 Welcome back to ThinkTech. I'm Jay Fidel. This is ThinkTech Tech Talks. We're going to talk about the threats in our appliances and all our devices at home. This is not just a war on a kind of large scale or with drones and missiles. This is war in your refrigerator, is the problem. So many household devices are exposed and vulnerable. We don't realize it. We've been thinking about the internet of things for years, but with AI and with the recognition and processing of somebody from far away, it could affect your refrigerator. Not good. And for this discussion, Nathila Suresh of Cyback, who follows these things, I don't know if he gets any sleep at night, but he does follow these things. Welcome to the show. I really appreciate you being here. Sure thing, Jay. Lots of coffee all the time. That's what keeps me up. So talk to me about the internet of things and how the whole concept of it has changed and the scope of it has changed because we have many, many, many more things on the internet than we used to. Well that's what's fun. You know, we have all these wonderful gadgets and you can go to Costco and get everything from smart plugs to smart mirrors and they work really well. They can connect to the internet and they can help you look better. They can help you sleep better. They can automatically turn on and off the lights. I mean, I use smart plugs for Christmas lights all the time. So, you know, there's always something to be plugged in to the internet. But, you know, maybe 10, 15 years ago, our home networks would have perhaps your maybe at best a smart TV, like a Chromecast and maybe just some Netflix and, you know, a few laptops. But now there's everything from dozens of devices that are connected to the internet. And in fact, I was reading the advertiser. They had an article about how there was recent power outages on Hawaii Kai. And I guess a lot of really well off people have a lot of really a lot of connected devices and that article, the lady was complaining that her smart washer and her coffee machine and her sprinkler system and her lights and her internet, they were all out for this power outage. And it affected her ability to work and function even in her home. So that should tell you that we have this explosion of internet connected devices. So in 2024, which is, you know, just last month, there's an annual consumer electronic show in Las Vegas. And they had even more internet connected devices, these kind of smart devices. So they had everything from, you know, smart baby monitors, smart pillows, smart weather stations, coffee makers, and of course, even toothbrushes. And that's what kind of spawned this conversation, Jay, is that they found that the toothbrushes that are internet connected could even be potentially used in a distributed denial of service attack. What that means is that you get all the toothbrushes out there that are connected to the internet and inside of them is a tiny little chip. And that chip maybe 15 years ago would have been the size of maybe this coffee mug. But now it's the size of your small little pinkie nail. And that little computer inside could have vulnerabilities that are then exploited and a bad actor can point tens or hundreds if not thousands of these small internet connected devices and start taking down private and government networks. And that's where the problems begin. So all these wonderful devices do wonderful things and they're pushed out fast by the manufacturers, oftentimes with security being the last on the list. They need to get these products out. They need to get them for cheap and they need to get people to buy them. And unfortunately, when you do connect these devices to the internet, it's sometimes only after the fact that the manufacturers find out that these devices are vulnerable, that they're being exploited, that it's not just, you know, they're watching, you know, what your cat litter box is doing or how many times your cat uses it. They're trying to get inside those little tiny computers and then leverage that access to go attack everything from governments to big box stores and Amazon and all these other big retailers. And that's the real fear is how do you get a handle on that? And it's tough. Well, let's let I need to understand how the cat litter box or the toothbrush or the refrigerator can be weaponized. I mean, so what they know that I buy a quart of milk every week. So so what they know that I brush my teeth twice a day or my cat goes goes into the litter box five time. So what what that's information that's data. But how does that connect up with a with an attack on the community, on the government, on a business? How does that connect that? Yeah, that's a great question. So in 1969, we put a man on the moon. In order to do that, we needed to invent our first compact flight computer. And it had some ridiculously small specs, but it got us to land on the moon. Right now, the kind of computing power we have just in the palm of our hands is literally millions of times more powerful, faster, stronger, whatever. And surprisingly enough, the computers that are inside of those smart appliances are not too shabby either. You know, I would definitely put them as much stronger than the first computers that got us to the moon. Those are the attack