Episode 2 Educational Full Transcript

Security Begins at Home

March 26, 2023  ·  45:45

Speakers: Joe Patti, Host; Adam Roth, Host; UNKNOWN, Guest
Joe Patti 00:03

It's five o'clock somewhere, time for a security cocktail hour. I'm Joe representing North Jersey.

Adam Roth 00:08

And I'm Adam, I don't know who I am. I'm Adam representing Staten Island.

Joe Patti 00:14

All right, that's good. So now we all know who we are. That's cool. So today I got a little story for you. Check this out. So a few months ago, I think it was warm out. So it's before that, literally six months ago. I'm hanging out at home, not doing very much, and I see there's some kind of commotion at the next door neighbor's house. There's a bunch of people outside. There's cops out there. There's something going on. I don't know what's happening. So, you know, then I kind of ignore it. You know, I'm nosy, but I ignore it, whatever. A little while later, there's a knock at the door, and there's a cop at the door. And I'm just like, oh, come on. I'm like thinking to myself, I hope this dude next door, I don't really know him. I'm like, you know, I hope he doesn't have like people in the basement or something crazy like that. You know, it ends up, the cop tells me the guy, someone tried to break into his car sitting outside in the driveway and we got a lot of car theft in my neighborhood. So whatever, not that surprising. I'm like, yeah, okay. He says he ran across my lawn. I'm like, well, okay, whatever. And he said, look, you know, we don't know who it is, we didn't catch him. He goes, do you have any security cameras, you know, that might've caught him? And I said, you know, no. He goes, no? I'm like, no. And he says like, okay, well, you know, do you have like a, like a doorbell camera, a Nest or something like that? I said, no, I don't have a doorbell, I got a regular doorbell. And he looked at me like I said I didn't have a phone, that I was like so backward and this was so ridiculous. Yeah, you know, and I'm like, dude, I guess, you know, I'd help you out if I could, what, I'm like, I just don't have a cameras ring in the house. You know, I'm not a big fan of the whole home surveillance thing and cameras and everything. I'm a big fan of securing your home network. You gotta do that. You gotta secure your stuff.
But you know, the whole surveillance and electronic locks and all that stuff, not my favorite thing. Now, Adam, I know that you feel very differently than I do.

Adam Roth 02:19

You're into this stuff. So let me tell you something. Joe, I have a story for you. And my story is I live in Staten Island. And in Staten Island, yeah, yeah, yeah. Staten Island. I know, I know it's really kind of like part of New Jersey. But let's not tell anybody that.

Joe Patti 02:37

It's like New Jersey, just cooler, right?

Adam Roth 02:41

Cool. And we have turkeys. And so, uh, I, I've gotten one and once knocks on my door, right? One time, uh, it was detectives asking me about, uh, do you, you know, can we see your, your video surveillance system? And I'm like, which one? And they're like, what do you mean?

Joe Patti 03:05

Which one?

Adam Roth 03:06

I go, well, I have a legacy system and I have a whole string of Nest doorbells. So it turns out three different things have happened on my block. One, two sets of teenage kids came over and took bats to one of my neighbor's cars, which I won't go into that story deeper. Two, unfortunately, my next door neighbor's child, you know, a child, let me say child, their son, which was closer to my age, passed away, had an overdose. And also, a bunch of kids were walking down the block, or young adults, opening car doors. So I've had multiple times where police officers have asked for video footage.

Joe Patti 03:57

Just so everyone knows, you live in a... you know, we joke about things, but you live in a pretty nice neighborhood. I hope so.

Adam Roth 04:04

I mean, you know, Pete Davidson's mother lives in my same zip code. I know Kim Kardashian has gone to a restaurant in my zip code. So I think, well, I mean, you know, I mean, I guess Kim Kardashian might have been slumming a little bit. I don't know. I mean, I shouldn't be saying that, but in all seriousness, you know, we do have some celebrities living here, but it's a pretty nice neighborhood. But the point I guess I'm making is video surveillance systems can be really good. It can help protect your house, but it can also put you in some legal jeopardy, right? You know, sometimes you're filming things you might not necessarily want to get involved in. And then you have to take time off and bring that. But with having video surveillance systems also comes a big responsibility on how to secure them. And I'm not just talking about security. Yeah, go ahead. I'm sorry.

Joe Patti 05:07

I was going to say, well, that's the thing too. And that's what we're going to talk about here is, you know, whether it's your, your regular home network, cause everyone has a home network now, everyone's got a router or something, or if you're going to do something more sophisticated with all this stuff, you got to secure it. It's, it's on you, you know?

