Ashley Madison – meet Tom Brady

The following interview was conducted by Edinburgh Napier University’s Professor Bill Buchanan (see his bio below), in response to the buzz that has been created by Connect in Private Corp. CEO Bill Montgomery through his recent blog stories Future Shock and The 5th Wave.

Professor Buchanan: First, Bill, congratulations on the success of your recent blogs. They are highly thought-provoking. I particularly liked Future Shock and your vision as to how IoT will impact all of our lives in the next decade and beyond.

Bill Montgomery: Thank you, Professor Buchanan. I’ve always been a fan of futurists like Alvin Toffler, as I believe that projecting the future can often inspire others to build a path to get there.

Professor: I agree. You present a very positive view of our IoT future, but there’s an undercurrent in your stories that I’d like you to comment on: the threats that lack of IoT security will pose.

Bill: I didn’t want my vision to get mired in the negative aspects of IoT, but the harsh reality is that if we continue down the path that we’re currently on, we are going to usher in a whole new era of cyber-terrorism. We can’t be blind to this, nor can we slip into a reactive mode that has us trying to patch things once the damage is done.

Professor: Give me an example.

Bill: Well, the one that immediately comes to mind is the incident where a security expert hacked into an aircraft through its on-board entertainment system, and then overwrote computer code for the plane’s thrust management system, allowing him to make the plane respond to his commands. He claims to have done this on numerous different aircraft, which is downright scary.

Professor: And that leads you to conclude?

Bill: That the Internet of Things is going to create as much bad as it does good if we don’t embrace ironclad and manageable security as the foundation for every application. I’ve coined the term ‘The Internet of Secure Things’ because I truly believe it’s the only way we can fully realize the potential good that can stem from the IoT.

Professor: So, let’s explore today’s security landscape in that context. Tell me what’s broken.

Bill: Frankly, everything, and not just in the IoT world. Just look at the massive security breaches that have been made public in the past year alone. eBay. Sony. Anthem. Home Depot. JP Morgan Chase. British Airways. Japan Air. European Central Government. US Office of Personnel Management, the US president’s email. The list goes on and on. 

Professor: And now Ashley Madison.

Bill: And that one got more media coverage than all the others that I mentioned, combined, which says a lot about the collective attitude toward security breaches. They happen with such regularity now that the general public has become numb to them. Late last year a German steel plant was breached through email phishing and the plant suffered massive physical damage, yet the story went largely unnoticed. In contrast, we have people and the media obsessing over the Ashley Madison breach simply because it’s juicy.

Professor: I’ll grant you that. So, back to what’s broken...

Bill: First, we continue to rely on security that was first introduced in the last century. We’re talking about very old protocols that have been updated here and there, but are essentially useless when it comes to protecting us from today’s sophisticated hackers.

Professor: Let’s start with SSL/TLS.

Bill: For those who might not know, TLS, or Transport Layer Security - a channel used to prevent interception of secure data being exchanged - is the successor to Secure Sockets Layer, SSL. One of the problems with SSL is that its protocol was deliberately designed to be broken. In the 1990s, when SSL was first invented at Netscape, the US Government had strict restrictions on the export of cryptography. In order to distribute cryptography outside of the US, companies were required to deliberately weaken the strength of encryption keys to a maximum of 512 bits. Back then a 512-bit key was considered more than capable of securing commercial e-communication. Today, an SSL key of that length can be cracked in less than 8 hours.

Professor: And TLS?

Bill: RC4 is the most widely used cipher in TLS, and it’s 28 years old - first introduced in 1987. Think about that. We’re relying on technology that has been around for what can be called forever in the high-tech world. That is incomprehensible. Just last week we learned of a new vulnerability with TLS, concerning RC4.

Professor: And given that most of the world’s websites rely on SSL/TLS, that’s rather scary.

Bill: It is, and it’s also very dangerous. Cyber-crime is today larger than the global drug industry. Imagine that. It’s like we are all living in a giant crime-ridden neighbourhood where nobody locks their doors. Or rather they think they do, but they’ve really just secured the door with a tired piece of masking tape. It’s the illusion of security - not real security.

