David Rogers MBE, Chair of the GSMA Fraud and Security Group, joins us for a conversation about the internet of things (IoT) and the need to improve security surrounding networked devices. Whether it is your car, your refrigerator or your fitness monitor, many more machines are collecting data and communicating with networks in a bid to make life safer and more convenient. But how well is this data secured, and what are the risks of hackers taking over these devices? David talks about developments in international security standards for networked products, the first steps towards enforcing tougher laws on device manufacturers, and the results of the latest annual survey on IoT vulnerability disclosure policies.
Topical news items will also be debated by the show’s three regular presenters, industry analyst Ed Finegold, senior risk executive Lee Scargall, and the Editor of Commsrisk, Eric Priezkalns.
Transcript (auto-generated)
Hello, you're watching the Communications Risk Show and I'm your host, Eric Priezkalns. Each Wednesday we discuss the risks facing communications providers and their customers with experts from around the world and we broadcast live so you can also join the conversation by submitting your questions and observations. We'll try to read out as many as we can before the end of the show. To ask a question just type into the box immediately beneath the streaming window at our website tv.commsrisk.com. Messages on the website are anonymous so include your name if you want me to read it out. This show is also streamed live on LinkedIn so feel free to leave a comment over there if you like. Our team will also keep an eye on those comments and try to make sure that I cover as many as I possibly can. Though last week we had way too many so apologies if you didn't get a chance last week. Maybe you'll have more luck this week. Later in the show we'll be joined by David Rogers who was recently re-elected chair of the GSMA's Fraud and Security Group. He's also one of the architects of the UK's strategy for securing consumer devices powered by the Internet of Things and he'll be telling us about progress with enforcing security standards for those products worldwide as well. But first let me introduce my co-presenters Ed Finegold and Lee Scargall. Ed joins us from Chicago where he's an author, analyst, strategic advisor to tech and telecoms business and Lee is joining us from Cleethorpes sadly today. Not the exotic locations we normally associate with Lee but back in Cleethorpes. If you don't know where Cleethorpes is, that's for the best. I'm not going to tell you where it is because you really don't want to go. When he's not in Cleethorpes Lee is a globe-trotting executive and consultant with experience of working for a wide range of communication providers in the Middle East, Europe, Caribbean and Asia. So hello Ed, hello Lee. 
Now straight in with our first topic of conversation. We've got so many amazing topics to talk about today. So much is happening in the industry. Ed I really want to get your opinion on this first but let me just explain what's happening with flash calls and Facebook first for the viewers who are not familiar. Now users of the Facebook Lite app, an app designed for use on 2G networks, are being asked to give the app permission to manage calls and check the call log. If they do, their identity will now be authenticated by what Facebook is calling a missed call and which most of the comms industry refers to as a flash call, an ultra-short call made with no intention of the recipient picking up. Now flash calls are really controversial because many argue they violate the contractual terms imposed by network providers by consuming resources like phone numbers and network signaling but without any intention to use them for the reasons provided. They're also attractive to businesses like Meta because they offer a free alternative to sending one-time passwords by SMS. Arguably they're more convenient for users because there's no need for the user to retype each password. However, the threat to A2P SMS revenues leads many to characterize flash calls as a form of bypass fraud. Starting with you, Ed, do you see advantages to the consumer in being able to authenticate themselves without needing to read and respond to an SMS or do you see any downsides to these attempts to popularize flash calls? I actually think those are two separate questions but let me start by saying that the more I've read this story and the way that you've presented it, the more it makes my blood boil because there's no direction of it that makes any kind of sense at all. So now let me answer your question. So the first part is, does it make sense to have a consumer be able to authenticate themselves with something other than an SMS? Absolutely. 
And I think the whole security community knows that that's been called for since what, like 2016, that SMS is fundamentally not meant to be used in any way as a security mechanism. It shouldn't be. It still is because it's popular. You obviously broke the story about what was happening with Twitter that's made it a bit controversial but especially in the US, the numbers are overwhelming that people in the US especially still really like to use SMS because they're used to it and it should be replaced with something more secure. So the other part of the question though that you want to get to is about flash calling. And the reason I find this frustrating is because, let's break it down a couple of pieces. One, so you mentioned it's a free way to do authentication. You're consuming a service and you're not paying for it. So that's either bad business or it's fraud or whatever, it's a hole that should be addressed. So it's like in a sense that if you were going to have a free market solution to it, that somehow there's a hole here that isn't a free market solution because someone's getting away with something for free and they shouldn't. Now the fact that it rubs up against something that can be used fraudulently that relates to this other fraud problem of things related to flash calling and I guess Wangiri probably falls in there as well, all those kinds of behavior type things, that gets me very uncomfortable. It automatically makes you think that we're trying to solve a security problem with something cheap and broken that doesn't work that piles onto a bunch of other security problems. So that's why I get frustrated that none of this makes sense. The only thing that makes sense to me is going back to the beginning, which is that, yeah, we should be using something and there are such things at the separate discussion. We should be using things other than SMS, right, legitimately that are secure and probably paid for. 
So you have some skin in the game, right, to address the problems that stem from things like flash calling and things like SMS account takeover resulting from one-time SMS passcodes. Well, I agree with everything you say, so I've got nothing to say on that topic. Hopefully Lee's got something more to say on that. Now Lee, you've of course, apart from when you're in Cleethorpes, you work in all sorts of countries that are normally hostile to places where flash calls may occur. What's your reading on this in terms of flash calls being used? Basically Facebook is thinking 2G, certain parts of the world, the users will be using 2G there, maybe places where A2P SMS is a lot more expensive, those countries. But what's your reading on how big companies, big telcos are going to react to this? What's your reading on how certain governments will react to this? Well, I honestly agree with Ed on this. This is going to be boring. Everyone's agreeing all of a sudden. This is what I'm thinking. I was going to try and come up with something really controversial here, but unfortunately it's not going to be the case on this topic. So look, some operators, they're looking to monetize it. So they're working with these flash calling providers to try to facilitate this service, to get it in so it's a good user experience for the customers. Now some other operators, they're trying to ban it. And if we go back, say I think about two weeks ago when we just briefly touched on this comment, we had a comment coming in from a European operator who was saying that they were going to block it. Right. They would not allow it. Now that might be the case. You might want to block it. However, there's a second dimension here and that really comes back down to the regulator. And will the regulator allow you to block it? Because regulators get a little bit antsy, right, when you start blocking people's access to a telecommunications network. 
