Welcome to the scene, where bytes and fools can be. We'll talk about code and hacks, we'll really miss the facts. Security ain't tight, we got clowns in the night. They don't know what's what, but they'll give it a shot. Hello everybody, welcome to the Imbeciles Operating Technology Podcast. Here today we have our friends Cholo, Brian, Jonathan, and Evan, and myself, Brett. We are going to be discussing a few different IoT topics with you today. So if you settle down, we're going to run through a bunch of different things for you. So to start off everybody, what are your guys' first kind of thoughts and initial opinions of just IoT in general? Honestly, I always think those smart, color-changing Philips light bulbs were my first IoT device. After I actually saw it, it blew my mind as a 12-year-old. Yeah, they're pretty cool. What about you guys? I probably like the thermostats better nowadays. It's all much more convenient to rise by itself. Yeah, so it seems like we all have exposure to home IoT devices because they're very common. Yeah, home. And that's the biggest one, trying to increase the comfort at home. But it's kind of interesting because IoT isn't mostly used at home. It's actually mostly used in industry. So the medical industry, industrial industry, and the vehicle industry tends to be the biggest users of different types of IoT devices. So it's kind of interesting. What are your guys' thoughts about these different areas of IoT? For example, medical IoT. That's a huge, massive field, and it's kind of interesting to think about because that's related to people's lives. So it's kind of different in the sense of other IT things. If something messes up in a medical environment, people could die. No one dies at home because your Alexa won't connect. I actually have experience with that when I was working as a paramedic. We were using defibrillators for our patients whenever we transport them, and that is their lifeline. 
You can never leave our hospital without that. If you do leave, though, make sure they're not in the phases where they're almost there, where they're almost ending. But it is a lifesaver for us. So it's like an IoT defib? Yes. How does it work? So you carry it around. It monitors everything. It monitors your heart rate, your oxygen levels as well, everything that needs for the patient to survive that travel time. Then once after that, you can hook them back up into the rooms where the monitors are. That's super interesting. I know that IoT for medical devices has been very critical for pacemakers, because even my stepfather actually has a very specialized pacemaker. But because it has a Bluetooth, instead of having to have either an external connection of some kind or to remove the pacemaker fully, the doctors will literally just wave a wand over it, and it reconfigures the device. They just simply upload settings to sort of like a Bluetooth communication device, and you just put it near the pacemaker, and the pacemaker will update its settings. NSC data transfer? Basically. Except I think it's Bluetooth. Wow, that is very interesting. Yeah, I guess that is a significantly better option than having to go through multiple surgeries every time you need an update. Yeah, yeah. It's far cheaper too, right? Like saying, yeah, having a pacemaker and then having multiple adoptive deployments. It's also significantly better for the patient too, right? Because stepdad gets one pacemaker put in, as opposed to every five years, they have to cut him open and add a new one. So that's significantly better for patient care and quality of life too, because you don't have to be dreading about your five-year surgery. Yeah. And you also, that's the other problem with pacemakers is that because of the way the body treats wires and foreign objects, it'll actually grow over the wires, so they can't remove it. They just cut it and leave it in. Yeah. 
So eventually you'll start having like a bit of copper stuck. Drive up your net worth. Yeah. So that's the implication of like medical rights, life-saving, it's convenience. But now what about the security part, right? What happens if somebody gets in the pacemaker or somebody gets in the defibrillator? Now they want your dad to pay money. Yeah, you can ransom, right? Sell one's pacemaker. Exactly. Very interestingly, actually, one of our classmates, that is their capstone project. Ransom-wiring pacemakers. No, they're trying to intercept the communication protocol used in hearing aids. Yeah, that's what Akiles and Hassan are working on. And that's actually a really, really interesting project. Because also the thing with the device, especially a hearing device, that's primarily going to be used from people who are relatively disconnected from technology and wouldn't have the ability to secure it themselves anyways. So that's another slight danger of the product. This is a product, generally speaking, that's aimed at older populations. So it needs to be self-secured. You can't provide a product that then they're going to have to configure and think about themselves because they don't have the knowledge or skill sets to do so. And it's not fair to expect them to either. I think in the term of the OS that they're exploring, because I did ask them about it, I think they're exploring Android OS that is quite related to the hearing aid, apparently. Okay. Does it run Android? I think so. What is it? So how does that work then? Would it just be a firmware? That's their research. Well, they've got a firmware. They don't have much in terms of, like, storage. Yeah, there's not that big. The Bluetooth, apparently, that's what they're... Oh, that's the Bluetooth. Bluetooth is, like, a terribly, terribly secured standard. Yeah. Yeah, that's true. 
