
Hacking airplanes, ships and IoT devices with Ken Munro

03 NOV • 2024 1 hour 4 mins

In this captivating episode of Nerding Out with Viktor, host Viktor Petersson sits down with Ken Munro, a renowned cybersecurity expert and penetration tester. Together, they embark on an insightful journey into the uncharted world of aviation cybersecurity, shedding light on the intricacies and vulnerabilities that exist within modern aircraft systems.

As they delve deeper into the realm of aviation security, Ken shares his vast experience in testing aircraft systems, revealing surprising tales of hacking decommissioned planes in a scrapyard. This unique approach allowed his team to practice without compromising passenger safety or active fleets.

One of the most pressing security concerns in aviation today is the Electronic Flight Bag (EFB), a system that has replaced traditional paper-based navigation tools with digital equivalents. However, as Ken astutely points out, EFBs have introduced new vulnerabilities that can be exploited by attackers. By manipulating data within the performance calculators, hackers can mislead pilots about crucial factors like runway length or engine thrust. Viktor and Ken explore the dire implications of these weaknesses and discuss the sophisticated tactics used to secure these systems.

GPS spoofing is another critical topic discussed in this episode. Ken explains how malicious actors can use this technique to confuse an aircraft’s navigation system, leaving pilots with outdated or incorrect data until they’re able to safely land. The complexity of GPS spoofing and jamming is also explored, highlighting the need for advanced security measures to counter these threats.

The conversation then turns to responsible disclosure in the aviation industry, where Ken shares his experience working with manufacturers like Boeing and Airbus. He emphasizes the delicate balance between informing manufacturers about security issues while respecting their time-consuming processes for safety certification. Viktor is impressed by Ken’s commitment to transparency and collaboration, which has led to significant improvements in aviation security.

Viktor and Ken also discuss the industry’s gradual shift towards transparency in handling disclosures and threats. They highlight the importance of collaboration between cybersecurity professionals, manufacturers, and government regulators to continuously enhance aviation security. Ken emphasizes that, while security is critical, safety remains paramount in aviation, often requiring extended timelines for vulnerability patches.

This episode of Nerding Out with Viktor offers a compelling deep dive into the world of aviation cybersecurity, showcasing Ken Munro’s expertise and passion for making aviation safer. For anyone fascinated by cybersecurity, aviation, or the hidden challenges of keeping the skies secure, this conversation is an eye-opening exploration that reveals both the resilience and risks of modern aircraft systems.

Transcript

[00:01] Viktor Petersson
Welcome back to another episode of Nerding Out with Viktor.
[00:04] Viktor Petersson
Today I have Ken Munro with me on the show and he's going to speak all about pen testing and security.
[00:10] Viktor Petersson
So welcome to the show.
[00:12] Ken Munro
Hey, nice to meet you.
[00:13] Ken Munro
How's it going?
[00:14] Viktor Petersson
Good, good.
[00:14] Viktor Petersson
So we first met at BSides Bristol, what, a few months ago.
[00:18] Viktor Petersson
We both spoke there and I caught your talk about hacking planes, which I thought was a fantastic talk.
[00:24] Viktor Petersson
And it definitely opened my eyes up to like the security in that space in general.
[00:29] Viktor Petersson
So I think that's something I wanna kick the show off with.
[00:32] Viktor Petersson
Like what?
[00:33] Viktor Petersson
How did you even get into the space of hacking airplanes?
[00:38] Ken Munro
It's a great story.
[00:39] Ken Munro
So my background, I was supposed to be a commercial pilot.
[00:43] Ken Munro
So back in the day I first started working, oh my gosh, in the 90s in the antivirus industry.
[00:48] Ken Munro
And I was using that to fund my pilot's license.
[00:52] Ken Munro
So I got up and I was supposed to go commercial and the company I was working for at the time went belly up and that was the end of my commercial pilot's career.
[00:59] Ken Munro
So yeah, given the number of near accidents I caused, that's probably actually a good thing for all you passengers out there.
[01:06] Ken Munro
I do still fly general aviation, so light aircraft does crazy things in crazy places.
[01:10] Ken Munro
But yeah, no more commercial flying.
[01:15] Ken Munro
So instead I ended up starting a pen testing firm.
[01:18] Ken Munro
A long time ago now, and at the end of the 2010s, my sort of two passions started to come back together.
[01:25] Ken Munro
I'd say collide, but that doesn't sound great in flying, does it?
[01:31] Ken Munro
And one of my colleagues, an amazing guy called Alex Lomas, who's also a general aviation pilot, but also an aeronautical engineer and a really good pen tester.
[01:41] Ken Munro
We started chatting and realised we had a lot of common interest in planes.
[01:45] Ken Munro
Where'd you go with this?
[01:47] Ken Munro
How do you go about learning to hack planes?
[01:51] Ken Munro
We picked up the phone to one of the breakers yards in the UK and said, those planes that come and land at your place and don't fly again, what happens?
[02:01] Ken Munro
Well, they sit around until we take them apart and that's about it.
[02:06] Ken Munro
We said, well, okay, if it's never going to fly again.
[02:08] Ken Munro
If we gave you some cash to pay for the power, so running the power unit, could we come and have a learn?
[02:15] Ken Munro
They were like, yeah, knock yourselves out, go for it.
[02:18] Ken Munro
It was this really weird situation where we rocked up the first time to one of the airport breakers and they said, well, what do you want to have a go at?
[02:27] Ken Munro
We said, what have you got?
[02:28] Ken Munro
Well, we've got some 737s and some A320s.
[02:31] Ken Munro
I was like, great, off we go.
[02:33] Ken Munro
And we literally turned up with some laptops, a bunch of connectors, some scopes, and just started learning because there's really not very much online about how you hack a plane.
[02:46] Ken Munro
The good news is it's actually very difficult and long may it stay that way.
[02:49] Ken Munro
But, yeah, we just started learning.
[02:52] Ken Munro
And then, as we all know, the world went sideways with COVID which was awful for everybody.
[02:58] Ken Munro
But there was this kind of weird silver lining in the airplane cybersecurity space, which was that the breakers yards got really backed up.
[03:06] Ken Munro
Really backed up.
[03:07] Ken Munro
And also I think some of them were struggling with it because no one wanted to buy the parts because no one was flying airplanes.
[03:15] Ken Munro
And so that's kind of when things accelerated a bit for us: we had, for example, British Airways' entire 747 fleet retired early.
[03:24] Ken Munro
So they were all laid up.
[03:27] Ken Munro
Believe it or not, we were actually offered one for just over a quarter of a million dollars.
[03:30] Ken Munro
But parking was going to be a problem.
[03:36] Ken Munro
Yeah, I don't know.
[03:37] Ken Munro
I think we struggled to get that one in the driveway.
[03:39] Ken Munro
So.
[03:39] Ken Munro
Yes, but it just meant that from chasing down to one of the breakers yards to hopefully get your hands on a plane to learn a bunch of stuff, and then you'd need to go away and really understand what you found, think about exploits and packaging attacks to come back a month later and find the plane was in bits.
[03:58] Ken Munro
But now we had the breaker's yards backed up.
[04:01] Ken Munro
So actually the planes that we got to look at were still there six months, 12 months, 18 months later, because there was no market for the parts.
[04:10] Ken Munro
They were backed up in terms of taking them apart.
[04:14] Ken Munro
And that's when things start to get really interesting and things start to accelerate for us.
[04:19] Viktor Petersson
That's super fascinating.
[04:20] Viktor Petersson
Right.
[04:20] Viktor Petersson
But you got your keys to, well, your figurative keys to the planes.
[04:25] Viktor Petersson
And where do you start?
[04:27] Viktor Petersson
How much did you know about internal communication?
[04:31] Viktor Petersson
Like possible attack vectors?
[04:33] Viktor Petersson
Like even you mentioned cabling and ports and all that.
[04:37] Viktor Petersson
Like even that is probably.
[04:39] Viktor Petersson
These are not things that you have.
[04:41] Viktor Petersson
These are not USB or ethernet cables.
[04:43] Viktor Petersson
I presume that you plug into these, like internal system.
[04:46] Viktor Petersson
There's probably a lot of custom casing, a couple of custom cases, custom cabling and all that, right?
[04:51] Ken Munro
Yeah, absolutely right.
[04:52] Ken Munro
I mean, before we go there, I should say, look, we talk about hacking planes.
[04:55] Ken Munro
It's actually insanely difficult.
[04:57] Ken Munro
And a lot of that has to do with the thought that the manufacturers have given to it.
[05:01] Ken Munro
And Airbus aren't stupid.
[05:02] Ken Munro
They get cyber and there's a lot of effort put into segmenting the plane network.
[05:08] Ken Munro
So the bit in the back where you and I sit, right, that's considered a very dirty network.
[05:13] Ken Munro
The wireless networks we connect to, they're untrusted.
[05:16] Ken Munro
So that's called the passenger information and entertainment services domain.
[05:20] Ken Munro
And what goes on there, frankly, who cares, because it's no different to a wifi hotspot, a cafe, whatever.
[05:29] Ken Munro
Then things get a bit more interesting when you go to the halfway house, which is the information services domain, AISD.
[05:35] Ken Munro
And that's where in some planes you have slightly more privilege for members of the cabin crew to do stuff.
[05:40] Ken Munro
So when you walk onto a plane and you look left or right as you walk on, you probably see a panel there and that's the panel that the cabin crew have more access to and can do a bit more.
[05:51] Ken Munro
And you might remember an old 747, certainly on BA and a few other operators, they had a little terminal under the stairs and that could do quite a bit more.
[06:00] Ken Munro
That was called the cabin management terminal.
[06:02] Ken Munro
So you could do things like send messages.
[06:05] Ken Munro
Funniest bit of all, one of the planes we worked on in 2020, this was running Windows NT 3.51 on that terminal.
[06:15] Ken Munro
Yeah.
[06:16] Ken Munro
And so that's the bit that's kind of in the middle, and then you get to what we call the aircraft control domain.
[06:20] Ken Munro
And that's, you know, that's the flight controls.
[06:22] Ken Munro
And that bit is essentially completely isolated.
[06:26] Ken Munro
So there is no practical way, as has been suggested in the media, of hacking an airplane from the seat in coach.
[06:32] Ken Munro
Just doesn't work.
[06:34] Viktor Petersson
So even you spoke about wifi, but even the infotainment device in the headrest in front of you, that's all on the same threat, I guess.
[06:46] Viktor Petersson
Network.
