These projects and other work by BRK Security and Brian Knopf have been reported in the following publications.
How do you rate the security, safety, and privacy of a consumer electronics device? How do you educate consumers on whether manufacturers are following security, safety, and privacy best practices for the products they offer? While most consumers have seen and heard about numerous breaches involving products in their homes, they don't know how to evaluate products from different manufacturers. It's time the security researcher community implemented a 5-star rating to educate consumers without requiring that consumers become security experts. Our job as security professionals is to make sure that consumers do not have to think about security, but know that we constantly do.
When you buy a car, you look at the 5-star crash rating to know if it's safe. It's time that consumer IoT devices had a similar rating system that is independently verified, where the manufacturer is not allowed to pay any money to the testing body. Removing the payment from the manufacturer to the testing body eliminates any bias towards specific manufacturers. Publishing the criteria so anyone can review and retest it makes the entire process easy to independently validate and removes any implication of bias.
Reported on in Ars Technica
Using small or almost non-existent budgets as an excuse for not running application and product security programs is not acceptable. The rapid growth of low-margin IoT devices from startups changed the way security teams have to operate. Instead, I learned to leverage external researchers by incentivizing them with free products, thanking and embracing researchers for their help, and promising transparency into our direction and enhancements, with the goal of secure consumer devices for everyone.
This talk will walk through the creation of two successful application and product security teams built in organizations without many resources or large budgets. Those programs included regular threat modeling, bug bounty programs, proactive engagement with researchers, security analytics monitoring, and vulnerability research. Even with the budgetary and staffing constraints, the teams were able to deliver increasingly secure products that continue to push the boundaries of consumer device security in a market where consumers refuse to pay more for the cost of securing them. This discussion is not about the companies themselves, but about a model any startup company can adopt to deliver solid products, rather than using excuses to defer action.
Presented at DEF CON 23, IoT Village, August 2015
This was an updated version of my previous talk that was given at IEEE Buenaventura, November 2014.
This talk discusses what I went through when my wife needed to have a pain management device implanted in her back to make her mobile again: building a threat model, weighing the benefits against the potential risk, and how I overcame security paranoia to better her life. I will talk about the differences between these devices and other devices that have known wireless exploits. While cameras and other IoT devices can be compromised, there is not the same safety concern as when a device is necessary to provide quality of life. Unlike an insulin pump, there is no manual alternative available to make those with chronic pain mobile again.
Presented at BSides LA, September 2014
IoT (Internet of Things) is the latest keyword being thrown around to describe networked devices. What classifies a device as IoT, and are such devices different from other devices that have been connected to networks for decades? This talk covers security issues affecting IoT devices and the challenges IT teams will face supporting these devices. This presentation is based on research by our founder and CEO, Brian Knopf.
Presented at ISSA OC, July 2014