This could be one of those things as our cellular data protocols get stronger that can kind of help mitigate some of those because, like, Bluetooth may lose favor if 6G and 7G are as strong as the advances of 5 and 4 were. And if we can keep making steps in wireless connectivity that are that significant every new iteration, we might lose a lot of these old insecure protocols, too, right? Like, we might start losing Bluetooth in ZigBee, MED, even MQTT. Thank you. That one. Well, I think the biggest consideration will be resource consumption. Because security in IoT tends to be an afterthought. But it's like if you can develop a communication protocol that's nice and lightweight on the power supply, that's going to be the one to implement it. And I think the beauty of IoT devices in general is that is, like, probably one of their largest upsides, is they can be as power efficient as you make them be. Right? Because you don't need the extra frills of a full operating system. You don't need all these extra processes running in the background. It can be streamlined to your specific niche and then just stay there and live its life. I also think security is an afterthought right now because there's no actual big attacks on IoTs yet. It's like if there's a major incident that happens with IoT, then I think a company that would be like, if they get bounced right off an athlete, they just absolutely thought that there was a recent, one of the more recent cyber attacks on the Ontario hospitals was done through a heartbreak monitor. Oh, was it? That's actually extremely interesting. I think so. If I remember. There's like three or four of them. I can't remember the bite death attacks, but they were about somewhere for, like, quite a bit of money. Yeah. There was also, oh, Newfoundland and Labrador had a massive shutdown a year or two ago. But I'm not 100% sure how they got on on that one. But we'd have to see for sure. Here's a fun fact, actually. 
You guys know that there's 14 billion IoT devices around the globe compared to the human population, which is only 8 billion. I mean, really? I wonder if they count cell phones as IoT devices. Interesting. It's technically a cell phone. A cell phone is an IoT device. Yeah. Or it's not a computer, really. But it is. It is now. That's true, right? Like, your phone is currently stronger than a laptop from 12 years ago. Yeah. I guess, yeah, if we start classifying that, if they're IoT devices, then we start saying our laptops are IoT devices. No. Yeah, exactly. If your phone is an IoT device, then so is a laptop. I bet you there was a Chromebook. So was a tablet, right? I bet you they count all the stuff in cars and stuff, right? But they're just counting IoT devices. How many devices in a car? Oh, hundreds, right? Yeah. That alone would, like... Yeah. The modern car now has 14 million lines of code. And the reason it has so many lines of code is, well, the reason why is because it's filled with thousands of sensors from all different vendors. So all those codes have to mash together with all the error correcting and all the crap in there for them so that it runs cohesively. And the reason why it's so big and cumbersome is because they're using IoT the whole way. So a car is actually kind of a perfect example of where IoT goes bad, because a car is an exclusive IoT device. There isn't one single computer in your car. It's a decentralized computer network with a bunch of ECUs and basically actually more like microcontrollers than computers. Right. And because of that, you get to see what happens. Cars are an absolute security nightmare. They're absolutely garbage at security. There's a million ways to get into any car. There's guides online how to get in from your headlights, how to get in from your tire pressure monitor sensor. And all of these can be done with the average individual who has... Oh, this is actually an even better one. 