Professor: The emperor has no clothes.

Bill: Exactly. And he’s about to lose his entire empire.

Professor: What are your thoughts on PKI?

Bill: A lot of what I know about this I learned from you, Professor Buchanan. I recall you stating “I think the public key infrastructure that we have created for the Internet is deeply flawed, especially in the cryptographic methods used.” I agree. PKI is the playground for “man-in-the-middle” attacks. The problem has more to do with the certificate authorities and the lack of CA transparency than with PKI itself. Many of the biggest security breaches have come from individuals obtaining certificates illegally. And given that I am primarily an IoT security guy, this concerns me greatly, as PKI is being positioned as the IoT security foundation by many leading companies like Symantec and Certicom.

And when you consider the complexity of managing literally tens of billions of certificates, and tens of billions of keys, which would be required in a fully-engaged IoT world, PKI becomes entirely impractical. The world needs a certificate-less security schema, with greatly simplified key management, and one that is ‘social-by-design’. My friend, Blake Wood, says, "We have to evolve beyond using certificates because they are as much work to manage as symmetric keys, require more CPU cycles to process, and provide much less encryption strength per bit. For instance, a certificate would have to be 15k bits in size to provide the same cryptographic protection as a 256-bit key."

Professor: You know my feelings on this matter. I fully align with your and Blake’s view. What can you tell me about the term ‘Social By Design’, a term you’ve used in some of your LinkedIn posts?

Bill: Presently, most of the world’s communication is point-to-point – an employee of one company connecting with another. A single call between two or more people. And so on. IoT will usher in an era in which things will simultaneously connect with many other things. Think of every connected car on the road, connecting with each other and with the grid. Social-by-design can be translated as accommodating many-to-many applications. A BMW talking to a Volkswagen, talking to the road in many different countries, talking to the infrastructure (smart cities) in venues around the world…

Professor: I’m sure you’ve read about the recent hacking of Jeeps.

Bill: I have, and it’s alarming to think that somebody can hack into a vehicle that is moving at 70 miles per hour. Even the chip makers acknowledge that we need to bake authentication and strong encryption into the chips used in cars. What’s particularly disappointing is the reaction to this, which I’d characterize as another big collective global yawn.

Professor: It’s as if people truly don’t care about a complete lack of security unless they are personally impacted.

Bill: And if they are waiting to be personally impacted, then, if we stay on our current path, it won’t be long before that happens. I heard the term cyber home-invasions for the first time this week, and it was coined in the context of a clearly disturbed individual hacking into a baby monitor and broadcasting a chilling message to the child’s parents.

Professor: That is deeply troubling.

Bill: It is, but maybe that’s what’s needed to wake the world up to the lack of IoT security, and the inherent dangers in staying on our current path. Something very personal like that, or something even more horrific, like a cyber-nine-eleven.

Professor: Perish the thought. Tell me why you believe that your improved Identity-Based Encryption is the best way of protecting our connected world from external threats, specifically in the emerging Internet of Things world.

Bill: Let me clarify. IBE is great, proven technology, but it’s the latest version of IBE – IBE 3.0 – that has rendered this crypto schema ideal for IoT. Not only is IBE 3.0 social-by-design, it provides security end-to-end, and it authenticates at the application layer – features not possible with earlier versions of IBE. IBE 3.0 eliminates the need for SSL/TLS or VPNs. It removes the need to rely on a Certificate Authority and the requirement to store certificates, and it also greatly simplifies key management – eliminating the administrative nightmare that will surely occur if we stay on our current IoT security path.

Professor: So, no more man-in-the-middle attacks with IBE 3.0?

Bill: Precisely.

Professor: Tell me about IBE 3.0 in layman’s terms.

Bill: Think of IBE 2.0 as the best tires on the road today. They are reliable, trusted, can accommodate high speeds, and they enable a smooth ride. Now think of somebody who decides to attack those tires in an attempt to disable vehicles that rely on them, and to harm the vehicle’s occupants. All of a sudden, those tires aren’t quite as safe as we thought they were. They can be slashed, punctured, even sabotaged by someone bent on hacking into the vehicle and reducing tire pressure to dangerous levels while in transit. And, if the bad guys get access to the highways that support these vehicles, they can plant spikes, creating blowouts to multiple vehicles simultaneously, causing significant damage.

