tv The Communicators Black Hat cybersecurity interviews CSPAN October 7, 2017 6:30pm-7:08pm EDT
c-span, where history unfolds daily. in 1979, c-span was created as a public service by america's cable television companies. it is brought to you today by your cable or satellite provider.

host: this is the communicators on c-span. we are in las vegas for the black hat convention. we are talking to some of the presenters and people who are here. joining us now is billy rios, he is the founder of a company called white scope. mr. rios, what is white scope?

guest: we focus onompany, devices. finding vulnerabilities in embedded devices, writing exploits for the vulnerabilities we find.

host: what is an embedded device?

guest: pretty much everything is an
embedded device. a car, locomotives, airplanes, drones, everything around you is an embedded device. it is a device with a computer inside of it. everything that runs the world that we live in is essentially a device with a computer in it. some of those devices talk to each other, we are interested in those interactions.

host: what are you finding are the vulnerabilities of embedded devices?

guest: i have been doing security for a long time. a lot of the vulnerabilities we have seen from 15, 20 years ago that we thought were extinct, they actually have come back in embedded devices. to exploit a modern phone, or even a computer, takes a high level of sophistication now. to exploit embedded devices is pretty easy.

host: give us an example.

guest: an infusion pump that i looked at a few years ago had no password. you could just connect to it and
make the infusion do whatever you want. device, yet. the device that is controlling the amount of drugs a patient is getting when they are laying in a hospital bed. it literally had no password, you could connect however you wanted. you can let it do whatever it wanted, including high rates of drugs. we were able to demonstrate that to folks like the fda. they looked at some of these vulnerabilities and were pretty appalled. they issued a cyber security safety advisory for some of the things we talked about. generally speaking, you usually do not find those things in modern software. but you tend to see those in embedded devices, for some reason.

host: you have also tested pacemakers.

guest: we have looked at a variety of pacemakers. we have looked at pacemakers from four different manufacturers to see what the commonalities were. there are a lot of commonalities, some of the things we saw indicate that
there is probably a lot of cross-pollination and sharing amongst the engineers who make those devices. some of the things we saw are surprising as well.

host: what did you find?

guest: we went to places like ebay and bought pacemakers, pacemaker programmers. it is easy to get a hold of, if you're willing to spend a couple hundred or couple thousand dollars. and then, one of the first things we looked at was the amount of software that was on these devices. for example, a pacemaker programmer, a device that a doctor is going to use to set the parameters for the pacemaker inside of your body, is really just a computer. in fact, one of the programmers we looked at was literally running windows, an old version of windows. windows xp. microsoft no longer supports that operating system. but it was still being used in this pacemaker programmer.
the operating system you were running on your laptop 10 years ago is the operating system that is running a pacemaker.

host: why do drug infusion pumps and pacemakers need to be online?

guest: right. it is a question i ask myself every day. there is some benefit to this. i do not want to make it doom and gloom. having these devices being able to talk to each other, being able to get the right information to a physician at the right time, that is a valuable thing. it can save lives. that is why these devices are being connected. there are inherent risks when you connect a device. if a device is talking to the internet, there are some inherent risks that are involved. regardless of how well you engineer the device. regardless of what your intentions are. that is what we look at. it is really hard. it is not easy to create a
secure device. i think right now, the benefits probably outweighed the risks.

host: why would somebody want to hack a drug infusion device?

guest: that is a good question. i try not to answer the question why, because to be honest, the technology is pretty complicated. but trying to understand why a human being would do something is even more complicated. i try not to play that game. it is technically possible. if someone wants to do this for a variety of devices, they can. whether they are mentally unstable, whether they are emotionally unbalanced, whether they have a vendetta or a message, whether they are a government trying to do something and harm somebody, i do not know. that is not something i try to answer. what i know is technically, it is possible. whether or not someone has a
motive or means or whether someone wants to do this is a totally different question. i can't answer that question as to why. i can tell you that they can do it.

host: we are moving into a world of internet of things. embedded devices everywhere. what does that mean?