Do you know how you can steal someone's key fob code to their car? Mm-hmm. All you need is a single piece of copper wire and a USB port on your computer. You stab that copper wire into the USB port on your computer. You fire up Audacity and you hit record and you keep on clicking the button. At all the high points, those are all your ones. All the low points, those are all your zeros. You now have a code to somebody's key fob. All you needed was a single piece of a copper wire and a recording program. And that's how easy it is. And it is actually that easy. So, for example, for myself, I locked my keys in my car camping last summer. I've never broken into a car. I've never done it before. But we decided to try because we're out camping. It would take six hours for the key lock guy to come out and get us anyways. Using two spoons, a lighter, and a coke hook, I was able to unlock my car in ten seconds. I'm a shiver over here. Yeah, I was going to say, do you have cameras on you recording this? Yeah. So, unlock this car. That's why car theft is such a big issue in Toronto, right? In Ontario, it's just like... Was it their car that got stolen or something ridiculous? Yeah. What makes it so easy is because there's so many ways to get into a car quickly. And so, basically, every single electronic interface in a car is a vector of attack that you can get in. Now, the issue in Ontario, why it's so high, is because Ontario has ports. And the reason why thefts are so prevalent there is because these thefts aren't being kept by thieves and kidnap. They're shipwrecked. Yeah. They get all the money they brought. Yes. They take the car. They're taking it down to the ports of Toronto, the ports of Montreal. And then they're sending it over to wherever else that they're going to get the most money out of it from. So, it's funny. It's actually these criminals are exploiting the IoT inside of vehicles to create this criminal enterprise. 
And the funny thing is you could solve this even on the back end. You just need stronger port authorities, right? Yeah. Because the honest-to-God truth is to solve the IoT issues in cars is not possible. So, it's almost like to solve IoT security, it's not IoT itself. It's all other channels. It's a different way. Yeah. I think it's kind of looking at it from a macro perspective versus a micro perspective. If you're trying to micro control the security of your IoT devices, there's no point. They're so small and insignificant. Any of this is pointless. You need to think about the macro concept of how do I protect an environment, not just one single device. How do I protect all of it? Do you guys think that regulation plays a big part on that instance? I think the fact that they're completely unregulated is, yeah, 100%. Although, it's tough to say because there's not much in terms of computer security that's regulated unless you're dealing with sensitive data. Because no government has gone to Intel and said you need to implement these security measures. You need to do these security steps. Well, in terms of that, as of right now, the only things that would even apply to it are the normal internet-safe, personal safety things. So, CureSock, LC27, PIPEDA, PIPA. And then the only other thing regulating IoT devices would be the radio standards that are defined for use over Wi-Fi. So, other than that, there literally is zero regulation on these devices. Yeah. To regulate these devices, you need to introduce brand new regulation that no tech industry has seen. I actually think that actually gets into a very interesting categorical issue. Because the IoT devices of industrial and home are so completely different that to regulate them both the same way would hurt both. That's why I think maybe it's different regulations for different industries. Well, and your medical would be regulated differently from your own industry. Yeah. 
Because the medical, you got very sensitive data, right? You got personal data. They're eating, they're sleeping, whatever. And medical, too, is like if these devices have flaws or issues, they can kill people. Yeah. The other issue is the timeline it takes to make these regulations. By the time they're put on paper, the technology is already bypassed. Yeah. And I think that we might be obsolete the moment they get deployed. Exactly. A perfect example. Bill C-27 still hasn't passed. And that was first put on the table, if I remember correctly, in like 2016 or something like that. So, eight years. And it's already been long in the tooth. And it hasn't even been approved yet. Yeah. So, there's another barrier that you're fighting with regulation as well. And how many standards have been introduced since 2016? So, there have been updates. I know a couple, like, and encryption has been broken at least since then. Yeah. It's just amazing how we, as a country, isn't as productive as the European Union. We're just like multiple countries and they just got the GDPR. It's like a finger in the air. Yeah. It's crazy. We try to appease industry that doesn't like being regulated a little bit too much. Don't worry about lobbying at the Orologopoly. Well, even, like, look at the Canadian Standards Act. Like, compliance is completely voluntary for that. It's not even much of a law. It's more of a guideline. It's not. It's their guidelines. But now I want to ask, what do you guys think of IoT and industry? IoT and industry is probably the most interesting because, in a certain sense, it's probably you could argue it's the most logical to use because a lot of industrial sites are so remote. They're so far away. And especially when you're talking about having IT workers work on your systems and networks and stuff. Yeah. Those people are, generally speaking, not going to be living in small towns near the industrial facilities where they're going to be. 
