Is Your Treadmill Running Without You?—Secure Your IoT Secrets : Detect ‘18 Presentation Series

Good morning, everybody.

So we have a nice, small, tight-knit group here.

So I may change things up a little bit-- make it a bit more conversational as opposed to just me sitting up here and talking the entire time.

The point of this discussion is that-- I hope that you walk away with some thoughts along the ways of internet of things.

And that's really what this discussion is about.

How do we protect ourselves?

What is the risk?

And are we prepared for that type of risk?

So that's the ultimate goal of this.

So I'm going to leave it open, so if, at any point in time, you see something on a slide, you hear me say something, you want to have a conversation about it, just raise your hand.

We're close enough that I think it'll work out.

And so any questions with that?

Yeah?

All right.

Let's see if this clicker works.

So my name is Nicholas Hayden.

I am the senior director of threat intelligence for Anomali.

I've spent the last 20 years in cyber security.

And I am a cyberwarfare officer for the US Air Force.

I have-- oh, I can hear somebody else next door.

Great.

So I still am a cyberwarfare officer for the United States Air Force or Air National Guard.

So when we come on two weeks a year, I put my uniform on, and I go and I train Nation State defenders.

And I had some success in the past 10 years at various cyber exercises with Cyber Shields, Cyber Yankee-- both teaching as well as mentoring and building teams.

Two years ago, I took a team of individuals that had no cyber security experience, but they were what I would call technicians-- someone who worked on servers, someone who worked on switches, routers, things like that.

And they'd never seen an attack in their entire life.

And we actually discovered and mitigated more attacks than-- we were number three in the entire United States, which I thought was pretty impressive by them-- beating up people like the NSA.

Is anyone here from the NSA?

No, good.

Beating up people like the NSA and things like that.

I've had a lot of fun doing this for the last 20 years.

It's changing.

It's changed a lot.

I can remember the Melissa virus years ago, and just how everything has evolved and progressed throughout the last 20 years.

I'm currently on the STIX and TAXII drafting committee.

So anyone here on OASIS by any chance?

No?

OK.

So I'm helping to participate in the drafting of the STIX and TAXII standard as an Anomali employee to assist with the integration of all of our devices-- getting communication, sharing communication.

I mentioned that I had participated and helped set up a lot of exercises in the past.

And I saw the value of threat intelligence sharing at a micro level because we had all these little enclaves.

Each state had their own.

And when we found something-- detected something, and passed that information on, the next team down the road was able to block-- or at least identify it quicker, mitigate it quicker.

So that's really one of the reasons why I came into threat intelligence.

And that threat intelligence sharing piece is a real passion for mine, because I think that the ability to share information quicker, faster is just going to make us that much better.

And I make WINE.

That's my analog.

I make WINE.

Any questions?

Comments?

All right.

So I said we're going to make this a little bit more interactive.

So I want to-- everyone uses a different term for internet of things.

So anyone want to take a stab at what their opinion is of what internet of things is or are?

No one?

Taraq-- since I see you in the back.

What's your definition of internet of things?

[INAUDIBLE] Could be anything.

[INAUDIBLE] Yes sir.

I think of it about consumer devices which connect to some management, because somewhere on the internet, you have no control over it.

It's under some other member's control.

Excellent, yep, yep.

Absolutely.

A lot of little micro devices-- Apple watches, Fitbits, cameras, door locks, heart monitors.

I mean, you name it.

It's any little device, or any device, technically speaking, that connects out to the internet.

Yes, thermostats, smoke alarms, things like that.

It's pretty scary what's going on in our lives and what we're making-- connected to the internet and what we're sending out for information, and what other people also could potentially have access to.

I think some of the even scarier pieces are medical devices, heart monitors, life support.

I know there are-- years and years ago, when I was helping with a fiber network, one doctor from one location was trying to-- they were trying to set up a pipeline to another location so that they could monitor their patients' life support.

So we're transmitting that information.

And they actually had the ability to silence alarms, things like that, remotely.

So it's pretty scary.

The other scary piece is-- so I spent a large portion of my career in the critical infrastructure space inside the energy sector, helping with NERC CIP Version 5 and 6-- helping to write them, helping to design the first industrial control system firewall, things like that.

So there's not a large difference between the devices that we have inside of our home and the devices that we have that are supporting our critical infrastructure.