Professor: And with IBE 3.0?

Bill: The tires become impenetrable. It’s as simple as that. Remember that 512-bit SSL key that can be cracked in 8 hours? Well, in its current configuration, IBE 3.0 has keys that are 2 to the power of 80 in length. It would take every hacker on the planet, using every supercomputer in existence, working 24/7 for 20 years to hack into a single IBE 3.0 key.

Professor: And hypothetically, if that day should come...?

Bill: Then we simply lengthen the key. 2 to the power of 88, or 96, or 104…

Professor: I’ve heard you tell an interesting story about IoT, the NFL’s Tom Brady and DeflateGate.

Bill: For those who don’t know, DeflateGate is the name given to the scandal surrounding America’s National Football League team, the New England Patriots. They are the reigning Super Bowl champions, and in a game leading up to the championship match, the team – and specifically quarterback Tom Brady – was accused of cheating by using slightly-deflated balls, which are known to be much easier to throw and catch.

Professor: And you think this was preventable with IoT technology?

Bill: Picture footballs embedded with a microchip/sensor that could alert officials if balls were under-inflated before or during a game.

Professor: DeflateGate never happens.

Bill: Exactly.

Professor: You offer a flip side of your football story...

Bill: In the NFL, a quarterback’s helmet is wired to allow for in-game communication with the sidelines. Imagine that connection being hacked by the other team. They would know the plays being called before they were run, giving them the ability to completely shut down their opponent.

Professor: That would dramatically shift the competitive balance.

Bill: Some might say it would ruin the game. And imagine man-in-the-middle attacks with people wagering in-game, as is possible in many parts of the world.

Professor: You’ve described an entirely new kind of breach.

Bill: Maybe that’s what we need to bring the vulnerable state of our connected world to the forefront. Destroy the game of football, mess with people’s illicit sex lives, threaten their children...

Professor: And remotely puncture the tires of every car on the planet?

Bill: That sounds about right...

Professor: And fix a lot of it with IBE 3.0

Bill: Right again...

William Buchanan is a Professor in the School of Computing at Edinburgh Napier University, and a Fellow of the BCS and the IET. He currently leads the Centre for Distributed Computing, Networks, and Security, and works in the areas of security, e-Health, cloud security, web-based infrastructures, e-Crime, cryptography, triage, intrusion detection systems, digital forensics, mobile computing, agent-based systems, and security risk. Professor Buchanan has one of the most extensive academic sites in the world, and is involved in many areas of novel research and teaching in computing. He has published over 27 academic books and over 200 academic research papers, and has received several awards for excellence in knowledge transfer and for teaching, such as winning at the I ♥ my Tutor Awards (student voted), Edinburgh Napier University, 2011 and 2014.

IBE 3.0/CLAE is patented technology and the patents were acquired by VIBEcyber.com in 2017 and re-branded as Verifiable Identity Based Encryption (VIBE).

Enrique Vaamonde

Consulting Services; Co-Founder at Tekium

9 years ago

Nice article, Bill.

Richard Gaeta

Help for early stage companies to develop go-to-market strategies; acquire early-adopter customers, strategic partners, and/or funding -- AVAILABLE FOR FRACTIONAL EXECUTIVE ROLES

9 years ago

Hard to believe that in this day and age IOT security has not been addressed in advance of bringing products to market. At least it is early enough that the issue can be addressed before self-driving cars hit the road!


Very good article. Moving to non-linear thinking will be tough. Good message on real vulnerabilities.

Mike Larkin

Technology Sales and Marketing Executive focused on "the Next Big Thing."

9 years ago

Nice approach to raise awareness of the state of IoT security. Entertaining and informative. Well done

Richard Trauben

Electrical Engineer Consulting at This Gun For Hire

9 years ago

Does ESP (encapsulated security protocol) wrapping AES/SHA have as significant a weakness as SSL/TLS?