So personally, I think what Meta's doing, I think this is a great approach and I'd like others to kind of follow their lead on this because, you know, it could be a... I'm going to jump in now because Meta does ask you to hand over a lot of permission on your phone to be able to use flash calls. So I would say if you were a privacy nut and you're worried about a business like Facebook grabbing your data, the last thing you want to do is let an app from Facebook start deciding whether your call is going to be accepted or not. It's basically hanging up phone calls for you without letting you decide to hang up on them. And then it's going through all your list of log of all the phone calls you've received and you've made for however many years. So surely there's a big downside there to flash calls because a business like Facebook is not just going to go, oh, we're only checking this data because you want to make sure we authenticate you. They're going to be downloading all and analyzing all the contacts you've got all around the world. Yeah, but what's the alternative then? We stick with SMS, do we? App-based authentication so that everyone knows where they are. Apps are good, right? I'm all for apps as well, right? So it's anything. We just have to move away from SMS OTPs, right? Now we've got a comment straight in here, so the audience is getting wound up by this topic. It seems like we've lost our host. Why don't we wait a minute and see if we get Eric back? Okay, but I'll just, I'll continue. Just what the point I was trying to make here is, you know, you could potentially take this situation, you know, it's into, you turn it into a win-win, right? Okay. So the consumers would be happy because you have this like seamless, invisible authentication process which is going on in the background, right? And then if the operators can actually monetize it, then obviously they're going to benefit by not losing so much revenue on the A2P side of things. 
Yeah, Lee, I think, you know, one of the things that stood out to me when I've looked more closely at like the interrelated security issues that tie into SMS, and there's a lot of different ones. When I've talked to folks that I felt like had a sense of understanding the technology, understanding what a practical solution might be that would improve, right? No one commits to it being 100%, but if you can improve the scenario overall and drive better behaviors, most of the time I felt like those people were talking about things that are token-based and that leverage successful models like certificate authorities, like that there are models out there that are massively better, right, for the purpose of what we're using SMS for that should be used, and the barrier tends to be incentivizing people to use them. You know, it's more of an ease of use thing, but there are, there's a lot of smart literature about how to solve this problem, right, that we can do a whole show around. Welcome back, Eric. We've been tap-dancing. Welcome back. In case anyone's wondering there about who you might want to use as your home broadband supplier, that was not an advert for Virgin Media. Virgin Media is my home broadband provider, so all of you out there in the UK, you might want to be thinking twice about whether that long-haired bearded fool who runs that company is the kind of guy who you want to be buying for. Not that there's anything wrong with being a long-haired bearded fool. I know all about that topic, obviously. So apologies. Thank you guys for continuing. You didn't need me anywhere in the conversation. I hardly know why I bothered turning up. I only turn up to do the adverts, and speaking of which, let me now do an advert for our main sponsor, Blue Gem. Blue Gem is a global provider of testing services for telecoms, government, and software businesses, creating real test events like voice, SMS, and data calls. 
They also support a variety of LTE-M and narrowband IoT network protocols to connect low-energy devices. Blue Gem gives you insights into a number of key areas, such as IoT product validation, network and satellite security, service assurance, billing accuracy, and SIM box detection. They can measure in precise detail how many data bytes are sent across networks in order to provide a customer with a certain kind of service, such as IoT SIM cards connected to multiple devices, to track the usage across concurrent data sessions. Or suppose your business is planning a major platform migration. You don't want customers to identify issues that you could have spotted earlier within the migration release cycle. Using Blue Gem's test services means you have confidence that everything is running smoothly in every three before any changeover affects your customers. Some businesses rely on internal testing, but a bespoke solution approach gives more precise results, ensures a more comprehensive test plan is covered, and prevents issues that may impact your customers. So whether you want to ensure your customers are able to use an IoT product, or you want to check how much data traffic is generated by a new device, then you should call upon the experienced team of specialists at Blue Gem. Okay, guys, back to the chat. And my gosh, I'm really keen for input from the viewers on this next topic, especially anybody living in France. If anybody living in France wants to weigh in on the next one, I'd really be keen on those points from you. I'd love to hear from you in France, because the last few weeks have witnessed a sharp separation between the experts who have been talking about SMS vulnerabilities in different parts of the world. In the Anglosphere, many have been banging on and on and on about the need for ever more passwords to be sent by SMS, obviously not the people on this show, because we've got more sense. 
But nevertheless, lots of people who claim to be security experts say we need more and more passwords sent by SMS, and they got angry that Twitter switched off free use of SMS two-factor authentication for the 2% of customers who used it. But in France, the biggest issue of the last few weeks has been the gendarmerie arresting members of a gang who drove multiple vehicles around Paris, each with a $20,000 IMSI catcher in the back, sending SMS messages in total to over 400,000 Parisians in an attempt to lure them into typing their personal information into a fake national health insurance website. Now, the story first emerged at the very end of 2022 with a car stop of a woman driver who was found to be on drugs and an IMSI catcher on the back seat, though initially the police mistook it for a bomb. Five suspected gang members were arrested in February, and a second IMSI catcher was then discovered in relation to an old ambulance which had been driven around the suburbs of Paris. And then a sixth suspect was arrested in Montpellier two weeks ago. But what's the really shocking aspect of this story? Well, these IMSI catchers were circling Paris. They were purchased by the criminals in April 2021, implying that they were used for over a year and a half before a lucky car stop first found one of these IMSI catchers. Now, Ed, I see lots of fuss about stingrays in the American press, as Americans like to call IMSI catchers, but mostly it's from lawyer types who are worried about government agencies overstepping the mark. They might have a point: a recent audit of the Department of Homeland Security identified occasions when their agents, Secret Service agents and staff at the Immigration and Customs Enforcement Agency, have all broken the law by using IMSI catchers without the necessary legal warrants. 