Adam Roth 05:23

Absolutely. So, you know, having Nest doorbells has its pluses and minuses, right? It's a nice little compact, you know, on-premise device that builds a tunnel out and delivers your video to their third-party, or not third-party, their back-end servers. I don't know how to access them, but they're IoT devices, right? And if the people, the threat actors, know how to access those devices themselves individually, it's bad. But it's even worse if they're able to get into your account. If they can get into your account, they can download the video and the information and the data and the meta stuff and really understand what you're doing and God forbid you're walking around and you're not clothed. They can try to do like a sextortion TTP where they tell you to give them money or they're gonna release you in your underwear. I don't know who'd wanna release pictures of me in my underwear, but they're gonna release your pictures in your underwear and God forbid you're doing something you shouldn't be doing. Uh, you know, you bring somebody into the house you shouldn't be and you're married and they're gonna use that video to blackmail you, and believe it or not, it's been done before. And then the other side is if you have on-premise equipment and you have like your own network video recorder and it's a Linux device and you NAT it or make it accessible out to the internet to people who have a username and password, and then somebody exercises a vulnerability on that device, they can pretty much get free rein to your network. So yeah, there's issues, right?

Joe Patti 07:00

All right, well, let's, well, let's break it down. Let's take this in pieces, because there's a lot to get to here. So let's start with the kind of, with the most basic, which is, you know, you got these things, you're buying them, you put them on your network, you're putting these devices on your network. And, you know, they come from wherever they come from. And, you know, everyone should know, we talk about IoT devices, that's the Internet of Things. And it's where they're not regular computers. It's not like a desktop or a laptop. I mean, it is a computer, but it's a specialized one. It's, it's little, it's, you know, it's got a very specialized function, and it's built to do just that.

Adam Roth 07:39

Think Raspberry Pi. Think Raspberry Pi. And Raspberry Pi is actually pretty secure. Think, you know, embedded Linux devices. Think about things like that.

Joe Patti 07:50

Well, the thing is, it can be secure, you know, because a lot of these things do, in fact, run Linux, like a version of embedded Linux, something very, you know, very stripped down, like the Raspberry Pi version, the ARM version of it. But, you know, the question is, it comes down to the ones you're buying it for, from this hardware, they adapted Linux to run on it. When it comes to security, did they do a good job? You know, just because you're buying something that's got a label on it says, use this for home security. It doesn't mean it's been built very securely. You know, it's still software. It can still have vulnerabilities. It can still have stupid decisions that were made, especially to make it cheap.

Adam Roth 08:30

You know what? I got a story for you. I'll tell you a really quick story. One of my neighbors where I live on my block asked me to help his friend out, lifelong friend. You know, I guess he went through a bit of divorce and he had... I believe they were, it was the Huawei NVR, network video recorder, right? And we already know that Huawei... is not really good, supposedly it does reporting back to a country, right?

Joe Patti 09:00

Well, the government wants you to think that if you're using that all your data is getting shipped right to China, which may or may not be true or somewhere in between. I don't know.

Adam Roth 09:09

So I got a funny story about that, right? So not only is it an organ, you got a story within a story. I do.

Joe Patti 09:16

Now it's like you're breaking the fourth wall within the fourth wall. This is very sophisticated.

Adam Roth 09:20

Yeah, I know. It's a, it's almost recursive. So, um, so I said, so the guy comes and he goes, oh, you know, I don't have access to my username and password. How do I get that? I'm like, yeah, well I'll take care of it. So, 14 hours later, I found a way to get a copy of the hash. And I say kind of hash, it's not really a hash, it's a string. And I took the string and I found a third-party online website that actually converted, because if it was a hash, you really can't convert it, but I found a third-party website that reversed it into a password, and I was able to get access to the device. But here's the funny part about it. When I went to Huawei and I told them the model number and the device, they said, that's an illegal copy of our hardware. We never manufactured that device. So not only do we have to worry about devices that send data back possibly and report back, but it was actually, uh, what do you want to call it? Spoofed or copied or emulated or knocked off, a counterfeit of, of, of, of a company that we don't even necessarily trust.

Joe Patti 10:43

So I got, well, that's, well, that's really important. Cause the, you know, there's a couple of things with that. The first is if you got to, it may be something malicious where they're copying them. And that can happen, not just to Huawei, it can happen, I think it's Huawei, it can happen to anyone, clones and stuff. But even if it's not, you know, if you're buying this counterfeit stuff, it may not be exactly right. It may not be up to spec and you're probably not getting, like when there are vulnerabilities, you're probably not getting updates for it. I mean, it's a big issue with getting updates from the legit ones, much less from a fake one. Good luck. Yeah, exactly.

