29 March 2023: Security for Networked Devices

David Rogers MBE, Chair of the GSMA Fraud and Security Group, joins us for a conversation about the internet of things (IoT) and the need to improve security surrounding networked devices. Whether it is your car, your refrigerator or your fitness monitor, many more machines are collecting data and communicating with networks in a bid to make life safer and more convenient. But how well is this data secured, and what are the risks of hackers taking over these devices? David talks about developments in international security standards for networked products, the first steps towards enforcing tougher laws on device manufacturers, and the results of the latest annual survey on IoT vulnerability disclosure policies.

Topical news items will also be debated by the show’s three regular presenters, industry analyst Ed Finegold, senior risk executive Lee Scargall, and the Editor of Commsrisk, Eric Priezkalns.

Transcript (auto-generated)

Hello, you're watching the Communications Risk Show and I'm your host, Eric Priezkalns.
Each Wednesday we discuss the risks facing communications providers and their customers
with experts from around the world and we broadcast live so you can also join the conversation
by submitting your questions and observations.
We'll try to read out as many as we can before the end of the show.
To ask a question just type into the box immediately beneath the streaming window at our website
tv.commsrisk.com.
Messages on the website are anonymous so include your name if you want me to read it out.
This show is also streamed live on LinkedIn so feel free to leave a comment over there
if you like.
Our team will also keep an eye on those comments and try to make sure that I cover as many
as I possibly can.
Though last week we had way too many so apologies if you didn't get a chance last week.
Maybe you'll have more luck this week.
Later in the show we'll be joined by David Rogers who was recently re-elected chair of
the GSMA's Fraud and Security Group.
He's also one of the architects of the UK's strategy for securing consumer devices powered
by the Internet of Things and he'll be telling us about progress with enforcing security
standards for those products worldwide as well.
But first let me introduce my co-presenters Ed Finegold and Lee Scargall.
Ed joins us from Chicago where he's an author, analyst, strategic advisor to tech and telecoms
business and Lee is joining us from Cleethorpes sadly today.
Not the exotic locations we normally associate with Lee but back in Cleethorpes if you don't
know where Cleethorpes is that's for the best.
I'm not going to tell you where it is because you really don't want to go.
When he's not in Cleethorpes Lee is a globe trotting executive and consultant with experience
of working for a wide range of communication providers in the Middle East, Europe, Caribbean
and Asia.
So hello Ed, hello Lee.
Now straight in with our first topic of conversation we've got so many amazing topics to talk about
today.
So much is happening in the industry.
Ed I really want to get your opinion on this first but let me just explain what's happening
with flash calls and Facebook first for the viewers who are not familiar.
Now users of the Facebook Lite app, an app designed for use on 2G networks, are being
asked to give the app permission to manage calls and check the call log.
If they do their identity will now be authenticated by what Facebook is calling a missed call
and which most of the comms industry refers to as a flash call, an ultra-short call made
with no intention of the recipient picking up.
Now flash calls are really controversial because many argue they violate the contractual terms
imposed by network providers by consuming resources like phone numbers and network signaling
but without any intention to use them for the reasons provided.
They're also attractive to businesses like Meta because they offer a free alternative
to sending one-time passwords by SMS.
Arguably they're more convenient for users because there's no need for the user to retype
each password.
However, the threat to A2P SMS revenues leads many to characterize flash calls as a form
of bypass fraud.
Starting with you, Ed, do you see advantages to the consumer in being able to authenticate
themselves without needing to read and respond to an SMS or do you see any downsides to these
attempts to popularize flash calls?
I actually think those are two separate questions but let me start by saying that the more I've
read this story and the way that you've presented it, the more it makes my blood boil because
there's no direction of it that makes any kind of sense at all.
So now let me answer your question.
So the first part is, does it make sense to have a consumer be able to authenticate themselves
with something other than an SMS?
Absolutely.
And I think the whole security community knows that that's been called for since what, like
2016, that SMS is fundamentally not meant to be used in any way as a security mechanism.
It shouldn't be.
It still is because it's popular.
You obviously broke the story about what was happening with Twitter that's made it a bit
controversial but especially in the US, the numbers are overwhelming that people in the
US especially still really like to use SMS because they're used to it and it should be
replaced with something more secure.
So the other part of the question though that you want to get to is about flash calling.
And the reason I find this frustrating is because, let's break it down a couple of pieces.
One, so you mentioned it's a free way to do authentication.
You're consuming a service and you're not paying for it.
So that's either bad business or it's fraud or whatever, it's a hole that should be addressed.
So it's like in a sense that if you were going to have a free market solution to it, that
somehow there's a hole here that isn't a free market solution because someone's getting
away with something for free and they shouldn't.
Now the fact that it rubs up against something that can be used fraudulently that relates
to this other fraud problem of things related to flash calling and I guess Wangiri probably
falls in there as well, all those kinds of behavior type things, that gets me very uncomfortable.
It automatically makes you think that we're trying to solve a security problem with something
cheap and broken that doesn't work that piles onto a bunch of other security problems.
So that's why I get frustrated that none of this makes sense.
The only thing that makes sense to me is going back to the beginning, which is that, yeah,
we should be using something and there are such things at the separate discussion.
We should be using things other than SMS, right, legitimately that are secure and probably
paid for.
So you have some skin in the game, right, to address the problems that stem from things
like flash calling and things like SMS's account takeover resulting from one-time SMS passcode.
Well, I agree with everything you say, so I've got nothing to say on that topic.
Hopefully Lee's got something more to say on that.
Now Lee, you've of course, apart from when you're in Cleethorpes, you work in all sorts
of countries that are normally hostile to places where flash calls may occur.
What's your reading on this in terms of flash calls being used?
Basically Facebook is thinking 2G, certain parts of the world, the users will be using
2G there, maybe places where A2P SMS is a lot more expensive, those countries.
But what's your reading on how big companies, big telcos are going to react to this?
What's your reading on how certain governments will react to this?
Well, I honestly agree with Ed on this.
This is going to be boring.
Everyone's agreeing all of a sudden.
This is what I'm thinking.
I was going to try and come up with something really controversial here, but unfortunately
it's not going to be the case on this topic.