However, putting aside our concerns about big government and too much surveillance, does the scale and nature of the Paris scam, where organised criminals are using IMSI catchers, does it come as a shock? Or have we been neglectful about the risks surrounding IMSI catchers? It doesn't surprise me at all, and it's actually for like a natural selection reason, because just think about it like this, the way that you're characterising the story as well, talking about it was mistaken for a bomb. So what are the police looking for? The gendarmerie, you know, what are they looking for? They're looking for bombs, they're looking for drugs, like that's what they're tasked with looking for. That's what's on the checklist. Are you looking for IMSI catchers? What's an IMSI catcher? When they found the thing, what do you think the response was? It was, I don't know what this is, but it looks like something somebody with expertise needs to look at, because there's something going on here, right? You're sharp enough to know you don't know what you're looking at, and so therefore it's dangerous. I can't imagine it's any more than that, but it doesn't surprise me at all that they drove around with impunity, because what are they doing? They're just driving around. You're not even making a delivery. You're not doing anything suspicious that someone that's dealing in terrorism or drugs is probably doing, right? Like you said, and this division of the gendarmerie, who eventually did pick up and start to follow through with the investigation, relatively new, you know, a new division. If I was to compare that, say, with the police in the UK or police forces in many other parts of the world, they simply wouldn't have anybody with the skills and the knowledge to deal with this. So Lee, let's bring you in here. You've got in-laws in France because you're such a cosmopolitan guy. 
What's your take on the way that this story's being perceived in France, and how does it compare to the way that it's actually largely been ignored in other parts of the world? So what's your reading here? Are the French overly panicking, or is the rest of the world a bit too complacent? No, I don't think they're overly panicking, but I find this actually really fascinating, Eric, because when this case first broke, I kind of, I was reading through it and I was trying to work out why are they using an IMSI catcher to commit this type of fraud? Because the normal way you do this is you just send out spam messages, right? But why would you use an IMSI catcher? And then I started to think, well, okay, maybe if they wanted to target a wealthy suburb in Paris, they'd just probably drive around there. But then when I looked at the number of SMS messages that were sent, it was about 400,000 messages. So then I started to think, well, hang on a minute, you're not targeting a particular suburb here. So I did a bit of research. I went onto the internet and I looked up, you know, can you actually purchase IMSI catchers? And it turns out you can. And you mentioned one there for $20,000. The ones that I was looking at were $8,000 US dollars. Now the thing about these IMSI catchers is in some countries they are legal and companies use them for kind of sending out SMS messages. If you have a shop, somebody walks past your shop, you'd latch onto this IMSI catcher, then they send you an SMS, maybe to kind of advertise or promote something, right? So in some countries they're perfectly legal. However, the interesting thing about this is that when those SMS messages are sent, they don't go through the operator's network. It's going directly from the IMSI catcher to the handset, right? So these messages, one is they're not going through the network. So it doesn't create a CDR, right? So very hard to detect. And the second thing is they're completely free to send. 
So you wouldn't get charged for those. Now this is where it gets interesting, right? Because how do you detect something that you cannot see, right? Now I was trying to work out thinking, well, you know, how would we have a, you know, how would we actually get over this problem? And I think if you have a national SMS spam reporting service, such as in the UK, we have 7726, I think that's pretty universal across the, well, most of the world anyway. Somebody would probably report one of these messages to you. You would then go probably to investigate how many other customers have received this message, but you wouldn't find that CDR, right? The CDR is not there. So this, to me, is, you know, how can we determine we have a bigger issue than what we actually know we have here? Now I know in the case of the issue in France- I've got the answer for you, Lee. I've got the answer for you. We should go down, drive down Westminster with a great big SMS blaster and blast SMS messages at members of parliament and do the same with other politicians around the world. The problem would be sorted pretty quickly then. It's absolutely outrageous that we're talking about the idea that you should be able to basically interrupt, intercept, get in the middle of the communications network and blast out advertising because maybe that's okay and we don't see anything wrong with that. And as viewers are pointing out, an important comment here that I'm going to read out, the most interesting part of this was the fact that they were able to downgrade 4G signals to 2G, which allowed them to strip out some of the inherent security protocols. So this is not even just about blasting out SMS messages and detecting it. It's about downgrading the quality of the security around the network too, which opens us up to far more vulnerability. So my attitude is let's go out and blast the politicians until they start taking it seriously. I'm game for it. I think you should do that, Eric. 
I'm not going to participate in that, but if you want to do that, then go ahead. You've got a proper job, that's why you don't want to do it. And if you did it around the Middle East, they'd probably put you behind bars if you did it there. I think the politicians are way, way behind the curve. And this is why I'm saying to you, are now the French in the lead because there's been a major scandal and now at last somebody's taking some notice of it, though suddenly everybody who doesn't speak French is ignoring the story still. Yeah, I don't think it's just in France as well. There were other cases which had been reported in Vietnam as well. I just think, you know, how bad of a problem or an issue do we have here? Now, if you can purchase these for 8,000 US and they're freely available on the Internet, then, you know, it's not going to be long before fraudsters turn to this way, right? Because if you look at the old traditional ways of just spamming, spamming people, which actually only has a success rate of about 1%, by the way, of people who would click on that link. Now, now this is a lot more cost effective approach to that, that kind of fraud. And it's just, it's almost invisible to detect, right? So it's inevitable. We've got, we've got things like SMS registries being used to try and stop the spamming now. Well, if there is any success with a technique like an SMS registry, what's the next step? Drive around the vehicle, do the SMS spamming that way. So there's a propaganda, like an anti-propaganda piece to this too, where you have to look at it as something that's from a US perspective, an IMSI catcher needs to be branded as like a weapon of mass destruction in the cyber war that needs to be stopped, right? It needs to be, and there needs to be use cases given, you know, for how they're not made in China, can we not just play that card? 
