Presented at INCYCON, 2015 (NCDRC) by Praveen Joseph Vackayil

1. Security Challenges
in Emerging
Technologies
Praveen Joseph Vackayil
CISSP, PCI QSA cert., CCNA, ISO 27001 LA, MS - Warwick, BE

2. DISCLAIMER

3. Ground Rules
• Questions are welcome
• Share your knowledge
• Mobile phones – you know
what to do

4. Session Objectives
• Exploratory look at emergent technologies
• Identification of associated security
challenges
• Bottom-line:
Incite the thought process on upcoming
challenges and opportunities in information
security.

5. Session Plan
•The Evolution of Information
Security
•4 Emerging Areas of Technology
and Associated Security
Challenges

6. So Let’s Go

7. The Evolution of Information
Security

8. C
I
A
Quick Reminder
• The fundamental objective of information security is to
protect the C, I and A of data.
However, it wasn’t always this way.

9. The Shifting Focus of
Information Security
• The early days of data security focused primarily on
Confidentiality of Data
• Cryptography dates back to around 2000 B.C. in Egypt when
encrypted hieroglyphic messages were etched on tombs

10. The Shifting Focus of
Information Security
• Military applications of cryptography were developed in the
1800s.
• Cryptography was extensively used to encrypt tactical
communications during World Wars I and II.
Can you Identify This Machine?

11. The Shifting Focus of
Information Security
• With the computing era, the way people use information in
their daily lives evolved.
And with it, so did information security.
1944 Today

12. Today’s InfoSec Focals – How is
Data Transmitted
Accessed
Shared
Retained
Used
Stored
Processed

13. What Does The Future Hold?
Wearables
Self Driving Cars 3D Printing

14. What This All Means
• The same trend from the 60s and 70s is repeating itself.
• Just like how computers spread out from a few offices to the
common man, advanced technology is becoming cheaper and
easily available.

15. From Greater Pervasiveness to
Greater Power
• Technology’s control over a common man’s life is increasing.
• Today we use mobile phones to keep us connected, and
process information.
• Tomorrow, we will use technology to drive our cars to work.

16. Shift in the Goal of Information
Security
• Today, the end objective of information security is mainly to
protect assets like
• money
• trade secrets
• business productivity
• organizations’ reputations, etc.
In future, the end objective will shift towards the protection
of
• Human Life

17. Example Scenario
I’ve hacked into your Core
Banking Database. Pay me
$500,000 or I will crash it.
I’ve hacked into your self-driven
car. All I ask is $10 million. I’ve
texted you my Account Number.
Choose not to comply and I WILL
crash your car.
Cyber extortion TODAY Cyber extortion of the FUTURE

18. 4 Emergent Technologies and
Their Security Challenges

19. Discussion Plan
• Review of 4 Emergent Technologies
Robotics
3D Printing
The Internet of Things
Wearables

20. Robotics

21. Robots Have Been Around A
Very Long Time
First Robot Ever Made:
Archytas’ Bird
• Steam powered wooden bird
• Dates back to 360 BC
• First known attempt at
automation
First Industrial Robot
• 1961 – General Motors developed
a robot to move hot car parts into a
cooling liquid

22. Robotics: Applications Today
• Industrial Applications:
• Factories – manufacture of cars,
packaging material, processed
foods, etc.
• Automation of repetitive tasks
with high precision
• Medical Applications:
• Robotic surgery allows doctors
to control and automate
complex procedures with high
precision, sometimes even
remotely.

23. Military Applications of
Robotics • TALON
• Built by a company called Foster-
Miller
• Most common military robot in use
• Can travel through sand, water, and
snow.
• Has Audio-visual listening devices and
a mechanical arm
• Primarily used in search and rescue
operations. Was used in 911.
• Controlled remotely by a human.
Upcoming versions of TALON will include a weapons system
holding guns and grenade launchers.

24. What Are The Security
Implications?
• End-Points – ie the
equipment at the
doctor’s end or at the
patient’s end is
compromised. This is
less common since the
end-points are usually
physically guarded.
• Network Attacks – the
channel of
communication
between the doctor and
patient is compromised.
This is more common.
Ref: http://arxiv.org/pdf/1504.04339v2.pdf
Consider a Tele-Robotic Surgery. How can it be attacked?

25. Types of Network Attack
Intention Modification
Intention Manipulation
Hijacking Attack

26. How Bad Can It Get?
• The above was just one example, but it
can be extrapolated to other scenarios
where robots are used.
• Most robots today are not entirely
autonomous – ie. they must be instructed
by a human entity over a communication
channel.
• If this process is compromised, the impact
can be death and/or serious physical
damage.

