The traitor in your pocket

The hardware product design industry and security industry are totally separate. They should be combined, says Joe Grand, product designer and president of Grand Idea Studio and speaker at next month's ITWeb Security Summit.

Read time 6min 00sec

The hardware device in your pocket is probably the weakest link in your security chain. It probably also has your most personal and valuable information on it. Unlike software and system, which have had a security element built into them for years, hardware is still out in the cold, security-wise.

So says Joe Grand, product designer and president of Grand Idea Studio, and previously of the L0pht, a hacker think tank which famously testified before the Congress of the US that they could shut down the Internet in 30 minutes.

Speaking to ITWeb in the run-up to the annual ITWeb Security Summit (13-15 May), Grand highlighted how things have changed, and how they've stayed the same.

“When I started in the security industry, a lot of the things that happened were curious hackers and people pushing the limits and trying to find problems in hardware and software and get those fixed. The kinds of things we did at the Lopht in the 90s” says Grand, who is known in the hacker community as Kingpin. “It was just for fun, no one paid us; we were trying to make security better. Nowadays, we're all entrenched in the Internet - so much has gone online - and there are huge amounts to be made by fraud, phishing, and illegitimate activity. Criminals are targeting users - and it's not just techies online anymore, it's everyone. It's scary.”

Grand says if every security product punted by a vendor worked, we wouldn't have a need for security at all. “The problem is we have so many attack scenarios and each piece of software or network, etcetera, is different. There's no silver bullet for the security problem.

“People are all using hardware devices these days and rely on them to be secure, but they aren't. You have Internet, application and hardware security - whether it's a phone, authentication token or router on your network - and thus so many ways a hacker can gain access to your system. Protecting yourself comes down to understanding what your risk is. Each instance and implementation is going to require a new solution.”

More aware, not more secure

Grand says people are far more aware these days of potential security problems, and that there have been advancements in terms of people writing better code and implementing better network security. But, he says: “Many of the types of attacks possible back then are still possible today. People have become more aware but not necessarily more secure.”

When it comes to device security, the picture is even gloomier.

“In the last 10 years, with regard to hardware and electronics, nothing has changed. We seem to be 10 years behind network and software in terms of how to design products securely and having a response to security problems. At the Lopht we were often the first to find a security hole and we'd go to the vendor and suggest they fix it. They'd come back saying it's a theoretical problem that no one would ever exploit, so we'd go off and write some code and show them it could be done. Over time, companies like Microsoft would have mailing lists to which you could submit vulnerabilities and they'd look at it and maybe release a patch.

“Hardware is far behind this. Engineers there are not familiar with security at all. Vendors aren't sure what to do if we find a problem - they get defensive or blow it off. These problems are often not as easy to fix as issuing a patch. There's a lot more riding on a product and more invested in it. If we find something, it's a big problem, and there's no real response.

“I've found problems in some high-profile hardware over the last 10 years and no vendor has ever said 'thanks, we'll fix that'. It seems hardware vendors are reluctant to fix problems, more so than software vendors, who seem to at least acknowledge the fact that people are trying to defeat their security. Whether a curious hacker or malicious attacker, they acknowledge people are trying to break the system. Hardware is not like that; it is really a problem.”

If every security product punted by a vendor worked, we wouldn't have a need for security at all.

Joe Grand, product designer and president of Grand Idea Studio<b></b>

And if Grand is right, it's not a problem that anyone is likely to fix anytime soon.

“From a hardware perspective, security costs. Everything costs. Product designers have time constraints in terms of getting to market fast enough. There's always new products, new features, the new cool thing. And none of them have a grasp of security. The product design industry and security industry are totally separate. They should be combined. I'm both and I understand the need for both.

“Even if they just implemented basic techniques and removed the low-hanging fruit - things the script kiddies would go after - or add a sensor to detect if it's been tampered with, it would make a huge difference. The vendors think it's not worth the money to secure upfront. They release a product and if there's a problem, they deal with it. Software vendors and the like understand the risk because they see it on a daily basis. The hardware guys don't. They're so far removed from it that they almost don't want to realise there's a threat. Even if there is a catastrophic attack on a product, the other vendors will just say, 'Oh well, they were high profile, it won't happen to us'.

“I don't know how to convince people to take it seriously. Each hardware product today has an embedded system running software, so basically it's a computer. And you don't need to be an electrical engineer to vandalise it. It's a computer and hackers can use the same tools they use on PCs on hardware and reverse-engineer it without even understanding low-level engineering. That will open the door to a lot of types of attacks.”

As Grand rightly says, everyone takes the technology for granted, and no one thinks of the ramifications of an attack. He says people and organisations need to know if the devices they use are secure or not, and should do their own testing to make sure.

“You can't always rely on the vendor to tell you what you want to know or even to tell you the truth,” he adds. “You need to determine for yourself if a product is what its marketing material says it is.”

So, just how secure is that phone in your pocket?

* This article will appear in the May issue of ITWeb Brainstorm magazine.

See also