And so in that sense, the lawyer types you're talking about before, who were concerned about government surveillance, they're not super far off, but I would challenge them to broaden their perspective, right? To think about like the global world you're living in, right? And the way that people are using technologies to attack infrastructure and attack people, right? Individuals. And this is one of them. And so the more that you understand, like what are all the arrows in the quiver that need to be squished? You know, I think that's part of, I think what motivates, you know, we need to stop drugs. We need to stop terrorism or bombs. Yeah. You need to stop the weapon of mass destruction of the cyber war, the IMSI catcher and its friends, make a list, right? And that at least in the US, like people act, yes, make an enemy. We'll blow it up. Good. IMSI catcher. Right. It's just, it's just sort of like a more primitive way of motivating people to do the right thing than trying to go at it the sort of logical way. That's like engineering. That's not how the US works. Nobody solves any problem in the US for less than $10 billion. If somebody could come up with a $10 billion solution to this problem, they'll be straight on it. But anything that costs less than that, they just don't bother, do they? I think in the US. Anyway, enough with my cheekiness because I have to do another ad for it now. And it is relevant to what we're saying because here's another one of our weekly features, the Symmetry Prism fact. It's a very pertinent fact this week from Symmetry. So we appreciate the Symmetry Solutions guys with their facts, introducing very, very important insights into our debates here. So courtesy of their Prism fraud intelligence service, they've shared this amazing fact with us all. Did you know that SMS scammers recruit stooges through messaging services like WhatsApp and Telegram? 
Typical quoted rates on those platforms are one euro for every 10 SMS messages sent or hourly fees of between 100 and 350 US dollars per hour. According to the scammers, working for them can generate an income of 12,000 US dollars a month. And that was disturbing to me because as my producer Matt pointed out, that's a lot more than I pay him to do this show. So this show might not be continuing very much longer if we were to let Matt get onto these Telegram channels. Now on with the topical chat, international anti-spam agreements. Do you see what I did there in terms of linking things? The Australian comms regulator, ACMA, recently signed a memorandum of understanding with the UK's privacy watchdog, the ICO. That's the latest in a string of similar memorandums of understanding involving such countries as the USA, Canada, Singapore, Australia, and the UK. Now Ed, Lee, most commentators welcome all these agreements. I point that out because obviously I'm not going to be welcoming it. Am I alone in starting to question the point of all these agreements? Because they all seem to say that information sharing involves a lot of arranging foreign documents, arranging foreign fact-finding trips, arranging lots of conference calls and press releases about how everyone's doing a great job, but no actual prosecutions of anybody breaking the law. Am I wrong to be cynical, Ed? I don't think so, just because historically that's what tends to happen. I think the thing I'm trying to figure out is if along with the wining and dining that you're kind of pointing to, there is an end result that says there's some kind of legal framework in place that helps us, right, to enforce rules around all the time. No, they exclude that. Yeah. They exclude that from the agreement. It's like if that piece of work doesn't get done and it's just about the getting together to schmooze, then yeah, I'm with you and I feel like there's an awful lot of that going on here and elsewhere. 
Now, Lee, they're much better in the Middle East at prosecuting things. What's happening over there in terms of comparison? Are they going to lead the way with taking more of a sensible stance on stopping all this nuisance messaging or are we all just doomed to spending the rest of our lives reading press releases about people travelling around the world not prosecuting anyone? Well, it does sound like jobs for the boys, doesn't it? But look, the only thing which I found a little bit strange about this is that if you look at the Australian ACMA, which is the regulator over there, they're not actually talking to the UK regulator, which is Ofcom. They've actually signed this MOU with the Information Commissioner's Office, right? So it's a little bit strange as to why Ofcom's not involved in this. Well, it's just more reasons to travel around the world, isn't it? I mean, you've hit the nail on the head. I mean, Australia's got a privacy regulator very much modelled on the same model as the UK's privacy regulator. So why is it not an agreement between the two privacy regulators? However you cut this, this is a very strange deal that seems to involve yet more reasons for people to travel backwards and forwards. Although the Australian regulator, if say they get involved in something like blocking traffic, well, that's not the kind of provision that the UK's privacy regulator can do because the UK's privacy regulator is not in a position to order telcos to block traffic. Vice versa. The UK's privacy regulator, data protection under GDPR here in Europe, well, there's a lot of theory about how that can be used to prosecute companies around the world. Theory, no actual fact, because they never do prosecute anybody outside of the UK. Absolute nightmare to try and persuade them to actually take on anybody who's not based in the UK. So why do they need to swap information with Australians? Is the Information Commissioner in the UK likely to be prosecuting somebody in Australia? 
Not very likely, I would say. And a comment here from one of the viewers: BEREC does nothing on fraud, but they do love their wining and dining, it says. Sorry, apologies, I forgot to mention BEREC, the club for European regulators, has also signed one of these bilateral MOU agreements. Although I always found that one really amusing because that was the one where the FCC wrote that it was all about stopping robocalls and BEREC managed to just not mention robocalls at all in their version of what was otherwise, word for word, the same press release. So even when they're agreeing to swap notes, they don't seem to know what they're swapping notes about. Right. Enough of the ranting because we're behind schedule because I disappeared off screen for a few minutes. So two minutes of somebody who's the least ranty person in the world. Before we introduce our next guest, Geoffrey Ross of call authentication, fraud prevention and geolocation specialist One Route likes to take us on a tour of the world. And he always sees the good in people like me. And he sees the world not just in the good of people, but through the phones that they use. This week, Geoffrey is going to take us to one of his favourite countries, Mozambique. So producer Matt, roll VT. Hey, everyone, from One Route, I'm Geoffrey Ross, and this is the world in your phone. Let's talk about Mozambique. Mozambique is known for its rich culture and history and beautiful coastlines. It's located over in southeastern Africa and borders six countries: Tanzania, Zambia, Zimbabwe, Malawi, Eswatini and South Africa. Did you know just a few years ago that Vodacom Mozambique partnered with Google's parent company Alphabet to bring network access to previously uncovered populations via stratospheric internet balloons? Balloons? Who knew? So I'd be willing to bet that there are parts of Mozambique that probably have better connectivity than rural parts right here in Texas. 