[06:46] Ken Munro
Yeah, absolutely right.
[06:47] Ken Munro
So it's all in the passenger entertainment services domain.
[06:51] Ken Munro
So historically, you might remember if you get unlucky in economy and you get the seat with a box underneath the seat in front that's basically an ethernet hub.
[07:03] Ken Munro
So essentially that's switching old video protocols.
[07:07] Ken Munro
But I've actually got one in a box just there randomly, but it's in bits.
[07:11] Ken Munro
I won't bother.
[07:13] Ken Munro
But again, turning back the clock, the last one of those we took apart was running DOCSIS.
[07:17] Ken Munro
So really old cable protocols that you won't have seen for years.
[07:22] Ken Munro
It's essentially just a switch.
[07:24] Ken Munro
So there'll be a media server on the plane, older servers, there'll be a set of disks and they'll be distributing video content out to your seat.
[07:32] Ken Munro
More recently, you've tended to find that the seatback device is now going to be an Android tablet, basically dressed up.
[07:40] Ken Munro
So I'm sure many of you have seen those Android icons when you power it up.
[07:46] Ken Munro
What's the worst you could do with that?
[07:50] Ken Munro
There have been a few demonstrated hacks and in fact, we've successfully done it ourselves as well.
[07:54] Ken Munro
But what could you do?
[07:56] Ken Munro
All you've got access to is the video content, so I suppose you could stream some porn.
[08:04] Ken Munro
And that accidentally happened a little while ago.
[08:07] Viktor Petersson
I see.
[08:08] Viktor Petersson
It's more like in the Rickrolling domain of attack.
[08:13] Viktor Petersson
Nothing serious can actually come from that.
[08:15] Ken Munro
Yeah, there was an interesting discussion we had at an aviation cyber event with one of the airlines and we're trying to work out if you broadcast something that caused everyone to panic, could you create a fire safety incident?
[08:30] Ken Munro
I mean, it'd be pretty scary, but could you broadcast something that said, hey, the plane's been hijacked, you need to break into the cockpit, don't trust the crew, or there's a bomb at the front of the plane, run to the back.
[08:43] Ken Munro
So then you end up with this challenge.
[08:44] Ken Munro
You end up with the plane out of weight and balance.
[08:46] Ken Munro
So with everyone in the back actually forces the nose up.
[08:49] Ken Munro
And in certain plane types, in certain flight configurations, you could cause it to nose up and stall.
[08:54] Ken Munro
But practically that's very difficult.
[08:57] Ken Munro
It would only apply at very specific parts of the flight when the fuel tanks are quite empty.
[09:02] Ken Munro
So I don't think that system.
[09:05] Ken Munro
I don't think that the infotainment system is really a practical safety.
[09:10] Ken Munro
Safety.
[09:11] Ken Munro
Relevant vector.
[09:12] Viktor Petersson
Right.
[09:13] Viktor Petersson
Okay.
[09:14] Viktor Petersson
So you, I guess excluded that from your experiments relatively quickly.
[09:18] Viktor Petersson
And after having done some assessments, you moved on.
[09:20] Ken Munro
Oh, no, we hacked them.
[09:23] Ken Munro
Come on.
[09:24] Ken Munro
The opportunity knocked.
[09:26] Ken Munro
I mean, you know, we've got some video which I think you might have seen at BSides.
[09:29] Ken Munro
Gig is we successfully managed to get every seat back seat showing, I think.
[09:37] Ken Munro
What was it?
[09:38] Ken Munro
It was the pilot episode of Scorpion.
[09:40] Ken Munro
We managed to get streaming.
[09:43] Ken Munro
It was more to prove a point that you could.
[09:46] Ken Munro
Is there a practical impact to that?
[09:48] Ken Munro
No, not really.
[09:49] Ken Munro
It was fun to do.
[09:50] Viktor Petersson
Yeah, yeah, fair enough.
[09:52] Viktor Petersson
And in your talk, you kind of moved on to go into what you call the electronic flight bag, which is what you kind of ended up with as a real attack vector.
[10:02] Viktor Petersson
Right?
[10:02] Ken Munro
Yeah.
[10:03] Ken Munro
So if you have physical access to the plane, access to cockpit systems, access to the cargo hold, access to the avionics bay, which is very unlikely, it's virtually impossible in flight.
[10:17] Ken Munro
And even if you had that sort of access, you'd still have to be injecting onto three separate networks concurrently with incredible precision timing, which is on the bounds of practicality.
[10:30] Ken Munro
So a real world hack of aircraft control domain is.
[10:34] Ken Munro
It's not there.
[10:36] Ken Munro
It's really not there.
[10:37] Ken Munro
And despite in the Netflix MH370 documentary where they suggested a Russian special ops team took control of the plane, just no.
[10:47] Ken Munro
So instead we spent our time looking at some of the connected systems that planes now use.
[10:52] Ken Munro
Now, the reason that planes are connected is for you and me, we want to watch movies in the back, we want to get our email when we're flying around.
[10:59] Ken Munro
So passenger connectivity is important, but actually in terms of safety, connectivity is really important for modern airplanes.
[11:06] Ken Munro
So it could be things as simple as weather routing, so you're avoiding turbulence or getting the best tailwind.
[11:13] Ken Munro
So we're using less fuel and less carbon dioxide through to simple things like calculating weight and balance.
[11:20] Ken Munro
Or the one that was most important to us was around what we call engine performance.
[11:25] Ken Munro
And that gets to your point about electronic flight bags.
[11:29] Ken Munro
Now the EFB, if you ever poked your head in the cockpit when you board, you'll probably see the pilots are working on a tablet together.
[11:36] Ken Munro
And that tablet is the electronic flight bag.
[11:39] Ken Munro
And it replaces kilograms of paper that we used to carry around.
[11:43] Ken Munro
So I used to have to carry a physical approach chart, so it's the map that tells you how to land.
[11:50] Ken Munro
I used to have to carry charts of the airspace so I could navigate correctly.
[11:57] Ken Munro
I needed maps of the airport, charts of the airport so I could taxi correctly.
[12:01] Ken Munro
And those are incredibly heavy and also very complicated to update because by law, what's called the AIRAC update cycle mandates that they're updated every 28 days or so.
[12:13] Viktor Petersson
Right.
[12:14] Ken Munro
Which can you imagine the complexity of pushing bits of paper around the world?
[12:17] Ken Munro
So every pilot's got the latest maps.
[12:22] Ken Munro
So the overhead of that, the practicality, that was huge.
[12:24] Ken Munro
So what we use nowadays, we do it all online.
[12:26] Ken Munro
We use electronic flight bags to download those apps, to download those maps so that we don't have to carry around reams of paper that quickly gets out of date.
[12:35] Ken Munro
So it saves a fortune, saves weight, which saves fuel and makes us more efficient.
[12:42] Ken Munro
So we then started going, hang on, all right, these connected tablets, how secure are they?
[12:47] Ken Munro
And that's when things got really interesting.
[12:50] Viktor Petersson
Right.
[12:51] Ken Munro
To give you some examples.
[12:53] Ken Munro
So the average electronic flight bag's probably got between 10 and 20 different applications on it.
[13:00] Ken Munro
And probably the most common is going to be a charting application.
[13:03] Ken Munro
So something like products from people like Jeppesen or Lufthansa Systems, they're very popular charting applications.
[13:11] Ken Munro
But the one that intrigued us was what's called the performance calculator.
[13:14] Ken Munro
Now, when you're sat there at the end of the runway on your plane and it's about to go, what you might not appreciate is that we very rarely use full power, right?
[13:25] Ken Munro
And the reason we don't use full power is it wears the engines quite a bit when we're caning them.
[13:29] Ken Munro
It burns a lot of fuel, so it's expensive, and it chucks out a lot of carbon dioxide when we don't want to do that, right?
[13:35] Ken Munro
So if the runway is long enough and what we call the density altitude, so that's the thickness of the air, is good, and maybe we've got a nice headwind and we're not too heavy, we'll do what's called a performance calculation.
[13:50] Ken Munro
In the case of Airbus, that's called a.
[13:54] Ken Munro
It's called a flex temp.
[13:56] Ken Munro
And when you actually look at the throttles on an Airbus plane, you'll see a setting that says FLX, that's flex temp.
[14:02] Ken Munro
And at Boeing, it's called the derate.
[14:05] Ken Munro
And probably in Boeing, it's a bit more logical.
[14:07] Ken Munro
What we're saying is we derate from 100% down to whatever derate percentage of thrust we want.
[14:12] Ken Munro
And so we're sat there on the runway, pilots go, right, my derate or flex temp is X.
[14:17] Ken Munro
Put in the correct amount of power and the plane trundles off down the runway, reaches V1, up to which we can brake safely, go past that, get to VR, rotation speed, and finally we get to V2, which is the point at which we can safely climb away with one engine.
[14:30] Ken Munro
The gap between V1 and V2, scary place.
[14:33] Ken Munro
If it goes wrong, you're going off the end.
[14:38] Ken Munro
But anyway, so that calculator is really important, and that's one of the core applications on your EFB.
[14:45] Ken Munro
And one of the first vulnerabilities we found was in one of the Boeing performance calculators called OPT, or the Onboard Performance Tool, very well known in Boeing types.
[14:53] Ken Munro
And it takes lots and lots of data.
[14:56] Ken Munro
The obvious ones like runway length, weight, wind direction, so crosswind, headwind, tailwind, but lots of other things like which things on the plane that use power are working.
[15:08] Ken Munro
So are you going to have your air conditioning packs running because they use a bit of power, and that then spits out all the data we need to make a safe departure.
[15:15] Ken Munro
And what we discovered early on was the ability, effectively, it wasn't protecting its own data very well.
[15:21] Ken Munro
So there was no signing mechanism on the database, which meant you could tamper with the data and therefore pilots would potentially use wrong data.
[15:28] Ken Munro
And the simplest example of that is we could make the runway appear longer than it actually was.
[15:33] Viktor Petersson
Right.
[15:33] Ken Munro
Which of course, so the plane thinks it's got longer to get up to speed and therefore commands use of less power.
[15:41] Viktor Petersson
Right.
[15:41] Viktor Petersson
And that's scary.
[15:44] Viktor Petersson
But in terms of the communication between this device and that, your plane, are they completely air gapped or are they like, are they actually on the same wifi or how is intercommunication looking?
[15:55] Ken Munro
Like, are they air gapped?
[15:57] Ken Munro
Yes, but not always.
[16:02] Ken Munro
So when you get onto a plane, you see the pilot using a tablet.