So look, some operators, they're looking to monetize it.
So they're working with these flash calling providers to try to facilitate this service,
to get it in so it's a good user experience for the customers.
Now some other operators, they're trying to ban it.
And if we go back, say I think about two weeks ago when we just briefly touched on this comment,
we had a comment coming in from a European operator who was saying that they were going
to block it.
Right.
They would not allow it.
Now that might be the case.
You might want to block it.
However, there's a second dimension here and that really comes back down to the regulator.
And will the regulator allow you to block it?
Because regulators get a little bit antsy, right, when you start blocking people's access
to a telecommunications network.
So personally, I think what Meta's doing, I think this is a great approach and I'd like
others to kind of follow their lead on this because, you know, it could be a...
I'm going to jump in now because Meta does ask you to hand over a lot of permission on
your phone to be able to use flash calls.
So I would say if you were a privacy nut and you're worried about a business like Facebook
grabbing your data, the last thing you want to do is let an app from Facebook start deciding
whether your call is going to be accepted or not.
It's basically hanging up phone calls for you without letting you decide to hang up
on them.
And then it's going through all your list of log of all the phone calls you've received
and you've made for however many years.
So surely there's a big downside there to flash calls because a business like Facebook
is not just going to go, oh, we're only checking this data because you want to make sure we
authenticate you.
They're going to be downloading all and analyzing all the contacts you've got all around the
world.
Yeah, but what's the alternative then?
We stick with SMS, do we?
App-based authentication so that everyone knows where they are.
Apps are good, right?
I'm all for apps as well, right?
So it's anything.
We just have to move away from SMS OTPs, right?
Now we've got a comment straight in here, so the audience is getting wound up by this
topic.
It seems like we've lost our host.
Why don't we wait a minute and see if we get Eric back?
Okay, but I'll just, I'll continue.
Just what the point I was trying to make here is, you know, you could potentially take this
situation, you know, it's into, you turn it into a win-win, right?
Okay.
So the consumers would be happy because you have this like seamless, invisible authentication
process which is going on in the background, right?
And then if the operators can actually monetize it, then obviously they're going to benefit
by not losing so much revenue on the A2P side of things.
Yeah, Lee, I think, you know, one of the things that stood out to me when I've looked more
closely at like the interrelated security issues that tie into SMS, and there's a lot
of different ones.
When I've talked to folks that I felt like had a sense of understanding the technology,
understanding what a practical solution might be that would improve, right?
No one commits to it being 100%, but if you can improve the scenario overall and drive
better behaviors, most of the time I felt like those people were talking about things
that are token-based and that leverage successful models like certificate authorities, like
that there are models out there that are massively better, right, for the purpose of what we're
using SMS for that should be used, and the barrier tends to be incentivizing people to
use them.
You know, it's more of an ease of use thing, but there are, there's a lot of smart literature
about how to solve this problem, right, that we can do a whole show around.
Welcome back, Eric.
We've been tap-dancing.
Welcome back.
In case anyone's wondering there about who you might want to use as your home broadband
supplier, that was not an advert for Virgin Media.
Virgin Media is my home broadband provider, so all of you out there in the UK, you might
want to be thinking twice about whether that long-haired bearded fool who runs that company
is the kind of guy who you want to be buying for.
Not that there's anything wrong with being a long-haired bearded fool.
I know all about that topic, obviously.
So apologies.
Thank you guys for continuing.
You didn't need me anywhere in the conversation.
I hardly know why I bothered turning up.
I only turn up to do the adverts, and speaking of which, let me now do an advert for our
main sponsor, Blue Gem.
Blue Gem is a global provider of testing services for telecoms, government, and software businesses,
creating real test events like voice, SMS, and data calls.
They also support a variety of LTE-M and narrowband IoT network protocols to connect
low-energy devices.
Blue Gem gives you insights into a number of key areas, such as IoT product validation,
network and satellite security, service assurance, billing accuracy, and SIM box detection.
They can measure in precise detail how many data bytes are sent across networks in order
to provide a customer with a certain kind of service, such as IoT SIM cards connected
to multiple devices, to track the usage across concurrent data sessions.
Or suppose your business is planning a major platform migration.
You don't want customers to identify issues that you could have spotted earlier within
the migration release cycle.
Using Blue Gem's test services means you have confidence that everything is running smoothly
in every three before any changeover affects your customers.
Some businesses rely on internal testing, but a bespoke solution approach gives more
precise results, ensures a more comprehensive test plan is covered, and prevents issues
that may impact your customers.
So whether you want to ensure your customers are able to use an IoT product, or you want
to check how much data traffic is generated by a new device, then you should call upon
the experienced team of specialists at Blue Gem.
Okay, guys, back to the chat.
And my gosh, I'm really keen for input from the viewers on this next topic, especially
anybody living in France.
If anybody living in France wants to wear the next one, I'd really be keen on those
points for you.
I'd love to hear from you in France, because last few weeks have witnessed a sharp separation
between the experts have been talking about SMS vulnerabilities in different parts of
the world.
In the Anglosphere, many have been banging on and on and on about the need for ever more
passwords to be sent by SMS, obviously not the people on this show, because we've got
more sense.
But nevertheless, lots of people who claim to be security experts say we need more and
more passwords sent by SMS, and they got angry that Twitter switched off free use of SMS
two-factor authentication for the 2% of the customers used it.
But in France, the biggest issue of last few weeks has been the gendarmerie arresting members
of a gang who drove multiple vehicles around Paris, each with a $20,000 IMSI catcher in the
back, sending SMS messages in total to over 400,000 Parisians in an attempt to lure them
into typing their personal information into a fake national health insurance website.
Now, the story first emerged at the very end of 2022 with a car stop of a woman driver
who was found to be on drugs and an IMSI catcher in a backseat, though initially the police
mistook it for a bomb.
Five suspected gang members were arrested in February, and the second IMSI catcher was
then discovered in relation to an old ambulance which had been driven around the suburbs of
Paris.
And then a sixth suspect was arrested in Montpellier two weeks ago.
But what's the really shocking aspect of this story?
Well, these IMSI catchers were circling Paris.
They were purchased by the criminals in April 2021, implying that they were used for over
a year and a half before a lucky car stop first found one of these IMSI catchers.