So my question is-- we have all these devices out there, and we're all beaconing information.

We're all sending information.

And every one of you right now has a cell phone on you.

You're beaconing information in this room.

You can throw up a sniffer, and you can see-- half of you-- what your home wireless networks are.

It's crazy.

But is there a risk to that?

Anyone want to take a stab at it?

Yes?

Yeah?

Why?

People that need to have them.

If you're sending information out, absolutely.

It can either be intercepted, it can be manipulated.

Or if there's a control aspect to it, it can be controlled.

A couple slides ago I mentioned the Nest smoke detector, right?

So what if somebody just silences the alarm on you?

Because you can do that from your phone, right?

You have that control.

So here I am in my home, nice and cozy.

I got my wood stove running.

I go to bed.

And I wake up, and my whole house is emblazoned and the alarms never went off.

It's scary.

It really is scary.

So is there a risk?

Yeah, absolutely.

Anytime you connect a device, anytime you connect anything externally, anytime you're sharing information, I think there is a risk.

So I mentioned a little bit about the smoke alarm.

Another one-- if this plays.

Nope.

I don't think we have audio.

OK, so anyway, I will-- apparently we don't have audio with the computer.

So this is a live news story where somebody hacked a baby camera.

And so somebody else was sitting there looking at a baby, and they're actually screaming at the baby while the baby was sleeping.

And now being a parent, that freaks me out.

I mean, we have this protective nature to take care of our children.

And by me wanting to see my children when I'm away, I'm putting them at risk.

I mean, I think-- again, I'm paraphrasing from this video, but the child woke up screaming, had nightmares, things like that-- of course.

And the other thing is, that's also an identifier to know if someone's home or not.

Because if the baby's there, then someone's going to be there.

If the baby's not there, it's a good indication that someone's not home.

A couple other incidents that have happened recently-- Ring doorbell hack.

Amazon-- they rolled out this service of, hey, the delivery guy can just open up your door and drop off your package for you.

What is wrong with that?

[LAUGHTER] That's perfectly safe, I swear.

You know, it's crazy.

It's absolutely crazy.

Some other additional risks-- just recently, actually, the FDA recalled 500,000 pacemakers.

with a life support device in them that can be hacked.

I mean, somebody hits a button, boop, and you just see somebody walking and just fall down.

I mean, it's crazy.

It's crazy.

So they have 500,000 additional surgeries [INAUDIBLE]??

[LAUGHS] It is-- it's crazy.

Right.

And those people probably aren't in that good shape [INAUDIBLE]..

Yep.

But all because we want to have the convenience and availability of being able to monitor somebody's condition.

The other threat to internet of things is most of them are one and dumb-- one and done, not dumb-- could be dumb-- one and done.

So when you put them out there, when you deploy them-- wherever you're going-- you deploy them into somebody's chest, it's not like you have a cord that comes out and says, oh, excuse me, I need to do a firmware update.

And you sit there and tap around.

So it prevents-- it causes a security risk.

We see every day all the different vulnerabilities that are out there that affect all these different devices-- because no one can write the perfect code.

And even in someone who does write the perfect code, they're using a library that isn't written perfectly.

It's impossible.

It's absolutely impossible.

So there is always going to be vulnerabilities.

But we don't update these devices.

A lot of times, we can't update these devices.

So it prevents-- it causes a challenge.

You can't do vulnerability management on them, so you can't secure them.

So there's a risk.

The other piece to that is, how many heart monitors can you install antivirus software on?

I don't know too many.

It'd be pretty cool.

Oh yeah, you have the flu, and it kicks the information back out to you.

Use an antivirus [INAUDIBLE].

That's right, antivirus, you know.

It just takes care of it for you.

The nanobots.

[LAUGHTER] Little nanobots going out.

[LAUGHTER] Exactly, exactly.

So that creates a risk, right?

So everything we know about network security, everything we know about security in general is-- you got to throw it out the door because it's not there.

You can't do your vulnerability management.

If we go back to the risk equation-- risk equals a threat times a vulnerability, and then I use a impact score or criticality score, which is a criticality of the asset.

But if you can't mitigate the vulnerability, you can't monitor the device, you can't reduce risk.

So you really only have one option-- is you have to identify the risk and identify whether or not you're willing to take that risk-- whether that risk is acceptable for you.

