[Interview] Yoni Kahana, Nanolock Security: “Even Though It’s Perceived That a More Expensive  IoT Device Is More Secure, It’s Not Always True”

yoni kahana defcamp 2018

Twenty years in the making, Yoni’s experience in information security spans across challenges and roles. His focus: managing, leading and developing large-scale projects in secure telecommunications and embedded systems.
He’s also contributed to defining roadmaps and system requirements for security features for billions of mobile devices, IoT chip, and cars.
His presentation at DefCamp #9 is titled “Defenseless devices in a world of big bad wolves”, and something tells us you’ll want to see it.

Plus, given the current state of IoT security, it’s no wonder that Yoni sees things like this when it comes to how aware IoT makers are of their data security issues:

Due to the fact the major attacks on IoT happened in the last year (e.g. VPNFilter , Mirai, WannaCry), the awareness of the IoT makers raised significantly and it became part of the discussion around IoT device capabilities.

It is now clear that IoT devices need to be protected, and the security should be derived from hardware in order to verify that the software integrity and that it wasn’t tampered with.

It’s interesting to see how Yoni connects the dots when it comes to the clues that attacks like VPNFilter and Mirai provide in terms of how attacks targeting IoT might evolve in the next few years.

Both of those attacks took advantage of the low or lack of security controllers of IoT devices (routers or cameras) and were able to modify the software and in a persistent manner.

It is clear that getting software manipulation in a persistent manner will remain the main goal of the attacker.

It can be assumed that more security controls will be added to IoT devices, and attackers will become more sophisticated – but anyway their final goal is clear as stated.

It is also clear that there are elements or players that have the motivation to invest in those attacks, and this will increase over time.

But IoT makers don’t seem to be making too much progress in this adding new controls on their own. The question around standards and how effectively they could be enforced naturally follows.

IoT is a big term that includes consumer products, automotive ones, industrial ones in some cases, so the answer to this depends on the vertical.

In the more critical, safety-oriented verticals, standards or official guidelines could assist in driving security.
In other verticals, know-how and guidelines will be supportive but, if it is not regulated, it may be hard to enforce it.

Until that happens, we, as everyday users, should ask for security to become the standard. But commodity and security can’t perfectly coexist quite yet in the Internet of Things. The price is always a pain-point, and it can distort perspectives in both ways of the scale, as Yoni explains.

IoT is very sensitive to cost. A device that costs only a few dollars often doesn’t include security solutions that cost dollars too.

It is essential to provide solutions that don’t increase BoM cost (cost of the endpoint), else the pushback will be too big.

Even though it is perceived that a more expensive IoT device is more secure, it is not always true – and it is up to the leaders in this industry to find good solutions that fit IoT without making the cost of the devices more expensive.

However, the cost is not the only issue here. Here’s why Yoni has learned from experience regarding IoT users’ almost oblivious attitude towards the vulnerabilities in their devices.

End users tend to ignore cyber security risk for many reasons: lack of awareness, lack of economic motivation to invest in cyber protection, no accountability, ignorance and more.

End users tend to think that they won’t be targeted and even if they will be, they have no data that matters.

Both are a misconception but it is hard to educate the masses.

IoT security is an area overflowing with questions and the need to answer them, so join us for Yoni’s presentation in Bucharest on November 8-9!
This interview was made by Andra Zaharia. You can get in touch with her on LinkedIn or say hi on Twitter.

DefCamp is powered by Orange Romania and it’s organized by the Association “Research Center for Information Security in Romania” (CCSIR).
DefCamp 2018 is sponsored by Ixia, Keysight Business, SecureWorks and Intralinks as Platinum Partners and it’s supported by IPSX, Bit Sentinel, TAD Group, Enevo, Crowdstrike, CryptoCoin.pro, Siemens, Alef, UiPath, Atos and Kaspersky Lab.

    Related articles​

    Securing the cloud: insights on threats, ..

    BY Adina Harabagiu
    There is no mystery that everything nowadays has a digital component. A growing number of companies are ..

    Striking a balance between security updates, ..

    BY Adina Harabagiu
    The world of cybersecurity is fast paced, there’s no denying it. Innovation is constant and threats are ..

    Pentesting: a tool for empowering – not ..

    BY Adina Harabagiu
    You’ve likely caught wind of this rising tide – offensive security, pentesting, and #RedTeams are not ..