Hackers for hire, and why 100% security is a myth
Imagine breaking into a bank, cracking the vault and looting the safety deposit boxes, without the threat of prosecution, just to see if you can do it…. For one man, that is his job! We spoke to an ex-NSA hacker about cybersecurity in 2019.
Dave Kennedy (@HackingDave) is now the founder and Senior Principal Security Consultant of TrustedSec, a company you can hire to hack your connected products, networks and computer systems. Why would you do that? To find holes in your security, of course.
Kennedy calls this service “information security consulting”. His team is full of hackers that have made breaking into computer systems an art form. Having Dave and his team slip through your security allows you to better anticipate and protect against real criminal attacks.
Kennedy himself used to be a hacker for the NSA. He struggled to get excited by traditional education, preferring instead to focus on programming, tinkering with computers and trying to figure out how things worked. Rather than go to college, Dave opted for the United States Marine Corps (USMC), working with the intelligence community on cyber operations.
He was in the military for five years and was deployed to Iraq twice for intelligence related missions, before leaving and eventually starting TrustedSec. He has testified in front of Congress on cybersecurity too.
We spoke to Dave Kennedy to hear his insight into the security issues facing some of the tech areas we are interested in for 2019, namely; smart home, autonomous driving and 5G.
In 2019 where it seems like everything is becoming ‘connected’, a major security problem is that a lot of companies are manufacturers first, and IT companies second.
“Nothing is ever 100% secure and there are always exposures, especially in a connected world,” says Kennedy, before explaining that the hope is to minimize exposures ahead of time, by building security from the start. “It’s much more difficult to address security threats when they are already in production or released,” he says. “We find it a common practice to get a technology out the door as fast as possible and worry about the implications later.”
Kennedy says that companies need to do more to secure their technology, especially in 2019 when everything we are doing is directly connected to the Internet.
That doesn’t mean that there aren’t companies working the other way around. Dave Kennedy, a Tesla owner himself, cites the biggest name in EVs as an example:
“Companies like Tesla are a software company first, manufacturer second. While they have had their own track record for security problems in the past, the response and the ability to address security threats as they arise has been exceptional and swift whereas responses from other manufacturers often times are unprepared, slow, and offer no quick way to solve the issue.”
Autonomous driving is one of the most exciting technological advancements for the TrustedSec team. Kennedy told me he believes that true integration into leveraging big data sets for learning how machines can drive us from point A to point B will really revolutionize the driving experience.
Dave predicts that within 10 years, you’ll be able to summon a car that has no driver and takes you to your destination: “Think of not even owning a car, you are getting ready for work – you hit a button on your smart device and a car without a driver picks you up and takes you to work.”
However, there is a catch: “For autonomous driving to work, it is an insane amount of data that has to be in direct communication with the car manufacturers or infrastructure that supports that driving.”
This is what is known as telemetry data, as Dave explained to me, and he says that it is something that everyone is focusing on. “The ability to extract large amounts of data and leverage that data to make decisions or improve a technology,” he says, is the goal. But it comes with a huge risk.
“This data and the protection around it is a large concern. If a hacker breaks into the servers that control all of the autonomous cars, it would be absolutely possible to impact mass fleets of vehicles and for example - have all cars drive off the road without any driver interaction.”
Dave Kennedy says that whilst autonomy is going to change our driving experience, if we don’t protect these systems from tampering, “it is going to be a long road for us”.
Advances in 5G will increase download speeds, reduce latency and provide better access for regular consumers, but these benefits are also available to those with darker intentions. There is little doubt, 5G will allow a hacker to get access to your system faster, and to sustain it for longer. That’s quite a big problem.
Dave Kennedy expressed concerns about Huawei and the Chinese company’s influence on 5G networks, a story that has received no shortage of press in both the US and Europe, but he also spoke about expected security issues when upgrading a network.
“Whenever there is a new standard, security often lacks behind. I would expect there to be implementation issues with 5G that directly expose security concerns or vulnerabilities as the technology is rolled out.”
He added that several companies are “truly banking a ton on 5G” in a bid for faster integration of autonomous vehicles and IoT products. “Most of these companies were manufacturers first, software developers second and usually lack a substantial amount of controls around security.”
Dave does envision 5G as a ‘large attack surface’ where the ability to establish long-range and fast communications to devices that traditionally never had these types of connections, will create significant exposure for consumers.
The softwarization of 5G and our increasing appetite for IoT products creates more entry points for invasion. The principle is exactly the same as guarding a room - the more doors and windows you have, the more difficult it becomes to keep intruders out.
Tell me more about the bank heists
In a recent interview with the Guardian’s Chips With Everything podcast, host Jordan Erica Webber asked Dave Kennedy how far he and his company were allowed to go when testing a client’s security. Kennedy explained how he works for some of the worlds largest companies, simulating hackers, break-ins and attacks.
And when I say break-ins, I mean actual break-ins. Breaking into buildings, smashing windows, crowbarring doors and forcing entry to places with supposedly tight security.
TrustedSec and its clients agree on a set of parameters or rules for how far the hackers can take things. The team has broken into a bank vault before, lock-picking the safety deposit boxes and helping themselves to what was inside. Unfortunately, they had to put the cash back.
Sounds like a pretty cool job to me! What do you think about cybersecurity in 2019? Share your concerns in the comments below.
As so many race to be served by tech, a careless idea to be carefree, too much is overlooked and ignored. Penetration testing is necessary to discover where vulnerabilities lie. It's just not possible to plan and audit our way to an environment that is "secure". Applaud the ethical hackers, pen-testers with "get out of jail free" cards, who expose the real monsters under the bed.