Adam Roth 11:19

So, so then my point, I guess, is that I gave you a story in the story, but even if you decide to get a nice legitimate, you get a nice legitimate network video recorder, it's the top of the line, it's supported, it's a great company, it does updates every single day, twice on Sundays, you put it on your network. And then poof, right? All of a sudden now it's NATed to the outside, which means that if somebody is able to use a vulnerability or get access to the device, they might be able to create a connection outwardly to maybe a DNS server and exfiltrate data from your network. So what do you do, right? What do you do?

Joe Patti 12:02

Hang on a second. Hang on a second. You're using a lot of big words there. Remember, we got to explain this stuff. So NAT is, so everyone knows, Network Address Translation. That's just something where on your home network, it's what virtually everything you do, your router, everything uses to basically get out, be able to get anywhere. It has to do with how networking works. It's how you can have more than one machine on your network when your router only gets one address from your ISP, your cable company, whatever. So that's what NAT is. And then data exfiltration is a very fancy $5 word security people use for stealing your data, getting it from your network out somewhere else.

Adam Roth 12:47

So I take exception to one of those definitions. It's not a $5 word, it's a $10 word. So you're right. Let me translate this to like modern day, right? You go to somebody's house and you only have one door in. But meanwhile, you have multiple rooms within that house, and everyone exits the same door. So each room is basically its own IP address, and then you're going out the home address, which is your postal address, if that makes sense. Um, if you, if you want to use your door as one of the, we, we talk about NAT, NAT means you're converting a port to be accessible to outside. So imagine your windows and your doors and anything else is another opening into your same address.

Joe Patti 13:39

So, uh, yeah, I just got to do a little more explaining. Cause it makes me feel good. Um, you know, one of the things to keep in mind is that, you know, that, that NAT, it makes it harder. That's not firewalling by itself, but it makes it harder for someone to reach inside your network and attack it because it basically is as simple as if someone is just coming into that one door and wants to hit one of your devices, it doesn't know which one to go to because there's all of them and it's rigged so it can't do it. Now, there are some ways around that, but one of the big ways around it that Adam was talking about was if you have a machine that then, you know, makes a connection outward. So you go to a website or something, you know, and you have that connection there. So you make the connection out and it connects there. It's possible that if you connect to something malicious, they then can connect back to you. And that's bad because then they got a way in and then they'll do something. Here's another, I'm going to call this a $15 security word. They try to establish persistence, which means they'll drop a little thing on your computer, your device, whatever it is, that will have it reach out to them because it can reach out all the time. And that's how networks get compromised.

Adam Roth 15:00

So. The old Verushka Marui.

Joe Patti 15:04

That's right. The old, the old shell. Anyway, so that's, so these are some of the things we're working on when you got things like this that maybe don't have the best security in the world. Don't get that monthly update like Windows does. Uh, you gotta, you gotta think about that a little bit.

Adam Roth 15:19

So I'm going to get to this part, right? So, you know, and this sounds like another, like one of those, I guess, $4 and 50 cents words. We created DMZ. And what is a DMZ? A DMZ is known as a demilitarized zone, but let's talk airports. When you go into an airport and you want to go board a plane, you have to go through security. And when you go through security, you're considered on the outside of the secure zone. That's your internet. When you go through the metal detectors, you're kind of in the DMZ. You're in between the inside and the outside. And when you finally pass through the metal detectors, and you're on the inside, and you have free rein to walk around on that side, that's the inside. So what I propose is, and it's a little bit hard for most, you know, average people, is you create a DMZ on your network. That means not only do you have a firewall that connects to the internet and to your inside, but you create this other network where it's in between. So if you put your network video recorder there, you have to create something called an access list, which means that when they come from outside the internet to your network video recorder, it can only access that. And then you create another access list or another rule that says only the network video recorder can connect to certain machines on one port, which limits the possibility, should your network get compromised, they can't get everywhere. Does that sound like a good explanation?