I'm going to go off the cuff here.

If you all were there yesterday, and General Powell had a speech that he was talking about-- he talked about the difference between availability and security.

We always go back to that CIA triangle.

And this really is what this is talking about, is you have-- do you want to make the information available to you?

And if so, are you prepared to accept that risk in order to make that information available to you?

So my question is, is the risk real?

And this is something I stumbled upon when I was working with my team.

I just happened to be showing off one of our products.

And I'm like, what is my treadmill doing?

It blew me away, because my treadmill is just supposed to sit there.

And I push a button, it turns on, and I get to run.

But what I discovered is that it was actually running without me.

Let me see if we can see some of this.

So I pulled this from-- yeah, I guess you can see a little bit on the side.

So I pulled this from one of my network sensors.

I should probably preface this.

What you're seeing is actually my own home, so I apologize.

I don't know where my treadmill has been.

I don't know where it's going.

So if you see something on here, I'm sorry.

So this is just a network monitor that I have running in my house.

And what I thought was very interesting is that, why is my treadmill beaconing out to answers.com?

I get the fact that it's going to iFit.

Great.

I get the fact that it's probably going to Google, MSN, ESPN-- yeah, OK-- because you have the little screen on there, and you want to see your sports, things like that.

I get that.

But why is it going to answers.com?

What question is my treadmill asking that it needs to go get an answer for?

Crazy.

So then-- and this is actually from the same shot.

I just moved it down.

All of a sudden, it's learning how to code.

It's going to php.net.

It's a smart treadmill.

It's going to Google.ru, jp, France.

I mean, listen, my treadmill gets around more than I do.

It's crazy.

Crazy.

Bidoo.com.

All right, all right.

Good for you.

It's a world traveler.

And actually, this is the wrong slide deck, so I'm going to have to do this impromptu.

So unfortunately-- I don't know why this is the old slide deck, but we're not doing a live demo.

So what I did is, I started grabbing some network packet captures.

And what I found was, beltow.com.

I mean, that's even more odd than what I'm seeing here for this information.

So I plug that in.

And then there was an ftp.

It was ftp.mcaff dot Mr.

Face, or something like that.

I'm like, that's odd, that's really odd.

So I took those into ThreatStream and inside the R-Explorer feature, and I just popped them in there.

And some of you saw that functionality earlier.

And maybe if we have internet-- do we have internet here?

No?

All right, I guess I can't do it.

So I plugged those into the Explorer functionality, and then I did a passive DNS onto it.

And it did this thing.

I did a passive DNS on it and went in and did its thing.

And then when I started ThreatStream, all of a sudden I got a couple of connections.

OK.

So there's threat intelligence on my treadmill, or at least what my treadmill is beaconing out to.

And then I went and dug a little deeper, and then all of a sudden it went, whoosh.

And in my previous slide, you would have seen that there were five different connections.

One of them happened to be APT10.

So, again, on my other slides, you would've saw that APT10-- their primary targets are military members.

Previously, I also worked for a company called BAE, and BAE is a hard target for APT10.

So by using threat intelligence and by using that pattern recognition, I found out that-- and having to do packet captures-- because, actually, the malware that is on the treadmill itself is so sophisticated that the domains didn't come up here.

They also didn't come up in some of my other network sensors, like Snort, things like that.

So I had to literally set up a packet capture and just run packet captures, and then do a DNS filter using Wireshark, and I found those others.

So it was fascinating.

And so I found out that it was APT10.

So APT10 wrote this malware for my treadmill.

So as part of my investigation, I realized that it's actually scanning my network for all my other devices.

And it's trying to exploit all of my other devices, and it's trying to gather information on me.

And it's so targeted because I'm military.

But this is my treadmill.

This is the crazy thing.

I go out and buy a treadmill because I want to stay fit.

I want to stay healthy.

I don't want my treadmill out running without me.

It blows my mind.

And what do I do?

I can't install antivirus software on it.

I called the manufacturer.

We can't help you.

There's no patches and there's no updates.

They don't think there's anything wrong with it.

I'm like, but why is my treadmill trying to code?

So the risk is real.

And part of the reason why I wanted to show off this is that I always think that it's great to show a real-life use case.

And this was something that Ryan happened to be-- is in the back here-- who works for me.

We just happened to be messing around on the network.