So, it's a really weird thing that, like, industrial systems are probably the most likely to have IoT systems. But the dangerous thing is those are mission critical. You cannot suffer attack on your water sewage system. Right. Look at how much of an issue Calgary had from that one pipeline at being reduced to 50% for those few weeks. Imagine if the hack was able to kill all the water treatment plants. Yeah, just shut it right off. So, now you're actually starting to measure deaths in mega numbers. Right. That's the really scary thing about moving industrial systems to IoT. And that's actually one scary thing in the 2023 and the 2024 presidential reports on cybersecurity posture. They are mentioned multiple times that the intent moving forward is to move all industrial systems to be IoT devices. Now, it makes a strong argument. What type of IoT are you creating? So, for example, in Russia and China, they have a way that they shut off their internet from the entire rest of the world. They can control their in and out of all their things. The United States and Canada, we don't have that strength. We don't have that power. So, that means if we put our industrial systems as IoT devices, we're leaving them exposed to the world. And every single one of our enemies has full unfettered access to try and find them. I mean, just look at the Russian-Ukrainian war. Supposedly, Sandworm's been knocking out power systems across Ukraine. Is it because they have the government-owned infrastructure? Yes. And we, the corporate-owned, so we can't just shut things off. You hit tougher to centralize. Yeah. You hit the exact nail on the head is that they have, you know, government authoritarianism and we have a corporate authoritarianism. And they just turn you off. Victor Poison. Yes. In terms of industrial IoT, I think there is huge benefit to it, though. Because I was talking with a student here at SAIT, and he was trying to get up a wireless sensor that was for safety. 
So, if that sensor tripped, it would shut that entire line down because that means there's a person standing where they shouldn't be, instead of that person finding out by getting clubbed by a giant industrial robotic arm. But it was a continuous keep-alive connection that had to ping all the time. So, you could, it also introduced a new security flaw to the factory running it. Because suddenly, you flip the network with a DDoS attack, and you will shutter the entire thing. Because if it doesn't keyshot keep-alive signal, it will fail by default. I also don't know how much of this has an impact, too. But industrial systems are very, very different from information systems. Operational technology and information technology, while they're very similar, are also very, very different, too. One thing about operational technology is it's so much older. Things do not change as quickly as they do. So, it's another thing, too. You're also working backwards. So, part of the current security of a lot of old industrial devices is exactly that. They're old. You can't even interact with them anymore if you wanted to. There is no communication protocol for a Commodore 64. But that Commodore 64 is keeping that pump jack alive. So, that's actually another one of those issues, too. A lot of really good security is done through obscurity. So, these current industrial systems, we're moving them to IoT out of convenience for us. But by doing that, we're sacrificing safety and resilience. So, how do we build in safety and resilience? Is there any way to find that out? Risk versus reward. It's like how much you want to risk and what kind of reward you're getting at this point. Exactly. I think it's all that is right now. Do you want to open your networks to it and then get more of a convenience? Or do you want to keep it less convenient and just more secure? I think it becomes more of a department and almost industry-based for now with no regulations or anything forward. 
Wow, they even actually have completely different security architectures. OT and IT? Yeah. Yeah, they do. I think IoT security is three layers at most, and you get five or six in OT security. Yeah, I was learning that doing some of the checkpoint safeties because I was reading some of their OT firewalls. And the way they work is totally different. They do so much more, and they're so much bigger and more expensive. They're also, bizarrely enough, two mobile devices. They bring them around. They don't stay stationed on their network. So, are they IoT as well? This is a great question. Now we're getting back into the question, what is an IoT device? Is that OT firewall that's actually, it's not even a hardwire firewall. They're mostly wireless firewalls anyways, and they're designed to be moved. That sounds like an IoT device, but is it too smart to be an IoT device? Because that is actually basically a computer, too. And then, of course, you look at phones, and they're classified IoT, but they're just as capable as some laptops. And then that's how I'll get in that laptop. Yeah, yeah. Well, Chromebooks, they're absolutely powerful than Chromebooks. It's getting to the point where it blows the line a little bit. The Motorola, especially for regulation, the Motorola Edge has 512 megabytes of storage, 64 gigabytes of RAM. Yeah, so that is already, that is stronger than any computer from even 10 years ago. Dude, that's got more RAM than my desktop. So, that's technically an IoT device, but it's not an IoT device. What do you guys think about an IoT city? Like the one that they're doing in Saudi Arabia, the line? Oh, my gosh, Mark. Well, I think that city's ridiculous, but I do appreciate that it's got a giant train. Yeah, but could you imagine the security that's, you've got to deal with that? Yeah. Every point would be a breakthrough attack, and you can shut down the entire city. And it would be in the desert, either part. 