surface that they're after. They're not really interested in finding out, you know, you're a smart salt shaker to see how many times you shook the salt or how many steps you took with your rubber slippers that have a chip embedded inside. Those little chips, those little tiny computers as being an internet connected device is essentially a computer connected to the internet. And if they can take that over, then, wow, they can do some damage. Now, I would not really condone getting rid of this technology. So let me just kind of make that really front and center. These things are wonderful. Smart devices, right? Having a smart toaster, a smart toilet, they even have smart belts that can kind of track how many times you, you know, how many times you tighten it or loosen it or a smart scale. These all help us become more fit, get our jobs done faster, take care of our pets better. They even have smart deodorants. So I can tell you when your deodorants running low, I mean, there's some really kind of cool appliances and tech that's coming out. The problem is that it's coming out so fast and there's so little attention to security that if we as consumers are not educated about them and know what to do, we could be in for trouble. And that's what I want to talk about. Yeah, but how does it reach us? Suppose Vladimir Putin instructed his people in the Internet Research Agency to somehow weaponize and access my toothbrush. How would he do that? Would he be able to sit in the Internet Research Agency in Moscow and actually manipulate my toothbrush? Sure. Now, you know, so there's two types of Internet things. So there's Internet and there's Internet connected devices that you and I use, you know, smart light bulbs, that kind of stuff. Ring doorbells, that's a real popular one. Then there is industrial control systems. These are ICS devices. So think of these as smart devices, but they're controlling real important stuff. And so, you know, maybe Putin might be more interested in in those devices first. Now, we're talking about Schneider Electric, which you've probably heard the name, but you're probably not sure what exactly they do or what they're known for. What they're known for is for those kind of valves that turn on and off things like water and fuel and liquids and gases, the pipes that run in the ground. Schneider Electric has a known vulnerability. And unfortunately, especially if, you know, they were installed and no one changed the username and password on them, that's first tip. Then they could potentially reach those devices and shut off things like a fuel line or a water line for, you know, say a factory or a neighborhood. Those are like the big attack surfaces. So industrial controls devices, those are those are the primary target. We don't want those to be, you know, become vulnerable. But in terms of your original question about how how would Putin leverage this? Well, he would look to see if there's any known vulnerabilities on a particular type of device. So think about this, you want to make a smart pillow. Well, you're really probably great at making pillows. But how do we get a chip inside of there? Are you going to design a chip from scratch or use one that's potentially ready to go allows you to get your smart pillow onto the market quickly. And so, of course, you go with ladder approach. And that piece of hardware that's actually inside of the pillow, that could be exploited or have a vulnerability that can then be later exploited by a bad actor. And this is the case with these toothbrushes, for example. So these smart toothbrushes have a have a chip inside. And this to the toothbrush maker, they, you know, they do their due diligence in terms of making a wonderful toothbrush. But that little chip inside with that little computer. How do you keep that safe? Kind of tough sometimes. So it's only sometimes after the fact that a manufacturer will get wind that, oh, no, all these toothbrushes we sent out, they have a vulnerability. Remember, I talked about changing that for that username and password. That's tip number one. You got to make sure that these devices don't just get plugged in and have a default username and password stuck on them. Download the app, connect to the device and make sure that you set a unique password that's actually access these smart devices. Second thing you're going to want to make sure to do is update these devices. So a lot of smart devices, they have, you know, a piece of software on them, firmware. So firmware is software that's actually on the chip itself, right? So it's not, you know, running on the ether. It's actually on this program onto that device. And that firmware could be vulnerable. And many times the firmware doesn't get automatically updated. Sometimes you got to launch the app and there's a little checkbox that says, Hey, automatically update my devices. Hey, isn't that great? Now I know, for example, my my smart plugs that I use for the outdoor Christmas lights get thrown inside the Christmas box. And then they show up a year later, 12 months later. Well, hmm, do you think any software of vulnerabilities could have been discovered in those past 12 months? Sure enough. So this Christmas, when I plugged in my smart plugs, sure enough, it my app popped up and