And you start looking at all this, and you're like, wait a second.

This doesn't make any sense.

And then you start digging a little deeper and a little deeper.

So I actually found this by chance.

And then when I dug a little deeper, I found out what it was.

So my question is, how do we protect ourselves?

How do we protect ourselves from the IoT?

Now, when we talk about IoT of things, I think of it as two separate-- there are actually two separate types of devices.

There are ones that leave your network and send it out to the cloud.

Then there are ones that stay local into your network.

So if you have just a local wireless access, you can access what you want to.

So like network attached storage devices-- maybe you want to stream iTunes from your local computer to your phone or to your Apple TV or things like that.

So they're the ones that communicate inside the network, then there are ones that communicate outside the network.

And those are really the two separate-- I like to put them in two separate buckets in terms of internet of things.

So as you can see, really the only true solution is a network-based solution, because you can't do firmware updates, you can't install antivirus software.

So when I come home, and my heart monitor or my pacemaker is going off and calling out to php.net because apparently my heart needs to start learning how to code, that's the only time that you're going to really be able to see that traffic.

So the approach that I propose-- and it's the same approach that I used years ago, and it really hasn't changed-- and I mentioned this about the critical infrastructure-- is that you have to take a network-based approach.

You have to utilize threat intelligence.

You have to utilize the information that you do have in order to develop a defense in depth strategy.

So you have to whitelist.

You can set it on a separate network.

So most of our home wireless devices, most of our business devices, have the capability of creating guest networks.

So if the device leaves your network, that's great.

Just put it on a guest network and go that way.

So at least it's not spying on the rest of the stuff that's in your network.

But it's not preventing someone from spying on you.

So that's only one type of mitigation risk.

The other one is trying to block it-- trying to whitelist.

So the strategy I took with my treadmill was I blocked out all of China, Russia-- all of the countries that I don't think that it needs to go out to.

And then I whitelisted iFit.com so that it has the capability of going out.

So I tried to mitigate that risk as much as possible.

And then, finally, I just got to the point where it's like, I really don't need it to connect to the internet.

So I can't download my Google Maps when I go for runs now.

But again, it goes back to what I was talking about in terms of availability and risk.

At that point in time, once I discovered what was going on, that shifted that needle away from me-- that the availability wasn't as important to me as the risk that I was taking by leaving it up and running and going.

So that's the solution for the treadmill, but not for the pacemakers.

You're right, you're right.

Yep.

Or you're walking around with a firewall system [LAUGHS]..

But that brings up a very valid point.

What do you do with those life threatening devices?

What do you do?

It has to go back to identifying what the device is, where it should be going.

And I think the only way you really can do it is a network-based solution.

And we did the same thing back in the critical infrastructure days, where we-- many of you have probably heard of this-- called waterfall firewalls, where the data only goes in one direction so that no one can get into the-- so the information is leaving the network, but you can't control-- so someone can't just push a button and knock out something, like the Super Bowl a couple years ago, with a button-- things like that.

Any solution that we have for these devices are really just network-based.

That's it.

So the one thing that I want to leave you here, and I started up in this-- I'm glad that General Powell came up with this-- is you really have to adjust what your risk threshold is.

Is that Nest device that you have at your home, at your office-- is that pacemaker-- that particular pacemaker, the one that you want, the one that you need, the one that you feel is going to make you feel secure-- after seeing the FDA recall 500,000 pacemakers, I'd be maybe a little skeptical about getting an internet-connected pacemaker.

But again, it goes back to security over convenience.

Maybe that person has such a life-threatening disease that they need to have an on-call medical physician right there and then.

OK, well, the availability now outweighs the risk of somebody exploiting it-- maybe?

I really wish that for some reason my other slide deck was here, but-- I could have actually showed you the technical piece to it.

Any questions at all?

Yes, go ahead.

In other presentations, it talks about internet-connected dolls for girls, cribs for babies.

The big one they're talking about right now are all these little palm Echo Spot devices.

Any comments about all these smart devices now that are listening to us?

They are dirty.

They are dirty, dirty devices.

So I have an Echo in my home.

And for some odd reason, it seems to go out to VPN sites, VPN proxies.

I haven't quite narrowed down what it's doing.

But yeah, they're listening to you.

They're listening to you now.

Amazon claims that you can go on and see everything they say.

