'Let's Do Security That Matters'

Type threatpost
Reporter Dennis Fisher
Modified 2013-11-22T20:14:26


NEW YORK–A small group of influential security researchers and executives is putting together a grass-roots movement to encourage more research on the emerging breed of connected and potentially vulnerable devices, such as pacemakers and insulin pumps, and to help educate users about the security and privacy issues they raise.

The effort is meant to help focus security researchers on the new problem set presented by the rise of the so-called Internet of Things, the emerging network of non-PC devices. These devices, including medical devices, appliances and cars, had largely gone unexamined by security researchers until very recently. Some researchers, such as Charlie Miller and Chris Valasek, have looked at the security issues with the on-board computers in some cars, and there has been some notable research on medical devices as well. But compared to the volume of work that’s been done on desktop or mobile software, it’s minuscule.

Those in the security community are aware of the potential problems with these devices, of course, but the consumers who use them have little idea of the dangers that an exploitable security bug in something like a pacemaker or car’s computer could present. Josh Corman, director of security intelligence at Akamai, and Nick Percoco, director at KPMG, are trying to change that by imploring security researchers to work on this new set of challenges rather than hammering away at problems that are already well understood.

“We’re facing a different kind of ocean with apex predators. We’re becoming more and more entangled with insecure and indefensible technologies,” Corman said during a talk at the OWASP AppSec USA conference here. “Let’s do security that matters, not just our day jobs. The outside world is part of the solution set. This is security for the public good.”

In some cases, research into security problems with medical devices, cars or other such non-PC devices has been dismissed as stunt hacking because it lacks the immediate impact of finding a bug in iOS or Google Chrome. Corman and Percoco said they’re well aware that some in the security community will criticize their effort. But that’s beside the point, they said.

“This is about doing research on things that matter rather than on things that frankly don’t matter,” Percoco said. “Today everything is connected, everything is Internet-enabled and the importance of this stuff is growing. If someone with a pacemaker dies, is someone doing forensics on the pacemaker? How are we going to know as a society that these things have flaws?”

The new movement, which is being called We are the Cavalry, got its start at DEF CON this summer, and Corman said it already has attracted a diverse group of researchers, hackers, executives and others with an interest in moving the project forward.

One goal, he said, is to educate the general public about the serious security issues that are likely to arise as more and more devices come online with minimal, if any, security testing.

“The half-lives of these things are twenty, thirty, forty years. Even if we just didn’t know better for the last industrial control system software that went out last year, there’s another one going out this year. The question becomes, can we make better risk decisions if we have more information?” Corman said. “Hacking is a new form of power and it’s available to anyone. It’s just too easy to exert your will on other people.”