Now, Ed, I see lots of fuss about stingrays in the American press, as Americans like to
call IMSI catchers, but mostly it's from lawyer types who are worried about government
agencies overstepping the mark.
They might have a point, a recent audit of the Department of Homeland Security identified
occasions when their agents, secret service agents and staff at the Immigration and Customs
Enforcement Agency, have all broken the law by using IMSI catchers without necessarily legal
warrants.
However, putting aside our concerns about big government and too much surveillance,
does the scale and nature of the Paris scam, where organised criminals are using IMSI catchers,
does it come as a shock?
Or have we been neglectful about the risks surrounding IMSI catchers?
It doesn't surprise me at all, and it's actually for like a natural selection reason, because
just think about like this, the way that you're characterising the story as well, talking
about it was mistaken for a bomb.
So what are the police looking for?
The gendarmerie, you know, what are they looking for?
They're looking for bombs, they're looking for drugs, like that's what they're tasked
with looking for.
That's what's on the checklist.
Are you looking for IMSI catchers?
What's an IMSI catcher?
When they found the thing, what do you think the response was?
It was, I don't know what this is, but it looks like something somebody with expertise
needs to look at, because there's something going on here, right?
You're sharp enough to know you don't know what you're looking at, and so therefore it's
dangerous.
I can't imagine it's any more than that, but it doesn't surprise me at all that they drove
around with impunity, because what are they doing?
They're just driving around.
You're not even making a delivery.
You're not doing anything suspicious that someone that's dealing in terrorism or drugs
is probably doing, right?
Like you said, and this division of the gendarmerie, who eventually did pick up and start to follow
through with the investigation, relatively new, you know, a new division.
If I was to compare that, say, with the police in the UK or police forces in many other parts
of the world, they simply wouldn't have anybody with the skills and the knowledge to deal
with this.
So Lee, let's bring you in here.
You've got in-laws in France because you're such a cosmopolitan guy.
What's your take on the way that this story's being perceived in France, and how does it
compare to the way that it's actually largely been ignored in other parts of the world?
So what's your reading here?
Are the French overly panicking, or is the rest of the world a bit too complacent?
No, I don't think they're overly panicking, but I find this actually really fascinating,
Eric, because when this case first broke, I kind of, I was reading through it and I
was trying to work out why are they using an IMSI catcher to commit this type of fraud?
Because the normal way you do this is you just send out spam messages, right?
But why would you use an IMSI catcher?
And then I started to think, well, okay, maybe if they wanted to target a wealthy suburb
in Paris, they'd just probably drive around there.
But then when I looked at the number of SMS messages that were sent, it was about 400,000
messages.
So then I started to think, well, hang on a minute, you're not targeting a particular
suburb here.
So I did a bit of research.
I went onto the internet and I looked up, you know, can you actually purchase IMSI catchers?
And it turns out you can.
And you mentioned one there for $20,000.
The ones that I were looking at were $8,000 US dollars.
Now the thing about these IMSI catchers is in some countries they are legal and companies
use them for kind of sending out SMS messages.
If you have a shop, somebody walks past your shop, you'd latch onto this IMSI catcher,
then they send you an SMS, maybe to kind of advertise or promote something, right?
So in some countries they're perfectly legal.
However, the interesting thing about this is that when those SMS messages are sent,
they don't go through the operator's network.
It's going directly from the IMSI catcher to the handset, right?
So these messages, one is they're not going through the network.
So it doesn't create a CDR, right?
So very hard to detect.
And the second thing is they're completely free to send.
So you wouldn't get charged for those.
Now this is where it gets interesting, right?
Because how do you detect something that you cannot see, right?
Now I was trying to work out thinking, well, you know, how would we have a, you know, how
would we actually get over this problem?
And I think if you have a national SMS spam reporting service, such as in the UK, we have
7726, I think that's pretty universal across the, well, most of the world anyway.
Somebody would probably report one of these messages to you.
You would then go probably to investigate how many other customers have received this
message, but you wouldn't find that CDR, right?
The CDR is not there.
So this, to me, is, you know, how can we determine we have a bigger issue than what we actually
know we have here?
Now I know in the case of the issue in France-
I've got the answer for you, Lee.
I've got the answer for you.
We should go down, drive down Westminster with a great big SMS blaster and blast SMS
messages at members of parliament and do the same with other politicians around the world.
The problem would be so pretty quick shot then.
It's absolutely outrageous that we're talking about the idea that you should be able to
basically interrupt, intercept, get in the middle of the communications network and blast
out advertising because maybe that's okay and we don't see anything wrong with that.
And as viewers are pointing out, an important comment here that I'm going to read out, the
most interesting part of this was the fact that they were able to downgrade 4G signals
to 2G, which allowed to strip out some of the inherent security protocols.
So this is not even just about blasting out SMS messages and detecting it.
It's about downgrading the quality of the security around the network too, which opens
us up to far more vulnerability.
So my attitude is let's go out and blast the politicians until they start taking it seriously.
I'm game for it.
I think you should do that, Eric.
I'm not going to participate in that, but if you want to do that, then go ahead.
You've got a proper job, that's why you don't want to do it.
And if you did it around the Middle East, they'd probably put you behind bars if you
did it there.
I think the politicians are way, way behind the curve.
And this is why I'm saying to you, are now the French in the lead because there's been
a major scandal and now at last somebody's taking some notice of it, though suddenly
everybody who doesn't speak French is ignoring the story still.
Yeah, I don't think it's just in France as well.
There was some, there was other cases which had been reported in Vietnam as well.
I just think, you know, how bad of a problem or an issue do we have here?
Now, if you can purchase these for 8,000 US and they're freely available on the Internet,
then, you know, it's not going to be long before fraudsters turn to this way, right?
Because if you look at the old traditional ways of just spamming, spamming people, which
actually only has a success rate of about 1%, by the way, of people who would click
on that link.
Now, now this is a lot more cost effective approach to that, that kind of fraud.
And it's just, it's almost invisible to detect, right?
So it's inevitable.
We've got, we've got things like SMS registries being used to try and stop the spamming now.
Well, if there is any success with a technique like an SMS registry, what's the next step?