I doubt that.

I mean, maybe.

Maybe they're doing their due diligence.

But yeah, you can see what it recognized when you said-- but I'm pretty sure it's picking up everything.

And previously, a year or two ago, it wasn't the Alexa devices or the Google Homes, it was TVs.

All the Samsung TVs, every single one of them-- you go out and buy this new, big, flat screen LCD panel for the Super Bowl, and it's sitting there monitoring everything you're saying-- everything.

Every word, everything is going back to-- I think it was China, but yeah.

So same thing-- it goes back to the same thing.

Is having that device connected as important to you as the risk?

Is that convenience of saying, Alexa, order me some milk, or something like that, or Alexa, I need some toilet paper-- is having that availability there as important as the security risk of somebody listening to you-- someone monitoring you?

Yeah, I agree, and that's all of these devices.

I just used my treadmill as an example.

But believe it or not, I think the worst one I've seen is the Ring doorbell.

So I got one of those really cool Ring doorbells, because if I was traveling, I wanted to see who's coming up to my door, who's trying to steal my package-- as all the commercials try to say.

I live out in the middle of nowhere, so it's kind of a funny joke, because if someone's coming up, they've just walked like But the Ring doorbell-- I mean, where is it sending all this information to?

And it seems to change, so I can't whitelist it.

So at that point, I had to pull it out of my house and not use it, because I couldn't trust it.

So yeah, they're dirty.

They're really, really dirty.

Did you have a question?

Yeah.

Comment?

[INAUDIBLE] OK, I like weird ones.

And [INAUDIBLE].

Yes.

And I'm really interested in the internet of things contributes into the amount of data that [INAUDIBLE] and [INAUDIBLE] on the one hand, [INAUDIBLE] we are worried about the privacy issues.

Another security consideration for me is artificial intelligence [INAUDIBLE] and the future of artificial intelligence, and the need for data to train the algorithms [INAUDIBLE]..

OK.

And so is there something in a similar threat by not producing [INAUDIBLE] so that [INAUDIBLE] the US requires more massive data in order to advance an area that the US doesn't if China has a global base [INAUDIBLE] and the contribution to that as a citizen [INAUDIBLE].

OK, so if I'm hearing you, you're saying that the collection of the data for the purpose of assisting machine-learning languages in order to help automate defenses, or at least gain enough information inside the intelligence community-- [INAUDIBLE] robbing the US of [INAUDIBLE] advance [INAUDIBLE] the data that can be [INAUDIBLE] that progress, [INAUDIBLE] I feel like it's a security consideration for the future in terms of which countries advance [INAUDIBLE] fastest rate.

So China, obviously being [INAUDIBLE] the data in a way that we might not, [INAUDIBLE] but [INAUDIBLE] in terms of [INAUDIBLE] OK, so I'm going to change your question a little bit, and tell me if I'm wrong.

But I'm going to flip it.

And so the heart monitor, right?

So we're going to take that data from the heart monitor, and maybe it helps us break through-- gather enough information to make a breakthrough in cardiology.

So is this kind of the same lines?

So that data is valuable.

That's one use case.

So it could-- that information that is gathered, that is being gotten-- that is being received, rather-- from these devices could potentially save millions and millions of people's lives down the road.

So again, so is that risk worth it, or is it not?

And I think that if that's-- I'm kind of twisting it, but is that kind of the same concept of what you're saying?

Yeah.

It's almost like [INAUDIBLE] connect in the way it used to [INAUDIBLE] but there's also the strategic risk [INAUDIBLE] Does that make sense?

Yeah.

[INAUDIBLE] No, it's a theoretical problem.

Yeah, I mean, it is a real problem.

And there is a risk reward that comes with that.

I think you bring up a very valuable point, and one that I didn't think of.

But I think ultimately what it amounts to is most of the IoT devices-- most of them tend to be in our homes-- not so much outside.

We do have them in the offices.

I know a lot of-- I can see the thermostat back there.

I guarantee you that it's probably a Honeywell, and it's probably connected to one of the control systems here for the HVAC.

I guarantee you, that's connected.

So yes, there are some.

But the majority of the IoT of things that we generally think of IoT of things tend to be home-based.

So I think the question is-- personally, you have to identify is the risk worth it for you?

Is releasing that information worth it to you?

