Sunday, March 6, 2011

Travis Goodspeed Outside The Box

You are not likely to forget your first encounter with the very neighborly Travis Goodspeed.  He is a rather lanky young man (age 24 as of this posting) hailing from the Knoxville, TN area, who speaks with the slightest Southern drawl, and sports a rather impressive crop of dreadlocks.  Travis is an extraordinarily polite, easygoing, and friendly person who is very sociable and is quite fond of West Coast Style IPA beer, which he longs for when he visits Germany (where malty lager is the brew of choice).

Travis likes to challenge security assertions.  He likes to shave, etch, probe, and otherwise infiltrate computer chips in his quest to discover what secrets lie within.  He insists he does this for fun, and after sitting with him for a bit and listening to his exploits, I am convinced he must be having the time of his life. I am also glad he is not one of "the bad guys".

I had the pleasure of having Travis join us at my Smart Grid Security East conference, as a panelist and as a fixture in my expo area, where he set up shop with some of his tools and toys (some homegrown, some off the shelf) and proceeded to show the crowd how he managed to hack the "security" of a Microsoft Wireless Keyboard.  Mind you, this was not an old keyboard, but one he had recently purchased.  Apparently Microsoft decided to use the MAC address as the key for this keyboard communication scheme.  Travis showed how, using a rather interesting badge he had created, he was able to monitor every keystroke typed into the keyboard, and display it on a monitor.

I find this particularly intriguing, because for the last year or so I have been working on security guidelines for the State of California Office of Health Information Integrity as part of the Security Steering Committee for the Privacy and Security Advisory Board.  We have been creating guidelines addressing security for health information exchanges in order to help ensure that health care organizations in California align themselves with requirement under the HIPAA HITECH privacy and security regulations.  While we have done all we can to deal with issues such as how people should interface with systems, and how data should be handled in the system (mind you, it is not perfect, but we are working hard on the issues), something like a wireless keyboard communication protocol is so far out of scope it may as well be a discussion on the topic of corn pads.

We still live in a world where, from a security perspective, device manufacturers are essentially exempt from any liability for making silly choices.  Microsoft has enough money and brain trust to address this issue properly.  They could easily implement a design that transcends this level of silliness, but they choose not to do so.  Yet a health care organization that decides to replace their keyboards with the cool wireless ones available from their hardware supplier is one Travis Goodspeed Hope Badge away from having everything they type into the electronic health record becoming publicly available information.

People like Travis (and there are a lot of people like him, both good and not so good) think way outside of the box.  Organizations that spend millions (and even billions) of dollars trying to secure their systems who fail to understand this should prepare for lots of sleepless nights, and many sour looks as they face their boards of directors.


Brian said...

Love this example! Nobody but the security conscious and hackers think about such devices as a potential security breach for critical data. What if you are typing in your credit card information, bank account numbers, and passwords? Obviously, wireless consumer keyboards won't support the cost of military grade security properly done. But can devices be made reasonably secure at a reasonable cost? One way is an external authentication IC like the AT88SA family from Atmel. At least with a proper implementation, hacking requires physical access which would be obvious tapering.

Andy B said...

I attended Travis' presentation at the SGSE conference and all I can say is it was a doozy. The simplicity of his deconstruction / reverse engineering of everyday electronic objects was what took your breath away. You should have seen the looks on audience's faces; jaws were on the floor all around. With implications for securing Smart Meters and all manner of "smart" devices.