Drive around the vehicle, do the SMS spamming that way.
So there's a propaganda, like a anti-propaganda piece to this too, where you have to look
at it as something that's from a US perspective, an IMSI catcher needs to be branded as like
a weapon of mass destruction in the cyber war that needs to be stopped, right?
It needs to be, and there needs to be use cases given, you know, for how they're not
made in China, can we not just play that card?
And so in that sense, the lawyer types you're talking about before, who were concerned about
government surveillance, they're not super far off, but I would challenge them to broaden
their perspective, right?
To think about like the global world you're living in, right?
And the way that people are using technologies to attack infrastructure and attack people,
right?
Individuals.
And this is one of them.
And so the more that you understand, like what are all the arrows in the quiver that
need to be squished?
You know, I think that's part of, I think what motivates, you know, we need to stop
drugs.
We need to stop terrorism or bombs.
Yeah.
You need to stop the weapon of mass destruction of the cyber war, the IMSI catcher and its friends
make a list, right?
And that at least in the US, like people act, yes, make an enemy.
We'll blow it up.
Good.
IMSI catcher.
Right.
It's just, it's just sort of like a more primitive way of motivating people to do the right thing
than trying to go at it the sort of logical way.
That's like engineering.
That's not how the US works.
Nobody solves any problem in the US for less than $10 billion.
If somebody could come up with a $10 billion solution to this problem, there'll be straight
on it.
But anything that costs less than that, they just don't bother, do they?
I think in the US.
Anyway, enough with my cheekiness because I have to do another ad for it now.
And it is relevant to what we're saying because here's another one of our weekly features,
the Symmetry Prism Fact that we can, it's a very pertinent fact this week from Symmetry.
So we appreciate the Symmetry Solutions guys with their facts, introducing very, very important
insights into our debates here.
So courtesy of their Prism fraud intelligence service, they've shared this amazing fact
with us all.
Did you know that SMS scammers recruit stooges through messaging services like a WhatsApp
and Telegram?
Typical quoted rates on those platforms are one euro for every 10 SMS messages sent or
hourly fees of between 100 and 350 US dollars per hour.
According to the scammers, working for them can generate an income of 12,000 US dollars
a month.
And that was disturbing to me because as my producer Matt pointed out, that's a lot more
than I pay him to do this show.
So this show might not be continuing very much longer if we were to let Matt get onto
these Telegram channels.
Now on with the topical chat, international anti-spam agreements.
Do you see what I did there in terms of linking things?
The Australian comms regulator, ACMA, recently signed a memorandum of understanding with
the UK's privacy watchdog, the ICO.
That's the latest in the string of similar memorandums of understanding involving such
countries as the USA, Canada, Singapore, Australia, and the UK.
Now Ed, Lee, most commentators welcome all these agreements.
I point that out because obviously I'm not going to be welcoming it.
Am I alone in starting to question the point of all these agreements?
Because they all seem to say that information sharing involves a lot of arranging foreign
documents, arranging foreign fact-finding trips, arranging lots of conference calls
and press releases about how everyone's doing a great job, but no actual prosecutions of
anybody breaking the law.
Am I wrong to be cynical, Ed?
I don't think so just because historically that's what tends to happen.
I think the thing I'm trying to figure out is if along with the wining and dining that
you're kind of pointing to, there is an end result that says there's some kind of legal
framework in place that helps us, right, to enforce rules around all the time.
No, they exclude that.
Yeah.
They exclude that from the agreement.
It's like if that piece of work doesn't get done and it's just about the getting together
to schmooze, then yeah, I'm with you and I feel like there's an awful lot of that going
on here and elsewhere.
Now, Lee, they're much better in the Middle East at prosecuting things.
What's happening over there in terms of comparison?
Are they going to lead the way with taking more of a sensible stance on stopping all
this nuisance messaging or are we all just doomed to spending the rest of our lives reading
press releases about people travelling around the world not prosecuting anyone?
Well, it does sound like jobs for the boys, doesn't it?
But look, the only thing which I found a little bit strange about this is that if you look
at the Australian ACMA, which is the regulator over there, they're not actually talking to
the UK regulator, which is Ofcom.
They've actually signed this MOU with the information commissioner's office, right?
So it's a little bit strange as to why Ofcom's not involved in this.
Well, it's just more reasons to travel around the world, isn't it?
I mean, you've hit the nail on the head.
I mean, Australia's got a privacy regulator very much modelled on the same model as the
UK's privacy regulator.
So why is it not an agreement between the two privacy regulators?
However you cut this, this is a very strange deal that seems to involve yet more reasons
for people to travel backwards and forwards.
Although the Australian regulator, if say they get involved in something like blocking
traffic, well, that's not the kind of provision that the UK's privacy regulator can do because
the UK's privacy regulator is not in a position to order telcos to block traffic.
Vice versa.
The UK's privacy regulator, data protection at GDPR here in Europe, well, there's a lot
of theory about how that can be used to prosecute companies around the world.
Theory, no actual fact because they never do prosecute anybody outside of the UK.
Absolute nightmare to try and persuade them to actually take on anybody who's not based
in the UK.
So why do they need to swap information with Australians?
Is the information commission in the UK like to be prosecuting somebody in Australia?
Not very likely, I would say.
And a comment here from one of the viewers, BEREC does nothing on fraud, but they do love
their wining and dining.
It says, sorry, apologies, I forgot to mention BEREC, the Club for European Regulators has
also signed one of these bilateral MOU agreements.
Although I always found that one really amusing because that was the one where the FCC wrote
that it was all about stopping robocalls and BEREC managed to just not mention robocalls
at all in their version of what was otherwise, word for word, the same press release.
So even when they're agreeing to swap notes, they don't seem to know what they're swapping
notes about.
Right.
Enough of the ranting because we're behind schedule because I disappeared off screen
for a few minutes.
So two minutes of somebody who's the least ranty person in the world.
Before we introduce our next guest, Geoffrey Ross of call authentication, fraud prevention
and geolocation specialist One Route, he likes to take us on a tour of the world.
And he always sees the good in people like me.
And he sees the world not just in the good of people, but through the phones that they
use.
This week, Geoffrey is going to take us to one of his favourite countries, Mozambique.