guest: one of the things we will be talking about this week are safety issues associated with internet of things. internet of things, they are all around us. if you think you can live in a world without being exposed to a connected device, you are really naive. when you go to the grocery store, those are computers that are doing that for you. when you get on an airplane, that is a flying computer. devices are all around us. internet of things is all around us. it affects your life, whether you want it to or not. that is an interesting situation for a lot of people. it is interesting to take a look at how these devices impact
the daily lives of people and whether or not there are risks because of these connected devices.

host: when you work with a company, do you go in, do you try to penetrate their defenses?

guest: it depends on what the organization wants. some organizations hire us to take a look at their devices, to help them secure their devices. some organizations are more operational. they have a facility or a building or data center or stadium, and they know that these devices are there. and they want us to help demonstrate what can be done if those devices are hacked. it depends on what the organization wants. we do a variety of services.

host: are you a hacker?

guest: at the end of the day, we have to find vulnerabilities. in most cases, we have to find exploits. that is what a hacker would do. i do not call myself a hacker because there is a difference between what we do and what a real hacker would do. we find
vulnerabilities and we may demonstrate to you what those vulnerabilities might be if they are exploited. whether they can hurt someone or cause physical effects like a fire or explosion. but we will never do that to really hurt somebody. we won't do that to damage your equipment. that is not something we will do as a researcher or company that is hired to do something. a real hacker would. a real hacker would exploit a device to hurt or kill someone. a real hacker would exploit a device to take down an organization or send an organization a message. that is a line we do not cross.

host: you mentioned you have been in this field and security for quite a while. where did you start and what were you doing?

guest: i had a pretty colored career. i was an active duty officer in the marine corps. i served in an intelligence unit in hawaii. you learn the foundational pieces of operational security.
i spent time at the agency doing detection, which is a nice way of saying catching hackers, doing what we call penetration testing. where companies hire you to break into their systems and tell them where their problems are. i started a startup that was acquired. this is my second startup in the cyber security world. i have been doing this for a while. it is something i love. if tomorrow all the resources and money dried up in cyber security, i would probably still be doing it.

host: is the military the lead agency in protecting americans against cyber attacks?

guest: i think that is something the government is struggling with, to be honest. probably the hardest problem in cyber security is not a technical problem. the hardest problem is a workforce problem. when i worked at google and in
silicon valley, it was basically us trading security engineers to other companies back-and-forth. there is a shortage of cyber security professionals. the amount of money and resources and freedom that is given to a lot of these individuals that know what they are doing in cyber security, it is pretty astounding the salaries and the things they can ask for. i find that the military, they are having a hard time keeping up and retaining that power. they may provide foundational skills and training and then they will find themselves losing the top talent they have to places like microsoft and google or facebook. which all have great top security teams working for their organizations. it is a struggle. it is very much a struggle for the federal government.

host: would you be an example? someone who was trained by the military and now you are out and you are doing it privately.

guest: i still keep ties with
folks in the federal government. i still work with folks in dod. i can tell you now, they are very much struggling. they understand to train someone to do this is an investment. there is a level of aptitude that is acquired. even if you invest money in training, you may not get an individual to the level you want them at. those folks who have demonstrated the capability of understanding the cyber security pieces really well and take it to the next level, they are recruited by other places. if that individual is motivated by money or more stability or a better lifestyle than the federal government, or dod, they will be recruited by those organizations. it is a tough place to be. the biggest problem in cyber security, which is workforce. there is a tremendous shortage. everyone is fighting over the same pool of people. that makes it a tough proposition for folks who are not as agile as a silicon valley company. it is going to be something they
will be struggling with over the next decade.

host: do you need at least a masters in computer science?

guest: definitely not. i have three masters degrees. i know people who have no degrees who are much smarter than i. i know people who never went to college who know cyber security really well. i would not say you need formal education to enter cyber security. i personally know people who are in that situation. it could certainly help. i am not saying that the path you will want to take is not going to school. having a solid foundation in electrical engineering is a good thing. it is not a requirement.

host: what is your role at black hat?

guest: i am giving a talk later this week. we are going to show exploitation of a connected device. we are going to cause a connected device to physically attack somebody.

host: can you tell us what the connected device is?