[16:05] Ken Munro
Typically that tablet is air gapped.
[16:07] Ken Munro
It may have Internet access through the sat comms, but there's no practical route from that tablet back into the systems.
[16:13] Ken Munro
And there's some good reasons for that, is it means you're not exposing the airplane, excuse me, to the security of Android or iOS or Windows tablets.
[16:22] Ken Munro
So what will happen is the pilots will take the data it needs, spit it into the iPad, typically for safety and security reasons, they'll then switch and check the data input and then go, okay, I agree.
[16:32] Ken Munro
Calculate what's my derate.
[16:35] Ken Munro
Right, okay, so that's great.
[16:37] Ken Munro
And then they transpose it into the flight management systems to program them to use the right amount of power.
[16:44] Ken Munro
Problem is, sometimes pilots make mistakes even when you cross check.
[16:48] Ken Munro
Very occasionally we've seen cases where pilots have made the same mistake in the calculation or made the same mistake transposing it.
[16:55] Ken Munro
It's very rare, but it does happen.
[16:57] Ken Munro
And every one of those is investigated.
[16:59] Ken Munro
And you'll see that the most common flaw is forgetting to change the weight of the plane when you've done a hot, an interim stop.
[17:10] Ken Munro
And there's a very sad incident in Nova Scotia, I think it was, where some cargo pilots of a cargo 747 didn't change the weight of the plane between landing and filling up the cargo.
[17:24] Ken Munro
They got the weight wrong by, I think, 100,000 pounds.
[17:27] Ken Munro
The error wasn't seen by either the captain or the co pilot.
[17:32] Ken Munro
Didn't get a cross check by the loadmaster, and very sadly, that plane never actually took off and crashed into the end of the runway and everyone very sadly died, which is awful.
[17:43] Ken Munro
And again, the pilots were at the end of a long duty day, they were tired.
[17:48] Ken Munro
It's quite easy to make a mistake, and that's to your point.
[17:52] Ken Munro
Are the EFBs connected or not?
[17:54] Ken Munro
And one way to reduce the ability to make mistakes at transposition is to connect them.
[18:00] Ken Munro
And that's what a couple of the latest plane types.
[18:03] Ken Munro
So the Airbus A350 has a semi-installed electronic flight bag.
[18:08] Ken Munro
So the idea being is you actually remove that layer of error.
[18:11] Ken Munro
But of course, the next thing is you then create a potential vector.
[18:14] Viktor Petersson
Yes.
[18:15] Ken Munro
You no longer have an air gap.
[18:17] Viktor Petersson
Yes.
[18:17] Viktor Petersson
Right, interesting.
[18:20] Viktor Petersson
And so that attack vector is essentially to remotely kind of attack these devices and then tamper with the data on.
[18:29] Viktor Petersson
Well, with data on the device and then basically tamper with the data points there.
[18:34] Viktor Petersson
So that was the most serious attack vector you found so far, or did you find anything else in your findings on hacking planes in general?
[18:43] Ken Munro
Well, so that was just one example.
[18:45] Ken Munro
So that was Boeing's OPT package.
[18:46] Ken Munro
We also found very similar sets of vulnerabilities in a similar Airbus product.
[18:52] Ken Munro
We also found a couple of vulnerabilities in Airbus products, one of which wasn't just a local attack.
[18:58] Ken Munro
It could be done over Wi-Fi.
[19:00] Ken Munro
So Wi-Fi attacks, man in the middle.
[19:02] Ken Munro
Not really practical anymore, are they?
[19:04] Ken Munro
I mean, modern application design, HSTS, etc.
[19:08] Ken Munro
Man in the middle doesn't really work.
[19:10] Viktor Petersson
You would hope, but they still do.
[19:12] Ken Munro
Yeah, except.
[19:14] Ken Munro
So one of the apps we looked at, Airbus had intentionally disabled App Transport Security, which amazingly re-enabled a man in the middle attack.
[19:22] Ken Munro
So yeah, you remove the one protection that stops man in the middle working.
[19:27] Ken Munro
Yeah.
[19:28] Viktor Petersson
And the logic there being that I guess they are using some untrusted network where those would fail.
[19:36] Viktor Petersson
So they might want the fallback.
[19:38] Ken Munro
Yeah, well, we challenged them on this.
[19:41] Ken Munro
It was a bit of interesting disclosure.
[19:45] Ken Munro
Obviously the practicality of a man in the middle attack.
[19:47] Ken Munro
Normally if you're actually targeting someone specifically, you've really got to follow them.
[19:50] Ken Munro
But there's a really weird quirk in aviation, which is that pilots typically always go to the same layover hotel.
[19:56] Ken Munro
And for every plane that's coming down the route, the pilot, the airline will have a contract with whichever hotel and they'll go to the same hotel.
[20:03] Ken Munro
So if you go to an airport hotel on a particular night, you know that a pilot from airline X is there.
[20:09] Viktor Petersson
And it might even be more than that because we are creatures of habit.
[20:12] Viktor Petersson
And if you are staying at the same hotel over and over, you might even stay in the same room over and over.
[20:16] Ken Munro
Absolutely.
[20:16] Ken Munro
Which makes it quite easy to target pilots if that's what you wanted to do.
[20:22] Ken Munro
So it's just this weird quirk.
[20:23] Ken Munro
Now, Airbus did fix that vulnerability quite quickly once we flagged it.
[20:26] Ken Munro
We think it was there because one of their airline clients was probably having some compatibility problems, but like all these things, maybe they enabled something and then forgot to disable it once the problem had been troubleshot.
[20:38] Ken Munro
Familiar story, isn't it?
[20:39] Viktor Petersson
Yeah.
[20:40] Viktor Petersson
So that brings me to my next talking point here.
[20:43] Viktor Petersson
I was curious about responsible disclosures.
[20:46] Viktor Petersson
How did that work in the aviation industry?
[20:49] Viktor Petersson
And I presume people weren't too happy about people digging in their trash, so to speak.
[20:55] Ken Munro
Yeah, it's always a difficult one, disclosing vulnerabilities.
[20:57] Ken Munro
I mean, certainly in many industries which perhaps aren't that familiar with disclosures, they react in quite a hostile way sometimes.
[21:07] Ken Munro
I get it though.
[21:08] Ken Munro
I mean, we are perceived to be criticizing everything they've worked and put blood, sweat and tears into creating.
[21:13] Ken Munro
So you're effectively telling them their baby's ugly.
[21:15] Ken Munro
Right.
[21:17] Ken Munro
Who's going to like that?
[21:19] Ken Munro
But actually we started to see a change.
[21:23] Ken Munro
We're seeing better responses.
[21:24] Ken Munro
And actually I want to give Boeing a hat tip here.
[21:27] Ken Munro
And given they're experiencing some other challenges in the market right now, I think they could do with some good PR, frankly.
[21:34] Ken Munro
Boeing were really good.
[21:36] Ken Munro
When we disclosed those vulnerabilities to them, they were incredibly responsive.
[21:41] Ken Munro
They acknowledged, validated the vulnerability within about three days, as I recall, which is impressive.
[21:48] Ken Munro
The challenging bit.
[21:50] Ken Munro
They said, yeah, great, we found the vulnerability.
[21:52] Ken Munro
We agree with you.
[21:53] Ken Munro
Thank you.
[21:53] Ken Munro
It's going to take us two years to fix it.
[21:55] Ken Munro
We're like, what?
[21:57] Ken Munro
No, no.
[21:58] Ken Munro
Google Project Zero says you get 90 days, then we go public.
[22:00] Ken Munro
Right.
[22:02] Ken Munro
And they said, yeah, but the problem is that code is certified, so we have to go.
[22:09] Ken Munro
Even if we make one tiny change to remove the vulnerability you find, we've got to go and recertify the code, which means we have to test it in every possible scenario that an airplane could experience to make sure we don't accidentally bring in a bug that blue screens it.
[22:22] Viktor Petersson
And these are not, we're not talking integration tests here.
[22:26] Ken Munro
We're talking everything right going all the way back through.
[22:30] Ken Munro
Because what could be worse, we found a vulnerability, but by fixing it, they introduced something that bricks a plane.
[22:35] Ken Munro
Of course, of course.
[22:36] Ken Munro
And that was a learning point for us.
[22:38] Ken Munro
Actually, that was one of the very first vulnerabilities we disclosed in aviation.
[22:41] Ken Munro
And we were like, Boeing came back and they got in touch with us every month and proactively said, look, this is where we're at, this is what we're doing, this is how we're getting on with it.
[22:49] Ken Munro
And I think in the end it took just shy of two years to fix.
[22:52] Ken Munro
But that was a massive learning point for us.
[22:54] Ken Munro
And it meant that when we started the next disclosure, I think we were a lot more accommodating and understanding of that.
[23:00] Ken Munro
You see, it takes time in planes because safety is king.
[23:05] Ken Munro
Security is really important, but safety is king.
[23:08] Viktor Petersson
Yeah, no, I get that.
[23:09] Viktor Petersson
I mean, and I've had previous guests on the podcast speaking about like hardware firmware, for instance.
[23:15] Viktor Petersson
Right.
[23:15] Viktor Petersson
And that like even something like a BIOS, or disclosing issues involved in firmware in general.
[23:22] Viktor Petersson
Like, yeah, what we are used to in the software world is very different from what in the firmware world.
[23:27] Viktor Petersson
Right.
[23:28] Viktor Petersson
Like you're talking a year or so.
[23:30] Viktor Petersson
I think that's what they want to actually fix these things.
[23:33] Viktor Petersson
So, yeah, I definitely see that it is more complicated, for sure.
[23:39] Viktor Petersson
And yeah, so the other thing I want to chat about, because you had some press around this recently, relatively recently, about GPS spoofing in planes, which I found interesting.
[23:50] Ken Munro
Right.
[23:51] Viktor Petersson
So I'm familiar with the concept, but how would that even go about to work?
[23:57] Viktor Petersson
Right.
[23:57] Viktor Petersson
Because there are some territories that are actually avoided entirely by certain airlines for that reason.
[24:02] Viktor Petersson
Right.
[24:02] Viktor Petersson
So let's talk a bit about that because I found that super fascinating, kind of in the realm of security of planes.
[24:08] Ken Munro
Yeah, a real surprise.
[24:10] Ken Munro
It was an eye opener for me right now.
[24:12] Ken Munro
I've been around aviation for nearly 30 years now.
[24:17] Ken Munro
I was there as GPS first emerged in the cockpit of light airplanes.