So producer Matt, roll VT.
Hey, everyone from One Route, I'm Geoffrey Ross, and this is the world in your phone.
Let's talk about Mozambique.
Mozambique is known for its rich culture and history and beautiful coastlines.
It's located over in southeastern Africa and border six countries, Tanzania, Zambia, Zimbabwe,
Malawi, Eswatini and South Africa.
Did you know just a few years ago that Vodacom Mozambique partnered with Google's parent company
Alphabet to bring network access to previously uncovered populations via stratospheric internet
balloons?
Balloons?
Who knew?
So I'd be willing to bet that there are parts of Mozambique that probably have better connectivity
than rural parts right here in Texas.
Also found it interesting that the name Mozambique comes from the name of an Arab trader, Musa
Albeek, who settled on an offshore island in the 15th century.
At that time, the capital city was located on this island until 1898, when it was moved
to Maputo.
Mozambique's also home to our own Cali Kautz.
Cali's an incredible guy, and you can find him in the capital city or hanging out in
the bush there in northern Mozambique.
You never know with that guy, but we appreciate him and Cali, obrigado.
Mozambique has an incredible economy with a vast resource of agriculture and has one
of the largest natural gas planes.
Be sure to tune in and subscribe to One Route on YouTube, where you can catch up all these
video series and watch the One Route Roundup, where we interview people making an incredible
difference in the telecom industry.
Now on to another great communications risk show.
Well, thanks to Geoffrey and to One Route for the world in your phone, their regular weekly
contribution to our program.
And now let's welcome today's expert contributor, David Rogers, chair of the GSMA Fraud and
Security Group.
He's a thought leader, he's a researcher into security, and one of the areas that there's
a lot of work in is the Internet of Things.
So David, thanks for joining us again on the show.
It's a pleasure to have you here.
Thanks for having me, Eric, and nice to see you all again.
Now I know that you probably think that everything we said in the first half hour of the show
was a load of old rubbish, but that's why we have you on the show to tell us how things
really are.
Amazing advances are being made, but I'm the kind of guy who gets worried about my privacy,
okay?
So when more and more devices like your Amazon devices, your connected cars and everything
is circling me with their cameras and microphones, I think to myself, you really don't want to
hear more of what I've got to think about the world.
I hope people aren't listening to me the whole time as I'm speaking to myself on my own.
They're gathering a lot more data.
It causes me worry.
People are, pregnant women are wearing harnesses that are listening to their unborn kids.
We've got cars producing, what is it, five terabytes of data per hour.
Am I the mad one here with worrying about all this data being collected about people,
or are there serious reasons to fear about the privacy implications for the Internet
of Things?
Oh, I think they're entirely legitimate concerns and you see that played out in sort of consumer
concerns and consumer behavior.
I think there's an increasing awareness and in some cases, paranoia that individual privacy
is kind of gone and that these big companies are just having a field day with whatever
they want.
And to a certain extent, that is probably true.
We've been working on some really, really basic concerns around IoT security.
And it's always worrying that as the technology advances that some of these companies don't
necessarily want to do anything about privacy or that's what's being projected to customers.
It's steps, isn't it?
You have to make steps in the right direction.
If they won't make the initial steps, they will never get to the further protections
that are needed.
So putting privacy to one side, what about safety for network devices?
For example, the supposed benefits of connected cars is that they'll be safer for drivers
and passengers.
But how wary should we be of the risks to safety if devices like a connected car can
be hacked?
Yeah.
Again, I think this is something that's playing on people's minds, both privacy and safety.
And there have been some quite widely publicized hacks, maybe class of stunt hacks in the security
research world.
But I think they served a very, very good purpose in raising awareness of the types
of issues that could happen if we don't pay attention.
And what's been happening in multiple spaces is governments were waking up to the reality
that their citizens are not being protected adequately.
And so you see right across the world in multiple sectors, action being taken, particularly
around defensive security, protecting those products for the future.
And yeah, that's starting to bear fruit.
Well, let's talk about the research that you do on an annual basis for the IoT Security
Foundation.
For those viewers who are not familiar, could you please summarize what you've been
trying to learn through this research and your most recent findings?
Yeah, absolutely.
So we conducted this research on behalf of the IoT Security Foundation, and it was supported
by HackerOne, who worked closely with security researchers.
And we've been doing this for five years now.
We've followed a very distinct methodology, and we committed to making this data available
as open data right from the start so that it was fully transparent and that anybody
could use this.
I think that was really important.
The reason we did it in the first place was a lot of people assumed that the IoT security
was really poor.
But there are very few ways of measuring that.
So obviously, you could take a device and you can have a look at it and reverse engineer
it.
But that is relatively difficult.
So what we were looking for was public indicators, or what I call insecurity canaries, and ways
that we can measure how a company approaches security.
So one of those is on something called vulnerability disclosure.
And what that requires the company to do is to have a public-facing way of security researchers
to contact that company.
So what you can conclude from that is if it isn't there, because it is good practice,
then that can tell you a lot about that company's approach to security, as in they probably
don't pay too much attention.
And given that we have regulation and legislation coming around the world specifically asking
for this, it also kind of is worth monitoring.
So we've done that over five years.
We started out when it was about 330 companies, and there was less than 10% of these companies
actually had any kind of way for people to contact them.
We're now up to 27.11%, which is still pretty rubbish, if I'm honest.
We extrapolated that, and I think we worked out it was 2039 before we got to 100%.
It's a very linear line.
So that's really not good enough.
And the fact that even with the threat of regulation, they're still doing nothing is
quite astonishing to me.
And it really shows how broken that market is.
And that's just us taking one public indicator.
What do you think the products really look like?
It's going to be pretty poor.
That's absolutely, I think that's shocking.
I have to say, I think that's absolutely shocking.
If you were to pick on a part, I know that there's variations between different parts
of the world in terms of where manufacturers are doing a better job and a worse job in
terms of being open to independent security research.
Who's leading the way?
Who's doing a good job?
Who's doing a poor job?
How should we be barracking on a regular basis and who gets a round of applause for doing
slightly better than 27% on average?
Well that's also part of our research.
