Podcast

AI, Robots, and Cyborgs — Inside IoT With Chris Poulin

Posted: 27th November 2017
By: AMANDA MCKEON
AI, Robots, and Cyborgs — Inside IoT With Chris Poulin

In this episode of the Recorded Future podcast we take a closer look at the Internet of Things (IoT). It’s a wide-ranging category, spanning everything from connected thermostats, refrigerators, and security cameras to industrial control systems, self-driving cars, and medical devices. It’s hardly an exaggeration to say that if a device has a power source, somebody is thinking up a way to connect it to the internet. And with that comes opportunities for improving our lives and the world we live in, as well as risks to our security and privacy.

Our guest this week is Chris Poulin. He’s a principal at Booz Allen Hamilton, where he leads the company’s Internet of Things security practice.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and thanks for joining us for episode 33 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire. Today, we're taking a closer look at the IoT, the Internet of Things. It's a wide-ranging category, covering everything from connected thermostats, refrigerators, and security cameras to industrial control systems, self-driving cars, and medical devices. It's hardly an exaggeration to say that if a device has a power source, somebody is thinking up a way to connect it to the internet.

And with that comes opportunities for improving our lives and the world we live in, and risks to our security and privacy. Our guest this week is Chris Poulin. He's a principal at Booz Allen Hamilton, where he leads their Internet of Things security practice. Stay with us.

Chris Poulin:

Devices have been connecting to the internet for a long time, and in fact, it's kind of interesting. Way back in my career, I was always fascinated where physical and digital meet, and so I would say, probably around 2009 or so is when I sort of realized that the internet was a place where other things ... So, beyond, for example, industrial control systems, which had to send their telemetry. So, pumps saying how fast their motors were spinning, how much heat, how much pressure was in pipes, et cetera, et cetera, all of that was being reported in industrial control systems, and I'd say that was probably one of the first ... what we would consider nowadays to be “Internet of Things” things.

So, there was always this awareness that they were connected, and then the rest of the world decided that they were going to connect other things like cars. And so, for example, OnStar and Uconnect and all of those things have been connecting cars back to a call center for a long time, but it used mobile airwaves. So, you could argue that those things were connected. And then, the same mechanisms that connected them back to the call centers also started to report back telemetry from the cars. So, you know, things like brake events, different conditions that might happen. Also, ways that the car manufacturer could, ostensibly, pre-program certain features in a car.

So, for example, somebody like Sirius XM — not a car manufacturer, but part of the tiered suppliers, obviously — could add new features to the radio stations, or whatever. So, cars were part of it. And then, all of a sudden — I would say about 2010, 2011, I don't know exactly when the term was coined — the Internet of Things became a thing, and people ... It's funny, because I think sometimes, the tail wags the dog, and so once people said IoT, all of a sudden everybody had this light bulb go off and says, "Wow, we could connect everything to the internet. We can connect ..." So, for example, our thermostats. We can connect toothbrushes, which are ridiculous, but they're out there.

Dave Bittner:

Refrigerators.

Chris Poulin:

Refrigerators, right. Shower heads. There's actually a connected shower head out there, for good or bad.

Dave Bittner:

Wow.

Chris Poulin:

Yeah, I think it monitors how much water you use and the temperature, and … I have no idea. Still. But if you think of it, somebody's going to connect it to the internet, is what it boils down to now. So, around 2012 or so, I had an “aha” moment too, which was effectively, this was what my entire career was waiting for, was the fact that people acknowledged that things, the physical world, would connect to the digital world. And I have to say, over the past five years or so, it's been an interesting and fun ride, both from a functional perspective and from a security perspective.

Dave Bittner:

And when you say your career was waiting on this, what do you mean by that?

Chris Poulin:

Back in ... Oh, God, I can't even remember how long ago I started getting into security, but the late 80s, mid 90s probably, security comprised, largely, firewalls, intrusion detection systems, antivirus, endpoint protection systems, as we now call them. And I always thought that there was this capability for something more to be added to the mix.

