Rudy Giuliani, BlackBerry Security, IoT Insecurity and the Changed Unsecure World

This week I’m jumping coast to coast to see the BlackBerry Security Summit. The guest keynote speaker was ex-New York Mayor Rudy Giuliani, and the guy looked beat, having flown in himself at 2AM from the Republican National Convention. There were a couple of things that jumped out at me during the various presentations, so I’ll toss in some highlights.

Mutually Assured Destruction Doesn’t Work with Cyber Security

Evidently Giuliani and John Chen, BlackBerry’s Executive Chairman and CEO, have been working together for some time. After he ended his talk, a question came in with regard to state-level security attacks and how to prevent them. Chen pointed out that the typical “mutually assured destruction” defense (which has always seemed like it should be a secondary defense because, well, knowing when you are dying that the other guy will die too isn’t all that comforting) doesn’t work with Cyber Security at national scale. This is because nations use independent, loosely coupled groups to engage in these attacks, and those groups don’t seem to think reprisals will affect them much. It would seem that, if we want this concept to work, we’ll need to significantly emphasize and demonstrate that isn’t the case.

Death by IoT

One of the scariest demonstrations I’ve ever seen was a few years ago at a McAfee event where company reps not only hacked into a phone but, once it was compromised, were able to cause the phone to overheat and catastrophically fail. Having had a lithium-ion battery pack nearly burn down my house a few months before, this woke me up.

Well, the BlackBerry demo this week was nearly as scary. They took a connected coffee pot and used it to compromise the enterprise-class secure network it was connected to. They first set up a rogue Wi-Fi access point with the same SSID as the secure network but boosted its power. They then blasted out Wi-Fi network disconnect commands at the coffee maker until it disconnected from the secure network and reconnected to the unsecure rogue network. Once it was connected to the unsecure network, they were able to pull the access ID and password for the secure network off the coffee maker and, 14 minutes later, were into the secure network.

Of course, they then demonstrated that using BlackBerry BES12 they were able to prevent this from happening. They also likely convinced everyone in the audience that connected coffee pots are a bad idea.
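From the defender's side, the sequence in that demo leaves three observable signals: the protected SSID advertised by an unknown access point, a burst of disconnect (deauthentication) frames aimed at one device, and that device then associating to the unknown access point. The sketch below is an added example, not code from the original post or from BlackBerry; the SSID, MAC addresses, event format and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# All values below are constructed for illustration, not captured from a real network.
PROTECTED_SSID = "CorpSecure"                              # hypothetical SSID
KNOWN_BSSIDS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}  # APs the site operates
DEAUTH_THRESHOLD = 5   # this many deauth frames aimed at one client...
WINDOW_SECONDS = 10    # ...inside this window is treated as a flood

ROGUE, COFFEE, LAPTOP = "de:ad:be:ef:00:99", "10:20:30:40:50:60", "10:20:30:40:50:77"
SAMPLE_EVENTS = (
    [{"t": 0, "type": "beacon", "ssid": PROTECTED_SSID, "bssid": "aa:bb:cc:00:00:01"},
     {"t": 1, "type": "beacon", "ssid": PROTECTED_SSID, "bssid": ROGUE}]
    + [{"t": t, "type": "deauth", "client": COFFEE} for t in range(2, 8)]
    + [{"t": 9, "type": "assoc", "client": COFFEE, "ssid": PROTECTED_SSID, "bssid": ROGUE},
       {"t": 12, "type": "deauth", "client": LAPTOP}]  # a lone deauth is normal
)

def detect(events):
    """Return alerts, in time order, for the three stages of the demo's sequence."""
    alerts, rogue_seen, flooded = [], set(), set()
    deauth_times = defaultdict(list)  # client MAC -> recent deauth timestamps
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "beacon" and ev["ssid"] == PROTECTED_SSID:
            # Stage 1: our SSID advertised by an access point we do not operate.
            if ev["bssid"] not in KNOWN_BSSIDS and ev["bssid"] not in rogue_seen:
                rogue_seen.add(ev["bssid"])
                alerts.append(("ROGUE_AP", ev["bssid"]))
        elif ev["type"] == "deauth":
            # Stage 2: a burst of deauthentication frames aimed at one client.
            recent = [t for t in deauth_times[ev["client"]] if ev["t"] - t <= WINDOW_SECONDS]
            recent.append(ev["t"])
            deauth_times[ev["client"]] = recent
            if len(recent) >= DEAUTH_THRESHOLD and ev["client"] not in flooded:
                flooded.add(ev["client"])
                alerts.append(("DEAUTH_FLOOD", ev["client"]))
        elif ev["type"] == "assoc" and ev["ssid"] == PROTECTED_SSID:
            # Stage 3: the client joins an unknown AP; worse if it was just flooded.
            if ev["bssid"] not in KNOWN_BSSIDS:
                kind = "CLIENT_LURED" if ev["client"] in flooded else "UNKNOWN_AP_ASSOC"
                alerts.append((kind, ev["client"], ev["bssid"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

An allowlist keyed on BSSID misses a rogue access point that copies a legitimate BSSID, so the deauthentication-burst signal is worth alerting on by itself. Where devices support 802.11w protected management frames, forged deauthentication frames are not accepted in the first place.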

BlackBerry + Microsoft

This is one of the more interesting partnerships I’ve seen recently. Microsoft is one of the major backers of this event and, largely because the firm is making a massive pivot to the cloud, BlackBerry’s software-focused direction dovetails with Microsoft’s. Both firms have a massive business focus and both are in the midst of major changes in their strategic vision and focus. With these changes, the pair are increasingly drawn together. That makes me wonder exactly where this will all end up.

Wrapping Up:

Overall, the BlackBerry Security Summit was an interesting, if scary, event. I have to admit that security-focused sessions like this have increasingly become rather frightening. While this clearly showed how BlackBerry has become a very different company, it also demonstrates that we are seeing risks increase massively, particularly as we move to IoT and the concept of connecting things where security wasn’t even an afterthought.

This new reality is sparking new partnerships and new solutions like BlackBerry BES, but it also showcases that we aren’t being aggressive enough about understanding risks and mitigating them. Traditional methods and approaches to security just aren’t up to the task of protecting us, and even the idea of “Mutually Assured Destruction” gives only a false sense of security. In the end, we appear to be in a changed world and our ignorance of emerging threats could easily become our epitaph.

OK, this clearly isn’t the most positive ending I’ve ever written…