[24:20] Ken Munro
I was there when GPS first started taking over inertial reference systems, for example.
[24:26] Ken Munro
And we have been well aware of GPS jamming for years.
[24:31] Ken Munro
So it was more of a problem in maritime actually.
[24:33] Ken Munro
So you go to certain installations around the Black Sea and all of a sudden you either GPS would drop out or you get a very coarse position spoof.
[24:41] Ken Munro
So you might be 20 nautical miles away on GPS compared to where you thought you were.
[24:47] Ken Munro
And certainly over the last few years, things have really picked up and there's some very good data from the Ops group, which is a collaboration between lots of airlines, where they've got a group together that analyzes frequency impacts.
[24:59] Ken Munro
And there's a fantastic report they've published since I gave my talk at DEFCON this summer, which actually even that opened my eyes even further.
[25:07] Ken Munro
Right, so what's the problem?
[25:10] Ken Munro
We think about GPS spoofing as being, okay, my plane GPS says I'm in the wrong place.
[25:17] Ken Munro
Okay, well, that's fine.
[25:18] Ken Munro
I can look out of the window or I can dial in my radio nav aids, or I can talk to the ground and everything's fine.
[25:24] Ken Munro
But actually, it's a lot more complicated than that.
[25:26] Ken Munro
And lots of weird side effects have been happening when planes have been experiencing jamming and spoofing.
[25:32] Ken Munro
So the first problem we noticed were a number of planes would fly through an area of jamming or an area of spoofing caused problems to the pilots, particularly if they're flying relatively close to perceived hostile airspace.
[25:47] Ken Munro
Wouldn't take long to get out of position.
[25:50] Ken Munro
But once they come through the area of spoofing, they were having problems in that the GPS wouldn't reacquire.
[25:57] Ken Munro
And that was intriguing because you've come from a position where you knew where you were, your GPS was accurate, you came to the spoofing area, you get out the far side, great, everything's fine.
[26:07] Ken Munro
It's not.
[26:08] Ken Munro
And one of the reasons for that is your GPS almanac.
[26:12] Ken Munro
So that's the bit that tells the GPS receiver roughly where to look for the satellites so it can acquire them.
[26:17] Ken Munro
That almanac was out of date.
[26:19] Ken Munro
So in certain older airplane types, the GPS receiver, which in this case is what's called an MMR or multimode receiver, kind of didn't quite know where to look and therefore couldn't reacquire GPS while it's hacking along at, say, 550 miles an hour.
[26:32] Ken Munro
And that caused some problems.
[26:35] Ken Munro
So that couldn't be reset until the plane was on the ground.
[26:37] Ken Munro
Everything was stationary.
[26:38] Ken Munro
And you could then reset the almanac plane, go, oh, yeah, I can see.
[26:41] Ken Munro
I can see the satellites again.
[26:42] Viktor Petersson
Right.
[26:43] Ken Munro
So that caused problems.
[26:45] Ken Munro
So planes would be potentially on the ground for maintenance for a time, so they couldn't depart.
[26:51] Ken Munro
And another weird thing started happening.
[26:54] Ken Munro
So we think of GPS being that source of position, and the reason we use GPS is more accurate.
[27:02] Ken Munro
It's more accurate than all the inertial reference systems we used to use.
[27:05] Ken Munro
So inertial reference was typically, most recently, spinning laser gyros, and they could detect acceleration and deceleration and gave you a pretty accurate position.
[27:17] Ken Munro
So you could fly over the Atlantic from the UK to the US coming towards JFK, and you might be just one nautical mile out of position.
[27:24] Ken Munro
They were that accurate.
[27:25] Ken Munro
But of course, GPS is better.
[27:27] Viktor Petersson
Right?
[27:28] Ken Munro
And so of course, what you do, you update your inertial reference system with the better source of navigation, which is GPS.
[27:35] Ken Munro
Hang on a minute.
[27:36] Ken Munro
We've now got a problem because we've now got a GPS that's had a position, that's now updated our inertial reference system.
[27:42] Ken Munro
That was our backup system.
[27:45] Viktor Petersson
Domino effect.
[27:47] Ken Munro
Yes.
[27:47] Ken Munro
So we've now lost our secondary navigational aid as well.
[27:53] Viktor Petersson
Interesting.
[27:54] Viktor Petersson
All right, Interesting problem.
[27:56] Viktor Petersson
Space for sure.
[27:57] Viktor Petersson
But let's go back to like, I mean, jamming is pretty obvious how that works.
[28:01] Viktor Petersson
Just basically send the signal stronger than whatever you're trying to pick up on and like jam the receiving signal that you're trying to pick up on.
[28:11] Viktor Petersson
So that's pretty straightforward in terms of spoofing when it comes to GPS.
[28:15] Viktor Petersson
How does it actually work from a technical perspective?
[28:18] Ken Munro
So I'm not going to go into that because I don't want to be accused of showing people how easy it is to spoof planes.
[28:25] Ken Munro
But you will find a matter of few minutes on YouTube and a software defined radio and you probably have enough to do it quite effectively.
[28:32] Ken Munro
And the scary bit is, you probably know GPS has a very weak signal, so it doesn't take very much to do it.
[28:38] Ken Munro
So let's not go into that in too much detail, shall we?
[28:41] Viktor Petersson
Fair enough.
[28:42] Viktor Petersson
All right, that's fair enough.
[28:45] Ken Munro
All right, let's.
[28:46] Ken Munro
Yeah, well, there's definitely more to go on the whole GPS thing as well, because we've seen this weird situation where we're seeing a secondary navigational mode be affected, poisoning if you like.
[28:57] Ken Munro
So when that happens, so the last thing we've got at our disposal is what we call radio navigation, and that's where we use beacons on the ground.
[29:07] Ken Munro
A good example of this, you might have heard what's called a VOR or a very high frequency omnidirectional radio range that was invented in the US in the late 40s and we still use them.
[29:16] Ken Munro
And if you actually look at the airways across various continents, they typically meet at points where there's a VOR, so it's fine.
[29:24] Ken Munro
So we've lost GPS, we've lost inertial reference, we can use old school radio navigation, except there's a problem because those VORs are really expensive to maintain, so they're gradually being retired.
[29:38] Ken Munro
We've now got a problem where we've lost our primary, our secondary and now our tertiary net mode of navigation.
[29:44] Ken Munro
So old school, they're now starting to be retired because they're expensive to run.
[29:49] Ken Munro
And it gets worse.
[29:51] Ken Munro
Right, so that's navigation at altitude.
[29:53] Ken Munro
Right.
[29:54] Ken Munro
And those VORs can also be used to what's called a non precision approach, where we can approach as long as there's enough visibility, we can come through cloud and land safely.
[30:03] Ken Munro
So we then move on to instrument landing systems, which, as I'm sure you know, allow the plane to land when it's foggy.
[30:10] Ken Munro
Those instrument landing systems are really expensive to run and calibrate and keep running.
[30:15] Ken Munro
So particularly in perhaps secondary airports around.
[30:18] Ken Munro
So perhaps, you know, regional airports around the world, they're starting to be retired because GPS is more accurate.
[30:24] Viktor Petersson
Right.
[30:26] Ken Munro
But hang on, we've now got a spoofing problem and there's even a documented case in Estonia, an airfield called Tartu.
[30:34] Ken Munro
It might be Finland.
[30:34] Ken Munro
Trying to remember Tartu Airport.
[30:36] Ken Munro
You can read up on it, where they actually had to retire the approach for a period of time because they're very close to the Russian border and there was so much spoofing going on and they've retired instrument landing system.
[30:45] Ken Munro
Planes couldn't land there for a while.
[30:46] Ken Munro
So it's happened.
[30:47] Ken Munro
Yeah, so that's a problem.
[30:52] Ken Munro
And then you start getting into other crazy things.
[30:54] Ken Munro
So your primary navigation GPS has gone down.
[30:56] Ken Munro
Your secondary navigational inertial reference isn't working anymore.
[31:00] Ken Munro
So.
[31:00] Ken Munro
So your ground receivers aren't working anymore because they've been retired because they're expensive.
[31:04] Ken Munro
So what you do, well, the last thing you've got is you can speak to the controller on the ground and go, hey, tell me which way to go.
[31:10] Ken Munro
And that's called a radar vector.
[31:11] Ken Munro
And so the controller goes, oh, you're all right, I've got you on primary radar, secondary radar, turn right, bearing 270.
[31:19] Ken Munro
Right.
[31:20] Ken Munro
Great.
[31:21] Ken Munro
Maintain altitude X.
[31:22] Ken Munro
Great.
[31:22] Ken Munro
And you go the right way and everything's fine.
[31:24] Ken Munro
Except that GPS spoofing happens in defined areas, so it's going to happen to lots of planes at once.
[31:30] Ken Munro
And there's been some really interesting research to show that controller workload can increase by five times for one plane, requiring radar vectors.
[31:39] Ken Munro
So all of a sudden you've gone from controllers very happy to massively overworked with a bunch of planes all experiencing the same problem, all needing radar vectors.
[31:48] Ken Munro
And that then creates problems where overloaded controller can make mistakes.
[31:53] Viktor Petersson
Oh, wow.
[31:56] Ken Munro
But it gets worse.
[32:00] Ken Munro
Oh, dear.
[32:01] Ken Munro
So now, and this is really where I was going with the talk at DEFCON was we think about GPS position, all right, we think of spoofing and jamming as loss of position.
[32:11] Ken Munro
But actually, GPS, as you well know, is actually simply a very precise source of time.
[32:16] Viktor Petersson
Yes.
[32:17] Ken Munro
All right, so where does the airplane source its time from?
[32:21] Ken Munro
Well, it used to source it from a local clock.
[32:24] Ken Munro
Right.
[32:25] Ken Munro
Even the most precise clocks on planes, very slowly, they drift a little bit over time.
[32:31] Ken Munro
Particularly as we're flying at altitude and high speed, you see a very small amount of clock drift.
[32:35] Ken Munro
So what, you update it from GPS.
[32:38] Viktor Petersson
Right.
[32:40] Ken Munro
So the primary source of time sync in most modern airplanes is likely to be GPS
[32:45] Ken Munro
based. And we saw a really interesting incident that I won't go into detail of who or what or when because it's quite sensitive.
[32:51] Ken Munro
Is a plane experienced not just position spoofing, but experienced a time spoof.
[32:58] Ken Munro
GPS is time and they spoofed the time into the future.
[33:02] Ken Munro
And of course because GPS was a single trusted source of time, it then effectively updated various other systems and caused a lot of the digital certificates on the airplane to expire.
