can just connect to it and make the pump do what you're... the device that is controlling the amount of drugs a patient is getting when they're laying in a hospital bed. Literally have no password. You can connect to it however you wanted. You can make the pump do whatever you want, including administering high rates of drugs. So, we were able to demonstrate that to folks like the FDA and they work out the vulnerabilities and were appalled as well. So they issued a cyber security safety advisory, but you don't find those things in modern software, but you see them in embedded devices.
Host: You also tested pacemakers.
Guest: We have. A variety of pacemakers, from four different manufacturers, to see what the commonalities were. There are a lot of commonalities and there's probably a lot of cross-pollination and sharing amongst the engineers what I can those devices. The things we saw in the pacemaker industry were surprising.
Host: What did you find?
Guest: First, we had to get these devices, so we went to places like eBay and other websites and bought pacemakers, programmers, home monitoring devices. It's easy to get ahold of if you're willing to spend a couple hundred or a couple thousand dollars. We looked at the amount of software on these devices. So, for example, a pacemaker programmer, the device that a doctor is going to use to basically set the parameters for the pacemaker inside of your body, it's really just a computer. In fact, one of the pacemaker programmers we looked at was literally running Windows, an old version of Windows. So, Windows XP.
So, end of life; Microsoft no longer supports that operating system, but it was still being used in this pacemaker programmer. So the operating system you were running on your laptop ten years ago is the operating system running a pacemaker programmer for one of the largest manufacturers in the world.
Host: Why do drug infusion pumps and pacemakers need to be online?
Guest: Right. It's a question I am asked every day. There is some benefit to this. I don't want to make it to where it's pure doom and gloom. Having devices talk to each other and be able to get the right information to a physician or nurse at the right time, that's a really valuable thing. It can save a lot of people's lives and that's why they're connected. There are inherent risks when a device is connected. If they're talking to each other or the internet, there is some inherent risk involved with that regardless of what you do or how well you engineer the device or your intentions. We look at the inherent risks and it's hard. It's not easy to create a secure device, but I think right now the benefits probably outweigh the risk, but if we're not careful, the risks could overtake the benefits and that's a situation we don't want.
Host: Why would somebody want to hack a drug infusion device?
Guest: That's a good question. And I try not to answer the question why. Because, to be honest, the technology is complicated in itself, but to try to understand why a human being would do something is even more complicated and I try not to play that game there. So, what I do know is that it's technically possible. And so if someone wants to do this for a variety of devices, like a drug infusion pump, they can. So whether they are mentally unstable, emotionally imbalanced, whether they have a vendetta, a message they want to send, whether they are a government trying to do something or present harm to somebody, I don't know. That's not something I try to answer. What I do know is that technically, from a technical standpoint, it's possible.
And so honest someone that the motive or means or whether someone wants to do this is a totally different question. Can't answer that question as to why, but they can do it.
Host: Billy Rios, we're moving into a world of the internet of things. Embedded devices everywhere. What does that mean?
Guest: It means a lot of different things. One thing we'll be talking about this week are safety issues associated with the internet of things. Internet of things can connect devices. They're all around us. If you think you can live in a world without being exposed to a connected device, you're naive. When you go to the grocery store, get your car washed, those are connected devices, computers doing that for you. When you get on the airplane to fly to Las Vegas, whatever, that's a flying computer. So, connected devices are around us. Internet of things, it's around us. Affects your life, whether you want it to or not. So that's a very interesting situation for a lot of people. A very interesting situation for us to take a look at how these devices impact the daily lives of people and whether or not there are risks that people don't realize are there because of these connected devices.
Host: Would you work with a company, when WhiteScope works for a company, do you try to penetrate their defenses?
Guest: Depends on what the organization wants. So some organizations hire us to look at their devices to help them improve the security engineering of their devices. Some organizations are more operational. They have a facility or building or data center or stadium, know that these devices are there, and they want us to help demonstrate what can be done if those devices are hacked. Depends on what the organization wants, but we do a variety of services for different people.
Host: Are you a hacker?
Guest: At the end of the day we have to find vulnerabilities and in most cases we have to write exploits of the vulnerabilities. That's what a hacker does. Wouldn't call myself a hacker.
There's a difference between what we do and what a hacker would do. We find vulnerabilities and may demonstrate them to you if they're exploited, whether it could hurt someone or cause a physical effect like a fire, an explosion. We'll do that. But we won't ever do that to actually really hurt somebody, or to actually damage your equipment in an uncontrolled way. That's not something we do as a researcher or company that is hired to do something. A real hacker would exploit a device to actually hurt or kill someone. A real hacker would exploit a device to take down an organization or to send an organization a message, to destroy equipment. They'll do that. That's the line we don't cross.