But a couple of years ago, what we wanted to do was to understand to what extent those
companies that were doing this, so we were looking at all of the information that was
available and trying to record as much as we can, how do these companies implement these
things?
What kind of features do they have?
What does good look like?
And then we kind of match that against what the regulators or what incoming legislation
would ask for.
We came up with this kind of list.
My idea for this originally was the kind of Greenpeace list that's produced, which is
about sort of ethical sourcing of components and so on.
And so could we have this list of people who did sort of comply with these things?
So I won't kind of name names here because people can go and have a look at it themselves.
But we have got a list of companies that really, really do go above and beyond.
And I think they should be kind of celebrated for what they do.
And one thing I should caveat with this is we can't measure volume of sales in the market.
But you can look at that list and you can probably say, well, actually, you know, of
these 330 companies, there are a couple of very particular ones that you can probably
guess that dominate the market.
And so it's a good way to look at, you know, what are those companies doing?
So we also looked at, we started to look at countries like the UK, where we have legislation
now, what retailers, you know, in that country are stocking what manufacturers?
But actually, in the UK, I think there was over 70% compliant manufacturers in the ones
that they stocked.
So actually, that's a different picture to the overall global situation.
And that's what we're finding is there's a lot of sort of metadata in there that we can
pull out, where actually, you know, the situation in different markets is different assumptions
that you might have are entirely different.
So for example, you know, if we ask the question, where do you think the most compliant manufacturers
would be?
Often we get the answer Europe or the United States, it's completely wrong.
It's actually the Asian region that is really leading the way in terms of vulnerability
disclosure adoption.
So it's quite good to kind of slay those myths with actual evidence and data.
Well, it's up to the Asians then for doing a better job.
I wonder why we're not doing such a good job in Europe or in North America.
You mentioned the UK there.
Now as I understand it, the UK has taken some specific steps to improve the way manufacturers
respond to IoT security concerns.
What's being done?
How far has it progressed?
Yeah, so on the last time we spoke actually, you know, we talked about the UK's Code of
Practice on IoT security, and then that was standardised through ETSI.
It's really taken on a life of its own and, you know, there's been wide adoption across
the globe, but the UK always said if they felt that there was demonstrative market failure,
so we look at our survey results, that is clearly true in that space there, which was
one of the top three requirements, then they would legislate and regulate and they've acted
on that.
So they created something called the Product Security and Telecommunications Infrastructure
Bill or the PSTI Bill, and that's gone through all of its stages in parliament for the, what
they call the primary legislation, so the sort of framework legislation, and that received
royal assent, so it becomes law just before Christmas.
So that is now law in the UK.
What happens next is what's called secondary legislation, which defines the specifics,
so the actual things like we're going to ban default passwords, we're going to mandate
vulnerability disclosure, and we're going to mandate transparency in software updates
for consumers, and that will take place across, you know, the next few months.
So it'll be interesting to see, you know, as that comes out and they've already said
who the enforcement body is and so on, so they're mapping all of that out.
So really these manufacturers have been on notice for a while, but really now the big
stick will come, and I think a lot of other countries will be looking towards the UK and
seeing how they do, because clearly, you know, everybody's got the same problem.
Well, I was going to ask, so is the UK ahead then in terms of like the progress towards
legislation because obviously you've got the primary legislation but not the secondary
legislation?
Are there other countries that have primary legislation in place?
Have any other countries gone to the secondary legislation stage?
Well, I mean, obviously, you know, because of the way, the archaic ways in which legal
systems and parliaments work across the world is quite different, but I would
say obviously United States have mandated for federal purchasing that there's certain
security requirements in place.
There are other bits of legislation as well, so the CCPA, the Californian Act also bans
default passwords.
We've also seen quite widespread adoption of measures to implement vulnerability disclosure.
So we see that in the draft European Cyber Resilience Act, NIS2, which is for the Network
and Information Security Directive, which is for sort of critical national infrastructure
stuff.
In the US national cybersecurity strategy as well, they're mandating it.
So we're seeing that really, you know, that one specific requirement being spread right
across sectors.
And that's what we have to remember as well.
It's a part of overall cybersecurity.
So some things, you know, businesses get for free because they're already doing it in certain
places or it's asked for in multiple places and the same in the automotive industry.
It's the same requirements because we're talking about connected technology, it's all PCBs
and software, you know.
Yeah, I'm still being a nervous Nelly, I'm sorry to say because does it not sound a little
bit like a patchwork here in terms of a bit of legislation here, a bit of a rule there?
And don't we need better international coordination?
I mean, these are going to be devices that are going to be imported and exported and
connected cars are going to be driven across borders.
Yeah.
I mean, to be honest with you, there is quite widespread, I would say, collaboration in
some cases, but at least looking over the fence of what other countries are doing.
So we've been mapping some of this work, particularly in the IoT space, for example.
So we have a site where we track all of these standards and national legislation.
So it's called iotsecuritymapping.com.
And we produce that deliberately, again, it's all open data, to help to defragment the market
and to help people show, you know, see how, you know, a particular country's standards
map to another region's.
And that's really helped the manufacturers as well, but it's also helped legislators
in terms of knowing what good looks like.
I don't think anybody wants to create fragmentation.
And yeah, I think my view is quite optimistic, actually, is that we've already taken the
stance across the world that enough is enough.
We want to protect citizens from these safety issues, as you said before.
We specifically call out some of those safety issues in the ETSI standard, for example.
You know, we talk about the possibility that somebody could be locked in their house or
they could be locked out of their house, you know, with a connected door lock.
That's quite an obvious use case.
And there are many others.
You know, there was a lot of concern.
I mean, one of the things that I'm interested in trying to help with is the issue of coercive
and controlling behavior and the tech abuse, as it's called.
I think there's a lot that we could do there.
I didn't really want to put one requirement into our code of practice that just said,
you know, here's how you solve tech abuse, because it would be ridiculous.
And I didn't really want companies saying that they adhered to this and they solved
it.
I think it's a much, much bigger issue in that, and it's really a socio-technical problem
that requires a lot of thought.
But you know, we take things in steps, and I think getting the core foundations of the
security right provides also the foundations of privacy, because you can't have privacy
without security.
That's a great point.
