The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Here's what security researchers want policymakers to know about the Internet of Things

with Bastien Inzaurralde


It’s been almost exactly one year since lawmakers — prompted by a massive cyberattack that disabled huge chunks of the Internet — floated a bipartisan bill to set the first cybersecurity standards for the broad group of devices known as the Internet of Things.

In the time since, Congress hasn’t done much with the legislation from Sens. Mark R. Warner (D-Va.) and Cory Gardner (R-Colo.) introduced in August 2017. But security researchers at the Black Hat security conference in Las Vegas tell me there's only more urgency now to boost security of connected devices, which include connected thermostats, smartwatches, pacemakers and even shower heads (yes, really).

“We tend to not want to regulate tech and IoT,” said Josh Corman, founder of I Am The Cavalry, a grass-roots initiative focused on the security of the Internet of Things. “But now that that software can affect public safety and public life, eventually it should get some minimum standards.”

And the risks will keep growing as more and more devices are Internet connected. With that in mind, here are a few things security researchers want policymakers to understand as they consider whether — and how — to regulate the rapidly expanding Internet of Things.

1. More cyberattacks are coming

The Mirai botnet attack in 2016 that inspired Warner and Gardner’s bill offered a powerful lesson in how vulnerability-prone Internet of Things devices can be weaponized by malicious actors. Hackers exploited security flaws in webcams and other devices and used them to launch a series of crippling denial of service attacks, knocking out Twitter, Netflix and other major websites for hours by flooding them with fake traffic.

Until manufacturers start improving device security across the board, hackers will continue to target the same vulnerabilities, meaning more large-scale attacks could be on the horizon. 

Mirai was “the long tail of low-cost, low-hygiene devices doing more damage than the Internet can handle,” Corman said. “Time is the real enemy here.”

2. IoT devices need to be patchable

Just like personal computers, connected devices use software that needs updating every now and then to fix flaws and guard against digital attacks. This is true of everything from refrigerators to wearable fitness trackers to smoke detectors. But on many devices, there's no way to make such patches. 

That has to change, or it’s only going to get easier for hackers to exploit the devices, security researchers say. “If it connects to the Internet, you’re going to have to have a way to update it — for its entire life,” said Caleb Barlow, vice president of IBM Security’s X-Force Threat Intelligence. If manufacturers don’t start allowing devices to be patched with security updates, devices could wind up taking on a “shelf life” beyond which they’re no longer digitally secure, Barlow told me.

3. ‘Smart cities’ are vulnerable

Cities are quickly moving forward with “smart city” technology — everything from Internet-connected surveillance cameras and streetlights to automated waste management pickup to intelligence transportation systems. Those devices need the same types of safeguards.

“The federal government is the [venture capitalist] behind these infrastructure projects, and as we’re building new infrastructure in a city, you have to think of security by design,” said Daniel Crowley, head of research for IBM’s X-Force Red, which conducts vulnerability testing for a range of organizations.

“You might be talking about systems that are embedded in concrete,” he told me. “Before you encase it in concrete — or while it’s encased in concrete — can you update this thing?”

4. Security researchers are your friends

If Internet of Things vendors are going to fix vulnerabilities in their devices, they’d do well to embrace the security researchers — sometimes called “white hat” hackers — who find them and disclose them, experts said. Lawmakers can help on that front by encouraging companies to adopt policies that offer legal protections to researchers who hack into devices in good faith and reveal flaws. Right now, hackers who disclose bugs lack such protections, leaving them exposed to lawsuits or even criminal charges if they expose flaw in a company’s products.

“If you put out a welcome mat to good guy hackers and report vulnerabilities to you, the public is much more likely to have a patch available to them before there’s an attack like Mirai,” Corman told me.

Lawmakers are warming up to the idea of “white hat” hacking, said Corman, who has testified before Congress on Internet of Things security. “Are we done? No,” he said. “But we’ve definitely turned the tide.”