So, I'll give you two defining moments. One was, I was at an RSA conference. I want to say it was around 2000. Let's say, 2000, 2001. Computer Associates had something they called CA eTrust 2020, I think was the name of it. But what it showed was, there was this beautiful graphical display of three floors in a building, and it mapped out the floors. So, the doors, the bathrooms, the cubicles, offices, et cetera, et cetera. And the point of this thing was that you could actually monitor people’s behavior within the physical space, and then look for anomalies. Presumably, for example, for somebody who's going to try to break into the server room, for example, and steal one of the backup tapes. That's one way to steal information. Or whatever, right? Think of any “Mission Impossible” scenario you want.

It was an interesting perspective to see that visual and start to think about the physical world, and using something that we did in IT, which is an intrusion detection system, and blending those things together. So, that was the first “aha” moment for me. The second was when I was working at QN Labs, and someone said, "Well, what's the future of SIEMs?" You know, and SIEMs typically take in firewalls, intrusion detection, host endpoint protection, network flow data, et cetera, et cetera, and you write rules around those things. The thing that was the most important in the SIEM world, and still is, is adding context. So, you can pull in a lot of data, but until you actually add context to the data, it doesn't really make any sense.

So, an example would be that you see network flow data, and maybe some logs from somebody logging into a source code server, or something like that, and you can infer from a source IP address that maybe this is your contractor who works out of Kansas, and they should have access to it. But there were a lot of use cases where people wanted to bring in HR data, for example, that said, “Yeah, this is a contractor, this was their start date, this is their contract end date.”

So, now you can add context to say, “Well, I know what this IP address is, and I know it belongs to the Acme Corporation who's providing subcontracting services, but their contract ended two weeks ago, so why are they still accessing the system?” You know, really simple example, but it is context.

So, when they said, "Well, what's the future?" Having a background in the military, I think about SIGINT, but I also think about HUMINT and OPSEC and all those other fun acronyms that they use in the DoD, and I said, "Look, what we really should be pulling in is not just threat intel that we think about as bad IP addresses from websites, but also things that come from typical human intelligence, and think about deniable operators who are working in remote regions where we might have enemy agents who are trying to move against us in some way."

And so, that sort of brings the physical side of security into the digital side, where we're actually saying, "Look, we've got these bad actors, they're going to conduct some kinetic operation against us, and can we pull that intel into our sims and have this aggregate view of what constitutes threat?" Not only what is considered active network traffic and events, your IT environment, and maybe your OT environment, but also, who are the threat actors? How are they actually moving against it? What are some of the early signals that they might actually be conducting, for example, an operation against our energy and utility grid, or whatever?

There might be some preliminary signals that come out of the physical world, and that sort of sets the stage for the next step, which is obviously the Internet of Things, at least for me. I think it also laid the groundwork for how we use threat intel today, and the example that I would give there is, we go into the dark web and we look for people chattering in chatrooms and in forums, saying, "Hey, how can I,” for example, “clone a key fob for a car?" And to some extent, we're using digital means to determine where there might be kinetic threats, and by the same token, we can also use that same threat intel to inform, in that particular case, automotive manufacturers that there are vulnerabilities in the key fobs, and that there are threat actors that are looking to exploit them.

Dave Bittner:

What about this, sort of, blending of systems that I think has happened with the IoT? I'm thinking, specifically, of security cameras. It used to be that your organization, your building, had a system of security cameras, and chances are, they were analog cameras that were running coax cables that had video baseband signals that went back to, maybe even a stack of VCRs, before there was digital recording. And of course, now that's all IP, and so there are great benefits to that, being able to monitor all over, however you want, and being able to store much more than you used to be able to, but there are downsides as well.

Chris Poulin:

Yeah. You know, actually, that particular statement captures the essence, I think, of the IoT in general, and we should probably dig into that here in a few minutes. But on the topic of security cameras, absolutely right, and it's kind of interesting that I remember some movie, where they go into exactly what you said, into the video surveillance room and they've got this stack of VHS tapes. And of course, they cycle through them, so you might be able to keep seven days' worth, or whatever.

Dave Bittner:

Right.

Chris Poulin:

So now, we can keep them perpetually because, obviously, the storage is much cheaper now. But also, the image recognition, because we're recording it digitally is A, enabled and B, pretty sophisticated. And so, for example, in a previous job that I was working at, we were able to ask a pretty lengthy video stream to find all men who were wearing red shirts, for example.