I want to bring in Lee here, because your experience, you've been working with some
regulators out in the Middle East, Lee, and of course, the Middle East is notoriously
sensitive to the topic of spying devices and invasion of privacy and surveillance taking
place.
What's the situation in terms of the Middle East in terms of are they following what's
happening in other parts of the world?
Is there perhaps a greater sense of concern that more and more devices could be used to
monitor people's movements, monitor what people are doing in their own homes?
They are.
I mean, I can talk about, in particular, Bahrain at the moment.
So the regulator in Bahrain, the TRA, they've just established a safety working group, which
involves all the other operators over there, and this working group is going to be looking
at all of these types of issues.
So I know for certain that's going to be a new working group, and that's going to start
within the next two, well, one to two months.
So they are looking at it.
Sorry, I've seen requirements from multiple states in the Middle East on IoT security
specifically.
So I think they are taking it as seriously as other countries, and they are clearly adopting
the best practices from other countries as well.
But bringing in Ed on to this one, too.
It's not usually the elephant in the room, the USA, because they always have to have
different rules to everybody else.
And you mentioned about how in the US, one approach that's often taken is that the government
will set a code for what's purchased by the government.
It won't necessarily be rules that are imposed on all the products being purchased by consumers.
So Ed, do you have any reason to fear, as an American, that there's this patchwork within
the USA?
This may be Californians that are protected, but the rest of Americans, no consistency
in how they're being protected.
Yeah.
I mean, I think, realistically, there's an enormous amount of electronics that communicate
in various ways, including wirelessly, that are subject to all kinds of certification
and what have you.
They get imported every single day, and how much of that is actually tested for compliance
or that it is what it says it is.
I think there's so many different ways for that to be violated.
And when you're talking about the importation of, like we said, all the consumer electronics,
how much of that is IoT or other connected devices, or have things built into them like
voice assistants, things like that, that most people aren't even aware of the fact that
they're on your TVs listening to you, those kinds of things.
All that's happening all the time.
I feel like that when I talk to security researchers about it, and they always talk about the growth
and the extension of the attack surface being the big issue in IoT.
So that even if you did lock down certifications and agreements and security standards, and
we should do all those things, there's still an element of so many layers of there's implementation
of it.
And then what are you implementing?
Are you implementing defense in depth?
All those other types of concepts that go into it, it gets very overwhelming quickly.
But coming back to the center point of what you're saying, yeah, I think just in my experience
of working in businesses that import stuff from other countries that are going to connect
to us, you know, mobile networks, for example, things like hotspots and phones or anything
else.
I don't know that there's like, incredibly tight enforcement over the fact that the sticker
that's on the thing that says that it complies means that actually complies.
Well, anyone has a real sense of what's inside the box.
But let me start you there.
So that I think, I mean, obviously, it's easy for me to say it's easy, right?
But we do know what good looks like.
And we do know how to create secure products.
And that across all of the sort of, you know, developments that are going on in engineering,
that there are a lot of really cool things going on right now, we have, you know, much
better programming languages as well, Rust is an example of that, but specifically
on labeling.
So the current movement around labeling is to move towards a live label.
So what that means is there's no static certification.
And I really, really support this.
So you know, conceptually, you might have something like a QR code that you can scan
in some way.
But what that really means is that you can at any point, check the life status of that
product, you know, the software updates and so on, rather than kind of having this useless
label, which is six months old from when the thing was shipped, it doesn't have any value
really in saying whether product is secure or not, because it's not, it can change over
time, right?
Yeah, it's very hard for the buyer.
And I would add to that, too, that sometimes what you'll see in the certification documentation
that's provided is not necessarily for the product name or the product number, you know,
that you're trying to buy.
And then sometimes the person on the other end with the other organization who's trying
to sell you something, you don't know if they're either confused because it's complex or deliberately
trying to deceive you because they want to make a sale, right?
And then some of those things, that's what I'm saying.
I'm not trying to be overly cynical because I am with you, David, that's a wonderful way
to solve the problem, right?
Having that live sense of certification where people have to be bought into it, right?
I could see a blockchain application for that kind of thing, for example, something that's
live and that you have to support and be participating in at all times.
That makes sense to me.
It's the flip side of it where the chinks come into it, right?
Is all those little things we're talking about where do people understand it?
Is there down to the level of I'm the person buying it and importing it because I have
an order to fill or, you know, a business that I'm trying to build, is the person I'm
communicating with, are they trustworthy, right?
Like having more visibility and even the purchasing process for those kinds of things that I think
you're talking about collecting from a data point of view would be tremendously helpful,
right?
So that at least all the well-intended people are allowed to make proper well-intended decisions
and do business with people that are on the up and up.
Well, I mean, it also opens up new possibilities technically as well.
So for example, if a device, you know, if a device can communicate its state, it may
be within a network could communicate its state as well.
So if it goes insecure, then that could be isolated in some way.
So I think there's a huge range of sort of future opportunities here for sort of engineering
that go beyond this kind of just this thing that you haven't a clue what it is or it does.
And then that, you know, links to supply chain security aspects as well, like you say.
And I think one of the things that you're saying I take away from it too is the more
friction that we can create for the person that has an ill intent, right?
I think that's actually, that's usually a good concept.
I realize sometimes people push back against that because then are you stopping innovation,
what have you.
But I think we've probably proven to ourselves in this environment that we need to put the
clamps on a little bit more.
And I like what you're saying too about the idea of being able to isolate something that
is stepping out or acting out, right?
And the only way you know that is if you're monitoring the whole situation.
And like you said, if you have a standard to measure that against, and then thereby
to know that something is not behaving the way it should and have a mechanism for stopping
it, calling it out, preventing it, right?
And I think that's, again, that to me is another element of defensive depth as well, though.
And like how we start, when I've talked to this, I won't get too into it, but as I start
to talk to security researchers, it's those kinds of concepts that go into like continuity,
right?
And it's interesting if I tie this all back, all of that goes back even to the whole change
we've seen in software development.
You know, going into the idea of continuous improvement and some of the concepts you're
talking about, David, I'd like that are taking things that were paper certifications and
paper agreements and no, let's make this a live thing that's part of this continuous
improvement method that we should have in technology all the time and we can keep an
eye on it.