27. Recent Events
Ref: http://time.com/3944181/robot-kills-man-volkswagen-
plant/

28. Security Approach
• Go Back to the Basics
• Strong encryption of the network link between
the Operator and the Operated Device.
• Use secure communication protocols like TLS
v1.3 and above, SSH, WPA2, etc.
• Strong authentication of source and
destination IPs
• Harden the end-point devices
• Perform network and app level pen-testing

29. 3D Printing

30. What Is It?
Technology that allows you to fabricate three
dimensional objects using plastic, metal, ceramics,
powders, liquids, or even living cells provided you
have a blueprint of the object created with CAD
software.
3D Printing has been around
since the late 80s. Since 2006,
the technology has started to
become cheaper and more
accessible.

31. You Will Need A 3D Printer and
a “.stl” Template
http://www.thingiverse.com
3D printing is also called Stereolithography and the CAD templates are created in the
.stl format.

32. Applications
• Automobile Manufacture
Manufacture and testing of
prototypes and auto
parts/components
• Medical Sector
Manufacture of low cost prosthetic
limbs, dental implants and even living
tissue.
• Defence, Education, etc.

33. 3D Printed Weapons?
• Defense Distributed is an open source company that provides .stl designs for
3D printed firearms – for FREE.

34. 3D Printed Weapons?
• Plastic 3D printed guns can actually be used to fire rounds.
• Liberator 3D is a functioning 3D printed gun developed by Defense
Distributed.
• Plastic guns – don’t show up under a metal detector scan. So this means
everyone with a 3D Printer can create and own an invisible weapon.
Ref:
https://www.youtube.com/watch?feature=player_embedded&v=drPz6n6UXQY

35. 3D Printed ATM Skimmers
• An ATM skimmer fits into an ATM card
slot and can capture Track data from a
swiped credit/debit card.
• A pinhole camera/ keypad overlay
captures the PIN as it is keyed in by the
cardholder
• This is transmitted wirelessly to criminals
located within a 100m range of the ATM.
• Unless cardholders are alert, the
skimmer will pass off as a genuine part of
the ATM itself.
• 3D printing allows ATM skimmer devices
to be made faster, more accurately and
efficiently by crooks.

36. How About Your Car Keys?
• All it takes is a few photographs of a key to
create the .stl design and 3D print a
duplicate set.
• Burglars, car thieves, etc. are jumping at
the opportunities.

37. What’s Next?
•There are 6 million parts that go
into a Boeing 747. What if
tomorrow one of those is a 3D
printed fake?
•Counterfeit coins
•Fake ID Cards ???

38. And By The Way…
• The world’s first fully 3D printed car is on its way out in 2016.
• LocalMotors is working on a road-ready model.

39. Solutions?
•The technology is still evolving
•Regulation and Legislation is yet
to catch up with ethical, legal,
privacy and security challenges.
•It is going to be difficult to predict,
let alone prevent the mis-use of
this technology.

40. Wearables

41. Recognize This?
Casio CFX-400 Calculator Watch. 1995.

42. How Do We Understand
Wearables?
What’s Common to All Wearables
,
which are carried either of
a user’s body.
What’s Different
Primary Function of the device
• Smart Glasses- Augmented
Reality Device
• Smart Watch - Makes calls,
plays music, etc.
• Smart Pills – monitor health
stats
Device Capability
• Does it have a camera?
• Can it make calls?
• Is it online?
• Does it keep you alive?

43. Most Popular Wearables Today
• Smart Watches
• Samsung Gear, Apple Watch, Pebble, etc.
• They account for 40% of the wearables market
• Fitness Bands
• FitBit, Garmin, etc.
• Smart Glasses
• Vuzix, Google Glass
Ref: http://www.gartner.com/document/2847117

44. The Security Challenge with
Wearables
I. For a Personal User – Data
Privacy is the primary concern
with Wearables
II. At an Organizational Level –
Data Security is the key concern

45. I. Personal Users: The Privacy
Challenge
• Wearable technology is still evolving.
• The primary design focus is more on
functionality and less on privacy.
• Imagine the data available to a stalker who
has hacked into your fitness band:
• Location of your house
• Places you frequent the most
• Your sleep patterns
• Your food habits
• Your exercise habits
• Your health data: heart rate, BP, etc.