said, Hey, you need to update these plugs because they're vulnerable. Okay. Yes. Isn't that great? So a vulnerability was discovered, it was patched. And now these devices are safe. But there's still one more thing you got to remember. Let's pretend that a device does get infected or gets taken over. What if it starts snooping on traffic on your network, starts looking around, see what else you're doing? Imagine if you have a laptop that's connected to the same Wi-Fi as this smart device, this smart refrigerator, this smart TV. Could it perhaps pick up some of that traffic and do some sort of attacks based on that? Maybe get inside bank accounts or get inside insecure websites that you could have visited? It's possible. And so what you want to do is make sure that you put all your smart devices onto a guest network. So get them off of the network that you're using your important work related stuff for. Many of us still do some work from home. That network, where you're actually doing the real work, shouldn't be the same network that your ring doorbell, your fridge, your sprinkler system or any of these other smart devices are connected to. Because if the two can see each other, they could potentially get some of that data out of there. So we don't want that. So that's my third tip is make sure that you put it onto a separate network. So number one, change us names and passwords. Number two, make sure you update the software and firmware. Make sure that they're all kept up to date with any of the latest stuff that comes out from the manufacturer. And then number three, put on a separate guest network. You don't need to have the two on the same network as your important data. We don't want that to get hacked. Other than that, it's not really that much more you can do, but you can still get it. I'm beginning to get it. So if you have a refrigerator in your house, and it's an internet refrigerator and it's running on your your home network, which includes computers, something in that refrigerator system, some chip in that refrigerator or something riding on the chip. And I want to mention that in a minute, can can allow the hacker to come in and go through your network to other peripherals. So nobody cares about how many quits of milk you have in the refrigerator. But it's kind of a mirror. It's an access point that would allow Vladimir Putin to come in and sort of bounce around between the refrigerator and the router and look at your computer and then get data from there. It becomes part of the scam. I want to add a story that was on 60 minutes a few years ago about these guys in a utility company that used a lot of devices that included a lot of electronics. And they went to China. This is before we were so adversarial with China. They went to China and they asked them to produce a bunch of these because it was really cheap to do that in China. And they gave them designs and specs and the Chinese came back. Chinese company came back really quick. It's always really quick. And they, you know, I say that on Chinese New Year's, you know, she, Shinyin Kuala, Happy New Year, I tell them. So it came back as designed, pursuant to the specs, except there was this little thing, a little kind of superchip writing on top of the circuit board that they had created for the utility. And the guys in the utility couldn't understand what it was there for. It's very hard to reverse engineer this sort of thing. The only thing they knew was that there was a little thing writing on the chip that that was manufactured for them, the circuit board that was manufactured. And so it was a mystery, but you know, it was nefarious. You know, there was a reason for it. And so to think of all the utility companies and all the industrial uses around the country that in days going by, maybe even now today, they send their requests and their specifications to other places who make their circuit boards and it comes back with a little, a little something, a little special rider on the top that nobody knows what that's for. And, you know, maybe it's nothing, but maybe it's something and nobody knows. That's what happened in the 60 minutes story. Yeah. And that was a few years ago. I mean, since then we've seen Android conducted devices, fire TV devices, where the advertising that's built into them is hijacked. And and those funds are going to who knows where we suspect. China, of course, but those ad dollars that should be going to those advertisers is not going there. So it's advertised redirection. One of the largest, in fact, the largest DVR camera manufacturer in the world, HikeVision, they are a China owned company. They have over 50 percent market share, hundreds of thousands, if not millions of these camera systems out in businesses all across the island. We see them all the time and is a known vulnerability. They are not allowed on military bases or any state facilities. They are banned because they have known backdoors for, you know, our our friends in China to be able to access them. So for that reason alone, it's it's a pretty scary proposition that we have a lot out of devices out there that are directly accessible to mad actors, have vulnerabilities that we know about, but it's very difficult to change infrastructure overnight. The other thing is you