guest: we will reveal that during our talk.
we had three criteria for the device we were looking at. number one, it had to be connected to the internet. we will be able to control the device from anywhere in the world. control the device in the united states. it had to be publicly accessible, which means an average person walking down the street would be able to see one of these devices. we don't want it in a secure area. we wanted it in a public space that will be used by the public. the last piece of the criteria we wanted was we wanted to demonstrate a safety issue. i know that a lot of cyber security issues are connected with privacy and things like that. those things are important, don't get me wrong. when you lose your credit card information, it is a bad day for you. when your hospital gets breached and you lose your health care information, that is a bad day for you. these connected devices have safety implications. we are going to show what their safety implications can be by
causing these devices to attack an occupant.

host: billy rios, founder and security researcher for white scope, thank you for being on the communicators.

guest: thank you for having me. appreciate it.

host: joining us on the communicators from the black hat convention, las vegas is robert leale. what do you do for a living?

guest: i hack cars.

host: what is the name of your company?

guest: can bus is the name of the network that is found inside of vehicles. and hack for hacking.

host: are cars rolling computers?

guest: it is hard to call them rolling computers. they are a fusion of mechanical and electronic components. a lot of those are very small computers. that control the mechanical aspects of the vehicle.

host: on a typical american car, how many so-called computers are in there?

guest: between 15 and 30.
host: what do they control?

guest: they control everything from the engine to the displays, to the lights, to the door locks, to the suspension, ride handling, really every component nowadays is controlled with computers.

host: is security baked in to a car's computer?

guest: sometimes. security is a word they are starting to use in terms of electronic security. a lot of times when oems refer to security, they are talking about securing the passenger seat belts. making sure that they do not get into accidents. securing the person when they hit a wall with airbags. now they are talking more about the electronic security of the systems.

host: is it a growing problem?

guest: it is more noticed, if that makes sense. the issues have always been there. but now, because of recent attacks
it has become a lot more noticed.

host: a year or two back, a couple of gentlemen from wired magazine hacked a car on the road. did that send up flares for people?

guest: yes. i think that really awoke a sleeping beast in a lot of ways. very, very well put together hack. what the gentlemen at wired did was very novel.

host: if we went down to the parking lot at mandalay bay, could you hack into any car down there?

guest: could i find, or do i already know, issues with those individual vehicles? yes. there is a lot of preparation that happens behind the scenes when you are doing a hack. you have to spend a lot of time, maybe even several
weeks, if not months in order to figure out how these systems work. once you figure that out, you can do certain things across one vehicle or another. that might be unlocking the doors, or it might be shutting the vehicle down, or it might be making it so the vehicle cannot start. it depends on how you define hack.

host: if we went down there, could you unlock its doors?

guest: absolutely.

host: how long would it take you?

guest: it depends on the vehicle. some vehicles in a matter of seconds, some vehicles it would require me to have the person who owns the vehicle hit a button on their and then i could capture that information and replay it back to the vehicle later.

host: who hires you?

guest: whoever wants to. [laughter]

guest: it is a tough question to answer. i get hired by companies who are looking to integrate electronic devices into vehicles.
i get hired by automotive companies who are looking to secure their vehicles. i am also hired by lawyers looking to make sure that the vehicles of their customers are secure.

host: how did you get into this business?

guest: i have been doing it since i was 16.

host: breaking into cars?

guest: hacking cars. when i say hack, -- i am self trained. when i say hack, i mean figuring out how the electronic systems work and using that to my advantage.

host: is it a reverse engineering?

guest: reverse engineering is a big part of the process. it is the first part of the process. figuring out how the system works, and after that, we use that information that we learned on the vehicle. whatever our target is. maybe unlocking the doors, maybe turning on the windshield wipers, turning the lights on, something benign like that.
or turning the car off while it is driving. it depends on the application.

host: has that happened besides the wired story that came out? has it happened in a bad way? has a car been hacked in a bad way?

guest: not that i am aware of. we have done hacking before and since that. in a controlled environment for different customers, whether they are government customers, whether they are state, local customers, whether they are oems, aftermarket. it depends on the different levels of the requirements and whoever is contacting us and hiring us to do the job.

host: what does oem stand for?

host: how is it you train yourself to do this?