PINGED: Security experts say West Virginia's plan to rely on a smartphone app to allow its military voters overseas to participate in the 2018 midterms doesn't seem to contend with one stubborn fact: There are many, many ways voting via the Internet can go wrong. “Experts who spoke to WIRED doubt that Voatz, the Boston-based start-up whose app will run the West Virginia mobile voting, has figured out how to secure online voting when no one else has,” Wired's Emily Dreyfuss reported on Thursday. “At the very least, they are concerned about the lack of transparency.”

Nimit Sawhney, the chief executive of Voatz, touted the app's reliance on biometrics and blockchain technology and told Wired that election officials print a copy of the votes that are cast via the app so that they leave a paper trail for an audit. But experts remain unconvinced and are concerned about the fact that little is known about how Voatz's app actually works. “'In over a decade, multiple studies by the top experts in the field have concluded that internet voting cannot be made secure with current technology. VOATZ claims to have done something that is not doable with current technology, but WON'T TELL US HOW,' writes Stanford computer scientist and Verified Voting founder David Dill in an email to WIRED," Dreyfuss reported.

PATCHED: Louisiana is taking a step toward modernizing its voting equipment with new machines that leave a paper trail and are equipped with better technology, but the process hasn't gone smoothly. “Louisiana’s pick to replace thousands of decade-old voting machines is the company that was the subject of bid-rigging complaints involving the secretary of state’s office,” the Associated Press's Melinda Deslatte reported on Thursday. “The state’s procurement office sent letters Thursday announcing Colorado-based Dominion Voting Systems is the winning bidder based on 'price and other evaluation factors.' Negotiations are set to begin for a contract now estimated to be worth up to $95 million.”

The last time Louisiana bought voting equipment was in 2005 and the state plans to replace nearly 10,000 machines by 2020, according to the AP. “Competition among companies to replace and service voting machines is fierce,” Deslatte wrote. “The contracts are lucrative, only a handful of vendors do the work and states hang onto their machines for decades.”

PWNED: The National Association of Secretaries of State (NASS) on Thursday expressed reservations about DEF CON's Vote Hacking Village and said it amounted to an unrealistic exercise. “Our main concern with the approach taken by DEFCON is that it utilizes a pseudo environment which in no way replicates state election systems, networks or physical security,” NASS said in a statement. “Providing conference attendees with unlimited physical access to voting machines, most of which are no longer in use, does not replicate accurate physical and cyber protections established by state and local governments before and on Election Day.”

The purpose of the village, according to the security conference's website, is to “simulate a Board of Elections office where participants can defend or hack mock office network and voter registration databases.” DEF CON calls the voting village a place “to learn about election security” and says most of the pieces of electronic voting equipment that will be featured are still in use. NASS praised the security conference for trying “to find and report vulnerabilities in election systems” before adding that “states have been hard at work” to improve election security.

The association also noted that boards of elections across the country rely on different office networks and voter registrations databases. “It would be extremely difficult to replicate these systems since many states utilize unique networks and custom-built databases with new and updated security protocols,” NASS's statement said.

Below is a response from the DEF CON voting village via Twitter to NASS's statement:


— With hackers gathering this week in Las Vegas, here are some security research highlights from Black Hat:

  • “Department of Homeland Security funded research has found that phones sold by Chinese telecommunications firm ZTE are among those to have manufacturing vulnerabilities that allow a hacker to gain access to a user’s data, emails and text messages, Fifth Domain has learned,” Fifth Domain's Justin Lynch reported. “'ZTE has already delivered and/or is working with carriers today to deliver the maintenance releases that fix these identified issues,' Andrew Elliot, a spokesman for ZTE told Fifth Domain in an email Aug. 9.”
  • “Throughout November and December last year, Ruben Santamarta was sat in front of his computer peeking inside the technical bowels of hundreds of aircraft flying thousands of meters above him,” Forbes's Thomas Fox-Brewster wrote. “That included commercial aircraft operated by some of the biggest airlines in the world. He believes it may've been the first time anyone had hacked planes from the ground by taking advantage of weaknesses in satellite equipment.”
  • Two researchers, Billy Rios and Jonathan Butts, found that pacemakers from the company Medtronic could be hacked with malware, Wired's Lily Hay Newman reported. “Rios and Butts say that they've discovered a chain of vulnerabilities in Medtronic's infrastructure that an attacker could exploit to control implanted pacemakers remotely, deliver shocks patients don't need or withhold ones they do, and cause real harm,” Hay Newman reported.
  • Citing research from Jesse Endahl and Max Bélanger, Wired’s Hay Newman wrote that “it's possible to remotely compromise a brand new Mac the first time it connects to Wi-Fi.”

— The Department of Homeland Security and the FBI on Thursday released an analysis of Trojan malware, called “KEYMARBLE,” that the North Korean government uses in cyberattacks. DHS and the FBI published details about one remote-access Trojan file that “is capable of accessing device configuration data, downloading additional files, executing commands, modifying the registry, capturing screen shots, and exfiltrating data.”

— Two Democrats on the House Oversight Committee are asking Rep. Trey Gowdy (R-S.C.), the panel's chairman, to issue a subpoena for State Department documents related to a plan last year to close the agency's Office of the Coordinator for Cyber Issues. Reps. Elijah E. Cummings (Md.), the committee' ranking Democrat, and Robin L. Kelly (Ill.) told Gowdy in a letter on Thursday that the State Department has yet to comply with a request for documents sent last year following reports in July 2017 that the department was considering closing the office.

“The Department has not produced a single document in 2018 in response to our request,” Cummings and Kelly wrote. “As a result, we still do not have documents showing the basis of the Department’s decision to shutter CCI, planning for the reorganization of these functions, or any actions taken to implement the recommendations of an August 2017 Inspector General report warning that 77% of the Department’s reportable IT assets do not comply with the Federal Information Security Management Act.”

— More cybersecurity news from the public sector:

Florida officials want info about election hacking claims (The Associated Press)

Judge dismisses Trump ally’s hacking lawsuit against Qatar (Ellen Nakashima)

Judge in Manafort trial concedes mistake after berating Mueller’s prosecutors (Rachel Weiner, Matt Zapotosky, Lynh Bui and Devlin Barrett)

NARA is doing great at email, website security. Maybe (FCW)

DARPA is racing against time to develop a tool that can spot 'deepfakes' (FedScoop)


Google Hacker Asks Tim Cook to Donate $2.45 Million In Unpaid iPhone Bug Bounties (Motherboard)

Bots vs. Trolls: How AI Could Clean Up Social Media (The Wall Street Journal)

InfoWars app will stay in the iOS App Store—here’s Apple’s reason why (Ars Technica)


North Korea reuses code in major hacks, researchers find (CyberScoop)

Zero-Day Shop Opens the Floodgates for People to Sell Exploits to Governments (Motherboard)

Ecuador's All-Seeing Eye Is Made in China (Foreign Policy)


How to Look for Proof of a Spoof (The New York Times)



  • DEF CON security conference through Aug. 12 in Las Vegas.

Coming soon


Devin Nunes just tied the Mueller probe to the 2018 midterms:

The Fix’s Aaron Blake analyzes the key takeaways from a secret recording of House Intelligence Committee Chairman Devin Nunes. (Video: JM Rieger/The Washington Post)

D.C. mayor on white nationalist rally: “We denounce hate”

Mayor Muriel E. Bowser (D) discussed logistics and preparations for the white nationalist rally and counter protests scheduled for Aug. 12. (Video: Reuters)

Everything to know about the Samsung Galaxy Note 9:

Samsung unveiled the new phone at its Unpacked event. It has upgraded performance at almost every level, but there are only a few new features. (Video: Samsung)