Intel’s Cyber Security Inside Podcast – Tampering at the Edge

Listen to Episode 24 – Tampering at the Edge

 

Tom G: Thanks for joining me today for Cyber Security Inside. As always I’m here with my co-host and colleague Camille Morhardt. So, how are you doing today, Camille?

Camille: [00:00:49] I’m doing well, Tom, it’s dripping rain as usual here in Oregon in the middle of winter, but I’m doing well.

Tom G: [00:00:56] This is the stereotypical day for why people think they don’t want to live in the Northwest. But, uh, let’s put that aside. And, uh, and what topics do you have in mind for today?

Camille: [00:01:11]  I’m interested in this proliferation of devices that we have outside of the firewall, um, and what we’re doing to deal with them. And I think this is, you know, includes when I think of it, I think of internet of things and smart cities and smart meters. And this could be anything from parking meters to electrical meters or gas meters to anything really cameras, mounted in intersections.

What are some of the techniques that are actually in practice today to securing those? And I expect you may have a perspective for things that we’re using within an enterprise, but again, outside the firewall.

Tom G: [00:01:54] Yeah. It’s a good topic because this particular area more so than many others requires really rethinking how we manage and therefore secure devices, because the way we’ve, we’ve done both management and security of devices in the past, just can’t scale to the level that we’re talking about–where, you know, quite literally every home might have tens or hundreds of these types of devices over time.

How do you secure those? And, and, um, we just know for sure it can’t be the way we’ve done it in the past. So this is interesting. And, and, uh, I’ll be intrigued to hear some of the ideas and concepts that are out there to tackle this problem cause it is a big one.

Camille: [00:02:45] Not only that, but all of these different devices or many of them connect with one another. And so, you know, if you sort of bring one in that’s any kind of an issue and it’s on your network or even direct connection through protocols that connect devices to one another–separate from a wifi–you know, how are we making sure this kind of thing is secure, especially if that’s then connected into the enterprise network somehow?

Tom G: [00:03:13] Yeah. And, and, and there’s the other element too, which, you know, we don’t talk much about, but it’s the whole privacy angle where, you know, we talk about bringing either things into our home, in a consumer setting or devices that have cameras, for example, in an enterprise setting or a consumer setting.

You know, we don’t want people watching us. That’s just one simple use case, but, uh, as these devices become    interconnected to themselves, it can be sort of the weakest link, uh, where just one other device is seemingly unrelated, but still connected in some fashion to another device may lead to sort of a cascading failure.

And so it’s, it’s very much a big problem on, how do you, how do you manage the devices?–so managing meaning how do you keep them updated and protected from attacks and so forth, but also just managed in the traditional context of when something breaks–how do you fix it? You know, you can’t have everybody on the phone calling tech support to fix these things. So how, how do you do that? Can you automate things? and how do you clamp down the device so that it’s not capable of doing too much damage if it is, in fact, somehow compromised?

So, yeah, it’s an interesting topic. I think this is a good one.

Camille: [00:04:32] Yeah. And is there any way we could talk to somebody who’s actually implementing some of these security methods for this particular conversation?

Tom G: [00:04:41] Let’s see, let’s check the Rolodex and find a person that’s actually in this space and see what we can learn from them.

Camille: I would love that.

Tom G: All right, great. Let’s go for it. It’s a great topic.

Our guest today is Eran Fine. Eran has remained at the forefront of changes in the IOT mobile software industries and has more than 20 years of international experience in founding, managing, and leading high-tech companies.  Eran’s current company, NanoLock Security, is a ground-breaking cyber security company, delivering protection and management of the connected devices and systems that are crucial to the success of key industries, like infrastructure, smart cities and telecom.

As the CEO and co-founder of NanoLock Security, Eran has led the company to a position of esteem, credibility in the cyber security industry, taking home a number of awards and accolades. Eran is the author of 22 patents and has created five successful comedy television shows, including the popular and long running Israeli sitcom “Unleashed.” So welcome to the show, Eran.

Eran F: [00:05:54]  Thanks for having me.

Tom G: [00:05:56] That is quite a background Uh, you know, we don’t have time today, but five different sitcoms. That’s pretty incredible.

Eran F: [00:06:05] Yeah. Two of them were funny by the way.

Tom G: Two out of five (laughs).

Eran F: But 2 out 5 is not bad.

Tom G: [00:06:11] That’s a pretty good hit rate (laughs).  So, uh, today on the podcast, I wanted to just start by maybe asking you about the overarching security challenge that your current company is attempting to go after?