Also found it interesting that the name Mozambique comes from the name of an Arab trader, Musa Albeek, who settled on an offshore island in the 15th century. At that time, the capital city was located on this island until 1898, when it was moved to Maputo. Mozambique's also home to our own Cali Kautz. Cali's an incredible guy, and you can find him in the capital city or hanging out in the bush there in northern Mozambique. You never know with that guy, but we appreciate him and Cali, obrigado. Mozambique has an incredible economy with a vast resource of agriculture and has one of the largest natural gas planes. Be sure to tune in and subscribe to One Route on YouTube, where you can catch up on all these video series and watch the One Route Roundup, where we interview people making an incredible difference in the telecom industry. Now on to another great Communications Risk Show. Well, thanks to Geoffrey and to One Route for the world in your phone, their regular weekly contribution to our program. And now let's welcome today's expert contributor, David Rogers, chair of the GSMA Fraud and Security Group. He's a thought leader, he's a researcher into security, and one of the areas that there's a lot of work in is the Internet of Things. So David, thanks for joining us again on the show. It's a pleasure to have you here. Thanks for having me, Eric, and nice to see you all again. Now I know that you probably think that everything we said in the first half hour of the show was a load of old rubbish, but that's why we have you on the show to tell us how things really are. Amazing advances are being made, but I'm the kind of guy who gets worried about my privacy, okay? So when more and more devices like your Amazon devices, your connected cars and everything are circling me with their cameras and microphones, I think to myself, you really don't want to hear more of what I've got to think about the world. 
I hope people aren't listening to me the whole time as I'm speaking to myself on my own. They're gathering a lot more data. It causes me worry. People are, pregnant women are wearing harnesses that are listening to their unborn kids. We've got cars producing, what is it, five terabytes of data per hour. Am I the mad one here in worrying about all this data being collected about people, or are there serious reasons to fear for the privacy implications of the Internet of Things? Oh, I think they're entirely legitimate concerns and you see that played out in sort of consumer concerns and consumer behavior. I think there's an increasing awareness and in some cases, paranoia that individual privacy is kind of gone and that these big companies are just having a field day with whatever they want. And to a certain extent, that is probably true. We've been working on some really, really basic concerns around IoT security. And it's always worrying that as the technology advances that some of these companies don't necessarily want to do anything about privacy or that's what's being projected to customers. It's steps, isn't it? You have to make steps in the right direction. If they won't make the initial steps, they will never get to the further protections that are needed. So putting privacy to one side, what about safety for network devices? For example, the supposed benefit of connected cars is that they'll be safer for drivers and passengers. But how wary should we be of the risks to safety if devices like a connected car can be hacked? Yeah. Again, I think this is something that's playing on people's minds, both privacy and safety. And there have been some quite widely publicized hacks, maybe a class of stunt hacks in the security research world. But I think they served a very, very good purpose in raising awareness of the types of issues that could happen if we don't pay attention. 
And what's been happening in multiple spaces is governments were waking up to the reality that their citizens are not being protected adequately. And so you see right across the world in multiple sectors, action being taken, particularly around defensive security, protecting those products for the future. And yeah, that's starting to bear fruit. Well, let's talk about the research that you do on an annual basis for the IoT Security Foundation. For those viewers who are not familiar, could you please summarize what you've been trying to learn through this research and your most recent findings? Yeah, absolutely. So we conducted this research on behalf of the IoT Security Foundation, and it was supported by HackerOne, who worked closely with security researchers. And we've been doing this for five years now. We've followed a very distinct methodology, and we committed to making this data available as open data right from the start so that it was fully transparent and that anybody could use this. I think that was really important. The reason we did it in the first place was a lot of people assumed that IoT security was really poor. But there are very few ways of measuring that. So obviously, you could take a device and you can have a look at it and reverse engineer it. But that is relatively difficult. So what we were looking for was public indicators, or what I call insecurity canaries, and ways that we can measure how a company approaches security. So one of those is on something called vulnerability disclosure. And what that requires the company to do is to have a public-facing way for security researchers to contact that company. So what you can conclude from that is if it isn't there, because it is good practice, then that can tell you a lot about that company's approach to security, as in they probably don't pay too much attention. 
And given that we have regulation and legislation coming around the world specifically asking for this, it also kind of is worth monitoring. So we've done that over five years. We started out when it was about 330 companies, and less than 10% of these companies actually had any kind of way for people to contact them. We're now up to 27.11%, which is still pretty rubbish, if I'm honest. We extrapolated that, and I think we worked out it was 2039 before we got to 100%. It's a very linear line. So that's really not good enough. And the fact that even with the threat of regulation, they're still doing nothing is quite astonishing to me. And it really shows how broken that market is. And that's just us taking one public indicator. What do you think the products really look like? It's going to be pretty poor. That's absolutely, I think that's shocking. I have to say, I think that's absolutely shocking. If you were to pick on a part, I know that there are variations between different parts of the world in terms of where manufacturers are doing a better job and a worse job in terms of being open to independent security research. Who's leading the way? Who's doing a good job? Who's doing a poor job? Who should we be barracking on a regular basis and who gets a round of applause for doing slightly better than 27% on average? Well that's also part of our research. But a couple of years ago, what we wanted to do was to understand to what extent those companies that were doing this, so we were looking at all of the information that was available and trying to record as much as we can, how do these companies implement these things? What kind of features do they have? What does good look like? And then we kind of match that against what the regulators or what incoming legislation would ask for. We came up with this kind of list. My idea for this originally was the kind of Greenpeace list that's produced, which is about sort of ethical sourcing of components and so on. 
