Internet And The Insecurity Of Things | A Live Experts Panel At RSAC | Recap

By Selena Templeton


  • Chenxi Wang
  • Billy Rios, Founder of WhiteScope LLC
  • Ryan O'Leary, VP Threat Research Center at WhiteHat Security
  • Rich Mason, President & Chief Security Officer, Critical Infrastructure
  • Josh Corman, Director, Cyber Statecraft Initiative at Atlantic Council



The Internet of Things (IoT) is rapidly changing the way we look at everything. The advantages we gain with smart devices are driving us to new levels of convenience in healthcare, manufacturing and automation, but IoT also presents many security challenges. The problem is, the average person simply is not aware of how real the potential damage is, and not just to large institutions, but to individuals like them. For example, last month, a luxury hotel was held hostage and all guests were locked out of their rooms until the hotel paid a ransom. So how do we regulate the IoT? How do we efficiently manage thousands of devices? How do we know what is trustworthy and what is not? And most of all, how do we do this at massive scale? This expert panel explores the challenges that we all face in this Wild West landscape of IoT and the solutions that we can implement today for a more secure future.



IoT security has been a challenge for some time. Chenxi pointed out that while nobody cared when refrigerators were sending spam, the recent Mirai attack, in which cybercriminals hacked home routers and threw a million users off the Internet, made people suddenly take notice. Was this just the tip of the iceberg and a preview of worse things to come? Rich says that over the next twelve months we’ll only be seeing a rise in ransomware, in the critical infrastructure sphere but more so on the consumer side. The worst to come in the medical sector, says Billy, is that someone (or some millions) is going to get killed.

Regarding Mirai, Josh mentioned the public policy implications, and said what was really worrisome in this attack was that the maintenance passwords in multi-million dollar devices are freely reachable from the Internet – and that’s the norm. Ryan added that the thing about IoT is that it’s difficult to test and therefore difficult for the industry to have standards around all these applications. IoT is a new way of interacting with things and it’s just another link in the chain in this ever-evolving landscape of moving technology in our everyday lives.

Chenxi asked about implementing minimal viable standards so that a device that fails those standards simply can’t come to market. The panel discussed making devices patchable, or at least labeled, like nutrition labels on foods, so that consumers know what they’re getting. In the case of video games, popular music and movies, warning labels were consumer driven, but unfortunately we’re not seeing a lot of consumer concern over IoT devices because consumers are still very ignorant about what can actually happen. You buy a smart security camera for your home and think that you’re safe, never understanding the risk you just opened yourself, your family, or even your community up to.

Chenxi ended the panel on a lighter note by asking about the positive side of IoT. They all agreed that the devices coming out on the market, and what they can do, are pretty amazing, like medical devices or smart cars that factor out a lot (if not all) of the human error. But none of them could resist adding that although right now we still have a pretty good benefit-to-risk ratio, it’s definitely slipping away. What we need is not to slow innovation, but to implement conscientious innovation.



The worst [scenario] is that someone’s going to get killed. These devices have physical consequences to them. So if it’s a medical device that’s connected to you... if it’s a car that you’re driving and is connected in some way, and something goes wrong, the device could kill you.
— Billy Rios

What people don’t realize is, when you take a look at Mirai, only a fraction of its power was used to do that damage. The next target could be a critical medical environment and as we saw about this time last year, Hollywood Presbyterian Hospital shut its doors and turned ambulances away due to a ransomware accidental infection.
— Josh Corman

[When it comes to security,] the mobile applications we see are horrendous. They just have flaws left and right. In a mobile application we just...did an assessment on, if you registered with a username that was already in the system, and you put a new password in, you overwrote their password and you just logged in as them. And that’s a mobile application that people use every day.
— Ryan O’Leary

Our original sin was meaningful use. We required that you be hyper-connected to transmit electronic health records before they were ever threat-model designed or implemented securely. Great intention, but we basically threw gas at the fire.
— Josh Corman

We’re in such a race to get things out the door as quickly as we can that security is, at best, an afterthought and, at worst, never thought about at all.
— Ryan O’Leary

I certainly think our community’s being challenged to grow revenue while also mitigating risk, and those have traditionally been seen as competing objectives. But I think by leveraging platforms you can allow developers to actually develop at speed with security...and truly deliver a world-class product faster and more securely.
— Rich Mason

Watch the video of this panel discussion right here: Internet and the Insecurity of Things | A Live Experts Panel at RSAC and see some of the answers to questions asked during the panel.