Eran F: [00:06:29] Sure. So, Nanolock is trying to prevent modifications in the performance of connected edge devices–like smart meters, smart lighting, smart sensors. And we are trying to combat outsiders, but also people coming from the inside or insider attacks and even supply chain attacks.

So the target that we put for ourselves is to maintain the integrity of the performance of those devices by protecting against any manipulation on the code and data stored into those devices.

Tom G: [00:07:03] Interesting. So you’re focused on the, uh, as I understand it, the data that’s in the devices and making it difficult or impossible for an attacker to modify the data that those devices are using. Is that correct?

Eran F: [00:07:19] Yeah the write commands, or the write manipulation is the outcome. So the target of the adversaries is to change the parameters. So if something is doing and moving from right to left, many adversaries is wanting to make it move from left to right. So that requires a change of parameters inside the device. What we’re making sure is that the devices stay as the owner and the originator designed these devices to work as.

The challenge is that many of those devices are low in computational power, low in energy, and using operating system which are low-end operating system.  Thus protecting from inside the device is pretty complicated and that’s the challenge we overcame.

Tom G: [00:08:00] And so, you mentioned before things like edge devices, so is most of your focus right now is around like IOT, is that correct?

Eran F: [00:08:08] Yeah. IOT is a flavour of the connected devices, right? IOT commonly thought of as devices connected to the internet, however you have a lot of different networks from indie to proprietary networks and so fourth, or we’d rather look at that as connected devices in general.  You know what, even putting a USB inside a device makes it connected. So our assumption is that connectivity can come in various shapes and forms and adversaries can come in various shapes and forms. And our target is to protect from the known and unknown manipulations.

Tom G: [00:08:46] And so for our listeners here, uh, you know, they come from all different industries. I wonder if you could give them sort of an example of the type of threat that they should be more aware of, uh, in their environments, maybe something they haven’t thought of before.

Eran F: [00:09:06] Sure.  Um, well, smart meters, whether it’s electricity or water.  Electricity meters are operated by electricity. Water meters are operated by battery.  So that’s a challenge. So example, for example, in, um, August 2020, there was a cut-off of about 30,000 meters in India putting 300,000 homes without electricity. People don’t know, um, whether that was a cyber attack, fraudulent event, or was a mistake.  But in any case, somebody sent a “kill command” to 30,000 smart meters. The outcome was devastating. 300,000 homes without electricity.  But the smart meter initiative in India got a big hit. So that’s one simple attack.

There were attacks where people manipulated meters for fraud and theft. It doesn’t have to be a state level attack to be for financial gain that happened in Malta that happened in Puerto Rico.  And in many cases it’s still happening because many of those attacks or events are un-noticeable because they’re inside the device—they’re embedded inside the performance of the device–and many of them can not be detected by common and standard protection methods.

Camille: [00:10:18] [Are you ] So Eran, are you just worried about the security of the water meter itself ? or are you also worried that someone might be able to access personal information about, say me, through the water meter that sits outside of my house?

Eran F: [00:10:35] So I think both.  So number one, tampering the water meter.  But let’s assume that the tampering is changing the IP address that the personal information is sent to. So that’s a kind of tampering you can look. So I can brick the device. I can make it an un-operational. But I can send the stored device into another place, or if this meter or sensor is responsible for the ratio between water and chlorine, I can make a state level devastating attack.

So it’s all the way from a simple manipulation stealing personal information to bricking the device, to making something which is harmful beyond the specific device itself.

Camille: [00:11:14] And what if the, the water company or electric company actually needs to make an update to devices?

Eran F: [00:11:20] So that’s the second layer that we’re offering, which is actually to secure the optics. So our claim to fame is that we’re also impacting performance and operational aspects of the customer. So usually in many cases, they’re sending a technician. We’re saying, “let us help you and make sure that what is being sent from headquarters will reach safely to the edge device.”  So we’re not trying to encrypt the data. What we’re trying to do is sign it in a way that what came out of the headquarters and sent over the air, when it gets to the device, it has the same signature, the same parameters.  And then we verify, and that’s our secret sauce, we verify with very low resources that the originated content is truly the one that was sent.

Tom G: [00:12:07] So, you know, I’m thinking about the more general case here, where in this connected world that we all live in now, uh, devices are devices of all types, not just IOT devices, but PCs and servers and, and other devices they need to get updated on a regular basis because you know, new attacks get formed all the time. So you need to update machines regularly.

So is this type of checking that you are talking about, is this a relatively new field of study or has this been around for some time?