And so could we have this list of people who did sort of comply with these things? So I won't kind of name names here because people can go and have a look at it themselves. But we have got a list of companies that really, really do go above and beyond. And I think they should be kind of celebrated for what they do. And one thing I should caveat with this is we can't measure volume of sales in the market. But you can look at that list and you can probably say, well, actually, you know, of these 330 companies, there are a couple of very particular ones that you can probably guess that dominate the market. And so it's a good way to look at, you know, what are those companies doing? So we also looked at, we started to look at countries like the UK, where we have legislation now, what retailers, you know, in that country are stocking what manufacturers? But actually, in the UK, I think there were over 70% compliant manufacturers in the ones that they stocked. So actually, that's a different picture to the overall global situation. And that's what we're finding is there's a lot of sort of metadata in there that we can pull out, where actually, you know, the situation in different markets is different; assumptions that you might have are entirely different. So for example, you know, if we ask the question, where do you think the most compliant manufacturers would be? Often we get the answer Europe or the United States. It's completely wrong. It's actually the Asian region that is really leading the way in terms of vulnerability disclosure adoption. So it's quite good to kind of slay those myths with actual evidence and data. Well, hats off to the Asians then for doing a better job. I wonder why we're not doing such a good job in Europe or in North America. You mentioned the UK there. Now as I understand it, the UK has taken some specific steps to improve the way manufacturers respond to IoT security concerns. What's being done? How far has it progressed? 
Yeah, so the last time we spoke actually, you know, we talked about the UK's Code of Practice on IoT security, and then that was standardised through ETSI. It's really taken on a life of its own and, you know, there's been wide adoption across the globe, but the UK always said if they felt that there was demonstrable market failure, so we look at our survey results, that is clearly true in that space there, which was one of the top three requirements, then they would legislate and regulate and they've acted on that. So they created something called the Product Security and Telecommunications Infrastructure Bill or the PSTI Bill, and that's gone through all of its stages in parliament for the, what they call the primary legislation, so the sort of framework legislation, and that received royal assent, so it became law just before Christmas. So that is now law in the UK. What happens next is what's called secondary legislation, which defines the specifics, so the actual things like we're going to ban default passwords, we're going to mandate vulnerability disclosure, and we're going to mandate transparency in software updates for consumers, and that will take place across, you know, the next few months. So it'll be interesting to see, you know, as that comes out and they've already said who the enforcement body is and so on, so they're mapping all of that out. So really these manufacturers have been on notice for a while, but really now the big stick will come, and I think a lot of other countries will be looking towards the UK and seeing how they do, because clearly, you know, everybody's got the same problem. Well, I was going to ask, so is the UK ahead then in terms of like the progress towards legislation because obviously you've got the primary legislation but not the secondary legislation? Are there other countries that have primary legislation in place? Have any other countries gone to the secondary legislation stage? 
Well, I mean, obviously, you know, because of the way, the archaic ways in which legal systems and parliaments work across the world is quite different, but I would say obviously the United States have mandated for federal purchasing that there's certain security requirements in place. There are other bits of legislation as well, so the CCPA, the Californian Act also bans default passwords. We've also seen quite widespread adoption of measures to implement vulnerability disclosure. So we see that in the draft European Cyber Resilience Act, NIS2, which is the Network and Information Security Directive, which is for sort of critical national infrastructure stuff. In the US national cybersecurity strategy as well, they're mandating it. So we're seeing that really, you know, that one specific requirement being spread right across sectors. And that's what we have to remember as well. It's a part of overall cybersecurity. So some things, you know, businesses get for free because they're already doing it in certain places or it's asked for in multiple places and the same in the automotive industry. It's the same requirements because we're talking about connected technology, it's all PCBs and software, you know. Yeah, I'm still being a nervous Nelly, I'm sorry to say, because does it not sound a little bit like a patchwork here in terms of a bit of legislation here, a bit of a rule there? And don't we need better international coordination? I mean, these are going to be devices that are going to be imported and exported and connected cars are going to be driven across borders. Yeah. I mean, to be honest with you, there is quite widespread, I would say, collaboration in some cases, but at least looking over the fence at what other countries are doing. So we've been mapping some of this work, particularly in the IoT space, for example. So we have a site where we track all of these standards and national legislation. So it's called iotsecuritymapping.com. 
And we produce that deliberately, again, it's all open data, to help to defragment the market and to help people show, you know, see how, you know, a particular country's standards map to another region's. And that's really helped the manufacturers as well, but it's also helped legislators in terms of knowing what good looks like. I don't think anybody wants to create fragmentation. And yeah, I think my view is quite optimistic, actually, is that we've already taken the stance across the world that enough is enough. We want to protect citizens from these safety issues, as you said before. We specifically call out some of those safety issues in the ETSI standard, for example. You know, we talk about the possibility that somebody could be locked in their house or they could be locked out of their house, you know, with a connected door lock. That's quite an obvious use case. And there are many others. You know, there was a lot of concern. I mean, one of the things that I'm interested in trying to help with is the issue of coercive and controlling behavior and the tech abuse, as it's called. I think there's a lot that we could do there. I didn't really want to put one requirement into our code of practice that just said, you know, here's how you solve tech abuse, because it would be ridiculous. And I didn't really want companies saying that they adhered to this and they solved it. I think it's a much, much bigger issue in that, and it's really a socio-technical problem that requires a lot of thought. But you know, we take things in steps, and I think getting the core foundations of the security right provides also the foundations of privacy, because you can't have privacy without security. That's a great point. 