What's your opinion?

And you need to think about the level of risk and understand, truly, when you're buying these devices, is-- it's cool, it's shiny, it's the new shiny, I got to have it-- as a lot of us tend to be.

But at the end of the day, stop and think about what it's doing, what it's giving you for information, where that information is going.

And know that, as we talked about earlier today, it's a risk.

It's a risk every time you send that information out.

It's a risk giving someone that control of that information.

Do you want to be a advocate to sharing that information with the world?

I think that it really has to-- you have to self-reflect on that one and think about it.

[INAUDIBLE] I have not.

--where everything [INAUDIBLE] it limits your travel.

It limits your ability, for example, to buy a house [INAUDIBLE] incredible [INAUDIBLE] to everything [INAUDIBLE] in a way that I thought was quite remarkable [INAUDIBLE] associated with [INAUDIBLE]..

I would say that probably in that case, that is an extreme [LAUGHS].

I hope that the US never gets to that point with information sharing.

I'm sure that we are.

Honestly, anyone here who is related to a foreign national or has contact with someone who's a foreign national, everything you do is recorded, point blank.

It doesn't matter what you're doing.

It doesn't matter where you are.

It's all being recorded, just so you know.

Full disclosure.

And I know that because my wife happens to be a Norwegian citizen.

So I know what information is being captured and stored on me.

But yeah.

I think that what you're talking about with the China situation is really an unethical situation.

What's the purpose of getting all that information?

Why?

It sounds like control more so than anything else.

[INAUDIBLE] her house.

[INAUDIBLE] to get access [INAUDIBLE]..

Yeah, yeah.

And you see that in the [INAUDIBLE]..

Did you have a question?

Comment?

I just-- as this conversation is occurring to me-- most everyone who's here is involved in cyber security and [INAUDIBLE], right?

Yep.

And really I think-- I'm thinking more about [INAUDIBLE] intelligence and other kinds of cyber security [INAUDIBLE] create and use in our businesses [INAUDIBLE] down to the consumer level because we don't really have access at the consumer level [INAUDIBLE] pacemakers and treadmills and doorbells and whatever.

You know what I mean?

Absolutely, yeah.

And-- --it seems like there would be a demand for that.

Yep, and historically that's exactly what we've seen-- antivirus software, firewalls.

We've seen these firewalls-- they were all corporate things.

You don't have a firewall in your home.

I still have my 24 KB modem.

Antivirus software, things like that-- host-based firewalls, network-based firewalls, routers.

I mean, we didn't have routers.

Now you have routers with firewalls built into them at the home level.

So yes, I think you're right in that-- in fact, and you're starting to see that.

I apologize, I'm drawing a blank.

But there's a little device you can get for your home that supposedly blocks everything-- all the bad stuff.

You don't have to do anything.

Just plug it in.

It's a-- It's listed as [INAUDIBLE] had it as a [INAUDIBLE]..

OK, yeah, yeah.

It's just like a little box you plug in, and it's like a-- almost like an IP IDS that just handles it all.

Disney came up with one.

You can put a Disney device in so that you can monitor your kid's activity.

You can shut the network off, things like that.

So to bring this back around to what you're saying, I think that threat intelligence in the next couple of years is going to trickle down to consumer-based devices.

We're going to start seeing more affordable routers that have a cloud-based approach to blocking something with a certain severity score-- something that has been known APT.

That information is going to eventually trickle down to these devices in there.

And it, again, is going to be based on what you set for a risk.

In my mind, you have this little meter.

It's like low, medium high, open these days.

So if you want to block everything, you put it up higher.

So something with a low yield block-- things with a lower confidence score.

If you want to allow more things to go through, essentially since you're-- what you want to block with a higher confidence score, things like that.

But yeah, it's going to happen.

It has to, because you only-- we just talked about the risk.

We just talked about these devices.

It's the only way you can do it.

It has to be a network-based solution.

But again, that's not going to help things like pacemakers, when you take that device out of the network [INAUDIBLE].

Yep, yep.

So it goes back to that-- how risk-- Unless they build in a firewall in the [INAUDIBLE] into the [INAUDIBLE].

And we'll probably see it.

Yes, Evan.

Do you think that-- so we have this additional cost, right-- where IoT is sort of cheaper because they're lax on security [INAUDIBLE].

Correct.

