Security Technology Executive

MAY-JUN 2018

Issue link: https://securitytechnologyexecutive.epubxp.com/i/994589

Contents of this Issue

Navigation

Page 5 of 79

6 SECURIT Y TECHNOLOGY E XECUTIVE • May/June 2018 • www. SecurityInfoWatch.com MY POINT OF VIEW By Steve Lask y, Editorial Director • slasky@Southcomm.com Steve Lasky If you have any comments for Steve regarding this or any other securit y industry-related issue, please e-mail him at slask y@southcomm.com. I 'm one of those baby-boomer technology aficio - nados who consider himself a minimalist when it comes to personal tech gadgets. Don't do the whiz-bang digital watches that do everything from phone home to check your IQ , and I still haven't figured out how to program the universal remote my kid got me for Father's Day back before 74-inch Smart televisions were a must-have item. Late last fall, my wife and I were across town visiting friends who fancy themselves pretty tech savvy folks. Both are devotees of their recent purchase of the Ama- zon Echo. You know, that indispensable personal- assis- tance device housed in a desktop speaker that can tell you knock-knock jokes, recite the Gettysburg Address or provide you the latest Martha Stewart muffin recipe. Our long-time friends had just sent their son off up north to college and were settling into the life of fresh- ly minted empty-nesters. So after a couple of bever- ages out on the deck, they proceed with a story of how their far-away freshman had tapped into their Echo and began tormenting them at inopportune moments by throwing his disembodied voice like some sort of Alexa ventriloquist through the various Echo stations about the house. At first, it seemed funny, two weeks later, not so much. That revelation was enough to solidify my stand that we would not be taking in Alexa as a boarder in our home. But the potential privacy issues related to the Echo go far beyond a bored son messing with his parents from his col- lege dorm room. This past spring a team of Israeli cybersecurity resea rchers tapped into a hidden appli- cation related to the voice activation assis- tant on Amazon's Echo device allowing hackers to eavesdrop on its users. The researchers manipulated the 'ShouldEndSession' query code so it remained open even when the user assumed it was closed. The research hackers were not only able to physi- cally eavesdrop on unsuspecting users but were also able to transcribe all spoken words aimed at Alexa, saying that they simply took advantage of a design flaw in the software. Amazon has since announced that it has addressed the issue and eliminated any further exploitation threats. So is the breach of Amazon's Echo device the first domino in the IoT chain to fall or was it no more than an overstated techno stunt that has few real- world ramifications? I posed this question to a group of salty and expe- rienced cybersecurity professionals known as the #CyberAvengers. This intrepid band of cyber do- gooders includes Paul Ferrillo, Chuck Brooks, Kenneth Holley, George Platsis, George Thomas, Shawn Tuma and Christophe Veltsos. Their first reaction was that this was really no surprise. "IoT devices, as related to privacy breaches, have been on shaky ground for some time and for good reason. The problem has two streams: one techno- logical, the other, human. The following statement is wide-reaching, but not necessarily inaccurate either: IoT devices, and the systems they rely on to operate, are inherently insecure. Whether it's insecure code or preprogrammed default passwords and everything else in between, these issues fall into the technologi- cal stream of the problem. Here's the short version: IoT devices rarely are designed with security in mind. In fact, it's the opposite: get to market as soon as pos- sible and that usually means cutting corners," say the CyberAvengers. They insist that the race to get devices to market involves cutting corners. That corner-cutting comes at a cost, but the cost is not so transparent. Saving a few bucks in the R&D phase, in turn, the retail phase could cost the user at the personal level. "That's where your privacy issues come in, a human stream problem. So unless the industry adopts a secu- rity-by-design mindset – which admittedly is more expensive up front and potentially to the end user in terms of dollars – we will have real-world ramifica- tions and we are experiencing them today. No clowning around here. The issue is real," the cyber team says. So guys, is it a toy or must-have tech? "Some of us enjoy the tech but understand it comes with a cost. Others of us though cringe, not only at the thought of using personal assistant technology but being inadvertently caught up in somebody else's per- sonal assistant technology," says the CyberAvengers. "Fully disabling the features is just not good enough for some of us; we want to rid some of our devices of all associated personal assistant technology software. But that's another market force we are dealing with. Apparently consumers like these "toys for big kids" which is why the technology is nearly ubiquitous on all new devices. But here's something else we think too: we don't consider the technology a toy, even if some feel that way." » Some of us enjoy the tech, but understand it comes with a cost. « — #CyberAvengers Alexa, Where's My Privacy?

Articles in this issue

Links on this page

Archives of this issue

view archives of Security Technology Executive - MAY-JUN 2018