I want to bring in Lee here, because your experience, you've been working with some regulators out in the Middle East, Lee, and of course, the Middle East is notoriously sensitive to the topic of spying devices and invasion of privacy and surveillance taking place. What's the situation in terms of the Middle East in terms of are they following what's happening in other parts of the world? Is there perhaps a greater sense of concern that more and more devices could be used to monitor people's movements, monitor what people are doing in their own homes? They are. I mean, I can talk about, in particular, Bahrain at the moment. So the regulator in Bahrain, the TRA, they've just established a safety working group, which involves all the other operators over there, and this working group is going to be looking at all of these types of issues. So I know for certain that's going to be a new working group, and that's going to start within the next two, well, one to two months. So they are looking at it. Sorry, I've seen requirements from multiple states in the Middle East on IoT security specifically. So I think they are taking it as seriously as other countries, and they are clearly adopting the best practices from other countries as well. But bringing in Ed on to this one, too. It's not usually the elephant in the room, the USA, because they always have to have different rules to everybody else. And you mentioned about how in the US, one approach that's often taken is that the government will set a code for what's purchased by the government. It won't necessarily be rules that are imposed on all the products being purchased by consumers. So Ed, do you have any reason to fear, as an American, that there's this patchwork within the USA? This may be Californians that are protected, but the rest of Americans, no consistency in how they're being protected. Yeah. 
I mean, I think, realistically, there's an enormous amount of electronics that communicate in various ways, including wirelessly, that are subject to all kinds of certification and what have you. They get imported every single day, and how much of that is actually tested for compliance or that it is what it says it is? I think there's so many different ways for that to be violated. And when you're talking about the importation of, like we said, all the consumer electronics, how much of that is IoT or other connected devices, or have things built into them like voice assistants, things like that, that most people aren't even aware of the fact that they're on your TVs listening to you, those kinds of things. All that's happening all the time. I feel like that when I talk to security researchers about it, they always talk about the growth and the extension of the attack surface being the big issue in IoT. So that even if you did lock down certifications and agreements and security standards, and we should do all those things, there's still an element of so many layers of there's implementation of it. And then what are you implementing? Are you implementing defense in depth? All those other types of concepts that go into it, it gets very overwhelming quickly. But coming back to the center point of what you're saying, yeah, I think just in my experience of working in businesses that import stuff from other countries that are going to connect to US, you know, mobile networks, for example, things like hotspots and phones or anything else. I don't know that there's like, incredibly tight enforcement over the fact that the sticker that's on the thing that says that it complies means that it actually complies. Or whether anyone has a real sense of what's inside the box. But let me stop you there. So that I think, I mean, obviously, it's easy for me to say it's easy, right? But we do know what good looks like. And we do know how to create secure products. 
And that across all of the sort of, you know, developments that are going on in engineering, that there are a lot of really cool things going on right now, we have, you know, much better programming languages as well, Rust is an example of that, but specifically on labeling. So the current movement around labeling is to move towards a live label. So what that means is there's no static certification. And I really, really support this. So you know, conceptually, you might have something like a QR code that you can scan in some way. But what that really means is that you can at any point check the live status of that product, you know, the software updates and so on, rather than kind of having this useless label, which is six months old from when the thing was shipped, it doesn't have any value really in saying whether the product is secure or not, because it's not, it can change over time, right? Yeah, it's very hard for the buyer. And I would add to that, too, that sometimes what you'll see in the certification documentation that's provided is not necessarily for the product name or the product number, you know, that you're trying to buy. And then sometimes the person on the other end with the other organization who's trying to sell you something, you don't know if they're either confused because it's complex or deliberately trying to deceive you because they want to make a sale, right? And then some of those things, that's what I'm saying. I'm not trying to be overly cynical because I am with you, David, that's a wonderful way to solve the problem, right? Having that live sense of certification where people have to be bought into it, right? I could see a blockchain application for that kind of thing, for example, something that's live and that you have to support and be participating in at all times. That makes sense to me. It's the flip side of it where the chinks come into it, right? Is all those little things we're talking about where do people understand it? 
Is there down to the level of I'm the person buying it and importing it because I have an order to fill or, you know, a business that I'm trying to build, is the person I'm communicating with, are they trustworthy, right? Like having more visibility and even the purchasing process for those kinds of things that I think you're talking about collecting from a data point of view would be tremendously helpful, right? So that at least all the well-intended people are allowed to make proper well-intended decisions and do business with people that are on the up and up. Well, I mean, it also opens up new possibilities technically as well. So for example, if a device, you know, if a device can communicate its state, it may be within a network could communicate its state as well. So if it goes insecure, then that could be isolated in some way. So I think there's a huge range of sort of future opportunities here for sort of engineering that go beyond this kind of just this thing that you haven't a clue what it is or it does. And then that, you know, links to supply chain security aspects as well, like you say. And I think one of the things that you're saying I take away from it too is the more friction that we can create for the person that has an ill intent, right? I think that's actually, that's usually a good concept. I realize sometimes people push back against that because then are you stopping innovation, what have you. But I think we've probably proven to ourselves in this environment that we need to put the clamps on a little bit more. And I like what you're saying too about the idea of being able to isolate something that is stepping out or acting out, right? And the only way you know that is if you're monitoring the whole situation. And like you said, if you have a standard to measure that against, and then thereby to know that something is not behaving the way it should and have a mechanism for stopping it, calling it out, preventing it, right? 