Do you think that as the future of IoT gets-- starts paying more attention to security, do you see that changing at all-- that cheaper and less insecure costs of products?

Do you see those products normalizing such that they start investing in security?

Do you think those two are related at all?

I do.

I think that with any type of device and from a product standpoint, there is a certain price point that you have to hit.

Otherwise, consumers aren't going to buy it.

I can't speak to all the devices.

For some reason, Apple seems to be able to blow those prices right out of the water.

You go buy a watch for $800 now-- I think this last announcement.

For a watch, I mean, crazy.

So yes, I think that it could.

But I think that the majority of them are just going to keep doing what they're doing until there's some form of regulation, or there's something more stringent upon them to enable or to force those type of controls.

I mean, the whole point is that it boils down to convenience versus security-- that CIA.

And, in fact, we're seeing it in the Air Force now.

So for the last 50 years, and the DoD in general, everything has been risk adverse-- no risk, no risk, can't be a risk.

You see that in the purchasing of the software.

You see that in everything.

All the system requirements are being derived for the government for all these products, and why are-- the purchase cycle takes so long.

And that whole shift is going backwards the other way.

And we're seeing that now, both on the government side and the military side so-- sorry, the government side and the civilian side, where we have this ebb and flow when it comes to security.

Right now, all of us are really relaxed because we want this-- it's new shiny.

It's shiny.

It works.

It's cool.

I can see my kids.

So that availability is there.

That shininess is there.

And then all of a sudden we start to realize the effects of that, and then we start to sway back the other direction.

And so insecurity since the early 80s, 90s-- we've seen this over and over again, and it doesn't change-- same pattern.

Any other questions?

Probably not a question but more of a comment.

Sure.

I don't think there will ever be a time where consumer-grade IoT-type products will have built-in security.

I think there's too much money to be made, too much data to be collected.

But I think the issue for organizations is that we have senior executives who aren't security-minded.

And they want to bring in new products to help deliver a service to customers faster or more convenient, or to be the new thing-- sell for payments.

There's no fraud detection at all.

But we're going to be able to send money to other people through a cell, through an app, so stuff like that.

So I think the bigger challenge is just trying to wrangle all the things that organizations are trying to do to be first to market.

We can red team something all day, shoot at the walls.

And there's still just risk acceptance to say, well, there's going to be risk.

It's not worth that much, so we're just going to ship it anyway.

As far as home products go, I think everyone just needs to assume that they're being listened to.

Alexa is getting subpoenaed for murder cases now.

Did you hear about that?

Some guy killed another guy in his house, and Alexa was on.

It wasn't actively listening, but the police were able to successfully subpoena Alexa to listen to the recording of a guy killing another guy.

So it wasn't intentional.

It wasn't self-defense.

Like what was going on?

So it's funny you say that because literally this morning, I got an email that said that Amazon was opening up their capabilities so that it can identify if there's anything bad going on in your house.

I kid you not.

I literally got the email this morning.

So yeah, it's crazy.

And convenience, right?

Do you need that convenience?

Well, those people aren't security-minded.

No.

The convenience outweighs everything when [INAUDIBLE] key location services on.

I have Alexa in the house, a treadmill, my light bulbs.

Everything is connected to everything else.

So I think people just want cool tech, cool gadgets, and Nest and everything else.

Me personally-- I would like to see-- it'd never happen.

This is in my opinion-- is you know how when you download an app on Android or iPhone, and it comes up and notifies you and says, this is the information we're gathering, and this is where it's going?

Why can't we have that on a box of one of these devices so that at least we're making people aware of what the risk is?

And I think that's the fundamental principle that we're lacking in these consumer products.

Because most people-- I mean, all of us-- I would say most of us-- I think all of us here are very-- are inside this cyber security domain, so we think about risk.

We think about that.

You talk about the CEO level and how a lot of them aren't thinking about the risk, but we are for them.

But if they had something when they first popped it up and said, this is what this is doing, and this is where the information is going, well, maybe then someone can come up with a way that you can scan it.

And all of a sudden, it sets all those whitelists, all the firewalls, all the network detection things for you so that it only allows the traffic that it's supposed to be allowing-- just a QR code, boop.

There, my router's now secure.

We're running out of time.

Maybe I have time for one more question.

Anyone else?

All right.

Thank you.