So, the video analytics was able to pick out, to identify, male versus female, not perfectly, but pretty definitively. It's better than you sitting there, looking through two weeks worth of video and scrolling through.

Dave Bittner:

Right.

Chris Poulin:

And it was clearly ... Red is a color, and that was pretty easy for a video to identify, but the fact that it was a shirt is kind of where things get a little complicated, right? So, you know, you can find red pants. What if it's a picture of a guy wearing a red shirt? So, that's where things ... The subtleties of video analytics come in. But we get better and better at training these things, and so, that's one of the places where we can actually take artifacts from the physical world and turn them into digital intel that we can then merge against digital assets, or other digital intelligence, and come up with some interesting insights.

Dave Bittner:

But in the past, that security network would've been segregated from the rest of your network, and today, that might not be the case.

Chris Poulin:

That's true, and yet, it probably should be segregated to a large extent. Although, connected provisionally, I guess that's probably the best way to say it.

Dave Bittner:

Yeah.

Chris Poulin:

So, I think ... It's funny, because we've gone from one side of the pendulum to the other, which is that it used to be that operational technology, so your industrial control systems, maybe your building control systems, were completely separate from the IT systems. And, in fact, there was this whole movement to air gap things. And then data diodes came about, and the philosophy behind that … In the OT environment you want to send telemetry back to IT systems so that you can have this consolidated view of the world. And largely, it was telemetry, and events, and things like that, maybe sending it back for a SIEM. or whatever, or maybe just to an auditing system.

But the diode part is that you shouldn't be able to access the OT network from the IT side, because the OT assets were far more sensitive. You know, you could actually open up floodgates, literally, if you're dealing with water and utilities, or you could affect an assembly line, or you could cause a nuclear power plant to explode, or something like that, whatever it was, but that's sort of the danger of the IoT in general, anyway.

So, what we've done is, after that — which is the intermediate step — we said, "Hey, we want to have a complete convergence between these two things." And I think a lot of people have gone too far that way, in that they haven't thought out the restrictions and the access control that ought to be implemented between these two systems. Almost no organization that I know has figured out what all their assets are and what their properties are, and that goes back to a few things.

Number one is that it's complicated. Networks are insanely complicated. They're constantly moving, they're almost like a biological system, they're just ... You know, you keep adding assets to them, you keep subtracting from them, you move things around, and then you add in mobile devices, and even IoT devices, right? If they're part of the IT asset, if they fall under the IT rubric, so, for example, mobile phones — are they an IoT device, or are they IT? And I think they've fallen on the IT side, but still, they're sort of ... They're not what we would consider to be traditional static assets in that sense.

So, the second part of the problem is that people who write code aren't particularly good at exposing how things work, and so, I remember being, for example, at a bank a while back and they wanted to connect up to a partner bank. They wanted to be as restrictive as possible between the two. So, you ask a really simple question like, "Okay, what applications do you have that you want to expose to this partner bank?" And they had a hard time answering that, they didn't actually know all of the applications.

Alright, well, let's take the dozen that you do know. Now, what kind of access do you need? What ports do they run over? What protocols do they use? Meaning, are they, for example, remote procedure call, or are they just sort of a static port, or what do they do? And almost no one could answer that, including the vendor. We called the vendor a couple of times and we said, "If we locked this down to just a handful of ports that you use, what could it be?" And a lot of times, they couldn't answer.

So, the problem that we run into is that there seems to be a lack of rigor all the way from software development, up to infrastructure implementation, and that's partially a lack of planning, but it's also because we're in an amazing and glorious place in our history, which is that technology is changing so quickly that it's hard to come up with a firm strategy and say, "This is how we're going to implement technology, and that's that." Instead, we have to be flexible because technology is changing so quickly.

So, on one hand I understand why it happens, on the other hand, it's not particularly good for security.

Dave Bittner:

Yeah, and I think we end up with unintended consequences. Again, thinking of security cameras and them being herded into botnets where you have this little computer sitting up on a wall, and as long as it still is doing its security camera job, chances are someone won't even notice that it's using extra processing cycles to do the work of a botnet.