guest: it has been so long. a lot of internet resources
help. in the past, a lot of good websites described individual systems. i used to work for a company called intrepid control systems. that company supplies tools to the automotive industry for vehicle interfaces. i worked a lot with the oems in detroit to train the manufacturer on their own systems. i learned a lot about their individual systems, how they work, i learned about the vehicle networks. it was just a learning process over the past, i guess, 12, 13 years.

host: what is your role at black hat?

guest: i am doing the training for the car hacking at black hat.

host: what kind of training do you do and who is in the audience?

guest: at black hat, we do not ask the audience who they are. sometimes they do not answer. a lot of times you do not
answer. if you read a name tag, they will have a simple name, and something like that. we have learned over the years to not ask them who they are. either they are coming from military, they are coming from private industry and they do not want the rest of the class to know who they are. these people are interested in keeping their anonymity because they are either in the security profession or in military or after military applications.

host: are people from chrysler there?

guest: they are. i have met some suppliers, some oem people that work at oems. i have met a lot of people from industry in our classes.

host: as we move into the internet of things world, what
are your thoughts?

guest: as long as we do not keep making the same mistakes, i think security is possible. it can be improved. people like me, hackers, we can actually make these systems better by doing responsible disclosure, by making sure that the companies we are working with know how it is their systems can be more secure. i think we are on a good path. they are heading in the right direction.

host: the fact that gm has onstar and can unlock and start cars remotely, is that a security issue?

guest: the onstar systems typically do not send that information over the wi-fi, that i am aware of. a lot of that stuff works over the cellular network. the cellular network has been exploited, as well. as long as these systems use proper encryption, they can
secure it correctly. not every manufacturer does it correctly. we are working with the manufacturers to help them make their systems a little more secure.

host: if somebody is listening to this and is wondering if their car can be hacked, is there anything they can do?

guest: that is a really challenging question. every car canel, be hacked, anyway. maybe that is a good thing. if you want to add features to your car, if you want to do something extra to your car, maybe you can hack it yourself. but as far as some malicious hacker breaking into their car, it does not work as simply as waving a wand and you can open the door. there is a lot of investment in
time and effort and tools in order to figure out how car hacking works. unless you are a target, you probably do not have to worry too much. but, as with the wired hack you were talking about. one of my favorite quotes from the guys who did that was, it was easier to hack all of the cars than one of the cars. they found an issue that was easier to roll out at a massive scale; it would have taken extra work to target a specific person. in that scenario, if somebody finds a problem or a bug or a security hole with a particular vehicle, and they just feel like
pressing the red button and making everything not work anymore, turning people's wheels to the right as they are driving, it is actually easier to go after everybody, not one person. that was a big take away that i learned.

host: the communicators has visited and city as well where connected cars are being worked and developed. what kind of dangers are there in connected cars that are connected to stop lights and roadsigns?

guest: there is quite a bit more -- this is a big concern. we are currently working really hard on catching up with the technology. it is just being released now. density and a lot of these other vehicle to vehicle infrastructure type of radios, you know, stop lights, and roadsigns, is very new. it has not been tested in a security setting yet. at least not in the real world.
as the cost of tools becomes less, more and more people can access these tools. as more and more people have to communicate with vehicle to vehicle infrastructure, radio connectivity, i think we are going to find a lot more problems with it. i think it is a good idea that they try to keep their mind on security as they roll these systems out. i am a little bit nervous but that is not happening yet. security is very difficult. it is difficult to have security -- it is difficult to maintain it and integrate it across a lot of different manufacturers. we are going to have growing pains. initially. i hope it does not cause a slowdown in the promise of vehicle to vehicle infrastructure technology.
host: are car manufacturers working together to set regulations and safety standards?

guest: as far as i'm aware, yes. there is a steering committee, an automotive cyber security initiative. it still has not been released yet. the actual paper is not available. there is a steering committee to try to make it a little more streamlined so that security can become part of the process of designing and developing a vehicle.

host: robert has been our guest on the communicators.

host: now on the communicators, we want to introduce you to aaron rouse who is the special agent in charge of las vegas for the fbi. what does that entail?

guest: it means i will run the fbi operations for the state of nevada.