can't, you know, you can't assume that every single refrigerator is going to be involved in this scheme or every single device or every single television or what not. It's the hacker, whoever it might be, an individual or state hacker. He's going to decide where he or she wants to go going to decide what kind of appliance he wants to look at, what kind of information he wants to get, what kind of manipulation he wants to make. And and you cannot assume that it's everything. It's not everything. It's just the selected pieces before I go further. I just want to mention that the the other thing comes to mind is Marisk, Marisk, the shipping company. So we have the the Houthis in Yemen, throwing drones and missiles at shipping on the way in the Red Sea and the way to the Suez Canal. I don't think you really need that because the fact is that every one of those containers has is on the Internet. It's part of the Internet of Things so that Marisk or anyone else who has an interest in the destination of those containers knows where they are. And that is very valuable information so that if the bad actor wanted to say what container he should blow up, what container he's interested in, you know, doing bad acts about, he can find out because the chips are in every single container and they're there, you know, what do you call it? Geopolitical, their their geo chips identifying where it came from, its route where it's going to be offloaded, all that. And so if you really wanted to screw up the supply line, you think of ways to, you know, deal with those vulnerabilities. That's not your refrigerator now. That is something much more serious because in that container could be bloody anything and the destination of the container could be very important to World Trade, right? It's true. And, you know, you also bring up an interesting point is that the military here, their primary goal is to be mission ready. And any sort of disruptions in the supply chain for our military to be mission ready that could be perceived as a threat. So, yeah, it's an absolute, we live in an ecosystem. We benefit from the from the modern world. You know, we all love Amazon and having things here and in just a matter of days versus weeks and being able to watch it all the way across the board. But the truth is that leaves us very vulnerable to a lot of attacks and ways that, you know, our entire society can become disruptive. You know, there is a there is a movie on Netflix, which I won't repeat the name, it's pretty popular. But it's all about cyber attacks and what it would look like to have planes fall from the sky and the electrical grid, you know, collapse and have Teslas drive themselves into into each other to block the road so that people can't escape. It does sound a little bit like fantasy, it's kind of an exaggeration. But, you know, it does show the possibility of what the world could look like if we if there really was a coordinated high intensity cyber attack that would involve many nation states to that that would target the United States, for example. So this was that's that's the hypothetical, you know, what if scenario? You know, I don't think that we're running into a terminator scenario, but we are running into scenarios where there's a very real possibility of disruption to our critical infrastructure if we were to be on the wrong side of a political agenda. For example, you know, NBC recently reported about how CISA came out and stated that we do have, you know, Chinese bad actors inside of our critical infrastructure. And if they were to decide to disrupt our critical infrastructure, which includes energy and transportation and water and power, that kind of thing. Well, you know, if we were to aid, you know, Taiwan in an invasion attack or an invasion attempt, then they could potentially disrupt our critical infrastructure in that way. And this is a story we've seen played out in and the Ukraine and in other war zones. So, you know, I don't know what the future holds. All I know is that we are at risk. And, you know, I know where this is kind of really big, high level, 30,000 foot conversation. But, you know, back down to the to the sidewalk level, we can do our part to protect ourselves from making poor choices with these smart appliances. And I think we should use new technology to let's just be, you know, safe about it. Well, going back to that, so you say that just as the bad actors are not necessarily going to attack every refrigerator, that would be a waste and it would not be effective for their, you know, nefarious mission. But the fact is that if there was a war, called a cyber war, with these bad actors trying to slow down our our military, our industrial sector and our society in general, there would be a lot of things on the list. But some of them are, you know, critical things. And some of them are just morale things. But it seems to me that that if it's out there, and I think it is out there and you sort of store it up, you set it up for a doomsday moment where just as you say, you know, a fight around Taiwan and they want to demoralize and undermine the military and the whole country, they would go on all the levels. They would attack on all levels, including your refrigerator. They, you know, we talked about what happens in