Eran F: [00:12:43] It’s pretty new. So what we’re trying to do is we employ a zero trust.  It’s below zero trust. Zero trust usually has an anchor. I trust a processor. I trust something. We actually came with the approach of trusting nothing–neither, the device, nor the processor, not the network, even the operators, the owner; we just don’t trust anything within the flow.

And what we also applied is that we are not protecting the processor, the CPU. We are a gatekeeper in front of the non-volatile memory, which is even one level lower. And what we’re saying is we don’t know what we’re trying to protect against. We’re assuming the following. If this is not signed properly, if we don’t recognize the signature, we will make sure that it will never get to the non-vaulted memory. And we’re pretty aggressive in the way we cut this, um, chain of data into the non-volatile memory. So you can hack the network. You can even hack the processor. You know what? I can even steal your password.  And still, even if I’m inside with all the credentials, we can still prevent from catastrophic manipulation to occur by the sheer fact that the commands are sending will not get through.

Tom G: [00:13:59] You have, then you’re protecting against even phishing types of attacks where you can, you can trick me, uh, to give you my password. And even in those scenarios where you’ve done those kind of multi-layered attacks , you know, phishing coupled with some other types of, uh, vulnerabilities, you can protect even in those scenarios?

Eran F: [00:14:22] I want to say yes, but it’s a little bit more complicated. So phishing is not an attack. Phishing is the first part of the attack. Phishing is the way to lure you into doing something. And if I ended up doing only this, okay, so I have the credentials. But then comes the second part where I have your credentials and I’m trying to make a change or own your device. Let’s assume you have a smart meter and I have your credentials. Now I own your device through a phishing process. We prevent that. So we prevent the end point where the preparations are turned into an attack. That’s where we stop this kill chain, quote unquote, when a preparation turns into a true attack, that’s where we stop it and say, you cannot become a persistent owner of malicious code inside a device.

Camille: [00:15:11] Have we now somehow migrated, um, the trust, though, to Nanolock? If, if Nanolock is responsible as the gatekeeper?

Eran F: [00:15:21] Well, we’re, we’re a humble gatekeeper. So only with the only thing we want to know is that you came from a trusted area, a trusted place. That’s where we’ll sign and you are coming in peace. So we don’t have a sort of SaaS service. It’s a mechanism to say here’s a root of trust between the non-volatile memory and a trusted server. And NanoLock  guarantees that only things that came from this trusted server, signed in a proper way , are not trying to harm the device,  will go through.  But that’s the only intervening that we’re employing the device.

We’re not trying to understand the content. We’re not trying to understand who’s the owner – we’re just making sure that the behaviour of changing code is properly signed. That’s the only humble work we’re trying to do.

Camille: [00:16:13] Okay. And what do you think are the motivations of the attackers in this case? Is it just to cause mayhem? You’re talking mostly about critical infrastructure.

Eran F: [00:16:24] No. We’ve seen attacks all the way from state level attacks on critical infrastructure. So our customers are all the way from smart lighting, smart infrastructure, industrial. My favorite, by the way, is for financial gain. So I’m manipulating the devices so the measurement is lower than what it should be and I’m splitting the difference. Um, I’m, I’m doing a ransomware attack. That’s a very known and very clear motivation. “If you don’t pay me your device will either brick or be un-operational.  With meters when I need to send a technician to a remote area, and that will cost me about a hundred dollars just for the technician and $150 per device. That’s a pretty catastrophic event.

So the motivations vary from, I want to destroy, to I want to own, or I want to manipulate. And there’s probably other motivation, which I’m not aware of. Um, I want to, I want to play, I want to test my skills. Um, I’m pissed. I want to harm my employer. There’s so many ways of so many reasons for somebody there was so many insider attacks, for example, but people pissed off of their employers or, uh, sponsored by an adversary who gave him the money and said, “just going to harm this organization.”

What we’re trying to do again, is say, we don’t know the motivation. We don’t know what you’re trying to do, but just make sure that you cannot do that.

Tom G: [00:17:50] So where do you think this is going, uh, in the future? So this is kind of a solution that you have today that you’re, you’re working to drive through the industry.  But I I’m thinking maybe even beyond your company, but just in general for the industry, what are the sort of horizons that are, you know, forward-looking that, that we should be thinking about in the years to come?

Eran F: [00:18:15] From a, from a  protection perspective, it’s a multi-layer approach. You need to protect the backend, you need to protect the network and you need to, to protect the devices. And of course it will be also be deep packet inspection and AI coming in, and a lot of ideas to try and understand whether somebody is about to make an attack or the attack already happened and, um, it’s below your threshold and to understand it. So we are a great layer of defence, but we not the only layer of defence, you need to have a multi-layer approach.