host: what is the major focus
here in nevada for the fbi?

guest: unfortunately, the fbi has to be good at everything. our focus has to be in the top priorities that the fbi has set out on what we can do the most with. for us, our number one priority is always going to be counterterrorism, keeping people safe.

host: you are here attending black hat, why?

guest: i think it is important for us to know what technologies are out there and what people who are involved in the industry for good or not so good, what they are involved in. and what kind of things are interesting them and what kind of things are the latest and greatest that they see up there. and what kind of discussion groups do they have. the fbi wants to be a part of that.

host: are you welcomed here?

guest: most definitely.

host: what do you spend your time doing?

guest: a lot of it is outreach. we want to make sure that the
fbi is seen as a partner in protecting people. we want to understand what is important to them and see how we can plug and play.

host: how big is cybercrime in las vegas and nevada?

guest: cybercrime is big everywhere. as we are seeing, the best part about the internet is also some of the worst things about it. we see it from everyone with infected emails that they get from somebody that they thought was a relative or a friend, and they click on the link or the attachment and they see that, now i am subject to ransomware. or now my identity has been stolen because i am sharing a lot of information. or my business computer has been compromised. those things are of keen interest to us because it is our job to protect that.

host: is there a unit within the fbi that works on these issues?

guest: the cyber division is tasked with making sure we are all focused on the right things.
host: what about the casinos? from an fbi perspective, do you work with the casinos to protect them from cyber attacks?

guest: we have great relationships with the casinos. all of them. they want to be good partners with us because they do not want to be the victims of crime or the conduit by which the people that go to their casinos are victimized. they want to work with us to make sure that when people come to recreate, and if necessary, gamble, they are doing so safely.

host: can you learn things from how the casinos protect themselves?

guest: absolutely. the best part about the fbi for our outreach program is we are always learning from industry. we are always learning from private citizens. every interaction we have allows us to learn that much more, because you can't be the master of everything. there are people out there that will spend their entire lives
preparing for the worst case scenario for their particular industry. the casinos are no different. we partner with them to learn what are they seeing? what are the threats they see? and then, how can we prioritize that in the fbi response?

host: is the cybercrime aspect of your job growing?

guest: always. we are seeing that cyber is a part of absolutely everything we do now. the amount of data that we collect would probably shock your audiences.

host: hoover dam is close to where we are now. does that keep you up at night?

guest: no. we have great partnerships with the state, local, and federal agencies around here. we are focused on the same thing. to protect the american people. when we see critical infrastructure pieces like the hoover dam, we focus on that, just like a laser beam. we make sure that we are doing everything we can that comes in the form of tabletop exercises.
a lot of interactions between the department that come through the hoover dam, and we are always looking at the intelligence. both domestically and with our foreign partners. and how do we stop them.

host: does section 702 assist you in your work?

guest: it is a critical part of our work. if section 702 is allowed to expire at the end of this year, america will be less safe. the fbi will not have access to information that we critically need to protect the united states.

host: essentially, that is allowing you to listen in to phone calls made from overseas?

guest: yes. but i want to mention to all of your viewers, the fbi does not do anything without judicial review. a judge will look at it and give us a warrant to do so.

host: when we were talking with jeff moss, the founder of black hat, he was telling us about an
estonian operation where the estonians were trying to get money and trying to get trade secrets from ceos, and it is very cloak and dagger.

guest: it is. we will see, not just through business email compromises, but we will see that people will do a lot of their homework on the target they want to go after. they will know about their social media habits, they will know everything they can. in many cases, what they are able to do is mimic through subverting their email system, being able to get in there and send out an email pretending to be somebody else to allow for wire transfers. from company to company. it is a very ingenious way of subverting the safeguards of a corporate entity. it is something we have to help people be on the lookout for.

host: $1.3 billion in
cyber losses last year, according to the fbi?

guest: i think that is a conservative estimate.

host: agent rouse, when you go into black hat on the convention floor, do you bring your phone?

guest: no.

host: why not?

guest: i think it should be apparent. but not everyone is here with the same reasons. not everyone is here doing all legitimate work.

host: aaron rouse is a special agent in charge in las vegas. this is the communicators. on c-span.