[33:12] Ken Munro
So now all your communications have gone as well.
[33:16] Ken Munro
Because a good example, sorry, is controller-pilot data link, which requires very precise time.
[33:23] Ken Munro
You can't be more than a second adrift for the digital communications between the controller and the pilot to work.
[33:28] Ken Munro
But there's lots of other things think about.
[33:30] Ken Munro
There was a case where the cabin Wi-Fi went down.
[33:34] Ken Munro
Why?
[33:34] Ken Munro
Because the source of time was wrong.
[33:36] Ken Munro
So all the certificates were expired.
[33:38] Ken Munro
Well, they weren't strictly expired because it was the future.
[33:40] Ken Munro
But yeah, they just weren't valid.
[33:44] Ken Munro
And then that gets even more complicated because you've now got a bunch of clocks on the plane that are now updated from the GPS clock that are now out of date.
[33:52] Ken Munro
But time GPS particularly is protected from rolling back.
[33:57] Ken Munro
You can roll forward, but you can't roll back.
[34:00] Ken Munro
So this caused a lot of trouble because for the first time a bunch of components on a plane had to be reflashed to get the time back to the correct point in time so the plane could then fly again.
[34:11] Ken Munro
And that caused an outage on the plane for a significant period of time.
[34:13] Ken Munro
It took a couple of weeks of downtime.
[34:16] Viktor Petersson
Oh yeah.
[34:17] Ken Munro
So it's mind blowing.
[34:19] Ken Munro
And the instructions right now, so if you go to the.
[34:22] Ken Munro
What's called the quick reference handbook.
[34:23] Ken Munro
So it's on the EFB that we talked about.
[34:25] Ken Munro
So if I'm experiencing GPS spoofing, what I do first thing to do is change the clock to local plane time.
[34:31] Ken Munro
So you're not using GPS anymore.
[34:33] Ken Munro
But that involves the pilots to be like on it.
[34:36] Ken Munro
You're flying a plane, you're doing something else.
[34:38] Ken Munro
All of a sudden something weird happens with GPS.
[34:40] Ken Munro
Oh, got to do that.
[34:41] Ken Munro
By which time it could easily.
[34:42] Viktor Petersson
Time sync is like milliseconds to take to complete.
[34:46] Viktor Petersson
Right.
[34:47] Viktor Petersson
You just need one packet to come through really.
[34:49] Ken Munro
And there's some also some good advice coming out about, you know, if you're going to be entering an area of known spoofing, you'll switch to local clock anyway.
[34:56] Ken Munro
So that's good.
[34:57] Ken Munro
But it's still.
[34:58] Ken Munro
It worries me that it's reliant on the pilots.
[35:00] Ken Munro
Right.
[35:00] Ken Munro
Now the good news is that there is a future for all this and that's what we call hybrid GPS.
[35:06] Ken Munro
So we correlate GPS from satellites with certain position broadcasts from the ground as well.
[35:15] Ken Munro
A good example of that.
[35:16] Ken Munro
Remember those radio based navigational layers I talked about?
[35:18] Ken Munro
What we do is we actually correlate GPS with where the radio transmitter on the ground is as well, which is great because that allows us to check.
[35:27] Ken Munro
Well, hang on, there's a coarse error in my position and time up here and the ground based navigator is saying I'm there, that's just radius.
[35:34] Viktor Petersson
Well, so you could in theory spoof that as well.
[35:36] Ken Munro
But it's two things, right?
[35:37] Viktor Petersson
Yeah, fair enough.
[35:39] Ken Munro
Yeah, it's more complicated and actually the ground based nav aids have got a lot of radio power, so you need a big transmitter to overwhelm that.
[35:46] Ken Munro
But this is again where I'm worried about ground based nav aids being retired because we're retiring them for reasons of cost because GPS was better.
[35:55] Ken Munro
But actually now we're finding out that GPS is quite vulnerable to certain attacks.
[35:59] Ken Munro
So we need to rely on those ground based navigation aids again.
[36:01] Ken Munro
But if they've all been retired because they're too expensive, we've got no way to have a hybrid GPS system.
[36:07] Viktor Petersson
And I guess in these attacks of spoofing, because you have two GPS systems, right?
[36:10] Viktor Petersson
You have, I forgot what they call the different types of GPS systems.
[36:13] Viktor Petersson
Like it's like even the smartwatches, like for athletes, like they use dual systems, right.
[36:18] Viktor Petersson
In these attack vectors.
[36:21] Viktor Petersson
Are they spoofing both systems or are planes using both systems or how does that look like?
[36:26] Ken Munro
Yeah, so we talk about GPS, but GPS, we're typically talking about the US Global Positioning System.
[36:31] Ken Munro
But actually it would be better to talk about GNSS, which is all of the various countries' satellite systems.
[36:42] Ken Munro
So for example GLONASS I believe is the Russian one, you've got a European version, you've got a US one.
[36:46] Ken Munro
I think there's a Chinese version too, which name escapes me.
[36:49] Ken Munro
So we talk about GNSS as being the aggregation actually pretty much every receiver on every plane.
[36:54] Ken Munro
And most smartwatches will pick up every one of those if they need to for precision reasons.
[36:59] Ken Munro
Right.
[37:01] Ken Munro
But the fundamental principles are the same.
[37:04] Viktor Petersson
Are the roughly the same as well.
[37:07] Ken Munro
That's a great question.
[37:08] Ken Munro
They operate in a similar space.
[37:10] Ken Munro
The technical challenges are the same to chance.
[37:12] Viktor Petersson
SDR could do easily do both.
[37:14] Viktor Petersson
All of them.
[37:15] Viktor Petersson
Yeah.
[37:16] Viktor Petersson
Okay, fair enough.
[37:16] Viktor Petersson
Yeah, that's interesting.
[37:18] Viktor Petersson
Oh wow, that's some interesting cascading impacts of jamming.
[37:26] Ken Munro
If anyone wants to read more, what probably the best source of information right now.
[37:30] Ken Munro
It wasn't available when I did my talk in the US at DEFCON.
[37:33] Ken Munro
It is now.
[37:33] Ken Munro
It's from the Ops group.
[37:35] Ken Munro
It's an amazing website.
[37:36] Ken Munro
They've got their report.
[37:37] Ken Munro
There's 150 pages of stuff.
[37:40] Ken Munro
Absolutely fascinating, particularly some of the cascade consequences that we're now seeing direct evidence of in certain planes.
[37:47] Viktor Petersson
I'll make sure to link that up in the show notes because that sounds like a good read and that let me switch topic to maritime security because that's another topic that you guys have been on.
[37:57] Viktor Petersson
Another odd area of, I guess pen testing, right?
[38:02] Viktor Petersson
Because you guys have got your hands into some strange pen testing really.
[38:06] Viktor Petersson
But it's super fascinating, right?
[38:08] Viktor Petersson
How does that look in that world?
[38:10] Viktor Petersson
Is it very similar to the aviation space or completely different?
[38:16] Ken Munro
It's completely different.
[38:17] Ken Munro
And the reason is that back in the day, until about five, 10 years ago, ships weren't connected.
[38:27] Ken Munro
So none of it mattered.
[38:30] Ken Munro
It didn't really matter.
[38:32] Ken Munro
So if you wanted to use a sat phone or you needed satellite comms, you had to use what's called fleet broadband, which was insanely expensive.
[38:40] Ken Munro
So it was reserved for use in emergencies only.
[38:42] Ken Munro
Right?
[38:43] Ken Munro
Stupidly expensive and slow.
[38:46] Ken Munro
Yeah, you're talking dollars a kilobyte.
[38:50] Ken Munro
It was that expensive.
[38:52] Ken Munro
So that was your emergency stuff.
[38:56] Ken Munro
But everything changed with VSAT.
[38:58] Ken Munro
So went from insanely expensive connectivity to always on, everywhere connectivity.
[39:05] Ken Munro
And it got to the point where if you wanted good crew, you had to have VSAT because they wanted to be always on, they wanted to be doing email, in touch with their families, doing social media, surfing, Internet.
[39:16] Ken Munro
You had to have good VSAT and give them access to it.
[39:19] Ken Munro
If you didn't have good VSAT, you didn't get good crews.
[39:23] Ken Munro
But that changed everything.
[39:24] Ken Munro
So the ships' operators went, okay, we'll do VSAT.
[39:27] Ken Munro
That's a really good idea.
[39:27] Ken Munro
It means we can do least cost routing, avoiding headwinds, we can avoid storms.
[39:31] Ken Munro
At last minute we can have routing changes.
[39:35] Ken Munro
So we're up loading and unloading our cargoes more efficiently.
[39:37] Ken Munro
Great, fantastic.
[39:40] Ken Munro
So they connected their ships, which frankly had such out of date technology on board.
[39:47] Ken Munro
I mean we're talking 20 years of technical debt.
[39:51] Ken Munro
Unbelievable issues.
[39:54] Ken Munro
So bad.
[39:54] Ken Munro
I mean, my colleague Andrew Tierney, who's giving a talk at the International Maritime Organization this Wednesday, in fact about exit, he says in the last five years of testing ships, he's never once had to use an exploit.
[40:07] Ken Munro
It's that bad.
[40:09] Ken Munro
Yeah.
[40:10] Ken Munro
It's gone from public Internet through to taking control of the rudder, the helm, the engines on a vessel.
[40:19] Ken Munro
Don't get me wrong, that's not easy.
[40:21] Ken Munro
And you typically need access to vessel to prove the attack path.
[40:24] Ken Munro
But yeah, without using an exploit, taking control of a vessel remotely.
[40:29] Viktor Petersson
That sounds like a VNC roulette almost.
[40:34] Ken Munro
I'm saying nothing.
[40:39] Viktor Petersson
Oh wow.
[40:40] Viktor Petersson
So how does that industry respond to this?
[40:46] Viktor Petersson
I guess you guys have done some responsible disclosures.
[40:50] Viktor Petersson
How has that landscape looked like there?
[40:54] Ken Munro
So I think there's a wonderful metaphor in terms of turning the oil tanker.
[40:59] Ken Munro
Shipping takes a long time.
[41:04] Ken Munro
There's been some attempts at regulation, so MSC 428 for example, there's a couple of others, but they really haven't had the effect of really getting shipping operators to stand up.
[41:17] Ken Munro
Actually this is important.
[41:19] Ken Munro
There has been a regulation change just happened this summer actually.
[41:23] Ken Munro
What's called IACS UR E26 and 27.
[41:28] Ken Munro
Right.