And I think that's, again, that to me is another element of defense in depth as well, though. And like how we start, when I've talked to this, I won't get too into it, but as I start to talk to security researchers, it's those kinds of concepts that go into like continuity, right? And it's interesting if I tie this all back, all of that goes back even to the whole change we've seen in software development. You know, going into the idea of continuous improvement and some of the concepts you're talking about, David, I like that are taking things that were paper certifications and paper agreements and no, let's make this a live thing that's part of this continuous improvement method that we should have in technology all the time and we can keep an eye on it. That's an interesting concept. Hey, well, I want to jump in here and say that complexity is where criminals thrive. If things are simple, then at least there is a chance that the consumer or the authorities can do something about protecting the consumer from harm, can do something about weeding out the bad actors. So I'm still getting the feeling, I'm still getting angst about the complexity here. And whenever I deal with complexity, my answer is always, who should I be emulating? Who is a good example? So let's not just talk about who's bad or who's failing, but who are the examples that stick out for you, David, in your mind when you talk about the best practice in the industry, whether that's a business, whether that's a country, whether that's a legislative environment. If we were to condense it down to messages that this audience can take away, two or three messages in terms of be like this person, be like this country, who would you pick out? Well, obviously being British, it's got to be the United Kingdom. I mean that genuinely because, you know, all the intellectual leadership on this has taken place in the UK. 
And I think part of that is because the UK had this world leading organisation, the National Cyber Security Centre that was set up, and the work they do is unbelievably good. And the way that they work as the sort of glue between all the different government departments means that they are really able to sort of accelerate the work that they do and protect the UK and make it, you know, a safe place to work and live and they're acting on that. So, you know, what we're seeing is other countries and not just in this space, but in the telecom space as well, looking to all of that work and the UK saying, yeah, take it because we want, you know, everybody, if everybody adopts this, then it's just general good practice. And then we're generally safer as a global community. So that's the first thing I would say. And then, you know, I think, you know, there are specific companies that are at the leading edge and that might be because they're also, you know, they have the money to be able to sort of break new ground on this, but they also help to provide that back to the community. So, you know, when we come to things like software updates, you know, Google have actually led the way on that. And I've sort of cited them as an example for years because particularly around the transparency of updates, and that was one big thing for me with all this code of practice work was if we can push transparency to the user. And so in the legislation, for example, you know, transparency of updates, we're not mandating software updates, but if a customer can see that this device is never going to get any updates, they can make their own choice. They can make their own decision because they can see that information and it's pretty simple. 
But even if they don't know, and I know, you know, you're saying that you're a nervous Nelly, Eric, but that sort of light of transparency may therefore mean that some other organization, like Which?, for example, who are a sort of consumer protection organization, can take a look at that data and help you make an effective decision. But if that is totally opaque, if you can't see it, then nobody can make a proper decision. So I want to shine the light of transparency on everything, whether it's, you know, software bill of materials or supply chain transparency, I think it's really, really healthy. I think you make a great point there because it's very easy to be critical about Google and I often am, but in this particular area, in this particular facet of how they do their business, they are a great example to others. And I think it's absolutely vital because then it opens the door for independent researchers like yourself, independent evaluation bodies to be able to step up and look and examine the detail. So we shouldn't always be critical about businesses like that. Apologies, guys. I could talk all day about this subject, but I'm conscious of time. Just read out a couple of comments from some of the viewers. Somebody's managed to get their bingo card completed thanks to, I think it was Ed mentioning the word blockchain. So thank you, Ed, for mentioning the word blockchain. So we've completed our bingo card today. And somebody else asks about Asia being a very general term. Can we get some more specifics about where in Asia is doing well? That might be a bit harsh for you, David. I don't know. Yeah. I mean, I'll point you to our website. So if you go to copperhorse.co.uk, you can download the open data and you can see exactly where these places are. So of course, yeah, we had to regionalize some of the data because we had, you know, huge amounts of data, but absolutely go and have a look at the open data and you'll see directly. Okay. 
So, well, thank you for your time, David. I'm just going to let the viewers know where they can get more of the information from the IoT Security Foundation. So producer Matt will make some magic occur now so that everyone can see the URL. The URL is iotsecurityfoundation.org, best, forward slash best dash practice dash guidelines. If you go there, you'll be able to download a whole bunch of different documents. Two of the ones that you might want to pick out in particular are the review that David's just performed of vulnerability disclosure policies worldwide. And you can also download the latest version of the IoT Security Assurance Framework, a practical and detailed 57 page guide for IoT vendors. So I can't thank you enough, David. Thank you so much for all the hard work you're doing for the industry and thank you for taking a lead on this topic. It is much appreciated. Thanks for being on the show today. Thanks, great chatting with you and maybe we'll chat about some other telecoms issues next time. Absolutely. You're always welcome to come back. I'd be glad to have you back on the show anytime, David. Thanks a lot. So that's all for episode three of the Communications Risk Show. We'll be back next Wednesday with a show that discusses the supply of forensic network data to law enforcement. Our guests will be two experts from Lattro, Tom Beiser, Director of Lattro's Cellular Forensics Lab and Lattro Chief Executive Donald Reinhart. Tune in for the live stream on Wednesday 5th of April at 4 p.m. UK, 6 p.m. Saudi Arabia and 10 a.m. US Central. You can save the show to your diary by clicking on the link on the Communications Risk Show web page or automatically save the details of every show to your diary by simply subscribing to the Communications Risk Show broadcast schedule. Thanks again to today's guest, David Rogers, MBE, Chair of the GSMA Fraud and Security Group and a leading member of the IoT Security Foundation. 
Thanks also to my co-presenters, especially for filling in while I disappeared there briefly, Ed Finegold, Lee Scargall. You've shared your invaluable experience again and the audience, thanks, I'm seeing lots of comments over saying that they've had a good show today despite our technical hitches. And thanks to Matt Carter, who's been able to keep this on the line despite people kept having their internet cut out here, there and everywhere. Thank you, Matt, for being producer of today's show. You've been watching episode three of the Communications Risk Show and I've been your host, Eric Priezkalns. Visit the Communications Risk Show website, tv.commsrisk.com for recordings of previous interviews, check our news website, commsrisk.com for all the latest updates and opinion about risks in the comms industry and be sure to make good use of the free resources supplied by the Risk and Assurance Group, RAG, through their website at riskandassurancegroup.org. Thanks for being with us today. We look forward to seeing you next Wednesday.