Host: You mentioned that you have been in this field, in security, for quite a while. Where did you start and what were you doing?
Guest: I've had a pretty colored career. Active duty in the Marine Corps, served in a signals intelligence unit in Hawaii, subdutiy, not everybody can survive. That's where I learned the foundational pieces of operational security and computer security, and spent time at the Defense Information Agency doing intrusion detection, a nice way of saying catching hackers. Doing penetration tests, which is where companies hire you to break into their systems and show them where their weaknesses are. Worked for Microsoft as a security program manager there, worked for Google as a tech lead, led a team there. So started, created a startup that was acquired. This is my second startup, so been doing that a while. It's something I love. If tomorrow all the resources and money dried up in cyber security, I'd probably still be doing it, just something I have a passion for.
Host: Is the military the lead agency in protecting Americans against cyber attacks?
Guest: It's a good question. Something that the government is struggling with, to be honest. Probably the hardest problem in cyber security is not a technical problem. It's actually a workforce problem.
When I worked at Google and Silicon Valley, it was basically us just trading security engineers to other companies back and forth, because there is a shortage of cyber security professionals, and the amount of money and resources and freedom that is given to a lot of these individuals that know what they're doing in cyber security is astounding. The salaries and things they can ask for. So we find ourselves at the federal government and U.S. military, they have a hard time keeping up and retaining this talent. So they may provide some foundational skills and training and then they'll find themselves losing the top talent they have in organizations to places like Microsoft and Google and Facebook, which all have great top security teams working for their organizations. So, it's a struggle. It's very much a struggle for the federal government, very much a struggle for the Department of Defense right now.
Host: Well, would you be an example, somebody who was trained by the military and now that you're out, you're doing it privately?
Guest: Yeah. I still keep ties with a lot of folks in the federal government. Still work with a lot of folks in DoD, but I can tell you right now, they're very much struggling. They understand that to train someone to do this is an investment. There's a certain level of aptitude required. So even if you do invest a lot of money and training you may not get an individual to the level you want them to be at, and then those folks who demonstrated a capability of being able to understand the concepts and pieces and take it to the next level, they're highly recruited by a lot of other places. So if that individual is motivated by money or more stability or just a better lifestyle or different lifestyle than the federal government or DoD, they're going to be recruited. So, it's a really tough place to be in.
Just kind of highlights the biggest problem in cyber security, which is workforce. There's a tremendous, tremendous shortage in talented cyber security individuals and so everybody is kind of fighting over the same pool of people. That makes it a really tough proposition for folks who are not as agile as a Silicon Valley company, like the DoD. It's going to be something they will be struggling with over the next decade or two.
Host: Do you need at least a master's in computer science?
Guest: I have the three, but there are people who did not go to college, undergrad college or anything like that, who know cyber security really well. So I wouldn't say you need a formal education to enter cyber security. I personally know people who are in that situation. It could certainly help. I'm not saying that's the path you'll want to take, is go to school. Having a solid foundation in computer science or electrical engineering is a good thing but not a requirement.
Host: What is your role here at Black Hat?
Guest: I'm giving a talk this week. We are going to show exploitation of a connected device and cause a connected device to attack somebody, physically attack somebody.
Host: Can you tell us what the connected device is?
Guest: I won't say what the device is. We'll reveal that during our talk. But we had three criteria for the device we were looking at. Number one, it had to be connected to the internet, so we'll be able to control the device from anywhere in the world. Sit in a Starbucks in Asia and control the device in the United States. It has to be publicly accessible, which means the average person walking down the street would be able to see one of these devices. We don't want it in a secure area or a manufacturing plant or anything like that. In a public space. Used by the public. And the last piece of the criteria was we wanted to demonstrate a safety issue. So I know that a lot of cyber security issues are connected with privacy and things like that, and those things are very important. Don't get me wrong.
When you lose your credit card information it's a bad day for you. When your hospital is breached and you lose your health care information, that's a bad day for you as well. Some of the connected devices have safety implications and so we're going to show what those safety implications can be by causing a device to literally attack an occupant.
Host: Billy Rios, founder and security researcher for WhiteScope. Thank you for being on The Communicators.
Guest: Thank you for having me. Appreciate it.
Host: Joining us on The Communicators from the Black Hat convention in Las Vegas is Robert Leale. What do you do?
Guest: I hack cars.
Host: What is name?
Guest: CAN bus is the name of the network found inside of vehicles, and hack, obviously, for hacking.