[41:29] Ken Munro
Have actually made cybersecurity mandatory for new build boats from start of this year, next year.
[41:38] Ken Munro
Sorry.
[41:39] Ken Munro
So there's a little bit of hope and everyone's getting quite excited.
[41:42] Ken Munro
Nope, nope.
[41:43] Ken Munro
So what has to happen is those boats have to come to the end of life and sink or whatever before.
[41:47] Ken Munro
No, I think I'm being facetious.
[41:49] Ken Munro
So yeah, we've got huge problems.
[41:51] Viktor Petersson
Yeah.
[41:52] Viktor Petersson
The life cycles of these vessels, I would imagine, are in the range of 20-some years.
[41:56] Viktor Petersson
Right.
[41:56] Ken Munro
Yeah.
[41:57] Ken Munro
Yeah.
[41:57] Ken Munro
You want to sweat that asset for 20 years before it gets broken up.
[42:00] Ken Munro
And of course even if you designed it well on day one, refits, modification, tampering and I can think of one case where we're looking at.
[42:11] Ken Munro
We were working on an exploration drilling rig and one of the engineers responsible for the dynamic propulsion system had his office up on the main deck and in order to administrate things had to walk down a bunch of stairs down to the base of the vessel.
[42:25] Ken Munro
Didn't want to do that, so bypassed all the segregation and as a result of that exposed the ship to remote compromise.
[42:34] Ken Munro
So it's all very well having a good design, but was it designed correctly, was it then built correctly by the shipyard?
[42:41] Ken Munro
Often they don't follow what you intended security wise.
[42:45] Ken Munro
Does it then do what you intended when you shake the vessel down?
[42:47] Ken Munro
Very rarely.
[42:49] Ken Munro
And then what happens over the life of the vessel in terms of maintaining its security?
[42:53] Viktor Petersson
I mean this sounds so familiar to other industries as well.
[42:56] Viktor Petersson
Right.
[42:56] Viktor Petersson
Because they, this tend to come from industry where they don't deem themselves as software companies.
[43:02] Viktor Petersson
Obviously because they're not.
[43:03] Viktor Petersson
But they also have, don't have that culture.
[43:05] Viktor Petersson
They view it as, I guess a one time fee to solve software.
[43:11] Viktor Petersson
And then there is no ongoing maintenance or life cycle management of these things.
[43:15] Ken Munro
Right.
[43:17] Viktor Petersson
So that's when these things happen.
[43:20] Ken Munro
Yeah.
[43:21] Ken Munro
Where'd you go?
[43:21] Ken Munro
And I think the really challenging bit is the acceleration that maritime's had to experience, as most other industries, financial services being a great example, have been a target for attack for 20 plus years.
[43:35] Ken Munro
On the cyber side, they've seen iteration and they've improved their cybersecurity little by little over the last couple of decades.
[43:45] Ken Munro
The problem with maritime is they've gone from zero and need to get to 100% in the space of a year or two.
[43:51] Ken Munro
And that's an incredible ask for a floating environment that is also safety critical, that if it ain't broken, why would you fix it?
[43:59] Ken Munro
Says the average chief engineer on a ship.
[44:01] Viktor Petersson
Yeah.
[44:02] Viktor Petersson
And also every time that's in dock that is not generated revenue, that's a massive cost.
[44:07] Viktor Petersson
Right.
[44:07] Viktor Petersson
So retiring that for months, just fix security issues or perceived security issues.
[44:16] Ken Munro
You end up with this weird race to the bottom as well.
[44:18] Ken Munro
Because often when you've taken a ship in after say 10 years, it might be coming in for a refit of some of the bridge systems.
[44:22] Ken Munro
So you get some of the advantages of the latest connected bridges which offer you much improved safety, better weather routing, saving money on fuel use for example.
[44:32] Ken Munro
But they still need to work with all the grimy dirty bits down in the bowels of the ship.
[44:37] Ken Munro
And if they've got static credentials, that new sexy bridge has to have static credentials too to talk to it.
[44:42] Ken Munro
So you introduce exactly the same vulnerability even though you put brand new kit onto that vessel.
[44:48] Viktor Petersson
Yeah, I mean this is, I think I'm usually not a massive fan of over regulation, but I think in the security space it's one of the only ways to actually make the industry changes.
[45:00] Viktor Petersson
Like CRA is a good example of this.
[45:02] Viktor Petersson
I think we might not like it, but it was the only way for our industry to change.
[45:11] Ken Munro
I completely agree.
[45:13] Ken Munro
I'm not a particular fan of regulation either.
[45:15] Ken Munro
I'd far rather see market forces drive behavior.
[45:18] Ken Munro
But to use an example with IoT smart devices is the market pressure doesn't exist because the consumer isn't capable of making a buying decision based upon cybersecurity at the point of sale, therefore the driver's gone.
[45:31] Ken Munro
So that's where I think regulation is important, where the market cannot force behaviors in a good direction.
[45:37] Ken Munro
And that's where I think, for example, the EU CRA will drive behaviors in a certain direction to actually benefit all of us as consumers.
[45:45] Viktor Petersson
Yeah, security is a weird one.
[45:47] Viktor Petersson
Right.
[45:47] Viktor Petersson
And you can't touch on that.
[45:49] Viktor Petersson
The average user is by no means savvy enough to understand what the harm is to have static credentials in their baby cameras.
[45:57] Viktor Petersson
Right.
[45:57] Viktor Petersson
Like, oh, very convenient.
[45:59] Viktor Petersson
It's right here on the packaging.
[46:00] Ken Munro
Yeah.
[46:02] Viktor Petersson
But then connected Internet and there you go.
[46:05] Viktor Petersson
Right.
[46:05] Viktor Petersson
So I think that's a good segue to the work you guys have done in the IoT space because you've done some interesting work there as well.
[46:13] Viktor Petersson
You found some good, interesting problem with various IoT devices.
[46:19] Viktor Petersson
By the way, I used to shout that I loved your Chromecast and Alexa hack because I think that was a very clever.
[46:24] Viktor Petersson
It's an old video, but it's a very clever attack vector where.
[46:28] Viktor Petersson
Yeah, yeah, recap it for audience.
[46:30] Viktor Petersson
I think it was a.
[46:31] Viktor Petersson
It's a clever attack.
[46:32] Viktor Petersson
Relatively simple, but clever.
[46:33] Ken Munro
It was fun.
[46:34] Ken Munro
Yeah.
[46:34] Ken Munro
So the Chromecast, which you plug into your TV to make it smart, right?
[46:39] Ken Munro
Certainly for older TVs, great device, but it has this weird thing where if you deauth it over Wi-Fi, it would spin up an open access point and you can then connect to it and then you could then cause the TV to stream arbitrary content.
[46:53] Ken Munro
And we thought, hang on, well, that's not very useful, is it?
[46:55] Ken Munro
You know, you can put something rude to appear while your kids are watching the TV.
[46:58] Ken Munro
If you're a dodgy hacker outside, then we thought, hang on, home assistants.
[47:03] Ken Munro
So what about the Echo and Google products?
[47:08] Ken Munro
Actually what you could do is you could call someone's TV that was off, hit the Chromecast, it will power the TV on and you could then stream arbitrary content.
[47:17] Ken Munro
So a blank YouTube video of you saying something that's then recognized by the Echo and then trigger stuff to happen in your house.
[47:24] Ken Munro
So it was a very funny TV show where we were doing this from outside and causing people.
[47:28] Ken Munro
People's lights to come on, the heating to come on, in some cases, some early smart locks, you could make the front door unlock as well.
[47:34] Ken Munro
So lots of weird things.
[47:35] Ken Munro
And I think for giggles, we also found a third party recipe that would allow you to summon your Tesla, right?
[47:46] Viktor Petersson
No, but this is what I love with the domain of security because it's always like thinking outside the box, right.
[47:54] Viktor Petersson
It's like it doesn't seem very harmful, but you chain together these things, you can make unexpected things happen.
[48:01] Ken Munro
Right.
[48:02] Viktor Petersson
And I think that was a really clever way of looking at that.
[48:05] Viktor Petersson
And you had another interesting attack with the smart helmet level, I think they call it.
[48:11] Viktor Petersson
Level.
[48:12] Ken Munro
Oh, yeah, where's that?
[48:14] Ken Munro
I think that might be in my bag of skiing gear at the moment.
[48:19] Ken Munro
Now, what was the vulnerability of that?
[48:20] Ken Munro
I'm trying to remember.
[48:21] Ken Munro
I think.
[48:23] Ken Munro
What did it do?
[48:24] Ken Munro
yeah, I remember now.
[48:26] Ken Munro
So there was.
[48:26] Ken Munro
It's a smart helmet.
[48:27] Ken Munro
Great.
[48:28] Ken Munro
I mean, do you ski?
[48:29] Ken Munro
Do you board?
[48:30] Viktor Petersson
Yeah, yeah, I do occasionally.
[48:31] Ken Munro
Okay.
[48:32] Ken Munro
And you know what it's like is, you know, you're skiing with your buddies and you lose them and it's like this, gloves off, dial their phone and you never quite get.
[48:39] Ken Munro
It never works.
[48:40] Ken Munro
So the idea was this smart helmet that connected to an app on your phone where you just pressed a button here and then it span up using the app using cellular data, you could then talk to your buddies.
[48:50] Ken Munro
I mean, I'll be honest, it was pretty clunky.
[48:52] Ken Munro
It didn't work very well.
[48:54] Ken Munro
But there was a lack of user authorization, so anyone could jump into any of the groups and just start spouting stuff to each other.
[49:02] Ken Munro
So you could have people creeping on you through your helmet.
[49:04] Ken Munro
Weird.
[49:05] Ken Munro
But then that same functionality also allowed to track people in real time.
[49:09] Ken Munro
So using a very weak authorization key, you could then see where everyone was in the ski resort.
[49:15] Ken Munro
So privacy invasion.
[49:18] Ken Munro
Bit of fun.
[49:20] Ken Munro
Good excuse to mess around with some smart connected ski gear.
[49:23] Viktor Petersson
Yeah, absolutely.
[49:24] Viktor Petersson
That brings me to another topic, which is like, you guys obviously do solve these things for shits and giggles, I would imagine, because she's like, oh, this is fun.
[49:33] Viktor Petersson
But when you approach one of these projects, like, you forget a new device.
[49:37] Viktor Petersson
How do you guys approach it?
[49:39] Viktor Petersson
Where do you start?
[49:40] Viktor Petersson
You get a new shiny IoT gear.