Joe Patti 17:05

Yeah, that's good. I mean, what we're talking about here, this is gonna sound familiar to people who know a bit about it, but... what we're talking about here is leveraging something called isolation. And in fact, this DMZ trick, this is how websites have worked for years. Basically, you have different components, different pieces of the software and what you're talking to out on the internet isolated. So if you break one, you can't get into everything else. And that's something that's a really, really common trick when you have, you know, when you have something you don't trust, you're like, I don't trust it, but we got to use it, the bosses, we got to buy this. It's business critical. We're going to die if we don't get this thing. Well, you don't trust it. You isolate it, put it in a, in a network, and not a real physical network, but what's called a virtual network where, you know, your, your network software just isolates. It makes it so it can't talk to anything else, so it's very limited what it can talk to. So if it does get popped, as we say, if someone gets into it, it's compromised. Yes, that machine is compromised. Everything it has access to and it can do, someone else can have control of. Maybe all your other stuff, your other equipment on the network, and for a home thing, your Xbox and your PCs with your files and your kid's stuff and all that kind of thing, or even other pieces of your other Nest cameras or something. Those are all OK. Those can't be affected. That's the idea. Now, this used to be the realm of just security guys and enterprise stuff. But now, Adam, more and more consumer-grade devices are now supporting this and making this realistic for the home user.

Adam Roth 18:51

Because people don't want to get popped and they don't want to, you know, say, I don't want to get popped, man.

Joe Patti 18:55

You do not want to get popped.

Adam Roth 18:57

So can I scare everybody? Please, please, please.

Joe Patti 19:01

Oh, we got, you know, you're not supposed to do security through fear, but you got to say some scary stuff. I mean, you know,

Adam Roth 19:07

Well, security through obscurity, right?

Joe Patti 19:09

So, um, anyway, or at least something, well, you know, our, our tagline is you might need a drink for this. Okay. Give us something you need to drink.

Adam Roth 19:17

A lot. I don't want to stereotype this, but I don't want to say most, but a lot of the routers that you buy for your home have something called UPnP. And, um, it's pretty much Universal Plug and Play, which means.

Joe Patti 19:33

Oh, I thought that was the United Paramount Network. Didn't they fold like in the 90s?

Adam Roth 19:38

Yeah, they did. But maybe they stole from that. So UPnP allows any device that you plug into your network to kind of create a direct connection out to your internet by bypassing your NAT, in a sense. It creates its own kind of NAT. So what you don't want to do is put your device directly accessible on the internet. And if you have UPnP on, you're pretty much doing that. So I'm going to read like a little tagline. UPnP possesses serious security risks, since it's built into many new devices, even unverified ones connected to your network. If a device is infected with malware, it can bypass security restrictions and affect other devices on your network. So I would turn UPnP off. People use it for gaming, and I understand why. But I would not use UPnP. I would not use it.

Joe Patti 20:35

Well, we'll put it this way, if you, if you, if you turn it off, the question on everyone's mind is if you turn it off, what's going to break? Because that's always what happens. We put security on, things break. What's going to break?

Adam Roth 20:47

I don't think anything's going to break unless you're like my son who wants to host his own server to play certain video games. And that's kind of why I bought, sorry, I shouldn't say I bought, I was kind enough to get a firewall from a friend of ours. And yeah.

Joe Patti 21:08

Well, you're right. If you are, if you are hosting, if you have people coming into your network, if you're hosting like a gaming server, a file server, you know, for your own stuff or whatever, you, you really should have that level of isolation. And for God's sake, don't do it just from your PC.

Adam Roth 21:28

And that's what people are doing. And that's exactly what UPnP does. It creates a connection directly out to the internet, where if you gave the port number, somebody can connect to your IP address, 1.2.3.4.0 forward slash, or whatever, colon, I'm sorry, six, seven, you know, two, three, which is your port that that's been added outside. And that's not good. So if somebody's doing his regular scans, and they're looking for open ports, and they see 443 open, which is your, your sharing on your on your on your on your machine, they can literally drop or deposit a file or take your files without even really doing exfiltration. They're literally copying it. So it's not good.

Joe Patti 22:10

That brings up another thing. I've got a story to tell now. I have many stories. I used to regularly get asked when being audited, you know, you got all these auditors, they want, they want to make sure you're doing things securely, whether it's a customer or regulatory agency, whoever they audit you and you're the security guy. And they say, when is the last time you were attacked? I love and hate that question at the same time.

Adam Roth 22:39

You mean a security standpoint or like you're walking in the street?

Joe Patti 22:44

Security standpoint.

Adam Roth 22:45

Oh, I was wondering. Oh, OK, go ahead.

UNKNOWN 22:47

Yeah.