Chris Poulin:

That's right. That's exactly right. So, I do a talk now where I talk about the IoT and a lot of it is sort of educating people on what the IoT is in general, and there's four or five general categories, depending on how you look at it, and it's everything from consumer devices — so, home networking and things like that — all the way up to the industrial Internet of Things. So, running manufacturing, energy, utility, and even building controls. And somewhere in between are wearables and implantables — so, the medical industry — and then, connected cars.

And so, I put up slides and I say, "Okay, here's the front door of a traditional house." And I throw it out to the audience, and I say, "Tell me where the IoT is." Sometimes they get it, sometimes they don't. Sometimes they come up with things that I hadn't even thought of that may or may not yet be a product, but it's an excellent idea. At least they understand the concept of the IoT. But at the end, I have a slide up there which is effectively the ... If you remember Predator, the Arnold Schwarzenegger ... And I feel like the IoT's point in life is to blend into the background in many cases. It's supposed to be part of our life, and it's supposed to make our lives better and easier, but it's not supposed to be something that we, necessarily, are aware of.

For example, eventually, we're going to have homeostasis monitors that are implanted permanently into us when we're born. Things that monitor heart rate, temperature, blood pressure, and galvanic skin response. Maybe we have a lie detector built in there. Who knows? And the point there, though, is that now, continuously, computers can actually monitor us and say, "Hey, you look like you're headed for a bad place." You know, "Your blood pressure doesn't look good," or whatever. And then, predictively help us to maintain our health, which is awesome, but we shouldn't have to be aware of it.

And so, the same thing is true with toothbrushes. "How much time are you spending brushing your teeth? Well, it looks like you're headed for a real plaque problem down the line."

Dave Bittner:

Right.

Chris Poulin:

So, IoT is supposed to blend into the background, to a large extent. I don't think it's insidious in that sense, but you want it to be those silent helpers that improve our life quality and our efficiency. But with that, to your point, is that it is hidden, and when things are hidden, that's where the bad guys are going to go. So, they're going to start compromising video cameras, DVRs, baby monitors, whatever. And so, that means that somebody has to launch them. So, the more that they fade into the background, the more that we as security professionals also have to fade into the background with them.

Which is actually true, in another way, which is that security shouldn't be something that's invasive. It should be something that just is ... It's built in, and the regular consumer shouldn't have to worry about it too much. So, as the IoT fades into the background and the threat actors also try to compromise them, we as security researchers also have to go into the background and accompany those IoT devices.

Dave Bittner:

So, I'm curious. Going back to industrial control systems, in the pre-internet days, how did these systems communicate with each other over distance? Did they just have dedicated networks that were just point to point?

Chris Poulin:

Well, some of them did. I mean, that was a luxury back then. In fact, most ... If you think about it in industrial control, a lot of that was actually dial up. So, you'd go to some sluice gate for some water control system, or whatever, and there'd be a modem in a little brick shed somewhere right beside it, and there would be power to it, obviously, and there were some actuators and a telephone line going to it. In fact, it's interesting when you ... A lot of that infrastructure still exists, so you'll get some sort of programmable logic controller, or some kind of dedicated device that's sitting in some remote location that has a singular function, and then it will connect back.

You know, maybe nowadays, they connected it back through some sort of mobile connection and ... But it's still using serial line protocols to get to those things, and then it'll ... It eventually funnels up into an IP network. But yeah, there's a lot of antiquated devices still that run our infrastructure. It would surprise most people, by the way.

Dave Bittner:

I want to touch on threat intelligence, and what part threat intelligence plays in the type of work that you do.

Chris Poulin:

Yeah, so, it's interesting. There's a couple of angles to threat intel when it comes to the IoT. Right now, the IoT isn't necessarily being exploited on a per device basis. And by that, I mean, for example, cars aren't necessarily being targeted en masse for some sort of insidious purpose. We monitor the dark web and different forums and look for people who are actually trying to do something. They're trying to find some vulnerability, they're trying to figure out how to monetize the connected car ecosystem.