That's an interesting concept.
Hey, well, I want to jump in here and say that complexity is where criminals thrive.
If things are simple, then at least there is a chance that the consumer or the authorities
can do something about protecting the consumer from harm, can do something about weeding
out the bad actors.
So I'm still getting the feeling, I'm still getting angst about the complexity here.
And whenever I deal with complexity, my answer is always, who should I be emulating?
Who is a good example?
So let's not just talk about who's bad or who's failing, but who are the examples that
stick out for you, David, in your mind when you talk about the best practice in the industry,
whether that's a business, whether that's a country, whether that's a legislative environment.
If we were to condense it down to messages that this audience can take away two or three
messages in terms of be like this person, be like this country, who would you pick out?
Well, obviously being British, it's got to be the United Kingdom.
I mean that genuinely because, you know, all the intellectual leadership on this has taken
place in the UK.
And I think part of that is because the UK had this world leading organisation, the National
Cybersecurity Centre that was set up, and the work they do is unbelievably good.
And the way that they work as the sort of glue between all the different government
departments means that they are really able to sort of accelerate the work that they do
and protect the UK and make it, you know, a safe place to work and live and they're
acting on that.
So, you know, what we're seeing is other countries and not just in this space, but in the telecom
space as well, looking to all of that work and the UK saying, yeah, take it because we
want, you know, everybody, if everybody adopts this, then it's just general good practice.
And then we're generally safer as a global community.
So that's the first thing I would say.
And then, you know, I think, you know, there are specific companies that are at the leading
edge and that might be because they're also, you know, they have the money to be able to
sort of break new ground on this, but they also help to provide that back to the community.
So, you know, when we come to things like software updates, you know, Google have actually
led the way on that.
And I've sort of cited them as an example for years because particularly around the
transparency of updates, and that was one big thing for me with all this code of practice
work was if we can push transparency to the user.
And so in the legislation, for example, you know, transparency of updates, we're not mandating
software updates, but if a customer can see that this device is never going to get any
updates, they can make their own choice.
They can make their own decision because they can see that information and it's pretty simple.
But even if they don't know, and I know, you know, you're saying that you're a nervous
Nelly, Eric, but that sort of light of transparency may therefore mean that some other organization,
like Which?, for example, who are a sort of consumer protection organization, can take
a look at that data and help you make an effective decision.
But if that is totally opaque, if you can't see it, then nobody can make a proper decision.
So I want to shine the light of transparency on everything, whether it's, you know, software
bill of materials or supply chain transparency, I think it's really, really healthy.
I think you make a great point there because it's very easy to be critical about Google
and I often am, but in this particular area, in this particular facet of how they do their
business, they are a great example to others.
And I think it's absolutely vital because then it opens the door for independent researchers
like yourself, independent evaluation bodies to be able to step up and look and examine
the detail.
So we shouldn't always be critical about businesses like you.
Apologies, guys.
I could talk all day about this subject, but I'm conscious of time.
Just read out a couple of comments from some of the viewers.
Somebody's managed to get their bingo card completed thanks to, I think it was Ed mentioning
the word blockchain.
So thank you, Ed, for mentioning the word blockchain.
So we've completed our bingo card today.
And somebody else asks about Asia being a very general term.
Can we get some more specifics about where in Asia is doing well?
That might be a bit harsh for you, David.
I don't know.
Yeah.
I mean, I'll point you to our website.
So if you go to copperhorse.co.uk, you can download the open data and you can see exactly
where these places are.
So of course, yeah, we had to regionalize some of the data because we had, you know,
huge amounts of data, but absolutely go and have a look at the open data and you'll see
directly.
Okay.
So, well, thank you for your time, David.
I'm just going to let the viewers know where they can get more of the information from
the IoT Security Foundation.
So producer Matt will make some magic occur now so that everyone can see the URL.
The URL is iotsecurityfoundation.org/best-practice-guidelines.
If you go to there, you'll be able to download a whole bunch of different documents.
Two of the ones that you might want to pick out in particular are the review that David's
just performed for vulnerability disclosure policies worldwide.
And you can also download the latest version of the IoT Security Assurance Framework, a
practical and detailed 57 page guide for IoT vendors.
So I can't thank you enough, David.
Thank you so much for all the hard work you're doing for the industry and thank you for taking
a lead on this topic.
It is much appreciated.
Thanks for having you on the show today.
Thanks great chatting with you and maybe we'll chat about some other telecoms issues next
time.
Absolutely.
I'd always welcome having you back.
I was glad to have you back on the show anytime, David.
Thanks a lot.
So that's all for episode three of the Communications Risk Show.
We'll be back next Wednesday with a show that discusses the supply of forensic network data
to law enforcement.
Our guests will be two experts from Lattro: Tom Beiser, Director of Lattro's Cellular Forensics
Lab, and Lattro Chief Executive Donald Reinhart.
Tune in for the live stream on Wednesday 5th of April at 4 p.m. UK, 6 p.m. Saudi Arabia
and 10 a.m. US Central.
You can save the show to your diary by clicking on the link on the Communications Risk Show
web page or automatically save the details of every show to your diary by simply subscribing
to the Communications Risk Show broadcast schedule.
Thanks again to today's guest, David Rogers, MBE, Chair of the GSMA Fraud and Security
Group and a leading member of the IoT Security Foundation.
Thanks also to my co-presenters, especially for filling in while I disappeared there briefly,
Ed Finegold, Lee Scargall.
You've shared your invaluable experience again and the audience, thanks, I'm seeing lots
of comments over saying that they've had a good show today despite our technical hitches.
And thanks to Matt Carter, who's been able to keep this on the line despite people kept
having their internet cut out here, there and everywhere.
Thank you, Matt, for being producer of today's show.
You've been watching episode three of the Communications Risk Show and I've been your
host, Eric Priezkalns.
Visit the Communications Risk Show website, tv.commsrisk.com for recordings of previous
interviews, check our news website, commsrisk.com for all the latest updates and opinion about
risks in the comms industry and be sure to make good use of the free resources supplied
by the Risk and Assurance Group, RAG, through their website at riskandassurancegroup.org.
Thanks for being with us today.
We look forward to seeing you next Wednesday.