Joe Patti 22:48

Now they say, you know, when's the last time you had a security attack? And I just look at him and I look at him like the cop looked at me when I said I don't have cameras. And I go, what are you talking about? We're attacked constantly. We're getting attacked now. And the bad news is that's not just true if you're a corporation or anything, if you got a router there out on the internet, you are being scanned and effectively attacked. That's right. Like I was saying in a previous podcast, well, you know, this thing is occurring at, uh, you know, at industrial scale. If you've got a router that's got a mistake on it, it's got a vulnerability or that's got something, you know, I, I hate to tell, I hate to deliver the bad news because I know a lot of people are not totally equipped to deal with this kind of stuff. But, uh, you know, the reality is the bad guys will absolutely find it. And the truth is within even minutes, I mean, I don't even know what the latest stats are, that they're like an unpatched machine gets discovered in like three minutes or something like that. It's like totally, totally out of hand. Um, so you need to, for that front door, especially your router, even if you don't have the fanciest thing in the world, you need to secure it. And if you have a situation where, you know, say you're hosting a gaming server and something's hitting it, you got to have that machine patched. You got to have it configured. If it comes out with a, you know, if there's a vulnerability released, you got to patch it. Guess what? If you're doing that kind of stuff, you're now a security administrator, like it or not.

Adam Roth 24:30

So, you know, we talk about constant scanning and there was more, so I don't want to get into politics, but I will bring up an incident. Um, when, when, uh, Clinton, Hillary Clinton, um, hosted the software in her, in her network on her own home machine, a home network or whatever you want to call her network from her house. Um, I'm looking at the reference to Wikipedia. It said in 2012, a hacker in Serbia scanned Clinton's server twice. And it says that there was repeated intrusions according to her own monitoring software originating in Germany, China, and South Korea. So, and then their threat monitoring software also server blocked at least five times. So the point I'm making- That's all. You're always being scanned. And this reminded me about how easy it was to scan and look at servers. Not only that, but unfortunately, that server was also open to the internet with RDP. So if you're, and the point, again, I'm making is UPnP, if your services are on like RDP, which is remote desktop, your services are on like printing, your services are on like, you know, which is 9100, the port, people can effectively utilize those ports and either traverse or meaning connect to your machine and go to other machines, or they can use those services to take advantage of your machine. So that's why you got to be really careful what you host on your home network.

Joe Patti 26:12

Yeah. Okay. So we hit the doom and gloom. Now we got to do something actually, actually useful. What do you do about this?

Adam Roth 26:18

I like when people get doom and gloom because they think about it.

Joe Patti 26:22

Well, I think about it, but, you know, we need to, uh... you know, we're going to help people out. You know, I'm, I'm an altruist, didn't you know that? A non-defective altruist, and I'm just an altruist, but, uh... I'm, I'm, uh... a pessimist, well, that's something else. Anyway, so I think you got it. You got a router, right? A couple of things you should do, even if you're not hosting something. Please keep it up to date. Everything usually has a firmware update. Check it occasionally or put it on automatic. Make sure you got that. The default, there's probably a default password on it and it counts. Please change it. Change it to something good. Change it to something long, complicated, incomprehensible. Not "I like sex." And don't forget it.

Adam Roth 27:06

Don't forget it either. But wait, wait, wait, wait, let's step back. Let's go one step. Not only should you change your default router password and username at home, but you should also consider, if it's not integrated, changing your default username and password on the cable company's supply. Oh, that's true.

Joe Patti 27:27

You can do that. That's a good thing to do. Okay. The other thing on the router is there are services, and we'll have to put in some links, where you can scan it yourself. If you want to get really fancy, you can go and get the software, which by the way, the software to do the scanning, it's been out there for years. It's open source. It's pretty easy, but there are also websites where you can say like, scan my, uh, you know, scan my network, figure out your IP address, it'll scan you. And if you see stuff on there that either you think it's not supposed to be there or you don't know what the hell it is, that's not good. You want to work on turning that off and figure out what it is. Because you may not know what it is, but the bad guys do.

Adam Roth 28:13

So security cocktail hour can scan your network as part of a service. With that service, we can scan as long as you provide multiple amounts of drinks to the parties of the security cocktail hour.

Joe Patti 28:29

It's one cocktail per scan. Per IP. And we'll do a whole network, but it's got to be a call brand, I guess.

Adam Roth 28:43

Do we do it from the bar? Is that where we do it from?

Joe Patti 28:45

Well, you need to be coming, you know, you need to be coming from the outside, not from the inside, from a random location on the internet, you know, so a bar is perfect, right?