[49:43] Viktor Petersson
How do you start poking at it?
[49:45] Viktor Petersson
Like, what's the process like?
[49:47] Viktor Petersson
Is there a such thing?
[49:48] Ken Munro
This is going to sound really weird, but through 10 years experience of looking at smart devices, many of the team here, you get a feel for what's going to be wrong with it before you've even got the product.
[50:01] Ken Munro
You can often do stuff like pulling the firmware from online resources.
[50:04] Ken Munro
First, you can use open sources.
[50:06] Ken Munro
So the FCC, Federal Communications Commission, website is actually really good for getting useful data off it.
[50:13] Ken Munro
You get a sixth sense of what's going to be wrong with something based upon other devices you've seen.
[50:20] Ken Munro
Sometimes it'll be esoteric stuff in the firmware, other times it'll be really stupid stuff to do with lack of Bluetooth pairing security.
[50:28] Ken Munro
I brought this along for reasons.
[50:32] Ken Munro
You probably have one of these as a kid.
[50:33] Ken Munro
I certainly did, mine was made of wood though, and it certainly wasn't smart because I'm old.
[50:38] Ken Munro
This is the new Bluetooth connected version of the Fisher-Price Chatterbox phone.
[50:43] Ken Munro
And you can connect it to your phone over Bluetooth.
[50:45] Ken Munro
And I kid you not, you can genuinely then pick up and start making calls on this from your cell phone, which I love.
[50:49] Ken Munro
You can even use the rotary dial.
[50:51] Ken Munro
And my kids looked at this going, what's one of those, Daddy?
[50:55] Ken Munro
I've not used one of those.
[50:56] Ken Munro
But the problem being is they put no thought into Bluetooth pairing security.
[51:00] Ken Munro
So it was always on.
[51:02] Ken Munro
The battery lasts a couple of months and any Bluetooth device in range could just connect and wow, once that, you know, the kids are probably playing with it.
[51:10] Ken Munro
If they leave the headset off, the handset off, the microphone, speaker are continuously enabled.
[51:15] Ken Munro
So you can just bug and spy on people.
[51:17] Ken Munro
I think that's really silly that Fisher-Price would make such a mistake.
[51:22] Viktor Petersson
I think my thinking on all these smart things that most things are better stupid than smart.
[51:29] Viktor Petersson
There is often very little reason to make things smart because the more smart they are, the more stupid they become.
[51:34] Ken Munro
Yeah.
[51:35] Ken Munro
Don't get me wrong, you know, I do have some, finally have some smart products in my own home.
[51:39] Ken Munro
So I have a connected heating system which I use, and we haven't battered the security of it, so it's one I'm very happy with.
[51:46] Ken Munro
And I think there's definitely a case for connectivity in certain areas.
[51:49] Ken Munro
I mean, as a result, I use less fuel, I save carbon dioxide.
[51:53] Ken Munro
You know, the heating works for me now.
[51:56] Ken Munro
And I think there's also a really strong case in certain areas of assisted living for our elderly.
[52:00] Ken Munro
I think there's a strong case for IoT there.
[52:02] Ken Munro
And I also think there's a strong case for IoT in healthcare.
[52:05] Ken Munro
I think we will live longer, better, more fulfilled lives with connectivity.
[52:10] Ken Munro
But those areas that we need to be really careful of.
[52:14] Ken Munro
Healthcare and elderly people.
[52:16] Ken Munro
We need to be really careful about the cybersecurity of those communities.
[52:21] Viktor Petersson
Yeah, absolutely.
[52:23] Viktor Petersson
I guess to elaborate, what about smart TVs, which are usually worse than a dumb TV.
[52:30] Viktor Petersson
And like, you guys had a post about this while doing some research before the show about.
[52:37] Viktor Petersson
I think it's an old post, but Samsung's Tizen asks you to do like a virus check on their TVs.
[52:44] Viktor Petersson
And it's just like if my TV requires me to run a virus scan, it's the wrong tool for the job.
[52:51] Ken Munro
Yeah.
[52:52] Ken Munro
Oh, this is years ago.
[52:53] Ken Munro
I think it's been 2014.
[52:55] Ken Munro
Maybe there was a press story that someone had read the Samsung terms of use for their TV and it said something about voice data, personal data.
[53:07] Ken Munro
And so hang on, I remember that story.
[53:09] Ken Munro
Yeah, I've got one of those TVs.
[53:11] Ken Munro
So literally the next morning I walked out of my home carrying my TV, much to the confusion of my wife, brought it to the office and we set it up and started looking at it in real detail to see how it was doing voice recognition.
[53:22] Ken Munro
And it turned out the TV was pretty much constantly listening to you.
[53:26] Ken Munro
And because it didn't have enough processing power on board, it would offload the processing of voice to text to a third party in the USA.
[53:34] Ken Munro
And it was making.
[53:35] Viktor Petersson
Right there.
[53:36] Ken Munro
Yeah.
[53:36] Ken Munro
And it was doing that communication over plain text.
[53:41] Ken Munro
Wow.
[53:41] Ken Munro
So not only was the TV listening, it was also capturing our data, sending to the US without permission, and doing it in the clear.
[53:48] Ken Munro
So yeah, that was a bad day, I think.
[53:51] Viktor Petersson
Yeah.
[53:52] Viktor Petersson
I mean, there have been so many bad stories about smart TVs.
[53:54] Viktor Petersson
Like I used to use stupid TVs because of that reason in particular, but.
[53:59] Viktor Petersson
And if you do have a smart TV, never turn it on.
[54:01] Viktor Petersson
Wi-Fi.
[54:01] Viktor Petersson
Right.
[54:02] Viktor Petersson
There was this story that I broke, I think two weeks ago, where I forgot which brand of TVs it was.
[54:09] Viktor Petersson
But you would think that if you use an external input like an HDMI as your, like an Apple TV or something, that you're in better position.
[54:17] Viktor Petersson
But turns out that this TV was actually fingerprinting content coming into HDMI.
[54:23] Viktor Petersson
So it could actually, even if you are not using the smart TV functionality, they could actually understand your viewing behaviors and send that off upstream, which is terrifying.
[54:33] Ken Munro
It's when you realize that actually the margins for making TVs are so tight that actually it's monetization of your data is the way that the TV manufacturers actually make money.
[54:45] Ken Munro
They'd far rather sell the TV at almost no margin and make it out of the back.
[54:50] Ken Munro
So I've got a frustration at the moment.
[54:51] Ken Munro
I've got a Samsung smart TV and it keeps spinning up Samsung's own content platforms.
[54:58] Ken Munro
I don't want to watch that.
[54:59] Ken Munro
I want to watch Netflix.
[55:01] Ken Munro
Leave me alone.
[55:02] Viktor Petersson
Yeah, yeah, exactly.
[55:03] Viktor Petersson
It's all upsell, right?
[55:04] Viktor Petersson
Yeah, it's scary.
[55:07] Viktor Petersson
No, it's.
[55:08] Viktor Petersson
Yeah, I don't trust these TVs.
[55:10] Viktor Petersson
That's my point for good reason.
[55:12] Viktor Petersson
Particularly if it has a microphone as well.
[55:14] Viktor Petersson
Absolutely not.
[55:16] Ken Munro
So they did start removing microphones not long after the piece of research that we published.
[55:23] Ken Munro
I thought that was a good thing, actually.
[55:25] Ken Munro
I think the first step was actually make it a push button on the remote.
[55:28] Ken Munro
So if you didn't push it, didn't listen.
[55:30] Ken Munro
That was a good step.
[55:31] Ken Munro
And then I think they gradually realized that actually people don't want microphones on their TV.
[55:35] Viktor Petersson
Shocking, isn't it?
[55:36] Ken Munro
Yeah.
[55:37] Ken Munro
Quite happy to press the button on the remote.
[55:39] Ken Munro
Thank you.
[55:39] Viktor Petersson
Yeah, exactly.
[55:40] Viktor Petersson
It's crazy.
[55:42] Viktor Petersson
One of the last things I wanted to cover.
[55:44] Viktor Petersson
Well, not one last thing I want to cover is the home alarm attack factor.
[55:47] Viktor Petersson
You did sometime the jamming stuff there, which kind of leads kind of a segue from the airplane spoofing, but on a much more similar level.
[55:55] Viktor Petersson
Right.
[55:56] Viktor Petersson
How widespread is this?
[55:57] Viktor Petersson
Like just to recap the story, like you could jam a GPS.
[56:00] Viktor Petersson
Jam, sorry, with an SDR, jam an alarm, a home alarm system, essentially.
[56:05] Viktor Petersson
Is that still how.
[56:06] Viktor Petersson
What's the verdict of that as of 2024?
[56:10] Ken Munro
So that was a wonderful piece of research by my colleague Andrew Tierney, who goes by the hashtag of cybergibbons.
[56:17] Ken Munro
So do give him a follow.
[56:18] Ken Munro
He does some amazingly clever stuff.
[56:21] Ken Munro
He had been looking at wireless house alarms.
[56:25] Ken Munro
So looking at how the PIR, the sensor, connects to the main board, and for ease of installation, a lot of companies were offering this over RF rather than wired.
[56:35] Ken Munro
It's a lot easier to do at radio than it is drill lots of holes.
[56:39] Ken Munro
So started looking at this and realized that the way that many of the PIRs were connecting was extremely vulnerable to jamming.
[56:46] Ken Munro
So even if you jammed the communication, the board wouldn't do anything about it.
[56:51] Ken Munro
So you could literally work, turn up with an SDR or optimize something into the size of a cigarette packet and you jam the alarm.
[56:59] Ken Munro
It was.
[56:59] Ken Munro
Certain brands were really bad.
[57:01] Ken Munro
What I was impressed with is seeing certain higher end brands that started addressing this directly.
[57:06] Ken Munro
So they were having two way communication with the PIRs.
[57:09] Ken Munro
So they were checking the integrity of the PIR, checking the integrity of the signal.
[57:13] Ken Munro
And if one of them dropped off, it would set an alert.
[57:15] Ken Munro
So you could go, is the battery out or is it actually being jammed?
[57:19] Ken Munro
So it would.
[57:19] Viktor Petersson
Yeah, that's a good point because that's a valid scenario where it would drop off.
[57:25] Viktor Petersson
And you don't want the alarm to go off every time the battery is out either.
[57:28] Ken Munro
Yes, absolutely.
[57:29] Ken Munro
But it would have a two way communication.
[57:30] Ken Munro
So you as a user, you could look at your mobile app and go like, okay, the battery's running down, I need to go and look at that.