Yeah, could you imagine, it would be like, take out the water resources, and that entire city is done for, like. Well, now you're going back to the desert. Exactly, it's in the desert. You're in so much trouble. Now you're talking back again where industrial IoT is extremely important, because what do you need in the desert? You need an absolute ton of water. Your air conditioning better be running, because you'll die in the heat if you don't. Yeah, I think the whole city is just a bad idea. You're trying to play God where you don't have to. It's just, well, it's the same thing with the weather, right? Yeah. I mean, your main concern, you won't really see those problems show up until wartime. Because no state's going to say, oh, I'll just casually shutter this water line or the whole power grid, as they know it's going to cause deaths. And that is cast as belly. That's actually a super interesting consideration, too, is we don't know how weak the security is until there's a full attack. Yeah. We haven't been in a war enough that they'll start attacking our infrastructure. We also actually don't know our own strength, too, because in a very bizarre way, Russia and China like to brag about their accomplishment. None of the West do. The Western nation will even tell you when they're successful. So it's actually a riddle to gut our asses handed to us. Ask a couple of them. But in terms of cyber engagements, if you read from the other side, they have the exact same issue with the U.S., too. The U.S. hacks China all the time. The U.S. hacks Russia all the time. The difference is Russia doesn't report it, and China doesn't report it out of shame. And the United States doesn't report it out of, I don't want you to know what I can do. You don't need to know that I can do this. So that's actually a really interesting thing, too. We have a lot of fear about China and the United States because they brag. Well, China, too. China threatens the United States frequently. 
And when they're successful at stealing stuff, they brag about it. The United States has never once admitted to doing any of that. If anything, they do the opposite. Exactly. In fact, even for ones where they've been caught red-handed, they outright deny that they were a part of it. For example, they were caught in the development of Stuxnet, and they still to this day are like, nope, we had zero part of that, and I don't know what you're talking about. That's a full lie. And so it's really interesting when we go into the war context of IoT, how strong are the actual powers at play? Because no one fully knows yet because we don't have accurate reporting or full-scale combat to even relate these two, right? So what do you do to assess your own strength and your own posture to make sure that your defenses can be shored up to fight an enemy that you don't know what they can do? Yeah. So in terms of, no, but how would AI impact IoT going forward? Well, I think the reason AI has an effect on IoT going forward is IoT devices are the least secure devices. So they're the lowest hanging fruit to attack for automated systems, right? So I know in 2023, there's actually already been an 80% increase in cyber attacks. And obviously, no one has an answer yet. But the speculation is believed to be because AI's automated tools are so much faster now that the amount of attacks are increasing significantly. So, for example, there was a CDE released. It was released at midnight. Within 20 minutes, it had already been used 2,000 times of release. Within 20 minutes of release, it had already been used 2,000 times. So it really goes to show that IoT, or sorry, what makes IoT vulnerable to AI is that AI is so fast and so automated. And IoT is so vulnerable. That it's slow. Yeah. It's just much slower. So it has the problem of having the least security and the most amount of devices. Yeah, but that's a security issue. 
But then how would AI improve IoT devices in all that personal usage level? Well, there's things like predictive analytics, being able to take the data that it receives. And especially in like the medical field, being able to predict health complications before they arise, be able to predict diseases. We'll probably see more benefit in industry and medical. But I know for a fact that whole, it's just data harvesting. Yes. They're just going to be scraping all of the data they can siphon from those IoT devices. Yeah. It does. It would be a very strong recommendation to anybody to not use an AI IoT device at home. They're already harvesting all your data. You don't need them to harvest any more. Harvest your medical data at the same time. Yeah. So it's useful in the medical field, and then less so poison-wise. Because then they'd just be like harvesting the data that's actually being useful. But again, it's like the wartime thing. We don't know exactly what's going to hit us. It's going to delay our habits. Yeah. Mostly we can just kind of shoot from the hip and armchair speculate. All right. Well, this was some really interesting discussions on IoT and IoT security. We went over from everywhere from medical to industrial IoT to vehicle IoT to the different comforts it brings you and to the different flaws and risks it opens you up to. So it's really fun to have discussions on these growing fields. So thank you all, guys, for being here. And see you next time. See you next time. Thank you. Thanks for joining us.