Adam Roth 28:57

But I'll tell you this, we will also order, we will provide enhanced services if the outside is picked by a location from you that near beach water and other tropical, I don't know.

Joe Patti 29:11

That's right.

Adam Roth 29:13

So if you provide tickets for us, we'll do it even. That's right.

Joe Patti 29:15

The better the weather, the more, the more effective the scan. That's a, that's a scientific engineering thing.

Adam Roth 29:23

That was a better way of saying it.

Joe Patti 29:25

I see you've got to work on the marketing, I guess, but no, it's really not hard. It's stuff you can, you can do yourself and, uh, but we can, we can help. Um, okay. Uh, so. So that's talking about your router, your things internally, you might want to separate things internally. And again, a lot of these devices, like we were saying, they're not all of the highest quality in general, and especially when it comes to security. So try to do some research on that too before buying. It's a good thing to do. Then you got the next piece, which is, okay, say your network is secure, or at least you are adequately mitigating the risks to suit your needs. So you don't talk about just being secure, but you're doing a good job securing your home network. Now, typically with these cameras and all this stuff and all these controls and your washing machine and everything, it's going to be talking out to the cloud, to something on the internet, to a service.

Adam Roth 30:38

You don't want people to know how many, no, no. You don't want people to know how many, you know, uh, how many beers and milk you have in your refrigerator. Cause that will tell you, it'll give it up right away. Is that what you're talking about?

Joe Patti 30:51

Uh, no. Well, hey, you know what it could be? Can you, can you imagine? If they see something like you have unhealthy food in your refrigerator and they like raise your insurance or something, I'm telling you, that's coming, that's coming, it's getting out there.

Adam Roth 31:08

It's discoverable. I'm gonna take a lucky guess and say, no, you weren't talking about the contents of your refrigerator or how much dirty laundry you have. You weren't worried about Zigbee or Bluetooth or like that, right?

Joe Patti 31:21

Not so much that. Actually, let's get to the stuff that you were talking about. There's really nasty stuff. You got all these recordings of a house. You got recordings of your house, you know. You get all these cameras, you get this system, you get this, and your yard where your kids are playing and your neighborhood and everything, and you bought all this stuff and they said, gee, it's easy, just plug it in and sign up for an account on our service and we'll take care of everything. You say it's wonderful. Well, that's just great. As long as no one else can get into it. And as long as you trust the people you're sending all this stuff to. And that is the sticky part.

Adam Roth 32:04

All right, another story.

Joe Patti 32:07

You're killing it.

Adam Roth 32:07

I'll make it really quick. I don't want to. One of the companies that services my family... I want to be very careful because I don't want to know how your family is being serviced anyway. No, no, no. So this person came to me, said, Adam, I know you do cyber security. I have a question. When I walk in my house, I have one of those cameras on the inside, uh, that you put on your, on your table. I use it to watch my kids and everything. And when I walk in, the camera literally following me back and forth, I think somebody has access to my, my camera system. So this goes back to episode one. If you're using a username and password, and the same username and password to access all of your accounts, and then somebody has the username and password to your surveillance system and they're using the script to discover everything under your email address, you're going to give access to a threat actor to your video and your audio, whatever else you're recording. So please be very conscious of what username and password you use, and that you use different usernames and passwords and multi-factor authentication for any of your cloud-based. Oh yeah.

Joe Patti 33:20

Well, like, well, like we were saying in that, you know, you want to use two-factor authentication or a hardware token to protect the accounts that are for really sensitive stuff, this is in that category. I mean, this is the video of your house, the inside of your house often. You know, I personally, I mean, I probably wouldn't buy one anyway, but I would not buy one that did not have at least good two-factor authentication, if not a hardware token.

Adam Roth33:50

Thankfully, I don't have cameras on the inside of my house. I only do the outside. I'm really dead set against it, because once that video is saved on a server, it's never going away. So if a threat actor or somebody... let's say you're an elected official, let's say you're somebody in a position of power, and you have these people that want to really embarrass you, whether it's whatever organizations out there that's doing, you know, um, hacktivism or activism or whatever you want to call it these days, and they want to get your video, they're going to go get it and they're going to put it on the internet. Um, if they really want it bad enough, they probably could. And people have dumped videos about celebrities on the internet from those type of devices. So be very careful. Uh, but that being said, um, I wanted to cover something else, but I don't know if we're done on this subject yet.

Joe Patti34:43

Well, this is one of those things I can rant on for a long time. So what do you got next? Let's keep it moving.