Host: Are cars basically rolling computers anymore?
Guest: Well, it's hard to call them rolling computers. They're a fusion of mechanical and electronic components and a lot of those are very small computers that control the mechanical aspects of the vehicle.
Host: On a typical American car, how many so-called computers are in there?
Guest: Between, like, 15, some 30.
Host: What would they control?
Guest: Everything from the engine to the displays to the lights, the door locks, the suspension, ride handling. Really every component is controlled with a computer.
Host: Is security baked into a car's computers?
Guest: Sometimes. Security is a word they're starting to use a lot more in terms of electronic security. A lot of times when OEMs refer to security they're talking about securing the passenger: seatbelts, making sure that they don't get in accidents, securing the person when they hit a wall, with air bags. Now they're talking more about the electronic security of the systems.
Host: Is it a growing problem?
Guest: It's more noticed, if that makes more sense. The issues always have been there, but now because of recent hacks it's become a lot more noticed in the media, and by the average consumer.
Host: A year or two back a couple from Wired magazine hacked a car on the road.
Guest: They did.
Host: Did that send up flares for people?
Guest: Yes. Think that awoke a sleeping beast in a lot of ways. Absolutely a very well put together hack, and what the gentlemen at Wired did was very novel.
Host: If we went down in the parking lot here of Mandalay Bay, could you hack into any car down there?
Guest: I wouldn't say... I mean, it's tough to quantify what the word hack is. There's a lot of preparation that happens behind the scenes when you're doing a hack. You have to spend a lot of months or maybe even several weeks, not months, to figure out how the systems work. Once you figure that out you can do certain things across one vehicle or another vehicle. That might be unlocking the doors or might be shutting the vehicle down remotely. Might be making it so the vehicle can't start. Just depends on how you define hack.
Host: If we went down there could you start a vehicle or unlock its doors?
Guest: Absolutely.
Host: How long would it take you?
Guest: Depends on which vehicle it is. Some vehicles, within a matter of seconds. Some vehicles may require me to have the person who owns the vehicle hit a button on their... and then I could capture that information and replay it back to the vehicle later.
Host: Who hires you?
Guest: Whoever wants to. It's a really tough question to answer. I get hired by companies who are looking to integrate electronic devices into vehicles. Hired by automotive companies looking to secure their vehicles. I'm also hired by lawyers looking to make sure that the vehicles of their customers are secure as well.
Host: How did you get into this business?
Guest: I've been doing it since I was 16. So I've been...
Host: Breaking into cars.
Guest: Hacking cars. I've been hacking cars. But when I say hack...
Host: Self trained?
Guest: Yes. When I say hack I mean figuring out how the electronic systems work and using that to my advantage.
Host: Is it reverse engineering?
Guest: A big part of the process. Reverse engineering is the first part of the process, figuring out how the systems work, and then after that we use that information that we learned to do something on the vehicle, whatever it is our target is. Maybe unlocking the doors, maybe it's turning on the windshield wipers, turning the lights on, something benign like that, or turning the car off while it's driving. Depends on the application.
Host: Has that happened besides the Wired story that came out a couple of years ago?
Guest: Has...
Host: Has it happened in a bad way, has a car been hacked in a bad way while driving?
Guest: Not that I'm aware of. We have done hacking since before and since that...
Host: In a controlled environment.
Guest: In a controlled environment for different customers, whether they're government, state, local customers, OEMs, aftermarket. Just depends on the different levels of the requirements and whoever is contacting us.
Host: What does OEM...?
Guest: Original equipment manufacturer. That's the vehicle manufacturer.
Host: Mr. Leale, how did you train yourself to do this?
Guest: It's been so long. A lot of internet resources help. There were in the past a lot of good web sites that described individual systems. Used to work for a company called Intrepid Control Systems, and that company supplies tools to the automotive industry for vehicle interfaces. So I worked a lot with the OEMs in Detroit to train the manufacturer on their own systems, so I learned a lot about their individual systems, how they work. Learned a lot about the vehicle networks. So it was just a learning process over the past, I guess, about 12, 13 years I've been doing that.
Host: What is your role here at Black Hat?
Guest: I'm right to training for the car hacking hands-on training.
Host: What kind of training do you do and who is in the audience?
Guest: The audience, at Black Hat we don't ask the audience who they are because sometimes they don't answer. A lot of times they don't answer.
If you ever read a name tag on a Black Hat person they'll have a name, mcqs mark, something simple. So we learned to not ask them who they are because either they're coming from military or coming from private industry and they don't want to really know... they don't want the rest of the choose know who they are. So, o