[57:36] Ken Munro
Or I'll disable that PIR in the interim.
[57:39] Ken Munro
But yeah, we have this crazy situation where all sorts of relatively cheap alarms were very vulnerable to attacks.
[57:46] Ken Munro
There are even some funny things.
[57:47] Ken Munro
I think with like a remote fob, you'd have your alarm turning off and on.
[57:53] Ken Munro
Actually, you could spoof that as well, so you could disable the alarm just by some spoofing and jamming.
[57:58] Ken Munro
So, yeah, really poor attempt by a number of manufacturers.
[58:02] Ken Munro
But the good news is a number of alarms are now doing much better authorization and validation of the PIRs to make sure they're actually there and doing the right thing and not being jammed.
[58:15] Viktor Petersson
That is good indeed.
[58:16] Viktor Petersson
All right, good.
[58:16] Viktor Petersson
So at least it's not as bad as it used to be.
[58:20] Viktor Petersson
SDRs are getting cheaper and cheaper, so hopefully that makes it a little bit harder at least to leverage these things.
[58:29] Viktor Petersson
The last thing I want to wrap up on is kind of legislation, how you see kind of this playing out in particular in the IoT space.
[58:34] Viktor Petersson
We mentioned CRA already from your vantage point, how will this change the industry?
[58:41] Viktor Petersson
Like, how do you.
[58:42] Viktor Petersson
Do you actually think they will have an impact?
[58:44] Viktor Petersson
Or do you think this is people just going to ignore this or how do you see that?
[58:50] Ken Munro
So I've been very vocal about this.
[58:52] Ken Munro
So the first regulation I was aware of was California Senate Bill 327.
[58:57] Viktor Petersson
Bizarrely, actually, that's the IoT one.
[58:59] Viktor Petersson
Yeah.
[58:59] Ken Munro
Yeah.
[59:00] Ken Munro
I've actually quoted our work on the swearing doll, My Friend Cayla, as the inspiration to the bill, which was lovely, but I'm not aware of any enforcement.
[59:08] Ken Munro
And more recently the UK led the world with the Product Security Telecommunications Infrastructure Bill, or PSTI.
[59:14] Ken Munro
That's a mouthful, isn't it?
[59:18] Ken Munro
And it came up with three basic principles which were supposed to drive behaviors.
[59:21] Ken Munro
So no default passwords, a statement about length of support for the product, and a vulnerability disclosure program.
[59:27] Ken Munro
So pretty light touch, but should drive behavior in the right way.
[59:30] Ken Munro
I'm still not aware of any enforcement action, and it's lovely having regulations, but if someone's not prepared to enforce, and enforce publicly, then the bill's toothless. EU CRA.
[59:44] Ken Munro
Really interested to see where that goes.
[59:47] Ken Munro
You've got PSTI over here, in terms of complexity, pretty light.
[59:49] Ken Munro
And then the CRA, which is huge.
[59:52] Ken Munro
So it's going to be interesting.
[59:54] Ken Munro
It's got to drive behaviors, but it will only drive them if the EU and the UK and other enforcement agencies around the world actually grab some of these errant manufacturers by the scruff of the neck and go, no.
[01:00:06] Viktor Petersson
Yeah.
[01:00:07] Viktor Petersson
And I think if it does drive behavior, I mean, at least I'm starting to see a bit of behavioral change.
[01:00:14] Viktor Petersson
And I think more on the proactive buyers, and SBOMs is something that I think is kind of a direct consequence of legislation, when the executive order was the one driving that to start with.
[01:00:27] Viktor Petersson
But that's something I think would not have happened without these legal pushbacks really from the industry.
[01:00:37] Viktor Petersson
So I'm not sure how you see that.
[01:00:40] Viktor Petersson
If that's something that you see as well or like if you're bullish on that.
[01:00:43] Viktor Petersson
How do you see that shaping up?
[01:00:45] Ken Munro
I think the SBOM project has been really good.
[01:00:47] Ken Munro
I think that's a massive step forward to understand what you're building off.
[01:00:52] Ken Munro
It's huge, for example, in automotive right now because the complexity of an automotive ECU is massive.
[01:00:58] Ken Munro
You think about the number of dependencies that sit on the average ECU.
[01:01:03] Ken Munro
I think having that SBOM and truly understanding it is great because you immediately go, right, well I've got a new CVE and it applies to all these different ECUs.
[01:01:12] Ken Munro
That is huge, massive overhead on manufacturers.
[01:01:15] Ken Munro
But I hope they flow that back up their supply chains and go like, well, when you're in the procurement process, I want to know what SBOMs you're using, document it and send it to me.
[01:01:26] Viktor Petersson
And that needs to be part of the life cycle.
[01:01:28] Viktor Petersson
I think that's my biggest beef when I have a lot of conversations with people about SBOMs, because people think of them as a one time thing, but it's actually a dynamic element.
[01:01:37] Viktor Petersson
Right.
[01:01:37] Viktor Petersson
Every time you push an update, you need to push that SBOM as well as an artifact.
[01:01:43] Viktor Petersson
And you've seen some developments in the medical space in the US actually, they've been actually pretty proactive on this stuff, at least some of the vendors there.
[01:01:53] Viktor Petersson
But again, that only came after pretty heavy handed regulation because they didn't do anything for so long.
[01:01:59] Viktor Petersson
Right?
[01:02:00] Ken Munro
Yeah, it's certainly on the MedTech side of things.
[01:02:03] Ken Munro
I think the FDA in the US has done some really good things of late.
[01:02:07] Ken Munro
I think of any industry where cybersecurity is critical, crikey, it's got to be MedTech, right?
[01:02:14] Ken Munro
And I remember a very silly vulnerability we found in a connected hot tub.
[01:02:20] Ken Munro
Why does it matter?
[01:02:21] Ken Munro
But actually it was the cloud platform behind it had a bunch of authorization flaws and we found some connected medtech on the same cloud platform with very similar vulnerabilities.
[01:02:31] Ken Munro
I think one of them was in fact a cranial stimulator.
[01:02:34] Ken Munro
So we think about of any industry that needs to get cybersecurity, right, it's got to be connected medtech.
[01:02:42] Ken Munro
I remember another vulnerability one of my colleagues found in very early 2020: he found an exposed S3 bucket with read/write permissions and, looking at the data, figured out it was actually closed-loop insulin pump trial read/write data.
[01:02:58] Ken Munro
You're like holy cow.
[01:02:59] Ken Munro
All you have to do is tamper with the insulin readings so they're high and you auto dose a fatal dose of insulin.
[01:03:07] Ken Munro
Thank goodness the manufacturer fixed that within an hour of us reporting it, and that was on a Sunday.
[01:03:13] Ken Munro
So yeah, the vulnerability disclosure process worked really well.
[01:03:17] Ken Munro
It's a shame because development didn't quite get there so quickly.
[01:03:20] Viktor Petersson
Yeah, yeah, no it is crazy.
[01:03:23] Viktor Petersson
So I think there is a light at the end of the tunnel, and hopefully, I think, the next wave of legal frameworks, the compliance frameworks, my gut feeling is that the next generation of ISO and, well, NIST just got updated this year, stopped just shy of mandating it.
[01:03:46] Viktor Petersson
But I think I'm bullish that the next generation of these frameworks will kind of mandate a lot stronger security posture and transparency.
[01:03:54] Viktor Petersson
Really?
[01:03:55] Ken Munro
Yeah.
[01:03:56] Ken Munro
I think it can only drive good behaviors.
[01:03:58] Ken Munro
And for the large manufacturers who typically get it right because they've got a brand at stake, I cannot see why this would cause them a problem because what it does is it forces the cheaper the me too brands who aren't maybe spending as much time on cybersecurity to actually start to behave.
[01:04:14] Ken Munro
So actually their costs for getting the product right will increase, and actually it's, excuse me, a good thing for larger manufacturers who do cybersecurity right.
[01:04:21] Ken Munro
Because it forces everybody to not cut corners.
[01:04:25] Ken Munro
And I think that's a really good thing.
[01:04:27] Viktor Petersson
I think so too.
[01:04:28] Viktor Petersson
The biggest argument I've heard that I can kind of not sympathize with but understand is why bigger organizations, particularly legacy organizations, are so against SBOMs, which is because.
[01:04:39] Viktor Petersson
Because the second they generate an SBOM, that means they no longer have plausible deniability about what goes in there.
[01:04:45] Viktor Petersson
And I think that's actually a big reason why there's a big pushback.
[01:04:49] Ken Munro
I can see that too.
[01:04:50] Ken Munro
Although this is going to sound crazy but I think in IoT actually cybersecurity genuinely is an enabler.
[01:04:56] Ken Munro
I really do and I'll tell you why.
[01:05:00] Ken Munro
I saw lots of objection during the UK IoT bill about it would get in the way of sales and it would slow the market down.
[01:05:09] Ken Munro
Actually now hang on a minute.
[01:05:10] Ken Munro
They did some really interesting research showing this, the government did, and showed that cybersecurity was actually the number two objection by many consumers for buying a smart product.
[01:05:18] Ken Munro
So hang on a minute.
[01:05:19] Ken Munro
So if you can tick that box and reassure consumers they'll buy more of your products.
[01:05:26] Viktor Petersson
Yeah.
[01:05:27] Ken Munro
I mean, actually, the number one objection was they didn't need it but couldn't see the benefit.
[01:05:31] Ken Munro
But yeah.
[01:05:35] Viktor Petersson
That is crazy.
[01:05:37] Viktor Petersson
Ken, this has been super interesting.
[01:05:40] Viktor Petersson
If somebody wants to learn more about you and Pen Test Partners, where can they find more information?
[01:05:46] Ken Munro
Oh, sure.
[01:05:46] Ken Munro
Hit us up at pentestpartners.com. There's 150 of us based around the UK and USA.
[01:05:53] Ken Munro
We can help with pen testing, incident response and broader GRC consulting.
[01:05:57] Ken Munro
So we'd love to help out, if only to tell you lots more funny stories about hacking smart devices.
[01:06:03] Viktor Petersson
Love it.
[01:06:04] Viktor Petersson
Perfect.
[01:06:04] Viktor Petersson
I very much appreciate this, Ken.
[01:06:07] Viktor Petersson
So thanks so much for coming on the show.
[01:06:08] Viktor Petersson
Have a good one.
[01:06:09] Viktor Petersson
Cheers.
[01:06:09] Ken Munro
Thank you.
[01:06:10] Viktor Petersson
Bye.