Adam Roth34:51

So part of surveillance systems is also being able to control your garage doors. Yeah, absolutely. Being able to control your front doors. And that, again... So there are multiple ways to control stuff, right? But one of the things that's often used to control your devices, either through home automation, surveillance, security, is your cell phone. Make sure you secure your cell phone, because if your cell phone is lost, and they see the number, and it's open, and they have your address, and you have an application on there, and they open your application, they're gonna be able to open your doors, your garage, and everything else. Be very careful. But that goes also to the door. I'm not gonna lie. I do use Nest products, and I do use the keypad, or the numbers, to open the door. But I have multiple layers of security that also protect me, that tell me if somebody's entering my house. So thankfully I had that too. But there's no multi-factor authentication, at least that I'm aware of, when using your keypad into your house. So be very careful. And also, where possible, don't share your four-digit code with anybody else. 'Cause you know, it's like one of those things about secrets, right? If you tell somebody a secret, is that secret kept? What happens if your kid writes it down on a piece of paper? What happens if your child told somebody else, 'cause they're coming over to visit? You gotta be really careful with your, uh, your keypad and your, um, numerical passwords.

Joe Patti36:26

Yeah, you definitely want to be careful with who you give your passwords to, to your house, if you've got keypads and things like that. But, you know, it's interesting. They can be a good thing when you switch to electronic stuff like that. You know, one of the things that we do in the enterprise is, you know, it's good when you got something like that. Instead of having one key and you give copies, or one number, we can give, you know, like a different number, basically a different key for everyone, and then get a log too, so we know who's used it. And then if people leave or you don't want to give them access anymore, you can revoke that and say that doesn't work anymore. That's like essential for corporations. For personal use, it's a little complicated. Maybe one day things will support that, but it kind of gets to, again, if you're going to have that capability, it's nice, but then you've got to manage it. You've got to make sure that when someone's out of your life, or that guest leaves, or you come back from vacation and the guy you gave access to, you don't need him anymore, you've got to revoke that, and that gets tricky. But it does have some real benefits, too. In particular, if you're giving someone a key, you can take it back, but you can't know they didn't copy it. Or if they copied it, if it's revoked, it doesn't matter. So that's a good thing to have. Even electronic devices can be copied, can be cloned, if they're not made correctly. Things like a garage door opener, you'd be surprised.

Adam Roth37:54

Oh, sorry about that. I'm dying to bring this up. If Flipper Zero, the manufacturers of Flipper Zero, are listening to this, please send me a Flipper Zero, because I want to be able to test it on my security products. Flipper Zero is a big hacking tool. And the reason why I'm bringing that up is people buy Flipper Zeros and they listen for your garage door signal, your car doors and everything else, and they can open and start your cars. So the point I'm making is that it's almost like now hacking has become almost like a toy. If you look at the Flipper Zero, it looks literally like a toy. And that sophisticated piece of equipment can open your doors, can open your garage door, and even start your car, based on the model and make of your car, if it has that vulnerability. So, you know, I'm kind of like, you know, sourcing free stuff. Don't tell anybody, Joe. But at the same time, I want people that are listening to this podcast to be aware that there's plenty of devices that can emulate your security products and exercise vulnerabilities, or replay your signal and open your door, your car, and other things. So be careful.

Joe Patti39:12

Well, that's a ray of sunshine. You can't just be freaking everyone out. I just did. Okay, then we got to play a little good cop, bad cop here, or like, I don't know, depressing cop and slightly less depressing cop.

Adam Roth39:24

Which one am I?

Joe Patti39:25

At this point, you're the extra depressing cop. So let's get into this a little bit. There are a lot of different things that can be used to hack into stuff with radios, like a key fob or a garage door opener or something. The Flipper Zero Adam was talking about, that's this little device. It's basically a little radio, and it'll record radio signals, play them back, and do a bunch of other things. They can use it to, you know, to copy what a particular device is doing if it's based on radio. It does a lot of cool stuff, actually. But, you know, whether it works a lot depends on what you're attacking. Like, you know, a lot of older garage door openers, say, they're pretty simple. They just have, like, you know, one signal that opens them up. Or maybe they got some old DIP switches, little things where you can set a different code, but there's only a certain number of them. So, you know, recording that and playing it back is pretty easy. The newer ones are more sophisticated and they got a little more complicated protocol. It's not so easy to reproduce. You know, it can be possible, but you know, it really depends on the sophistication of the thing. And one of the things you got to remember with these home devices, that makes them something you got to keep an eye on, to think about, is that, you know, you buy them, they last for years, they last a really long time, and the world of, you know, security and, you know, electronics and computers and, you know, it moves much faster. So, you know, that garage door opener that you got, that maybe had the state-of-the-art security, you know, may not be so good in a few years. They figure out how to crack it. Same thing with your car. You know, cars last a long time. If you got a 10, 15-year-old car, which is totally viable, you know what, it may have a key fob where you got to worry about someone capturing it. These guys have figured out how to do it. There are guys who specialize in cracking this, just like they specialize in hacking computers.