a inner world where somebody attacked your whole internet world. You get up and no hot water, no power, no television, no radio, no internet, no nothing. And your community begins to break down. Your morale breaks down. You can't do anything. You can't go to work, really. The traffic lights don't work. And so a bad actor could do something sinister with everything that we depend on, that we take for granted, including these internet of things, small things and sort of wreck us and divert our attention away, for example, from Taiwan. Well, you know what happened in the Ukraine, right? I mean, years, years and years ago, the critical infrastructure was remotely infected. So that means that telecommunications, energy and water and sewer that were all taken out, Russia was able to take those over before the physical invasion. And when the kinetic war began, they made sure to shut down those utilities and avoid bombing or destroying those critical infrastructures because they assumed that very quickly they would be able to take over the country and they wouldn't want to rebuild all that from scratch, right? Why destroy it? Connecticut through kinetic warfare, destroy it through cyber warfare, disable those services. And then once, once you're back in power, then turn it back on and we're good to go. So it's not just your home and trying to keep certain kinds of chips in your toothbrush or whatever out of your main internet network, which I really don't know how I would do that. On the other hand, I don't I don't know if I have a toothbrush like that or a refrigerator like that. I have to I have to examine the packing but cell phone, cell phones, cell phones, smart TVs, those count, too. Yeah, smart TVs have been broken into numerous times. So you'd have to be conscious of that. But every business would have to be conscious of that because just like I have a refrigerator at home, every business has a copy machine who knows what fax machine phones or kinds of communication systems, lighting systems, filing systems. The attack could be at that level, too. And of course, the military would be a perfect attack, wouldn't it? Because the military would have a secondary effect and, you know, where you have weapons involved, the weapons would be undermined. So this isn't a message about the internet of things, just for you and me at home. It's about everything in our civil society, isn't it? Yeah, the word you're looking for is micro segmentation. And that's super important. Colonial pipeline, right? They were able to hop networks from from a network where they were checking email to where they were controlling the fuel was for the fuel. We talked before we got on the Airbus Stuxnet. That's the same thing. They were able to hop over into the centrifuge networks to be able to just change a small thing, just a small little just change the rotation of those centrifuges and then destroy the uranium enrichment program. We saw that 10 years ago at Target when they had a temperature control system, right? Like a smart thermostat connected on the same network as a customer data network. And that meant that they could steal all the customer data as well as credit cards and birthdays and all kinds of PII that they shouldn't have been able to have access to. So by micro segmenting, so chopping up these little networks so that you have your important point of sale stuff on one network, perhaps your critical infrastructure types of things, such as your fuel control valves and all these other, you know, kind of smart appliances that you need in order to provide us with clean water and good running reliable electricity and put that on a separate network from the ones that are being used for like your data entry people and email and marketing and and, you know, all that other stuff that's needed for a business to operate. And we see this all the time with clients that have, you know, important customer information on the same network as the emails and all the day to day stuff. You got to start breaking that stuff apart. Yeah. And well, it troubles me is with AI you can have these sinister systems sort of segment out what they want to attack. So I only want to attack Samsung refrigerators. That's all. And if I have another kind of refrigerator, it doesn't go there. This is just like the Stuxnet thing, right? They only go to the Siemens centrifuges in a certain part of Iran. And they might have been going all over the world, but those were the centrifuges they attack. And likewise, you can have them attack, you know, on the right side of the street or the left side of the street or, you know, people whose name began with Ceres or Fidel. I mean, all they got to do is check back using AI and maybe this network or some other network to find out where the attack should be. And I told you about a video that's going around on the on YouTube about about these very small drones that could kill you. But before they kill you, they check back to see who you are. They say, well, you know, if your name is Ceres or Fidel, you know, this is sort of like the leaving Egypt, you know, you put it on the doorpost, you don't get killed. If your name is Ceres or Fidel, you're safe. But if it's not, everybody else gets killed. If you're a Republican or a Democrat, if you work