46. Security vs Functionality
• We all know the Google Glass story. A host of great new
features… but privacy??
Eye Tracking Feature Recording Feature
What you see – Glass sees. People that you see – Glass
sees (and can record).
Ref: https://www.youtube.com/watch?t=85&v=9c6W4CCU9M4
Come Jan 2015, Google eventually had to pull the plug on Glass

47. II. Organizational Context –
Security Challenge
The primary challenge with allowing wearables within an
office workspace is Data Security
Mobile phones have already changed the
security landscape within organizations. How
hard is it to take pictures of your screen using a
mobile camera?
The main issue with wearables is they make it
difficult to find out when they are used to steal
data - taking pictures at the blink of an eye, for
instance.

48. The Next Level of Wearables
•Implantables
•Ingestibles

49. Implantables
Jiya Bavishi's auditory brainstem implant is helping her hear
sounds for the first time.
Auditory Brain-Stem
Implant consists of a
i. mic attached to the
ear and
ii. a sensor implanted in
the brain
to process sound signals
in hearing impaired
patients.
Ref: http://www.npr.org/sections/health-shots/2015/06/01/410065053/new-hearing-technology-brings-sound-to-a-litte-
girl

50. Ingestibles
• The Pill communicates with a
wearable sensor on the skin
called a Patch.
• The technology will track the
patient’s physiological stats
about medication ingestion,
heart rate, activity, rest, and skin
temperature
• The digital health information
can be viewed on a synced
Mobile/Tablet.
Ref: proteus.com
Proteus, a company specializing in Digital Medicine, has received FDA
approval for its Digital Pills – sensors which can be swallowed by a patient.

51. What are the Security Threats?
• Can someone hack into your internet connected pacemaker
and speed your heart up till you die? According to the former
US Vice President’s advisors…
Ref:
https://www.washingtonpost.com/news/the-
switch/wp/2013/10/21/yes-terrorists-could-
have-hacked-dick-cheneys-heart/

52. Securing Wearable Technology
Manufacturers of Wearable Technology
• Manufacturers are being pushed by security researchers to look at
security and privacy at the design stage of their devices.
• Devices must anticipate and inform users of privacy compromises they
will make at every stage of using a device
Organizations/Work Places
• Organizations must understand the risks introduced by allowing
wearables within their premises.
• A risk assessment must be done to identify controls ranging from
restricted permission to use these devices to fully denying access
End-Users:
• Users must be aware that privacy will be compromised when they use a
wearable device.
• Children and senior citizens are more vulnerable.

53. The Internet of Things

54. What Is It?
Technology today consists of a number of devices
of different kinds, each with a certain level of
computing power and memory.

55. The IoT is a
ecosystem of
hardware and embedded
within which data can be
and
How Do We Define the IoT?

56. Interesting Statistic
• The IoT s is projected to consist of 30 billion connected
“things” by 2020.
Ref: IDC
The world’s human population is projected to be almost 8
billion by 2020.
Ref: United Nations Population Fund

57. What This Means

58. The Big Challenge – Securing
the IoT
• BMW patches security flaw on their ConnectedDrive software,
that would have allowed a hacker to unlock car doors
Ref: http://www.bmw.com/com/en/insights/technology/connecteddrive/2013/

59. The Big Challenge – Securing
the IoT
Jul 22, 2015: Hack moving Jeep. Switch off engine.
Ref: http://www.cbc.ca/news/technology/hackers-kill-engine-of-moving-jeep-on-highway-in-security-demo-
1.3162944

60. The Challenges are Many
• Complexity
A heterogeneous network means devices on the IoT are
different, with unique designs, software, operating
protocols, etc. Where does a security attempt even begin?
• Uniform Standards
On the IoT, we will need to develop a uniform standard for
devices to communicate. A uniform standard/protocol
makes the IoT that much easier to hack into.
• Monitoring
Currently, organizations have SOCs with IPS/DLP, etc. Who
will monitor the IoT network?

61. IBM Model for the IoT

62. Each Layer Is Susceptible to a
Variety of Attacks

63. • Recommends a holistic approach
• Focus not only on securing the Device, but also,
• The IoT Environment it operates in
• It looks at:
• The Device
• The Cloud
• The Mobile Application
• Network Interfaces
• Software
• Use of Encryption
• Use of Authentication
• Physical Security
• USB Ports
Ref: OWASP Internet of Things Top Ten
OWASP – Internet of Things
Top Ten

64. THANK YOU
&
STAY IN TOUCH
Linkedin.com/in/vackayil
Praveen.jvc@gmail.com