And so, we've seen people out there talking about, "Hey, what are the vulnerabilities in the key fob protocol? I'd like to go steal a car, that's what I want to do." And so, now we can go back and we can inform tier-one, tier-two suppliers, who create a lot of the key fobs, that their protocol has a vulnerability that's been discovered on the dark web, and so that helps out there.

You know, we anticipate that what will end up happening is that the bad guys will eventually try to install ransomware on cars, so that when you get in and you try to start your car in the morning, your in-vehicle infotainment system will pop up and say, "Hey, we've ransomed your car. Until you pay us two bitcoin, you can't go to work." I anticipate that what will end up happening is that on the dark web, we'll see some chatter and people will ask questions like ... And by the way, I have not personally seen this yet, but chatter might be out there. But they may say, "So, what's the most common telematics unit that is installed in vehicles?" Because the OEMs, the vehicle manufacturers, are no longer really building things. They're actually assembling parts from many tier-one and tier-two suppliers, and so, they'll go get their telematics unit from Harmon or from Bose, or from, you know, a bunch of different manufacturers.

And so, the dark web is going to say, "Where am I going to get the most bang for my buck? So, if I write a vulnerability that targets a telematics unit, I want to make sure that I'm getting 60 percent of the car market, or whatever."

Dave Bittner:

Right.

Chris Poulin:

And so, that's the number one question. The number two question is, "Okay, so what are these things built on?" QNX or another type of embedded Linux, which is what most of these in-vehicle infotainment systems are built on. "So, what are the vulnerabilities I can exploit? How can I do it over the air?" So, that's sort of the progression that we expect, is that we're going to see people asking about how they optimize their bang for the buck, how they actually target vulnerabilities, and how can they do it remotely? So, those are the three big questions.

So, threat intel informs us of those kinds of things. Right now, I would say that when we're looking at, for example, Mirai, and the latest one that I can't remember the name off the top of my head.

Dave Bittner:

Well, there's the Ripper that's ... Or Reaper, I'm sorry.

Chris Poulin:

Reaper, yeah.

Dave Bittner:

There's Reaper, that hasn't been unleashed, but is coiled and ready to strike at any moment.

Chris Poulin:

Right, exactly. And that's an interesting case of threat intel as well, right? So — and I actually did not get involved in the threat intel behind the scenes to look at what Reaper's potential was — but I'm sure the threat intel analysts were starting to see the signs of that, and part of the other thing is, if you start to tear apart some of this malware, you also see where the families come from, and you can sort of infer intent from threat intel. So, for example, going back to Stuxnet and some of its descendants — Duqu, et cetera, et cetera — we understand that those are nation-state weapons that were assembled, and then going to some of the ones that came from ... Was it Angry Bear? I can't think of all the ones.

Dave Bittner:

Right, yeah. Cozy Bear, Fancy Bear.

Chris Poulin:

Yeah, exactly. So, that's where threat intel comes in. It can inform us in advance. It can also help us to understand who the threat actors are, and what they're actually going to be using this weapon for when it actually is unleashed. And, actually, when it is unleashed, we can actually go back and sort of use the reversing capability, but also blend it with what we know from threat intel, and determine who the threat actor was at that point, and determine what the intent was, where else we may want to look, by the way.

So, it's not just, "Hey, we found this in," I don't know, the financial sector — let's just make something up. Or, energy and utility, in the case of Cozy Bear. And then say, "Okay, where else might we expect to find this?" Because now we know the threat actor and we know what their intent is, so we might also start looking in other utilities, or we might start looking in production of some goods that might be also a target from this particular threat actor.

So, threat intel has a number of aspects here and it usually ... In the perfect world, it's going to be predictive. It'll inform us what we can expect, if not when, and we can start to rally our defenses. In an imperfect world, it will help us to clean up the mess and make sure that we've cleaned it up properly.

Dave Bittner:

Well, what are your expectations for how we can expect the IoT to become part of our lives, both professionally and personally?

