Interview Exclusive of Antriksh D Shah, Co-Founder – hardwear.io - Hardware Security Conference
June 2016 by Marc Jacob
Can you introduce Hardwear.io?
Security incidents encompassing healthcare, telecom systems, IoT devices, automotive, smart meters and industry controls are hitting the headlines, and the target is shifting from breaching data to controlling the systems. This trend is posing a serious safety and security risk to organizations but also to our lives. Hardwear.io was conceptualized to provide the IT and security community with a platform to discuss and solve issues pertaining to hardware security. The objective of the conference revolves around key concerns in hardware, firmware and related protocols, i.e. backdoors, exploits, trust and attacks (BETA).
2015 witnessed 180 participants from all over, with our key speakers like Jon Callas, Harald Welte, Jaya Baloo, Javier Vidal, Florian Grunow and Beau Woods, with a thought to emphasize the need for hardware security in today's world.
Can you introduce yourself?
Security enthusiast, love organising the nullcon & hardwear.io security conferences, which bring together both ends, i.e. industry experts and the community, to exchange notes and solve a larger problem to build things securely. Co-Founder of Payatu Technologies Pvt Ltd, a boutique security research and testing company in India. The Co-Founder of null The Open Security Community; along with 8 other members (Aseem, Murtuja, Akash, Ajit, Parshant, Smriti, Shashidhar, Himanshu) registered this not-for-profit community, having 12 active chapters which are entirely driven by volunteers globally to spread/discuss research in the field of cyber security.
How did you first get into hacking and on to computer security?
I was introduced to security and hacking topics during my college days, when I learnt about SubSeven RAT and the famous Cain & Abel tools while doing a certification course - MSCE. But being more realistic, it was when I met Aseem wearing a हैकर T-shirt, which kicked off my career and introduced me to Null The Open Security Community. I started working/helping with the local Police to investigate cyber crime cases and got myself into the community to spread the word and organize the 1st ever nullcon International Security Conference, in Goa 2010.
Technology grew up, can you talk about how the landscape has changed and what the real threats are now?
It started with the “SMART” revolution: connecting smart things to the Internet and then to other devices to orchestrate an all new level of user experience. Imagine you are about to leave your office for home and it's 30 mins before you reach there; you can start your oven, put on the AC to cool the room to your preferred temperature, check the inventory in your refrigerator to order groceries... We are talking of Home Automation, which is a reality thanks to the Internet of Things. You can manage all your “SMART” devices at any time, from anywhere.
This “SMART” revolution has taken each and every field into its fold: transportation, irrigation, industrial controls, health and medical services, surveillance, ticketing, you name it.
Now, imagine someone remotely taking control of your home’s devices. Scary? It’s just the beginning. In a recent case, medical devices and computer systems at Presbyterian Medical Center in Los Angeles were taken over by cyber criminals. The hospital decided to pay a ransom in order to regain access. Just to give another example, you probably remember the story when two hackers remotely hijacked a Jeep Cherokee on the highway from ten miles away; that experience was a result of security research by Charlie Miller and Chris Valasek. They had been sharing their research with Chrysler for several months, then the company was able to release its patches.
We hear about hacking every day. There are serious data and communication security lapses in today’s SMART devices, which can lead to complete takeover, pose serious hazards to our safety and threaten lives. So the threats are huge and real.
There is a lot of hype about the security of the IoT in industry. How secure are IoT devices?
Let’s understand this: IoT devices were designed for features and simplicity and never for security. With limited power and computing power, it's difficult for IoT devices to keep their data and communication secure. So, yes, by their very nature the current IoT devices have serious security issues.
We are working to change this. As with any other discipline, the security curve follows the innovation curve, and it's not the industry but the security community which initiates and puts security in each of the upcoming technologies. IoT is not an exception.
Which industry verticals should be most concerned about the security of the IoT?
Right from the devices installed at your home to medical devices... Endpoint spending will be dominated by connected cars, other machines and vehicles, commercial aircraft, and various construction equipment. We think that every industrial vertical whose product can disturb privacy or pose a safety hazard due to hacking or manipulation of a device should be concerned and work on security. Gartner says that spending on IoT security is expected to reach $547 million in 2018. Gartner forecasts that 6.4 billion connected things will be in use worldwide this year, up 30% from 2015. Gartner also predicts that by 2020, more than 25% of identified attacks in enterprises will involve IoT.
What have been the main barriers to securing the IoT?
We face too many obstacles with securing IoT technology: there are security and privacy challenges, design constraints, budget and also end users. It's an early stage technology, and it’s difficult for people to understand how a smart TV or a toaster can harm the users yet. The security problems with these devices are not intuitive. We are also trying to overcome this with improved awareness.
Regarding the IT industry, IoT devices are cheaper and easier to build, so there has been a burst in the number of manufacturers, and each one has developed their offerings in an ad-hoc manner. So currently there is a lack of common security or regulatory standards which can fit all of the IoT devices. Some companies are tempted to keep projects on schedule and avoid security audits. This makes security efforts very difficult.
Hardwear.io is our effort to bring manufacturers, security researchers, regulators and the community onto a common platform. Here we collaborate, we share, present case studies, latest research, disclosures, publish advisories, best practices and discuss the future of IoT security. We had a great response for last year's pilot edition and we are expecting to take it to the next level this year.
What about research, do you see more ethical hackers focus in this field?
Like I said earlier, the security community first brings out the concerns/issues of these devices manufactured by the industry leaders; hence yes, there is a lot of focus and importance given by companies and hackers towards research and innovative ways to secure them by attacks.
Govt defence agencies always encourage research, and most of the leading/developing countries' economy is spent on research and defence. Conferences are a great place to meet people, and the govt/industry (CXO) should not shy away and work in silos from the hacker community.
Is there anything else to discuss about hardware security, cybersecurity, and IoT?
Hardware security is gathering focus and a lot of consulting companies are working towards building capabilities in this area, since the primary aim of companies manufacturing IoT devices is first to sell/launch their product on time rather than focusing much on security issues. We know hacking software; now it’s time to focus on hardware hacking.