When you’re getting into more complicated devices, servers, laptop, PCs–things which are more powerful and more open with stronger operating system–it’s becoming much more complicated. We have a simple work. Uh, the edge devices that we’re working with are single-purpose devices. It’s easier to protect those devices. When you speak about a server, you’ll have so many attack vectors–some of them are physical network, um, applications running inside–it’s almost impossible to protect those devices.  And more and more capabilities will have to be developed.

I think AI. And, and machine learning patterns and recognition of what is malicious and what is normal, I think that’s the wave of the future. Um, and mostly, I think a common understanding that we need a cyber hygiene, um, from the device to the network, to the IT, and they have to work in harmony together.

Camille: [00:19:48] What kinds of things would you say, um, designers can think about to, to help prevent these kinds of attacks?

Eran F: [00:19:58] Um, they have to stay humble. The assumption is that the adversaries are smarter. And if you think that way, you’re better off. Designers of devices have to take into consideration that there, if there is a motivation, people will be able to do and penetrate your device. And they’re always smarter than you are. So have multiple-layer their approaches, assume that [what] you think is friendly is not necessarily friendly and apply a zero trust approach.

Tom G: [00:20:44] So we do a, a fun thing on their podcast, uh, where we offer the opportunity to have guests share something they’ve learned. And Camille and I partake in this as well. Something that we think would be interesting for the listeners, maybe something you learned about, or maybe a show you’ve watched or whatever.

So I’m wondering, do you have anything that you’d like to share with our listeners?

Eran F: [00:21:06] Go and watch “Tenet.”  It’s an amazing movie. And, um, it just reminds me that movies can be great. It can be enlightening, can be stimulating, make you think. And this is the only movie I’ve seen the last 10 years, which I sort of saw three days consecutive.

Tom G: [00:21:24] Oh my goodness. “Tenant” is on my list of things to watch. So now it’s really on my list of things, but it looks a lot like “Inception.” Uh,

Eran F: [00:21:34] it’s not, it’s, it’s much smarter than inception. It’s much more complicated. And again, I’m not sure it’s a great movie, but it’s one that makes you think, and you enjoy the fact that there’s somebody out there like Christopher Nolan that is smart enough to play with your mind.

I’ll see it again and maybe again, and try to send what he’s trying to tell me. And it’s very rewarding.

Tom G: [00:22:03] Excellent. All right. Well, I’m gonna, I’m going to piggyback on that one cause I’m going to stay in the world of entertainment and, uh, I, I think that everyone that’s listening to this should watch the show called the “The Queen’s Gambit.”

Sure. It’s like a little, it’s a mini series. It’s kind of basically like a movie, but it’s told in a series. Uh, it is fantastic. So highly, highly recommend “The Queen’s Gambit.

Camille: [00:22:30] In the area of entertainment, last year when I was in New York City, I went to the Gajillion Bubbles Show, um, where the guy blew bubbles for, I don’t know, 45 minutes, and the, there were about 80,000 bubbles in the auditorium. And since then I’ve been interested in bubbles. And, um, I recently learned that you can blow bubbles outside when it’s very, very cold, like negative 12 to negative 30 Fahrenheit, or about negative 20 Celsius, and they freeze.

Tom G: Really?

Eran F: [00:23:04] And actually the physics of bubbles is pretty amazing. I was trying to find fun, find something funny to say about this, but it’s actually a brilliant idea. And you were in New York. I envy you. I haven’t seen an airplane for a year.

Camille: [00:23:20] Yeah, that was, that was almost exactly a year ago now.

Tom G: [00:23:24] Wow, so Camille, your frozen bubble thing. Once it freezes. Can you like, hold it in your hand? Well, I guess it had melted since the touches, but—

Camille: [00:23:33] I’m going to, I’m going to punt to Eran. It sounds like he knows more about it (laughs).

Eran F: [00:23:38] I don’t know your bubbles, Camille.  My bubble is exploded. It has, it has. It has a second though. They do have a second and then they broke.

Tom G: [00:23:48] Yeah, that’s fascinating.  Cool. All right. Well, that’s the point of this segment in the podcast is to get people to think.  So, Eran, thank you again for taking the time to join us today. And, uh, it was a great topic and we learned something, which is always the goal of this podcast.

Eran F: [00:24:02] Thanks, Tom. Thanks Camille.