Chris Poulin:

I think there's two future ... Well, probably three, actually. But one is kind of coming today. So, first off, artificial intelligence, machine learning, deep learning. All of that is going to be enriched by the IoT, right? Because going back to my conversation before, which was basically, context gives you better insights. And so, the more that we can gather information about the environment ... So, whether it's through temperature, whether it's geo-location, whether it's actually looking at the person themselves, by measuring their response, their temperature, their heart rate, et cetera, et cetera.

All of that can be plugged into some artificial intelligence algorithm which can bring better outcomes to whatever we're trying to accomplish. And AI is being used in all kinds of interesting things, you know, to detect threat actors going through airports, to determine baseline traffic in a normal network, and then look for anomalies. So, there's a lot of applications of AI to cybersecurity. So, that's number one.

Number two, for the IoT, is going to be robotics. So, we've got the IoT, which is basically sensor measuring a lot of the physical environment, and it may affect the environment through actuators. You know, things like opening up gates in a sewage plant, or letting your car drive, right? So, maybe operating the brakes and the steering wheel, and things like that. And I think sort of the bellwether of this is the Amazon Echo and Google Home, and there's a few others that are coming out on the market, which are personal digital assistants. But the next evolution of those things is going to come about in more of a robotics fashion, to actually accomplish missions at the behest of its human overlords, I guess.

Dave Bittner:

Right, right.

Chris Poulin:

And you know, Roomba might be one vision of that, but eventually one of the things that we think about is, what's going to make people more comfortable with these robots? Like, a Roomba's a little bit creepy. It's not too creepy, because it's a disk that rolls around. That's not too bad.

Dave Bittner:

Right.

Chris Poulin:

But if you've ever seen the video online of the military applications, they have this thing that walks along and it looks kind of like a dog, but it's really creepy looking.

Dave Bittner:

Oh yeah, yeah. Kind of awesome, also kind of creepy.

Chris Poulin:

Exactly.

Dave Bittner:

Right.

Chris Poulin:

But you know what's kind of interesting? There's a guy, because they're proving how well it can stabilize itself. There's a guy who like, kicks it, and it kind of tips over, but it catches itself before it falls over, and you almost ... It's this … I'm trying to think of what the term is, when you ... Anthropomorphize the robot. There's another term, though, when you empathize with ...

Dave Bittner:

There's the uncanny valley situation, as well.

Chris Poulin:

Yes, exactly. And that's exactly where I'm going, too, as a matter of fact. So, when I watch that video, I go, "Creepy," then the guy kicks it and I go, "Aww, poor robot. The guy's being mean to it." So, at some point, we are going to cross uncanny valley to where we accept robots, and I don't know where that is yet, but that's going to be when they become acceptable for us to interact with in everyday life. And so, we're going to move closer and closer to that, and we're going to have this ... It's going to be creepy for a while until they actually get to the humanizing of robots, which will bring up a whole separate set of issues, by the way. I've heard people talk about ethics of robots and when we actually emancipate them, because now, AI has made them fully functioning parts of society and potentially equivalent with the human race ... I have no idea, that's bizarre.

Dave Bittner:

Yeah.

Chris Poulin:

But that's not my point. My point, though, is that we will accept them only when we actually can see them as something that's not creepy anymore. And part of that, I think, is acclimation, but part of it is also how they evolve into a form that's acceptable to us on a regular basis. So, robotics is part of the equation, as well.

The other future of the Internet of Things, and let me just preface it by saying, there's an interesting movement out there called transhumanism, or biohacking, or also called grinding, which is people who are putting stuff into their bodies. And that's sort of, again, that's sort of the first phase, where people are taking LEDs and putting them on a board, and putting a Bluetooth chip on there as well, and wrapping them in some coating that's acceptable to the human body, at least temporarily, as to avoid rejection. Then, they will open up their hand and cram it underneath there and sew themselves back up, because this is not something the medical establishment is allowed to do.

So, this is sort of elective implantation. And there's people who are putting RFID chips in the webbing of their fingers so that they can walk up to doors and open it, or pay, or whatever. Aside from the security implications, we're going to start moving more towards this convergence of human and machine anyway, that may also be on a convergence path with robots, right? As we become more robotic, maybe robots become more like us. And robots will become more like us through AI. Maybe we actually all converge into ... What's the difference between humans and robots, at that point?