Adam Roth41:19

And this goes back to the whole thing about updating firmware. Guess what? Your car does have the ability to download and upgrade the latest firmware, and people are upgrading their latest firmware to combat against these devices. So you'll be surprised. If you don't, you can go to your console, your entertainment center, if you have a car that has one, and look at it, and there might be a button to download the firmware over, uh, the built-in radio, or really, it's really like a cell card, and you can download it and it does it automatically. Or you can speak to your dealer, who would probably Google whether or not there's the latest firmware for your car. But I'll be willing to bet you the firmware in your car has not been upgraded.

Joe Patti42:05

Yes, I'll listen to this. My wife's got a fairly new car. It's a 2020, and it's got all the latest whiz-bang electronics in it. It's really nice when it works. But it's got, like, all these little glitches. It's got all these little things that go on with it. I mean, it's got this thing where the door locks stop working and glitch out. And then we take it to the dealer and they update the firmware, they do something, they fix it. And then I drive it home, and a couple weeks later, it's back. And, you know, this has been going on for like two and a half years. These things, the software in these cars, it is complicated, and they don't have a handle on it. And if they don't have a handle on whether the locks can work and some of the other things, the security of them, I don't have a lot of confidence.

Adam Roth42:51

And that's another episode of... Oh yeah, you better believe it. Yeah, just letting you know, the IoT devices... what tales they're telling on you that you don't want them to say, whether it's your health information, whether your car's telling everybody where you're going. It's not just your E-ZPass. There's certain things about your car that does telemetry that will report your distance, your speed. Your car computer will tell whether you brake or not. And that's why these insurance companies want to install third-party apps on your phone, because your phone can also tell what you do and what your habits are. Crazy stuff.

Joe Patti43:28

Oh yeah, these cars even got cameras on the inside now, some of them. I know some of them for like, you know, like the self-driving thing, it'll make sure you're awake. You know, I bet they got videos of people picking their nose. I mean, just wait until that stuff gets hacked and starts popping up on YouTube. I definitely don't want to see that.

Adam Roth43:45

How about the cars that have Alexa built in?

Joe Patti43:49

Yeah, Alexa, empty my bank account.

Adam Roth43:51

Alexa, open my garage.

Joe Patti43:53

Yeah.

Adam Roth43:54

Alexa, tell my wife I'm home. Oh my God, my child's electric.

Joe Patti44:00

Well, we are getting to the end of the road here. Adam, last call. Final thoughts.

Adam Roth44:06

Final thoughts? I wish I was in a tropical place, but I don't think that's part of the show.

Joe Patti44:13

Look, at the end of the day- We'll have to do this from someplace warmer.

Adam Roth44:17

Look, so I wanna say a couple of really quick things. One, look, if you have ideas or if you wanna give us feedback, about what we discussed or you want us to elaborate more on this topic, let us know.

Joe Patti44:32

Yeah, we want to hear from you and we'll have in the description how to reach out to us.

Adam Roth44:36

And number two, if you do have questions about more of this, in addition, we can probably do a little quick episode, or at the end of another episode, answer some of these questions. But I know a lot of people have a lot of questions about, you know, video surveillance and IoT devices on your home network, whether it's scary or not. And as scary as it is, and I'm a cybersecurity practitioner, I do have it. Whereas Joe is on the other side. He's a cybersecurity practitioner and he doesn't want it at all. It's really about your culture, how you feel comfortable, and what you're doing to mitigate your risks. That's my thoughts.

Joe Patti45:15

Yeah, I'm like the doctor who doesn't want to go to the doctor because he knows everything that can go wrong. All right, so that's it for today. Adam, as always, it's a pleasure doing this with you.

Adam Roth45:23

Thank you very much. And it's been a pleasure not only to discuss this with you, but to bring up these very important topics for others to really think about and to put into practice.

Joe Patti45:35

Well, that's why we're here. We want people to understand what's going on and to see if we can help a little bit. So bye, everyone. Bye.