for this company, if you have this particular kind of loyalty, you get killed, if not, you don't. I mean, this is possible under an AI weapon and the AI weapon, and this is my question to you, the AI weapon, would that run on our Internet, my Internet at home or my Internet in the office, or would it run on their Internet, their wireless, which is more powerful and which would give better AI access to make the decision about who that drone goes after? So LLM, that's the large language model. That's the term that's used to describe what AI is. And LLMs can be built by anyone on your laptop. And you can train it to do whatever you want. You can train it to help you make better recipes, or you can train it to do better math. You can train it to help you design aerospace, you know, flying machines, and you can train it to kill. And these devices that are out there that are Internet connected will do what they are told. And so if the AI that it decides to check in with says, hey, you know, refrigerators, I want you to exploit this vulnerability in a coil that will cause it to catch fire and we're going to start fires in thousands of homes across the country because this vulnerability exists, then they can do that. So the AI isn't the nemesis. It's a hammer in the hands of one person. It's a constructive tool and in someone else, it's a murder weapon. So AI can benefit us in great ways. It's not going anywhere. So there's no, you know, this isn't a fad. AI is here to say it's been around a long time. It's just now hit final critical mass. So I wouldn't be afraid of AI. But what I would be afraid of is what people are going to do with AI. And what kind of I mean, if you're asking if AI can be responsible for genocide, yes, but you know what, so can people in history has shown that. Yeah, well, you leave me with the thought that the one thing that you really can worry about is cyber war on multiple levels on the individual, you know, person at home, on the company level, on the industrial level, on the military level, all happening at the same time. And of course, that sort of breaks down society and makes it impossible for you to respond to the attack or more difficult to respond. And I think, you know, just based on our discussions and what I've seen in the media is that's a possibility that there are state actors out there who are preparing that. They don't want to tell us, you know, as a society, what they have up their sleeve. But this is something they could have up their sleeve. And as you mentioned earlier, maybe we have our sleeves, too, where we have we don't have kinetic war. We don't have bombs. We don't have missiles or exploding devices or even guns. We just bring the whole society down. We disable the society and then we walk in. That's what, to me, there's a fair chance about that. Don't you think? Anything is possible, Jay, you know, I don't want to say that that is absolutely can't happen. I'm saying it's not likely to happen. And, you know, in some ways, you know, it's my hope that, you know, we can solve problems without having to revert to you know, any kind of warfare, cyber warfare, kinetic warfare, whatever. I'm optimistic that, you know, as people, we want to do what's best for each other. But at the same time, you know, we we do live in a fairly safe time compared to human history. We've been at war for for as long as we can, as long as we can remember. In fact, it's kind of funny that I was listening to a podcast that we're talking about how, you know, we always seem to be at war or in conflict or we're always doing something where we're and we're doing bad things as human beings. But if we go back through history, we've always done these things. So we should consider this normal. Well, whatever happens, I I intend to brush my teeth later on and tomorrow using my electric toothbrush and and open my refrigerator without fear or concern. And even if there's a risk in there, I'm not going to I'm not going to be too concerned about it. Just connect it to your guest Wi-Fi and don't connect it to your main network. I'm on the I'm on the way to the best buy for a secondary network. Lots of choices out there. You know, all these devices, they all support guest networks, turn, set that up, connect your devices to that. Update your app. Make sure you update the firmware on it with, you know, with a good password. Keep that up to date. Separate app. I think we'll be OK. It's true that our world is changing as never before. And your world must be changing, too. You know, all these things affect the depth and scope of your services and your what you hear from your clientele. Am I right? You got it. You know, we're we're always on the hunt for the for the best way to keep clients protected. We want to create an environment where clients don't have to worry about getting hacked. And the only way to do that is to keep up with the arms race. That's what we're doing here every day. Yeah, like an alternative universe, except it may be the real one. Until the rest, I thank you very much for joining in today, very important discussion about how the Internet of Things is is part of the whole environment of hacking and and global players. Thank you so much. Thanks, Jay. Appreciate you having me on. Stay safe out there. Aloha.