Akamai CSO: 5G is a whole new cybersecurity nightmare
Andy Ellis, chief security officer at Akamai, says businesses are struggling to protect themselves against connected devices. With 5G, the problem is only going to get worse.
From smart aquariums to remotely controlled HVAC systems, the proliferation of internet-connected devices with lackluster security controls presents a constant challenge for cybersecurity professionals.
Andy Ellis, Akamai's chief security officer, says 5G is only going to make it worse.
"5G enables more devices to be online at a time where we don't really have a plan to secure them in the future," Ellis told Protocol. "It's basically the creation of a debt to service the future. We buy this world full of connected devices, and the mortgage is that at some point we have to secure them before they cause more problems for us."
Ellis has spent the last two decades in cybersecurity roles at Akamai, which operates one of the largest content-delivery networks in the world. He got his start in cyber as an information warfare specialist in the U.S. Air Force, which he joined after earning a computer science degree at MIT.
He talked with Protocol last month about 5G, connected devices, and what cybersecurity professionals should be focused on in 2020.
This conversation has been edited for length and clarity.
How will the proliferation of connected devices affect cybersecurity?
When it comes to connected devices, we're at a fascinating touchpoint. Everything is becoming connected: your garage door, the fitness tracker on your wrist, the thermos you drink coffee out of. These items used to be bespoke. They had custom-made electronics and were designed to do one thing: With the garage door, you would press a button and it would transmit a signal to open or close. But they're not bespoke devices anymore. They're computers that can talk on the internet, and that fundamentally changes things. It creates a dramatically different level of complexity.
If you have a connected garage door, you access it through an app on your phone, which sends a signal into the cloud, talks to someone else's server, transmits it down to another computer running inside your garage that can open and close the door. In the past, you could maybe spoof frequencies and get a garage door to open, or you could trigger a manual release and open it from the outside — those were the vulnerabilities you had to deal with.
But now you have to worry about what malware might be running on your phone, how is the phone authenticating itself on this cloud-based server, how is the server protected, how are the passwords secured, can people on the internet get access to the computer in your garage. There are many more vulnerabilities in this system than in a traditional garage door, and the devices can also be misused in other ways. With botnets, hackers compromise cameras and other connected devices by entering default passwords — like username: admin, password: admin — and use that network to harm someone else. The compromised devices can all try to access a target at once, flooding it with traffic until it becomes inaccessible.
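The default-credential botnet recruitment Ellis describes leaves a recognizable trace on the device side: a run of password failures against factory account names from one source, followed by a success. As an added example (not from the interview, from Akamai, or from any vendor), here is a small detector that reads OpenSSH-style authentication lines, tracks default-user failures per (device, source) inside a sliding window, and flags both the brute-force run and any login accepted on its heels. The log lines, hostnames, addresses, default-username list and thresholds are constructed for the demo.

```python
"""Detect default-credential brute force against embedded devices from
SSH auth logs. Added example: the log lines, hostnames, addresses and
thresholds below are constructed for the demo, not taken from a real system."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Account names commonly shipped as factory defaults (assumed list for the demo).
DEFAULT_USERS = {"admin", "root", "user", "support", "guest", "service"}
WINDOW = timedelta(minutes=5)   # failures older than this no longer count
FAIL_THRESHOLD = 5              # failures per (device, source) that count as a run

# OpenSSH-style auth line with an ISO timestamp prepended by the log collector.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

# Constructed sample: one camera compromised, one DVR probed lightly,
# one legitimate user, one thermostat brute-forced without success.
SAMPLE_LOG = """\
2020-01-14T03:12:01Z cam-07 sshd[412]: Failed password for root from 198.51.100.7 port 51234 ssh2
2020-01-14T03:12:03Z cam-07 sshd[412]: Failed password for admin from 198.51.100.7 port 51236 ssh2
2020-01-14T03:12:05Z cam-07 sshd[413]: Failed password for invalid user support from 198.51.100.7 port 51240 ssh2
2020-01-14T03:12:07Z cam-07 sshd[413]: Failed password for user from 198.51.100.7 port 51242 ssh2
2020-01-14T03:12:09Z cam-07 sshd[414]: Failed password for admin from 198.51.100.7 port 51244 ssh2
2020-01-14T03:12:11Z cam-07 sshd[414]: Accepted password for admin from 198.51.100.7 port 51246 ssh2
2020-01-14T03:15:30Z cam-07 sshd[420]: Accepted password for jdoe from 192.0.2.10 port 40000 ssh2
2020-01-14T03:20:00Z dvr-02 sshd[77]: Failed password for root from 203.0.113.9 port 6000 ssh2
2020-01-14T03:20:02Z dvr-02 sshd[77]: Failed password for admin from 203.0.113.9 port 6002 ssh2
2020-01-14T03:20:04Z dvr-02 sshd[78]: Failed password for root from 203.0.113.9 port 6004 ssh2
2020-01-14T04:01:00Z thermostat-1 sshd[9]: Failed password for admin from 198.51.100.7 port 7000 ssh2
2020-01-14T04:01:02Z thermostat-1 sshd[9]: Failed password for root from 198.51.100.7 port 7002 ssh2
2020-01-14T04:01:04Z thermostat-1 sshd[10]: Failed password for admin from 198.51.100.7 port 7004 ssh2
2020-01-14T04:01:06Z thermostat-1 sshd[10]: Failed password for root from 198.51.100.7 port 7006 ssh2
2020-01-14T04:01:08Z thermostat-1 sshd[11]: Failed password for admin from 198.51.100.7 port 7008 ssh2
"""


def parse(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines, window=WINDOW, threshold=FAIL_THRESHOLD):
    """Return (alert_kind, device, source_ip, user) tuples.

    brute_force_default_user      : >= threshold default-user failures from one
                                    source against one device inside the window
    default_credential_compromise : an accepted default-user login from a source
                                    that had such a run in progress
    """
    failures = defaultdict(list)     # (device, src) -> recent failure timestamps
    already_flagged = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["user"] not in DEFAULT_USERS:
            continue
        key = (ev["device"], ev["src"])
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold and key not in already_flagged:
                already_flagged.add(key)
                alerts.append(("brute_force_default_user", ev["device"], ev["src"], ev["user"]))
        elif len(recent) >= threshold:
            alerts.append(("default_credential_compromise", ev["device"], ev["src"], ev["user"]))
        failures[key] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

The compromise alert is the one to page on: it means a device on your network now answers to whoever ran the dictionary, and the same source (198.51.100.7 here) is already working through the next device. The three probes against dvr-02 stay below the threshold and produce nothing, which is the intended trade-off against noise from internet background scanning.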
Is the problem getting better or worse?
The problem is absolutely growing. There are billions of connected devices. We've probably already passed the point where connected devices have outnumbered handheld computing devices like laptops, tablets and phones.
We need to be concerned about 5G and the growth in IoT devices. The big promise with 5G — and news stories suggest we're not quite there with this promise — is that the capacity for more devices in a given location is much higher than it has been with 2G, 3G and 4G. In the past, if you tried to connect 35 devices to your home network, they would stop working properly. With 5G you can have that, and we're going to see an explosion in the number of IoT devices because of that.
You mentioned a lot of consumer devices, like garage doors and fitness trackers. Is this also a business problem?
I was talking earlier about a garage in a house, but parking garages rely on a similar system. There's a transponder in my car, the system reads it, it queries a server on the internet, sees that I'm still employed, and opens the gate so I can get into the company garage. In my office I have lighting systems, thermostats, video conferencing — all these connected devices in offices don't look like computers and aren't treated like computers, but that's what they are. And a common difference between consumer-grade and commercial-grade devices is whether or not you're building them into your system. In commercial buildings, a lot of these systems are installed by someone else, and you have to coexist with them until the building is torn down.
What industries are most affected by vulnerabilities in connected devices?
Pick any sector and I'll tell you how they are deeply at risk. In the medical sector, hospitals are now filled with connected devices. In fact, human bodies are starting to be full of connected devices. There, you have a special risk where human life is on the line if a device is compromised.
If you talk about agriculture, more and more connected devices are used for farming — imagine the damage that could be done if an adversary was able to target machines and adjust the fertilizer recipe so that instead of 1 part in 10 of a particular ingredient it's 1 part in 3, and now you're burning whatever you're trying to grow on an industrial scale. In the satellite industry, you have some really interesting problems because you can't service the devices at all.
There has been research into attacks on pacemakers and insulin pumps, where you can cause them to use up their batteries or medicine. What if you performed that kind of attack on a satellite, where you cause it to burn its thrusters or crash? Kevin Fu, at the University of Michigan, is a fantastic researcher in this area. In every industry, you have a case like that where you don't do anything fancy to the device, but you get it to do its function more or less frequently until something like the battery dies. That's a kind of threat that many people don't think about. Pacemakers are designed so that when you walk into your doctor's office, they can run diagnostics to check things like the battery life and how it's operating. For manufacturers that didn't secure that interface, a hacker could theoretically sit next to them, continuously ask for the data, and the device's lifespan is shortened from years to months. These are the interesting problems people need to think about.
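The battery-exhaustion attack Ellis describes has a cheap device-side mitigation that complements authenticating the diagnostic interface: put the readout behind a rate limiter, so that no party, authenticated or not, can make the device spend more than a budgeted amount of energy per day. The simulation below is an added example, not from the interview or from any device vendor; it implements a token-bucket limiter in front of a readout handler and compares battery lifetime under a steady stream of requests with and without it. All energy figures (battery capacity, idle draw, per-request and per-rejection cost) are hypothetical, chosen only to make the orders of magnitude visible.

```python
"""Bound the energy an outsider can drain through a diagnostic interface.
Added example with hypothetical energy figures; not modelled on any real implant."""
from dataclasses import dataclass
from typing import Optional

SECONDS_PER_DAY = 86_400

# Hypothetical device budget (millijoules): about 6.3 years on pacing alone.
BATTERY_MJ = 2_000_000.0
IDLE_MJ_PER_DAY = 864.0          # 0.01 mW baseline draw * 86 400 s
READOUT_COST_MJ = 1.0            # energy to assemble and transmit a full readout
REJECT_COST_MJ = 0.01            # energy to receive and drop one request


class TokenBucket:
    """Classic token bucket: refills `rate` tokens per second, holds at most `burst`."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class DiagnosticPort:
    """Device-side handler for 'read diagnostics' requests."""
    limiter: Optional[TokenBucket]   # None models a port with no rate limit
    spent_mj: float = 0.0
    served: int = 0
    rejected: int = 0

    def handle(self, now: float) -> bool:
        # Even a rejected request costs something: the radio woke up to receive it.
        if self.limiter is None or self.limiter.allow(now):
            self.spent_mj += READOUT_COST_MJ
            self.served += 1
            return True
        self.spent_mj += REJECT_COST_MJ
        self.rejected += 1
        return False


def one_day_of_requests(port: DiagnosticPort, interval_s: float) -> DiagnosticPort:
    """Hit the port with a readout request every `interval_s` seconds for one day."""
    t = 0.0
    while t < SECONDS_PER_DAY:
        port.handle(t)
        t += interval_s
    return port


def lifetime_days(attack_mj_per_day: float) -> float:
    """Days until the battery is exhausted given the extra daily drain."""
    return BATTERY_MJ / (IDLE_MJ_PER_DAY + attack_mj_per_day)


def compare(interval_s: float = 5.0, per_hour: int = 10) -> dict:
    """Lifetime in days: untouched, under attack with no limit, under attack with a limit."""
    unlimited = one_day_of_requests(DiagnosticPort(limiter=None), interval_s)
    limited = one_day_of_requests(
        DiagnosticPort(limiter=TokenBucket(rate=per_hour / 3600, burst=per_hour)), interval_s
    )
    return {
        "baseline_days": lifetime_days(0.0),
        "unlimited_days": lifetime_days(unlimited.spent_mj),
        "limited_days": lifetime_days(limited.spent_mj),
        "limited_served_per_day": limited.served,
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:>24}: {v:,.0f}")
```

With these made-up numbers a request every five seconds takes the device from roughly six years to under four months; capping readouts at ten per hour (more than a clinic visit needs) keeps it above four years. Two design points follow from the model: rejected requests still burn energy, so the limiter belongs as close to the radio as the hardware allows, and the budget should be derived from clinical need rather than from what the link can carry.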
How are cybersecurity professionals at health care organizations handling these kinds of risks?
From talking to hospital CISOs, a lot of them struggle with connected devices. A challenge is that the device may be completely out of date and horribly vulnerable, but it's high-revenue for them. Or there simply might not be an update; the manufacturer might not support the device anymore and they want you to buy the next $3 million device even though yours works well and is used 24/7.
So in many cases, the CISOs have to functionally disconnect a lot of their devices. They create an enclave just for the device so it can operate but not talk to anything else on your network, because it's not safe. I feel that hospital CISOs have one of the more challenging jobs in my industry. They're more of a landlord than an enterprise. Maybe their physicians don't actually work for them. They come in, do their procedures and expect the devices to work. They need to have electronic records, so there has to be this interchange: Someone goes in, gets an X-ray, and other physicians need to see it so you can't completely disconnect the X-ray machine. They also have to deal with celebrity customers who have valuable data; a lot of people would pay big money for that information.
What's the worst-case scenario of an attack on a connected device?
The worst-case scenario is going to vary by organization. When you think about IoT, the question is what is the prevalence in my organization and how exposed are we. We have room-booking devices on our conference rooms, and one researcher bought a bunch of them on eBay and took them apart, and his discovery led us to pull the devices because we couldn't secure them in a reasonable way. People didn't really like the system anyway, so it wasn't the end of the world. But you have to look at where you have certain devices, ask if they have credentials on your network, and figure out the worst thing that could happen. To most companies today, IoT is a distraction. You need to pay some attention to it, but it's not your biggest worry. The data breach worry is probably much larger.
But for some organizations, the worst-case scenario for IoT devices is life safety, but not in the way that some people might think about it. Imagine if someone could mess with the traffic lights in New York City, for example. The likelihood that someone could kill someone directly with that attack is pretty low. Make an intersection all green, and people could possibly have a couple accidents but pretty soon no one is driving through the affected intersections. But indirectly what you've done is now New York doesn't have streets. What happens when people need ambulances? We certainly saw that with the NotPetya cyberattacks in 2017. It took down dispatch networks in the U.K. The scheduling software was down, surgeries were postponed. How many people are indirectly killed or had their quality of life degraded? We don't have good numbers for those, but in a complex system, incidents where you lose critical infrastructure have a huge impact.
What's the biggest challenge with securing IoT devices?
The real challenge is the upgrade cycles of these devices. If you had an iPhone 1, upgrades really sucked. You had to plug it into iTunes and manually download the new configuration, back up your phone because you didn't know if it was going to work, install the new operating system and pray. For the new iPhones, it's totally different. You go to bed and wake up in the morning and your iPhone says: "By the way, a new iOS is installed, have a nice day." The change from the old model to the new model required serious hardware changes. There have been security protocol changes that would make today's process impossible on the iPhone 1. Apple was willing to say that when they update the iOS, they won't support hardware that's several generations old; it's past its shelf life, get rid of it. Basically, the iPhone — as expensive as it is — needs to be treated as a disposable technology.
The challenge we have on most devices is they're not treated as disposable. You buy a thermostat and you don't have a long-term relationship with whoever you bought it from. It's lower quality than your iPhone, but you attach it to your wall, and it runs for 10 or 20 years until it dies. So my main worry about connected devices isn't about the pace we deploy them, it's about the pace we update them, which is approximately zero. Everything deployed that doesn't have a path to secure itself is probably never going to get secure until the building is torn down. That's our biggest challenge for the next couple decades.
What should you do if the thermostat manufacturer goes out of business shortly after you buy the device?
You have to toss the device in the trash. That's what you have to do. At the corporate level, we have the staff and infrastructure to take that challenge on. It's a different issue for houses of worship, small enterprises, nonprofits — they don't really have the bandwidth to worry about that kind of problem. They keep going forward, and that's not necessarily the wrong thing in many cases. You have to ask if the benefit is worth the risk you're taking. If you're running a synagogue in America today, you might want surveillance cameras outside. If the risk is someone else seeing what's on the cameras, or having the cameras get used for DDoS attacks, that's probably still worth being able to detect and record acts of antisemitism. It's a trade-off, and at some point, you have to pick.
Is there a way to keep vulnerable devices off of shelves?
You could try to ban systems, but when you look at a lot of the innovation, you often see someone come up with an idea, and by the time they bring their device to market, there's like 150 knockoffs and they're built as cheaply as possible and often by a shell brand. They build one device and never make another. It makes it really hard when a lot of manufacturers are not in the U.S. The challenge is the consumers aren't differentiating on the quality and security of software. If you're buying a security camera system, you're probably most concerned with things like resolution of the cameras, whether they work at night and outdoors, and how much storage you have. Maybe you say you want to manage them from an iPhone or web browser. The consumer isn't incentivizing the manufacturer to secure that system. Our hopes rest on a larger brand saying we'll provide you devices with all of this and security baked in, because we have our brand and we want to maintain a long-term relationship with you. But that's a really big branch to hang our hopes on.
Do you think security standards for connected devices could help solve this problem?
Standards do exist. But it's really hard to find a standard that's comprehensive enough to be useful without it being so comprehensive that it's inordinately painful. We see standards like the PCI security standard for systems that deal with payment card information. There's FedRAMP for federal government systems. Many of these are very cumbersome and overweight and are designed for environments that don't change regularly. I don't see a near-term path for a good IoT security standard that will be genuinely meaningful.