But, I'm getting ahead of myself. Still, the point is there will be elective transhumanism, they're biohacking, where people ... At some point, will opt to cut off an arm or a leg for bionic parts. Maybe not. Maybe so, maybe not. But the real goal here is to get to the state that … For example, Walt Disney was, presumably, looking for and is embodied in that movie, I think it's called Transcendence, I think it's Johnny Depp who was in that one, where he eventually uploads himself to a computer and gets rid of his biological, corporeal self, and exists in a computer.

So, and again, that's a little bit extreme, but as we go along, we are going to ... At least the first step is going to be what I was talking about before, which is put some sensors in our bodies that can now connect back across the internet to our healthcare providers, that's empowered by some sort of AI, so that as we go through life, all of our human telemetry is consolidated somewhere, and there's predictive analytics that are looking for things that might go bad.

So, better than us saying, "Hey, let's go in for a blood test every so often, and maybe once a year see if we can detect markers for a particular cancer, or for whatever," then just going through life, we'll be able to detect that stuff predictively. So, that's sort of the first step, and then eventually, it will be things that are more ... That enhance our humanity, or ... I shouldn't say that. That enhance our bodies, that take us beyond the biological capabilities.

So, it may be a way to infuse more oxygen into our lungs, if you're a long distance runner, and that's going to be some sort of a ... Think about a heart implant, the pacemaker. But something that will make your lungs better if you're a particular ... If you're a runner. Or maybe people will go and ... And it'll be paired, for example, with plastic surgery to flatten out your nostrils so that there's less wind resistance but you get more capability to suck air in, or whatever.

You know, I can't predict all of those things, but we are going to become part of the IoT by putting stuff in our body, or augmenting our body, and we're going to connect it to the network because, A, it's going to give us more predictive ability. It's going to be able to sense how well we're performing, and we can also then tune it remotely. So, back to that person having some way to change the oxygen mix in their lungs as their heart rate increases, et cetera, et cetera, maybe what they want to do is, they want to be able to tune that particular system so that it optimally injects the right amount of oxygen, based upon microsecond by microsecond changes in the performance of the rest of the body. And then, connect all that back, so that you've got the Boston Marathon and the New York Marathon, and now you collect all this data about people and how well they performed, who won, who didn't win, who vomited at the finish line, whatever, and then change all of the telemetry, so that the next time that they run that same marathon, everybody operates at an even better level.

So, the three things are AI, obviously, robotics, and IoT, as it incorporates into our own physical body.

Dave Bittner:

So, it sounds like you're on the hopeful side rather than the pessimistic side.

Chris Poulin:

I love the ideas about the IoT. I think that there is so much opportunity for it. I do worry, though, that as we connect, we're going to expose ourselves, and that could be catastrophic. But at the same time ... And you know me well enough now, I'm not a catastrophist quite yet. So, for example, I wrote an article a couple of years ago on connected automobiles and that we should not freak out because of the “what-if” scenarios. We should definitely move toward a more secure IoT, and in that particular scenario, we should move toward more secure design of automotive connected automobiles.

But that shouldn't stop our adoption because the benefits outweigh, at least now, the feasible risks. So, in other words, there's not a lot of motive for cybercriminals to harm you in your car. Certainly, you know, as I pointed out before, to install ransomware. But ransomware is not catastrophic. Ransomware is just a nuisance, right? So, I think that if we're talking about saving hundreds of billions of dollars, or even more on fuel costs, on people’s time, on loss of lives, actual safety ... And so, if we can actually ameliorate that by connecting these things up, we're kind of kicking the can down the road a little bit on whether or not hackers are going to start eroding that savings, right, by actually hurting people.

I think that the calculus right now, the way that we understand the risk, which is a little bit fuzzy math, weighs more heavily on the feature side than it does on the risk side. And that's one of the things that we need to keep watching threat intel for, is we need to make sure that that calculus doesn't change drastically in a short period of time, because then we're going to have to change the way we look at it.

But in that interim, it is our responsibility to understand the potential risks and to mitigate them to the extent that we can now, through design and through operational monitoring and response.

Dave Bittner:

Our thanks to Chris Poulin for joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the world among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.

Related