IoT cybersecurity trends

Uncovering the Risks of Nation State xIoT Hacking

Bill Crowell

Discover how former Deputy Director at the NSA Bill Crowell envisions the present and future of xIoT in this exclusive interview!

“An attacker focuses on whatever is left unprotected. And if there’s not a lot of attention being given to xIoT or IoT or OT, then that’s where the attacker is going to go.” – Bill Crowell

Bill Crowell is a cybersecurity luminary and former National Security Agency executive with 34 years of experience in the field. He has held a variety of positions in the public and private sectors, from designing satellites to serving as the head of an intelligence organization focused on the Soviet Union during the Cold War.

Bill Crowell is a luminary in the cybersecurity space with 34 years of experience. He spent many of those years at the National Security Agency and was involved in the intelligence gathering systems for the military. He also co-authored a book in 2007 predicting the convergence of physical and logical security. In the current landscape, business leaders do not understand cyber-attacks and IoT threats, making them vulnerable targets. Nation-states such as Russia, China, Iran, and North Korea are taking advantage of these vulnerabilities by focusing their attacks on xIoT devices. For example, they are using the devices to hide and exfiltrate sensitive data.

In this episode, you will learn the following:
1. How the framework of cybersecurity has evolved over the years and what impact this has had on society.
2. How nation-states are utilizing xIoT devices as a major attack vector.
3. How attackers are using xIoT devices as an entry point to gain access to sensitive data and exfiltrate it.

 

John Vecchi:

Hello everybody. You’re listening to the IoT Security podcast live on Phosphorus Radio. I’m John Vecchi.

Brian Contos:

And I’m Brian Contos. And we have an amazing guest today, long-term friend as well as mentor, luminary in the cybersecurity space from about a dozen different angles. I’d like to introduce Bill Crowell.

Bill Crowell:

It’s a pleasure to be here, Brian. Thanks for inviting me.

Brian Contos:

Well, thanks so much for being here, Bill, and you’re such a wealth of knowledge. Every time we have a conversation, I never know where it’s going to end up, and that’s what I love about talking with you. But just to kick things off and give our listeners a little bit of background about who you are and how you got into security yourself, maybe you could give everybody your background.

Bill Crowell:

Okay. Well, the logical place to start is that I was recruited by the National Security Agency right off campus on graduating from Louisiana State University, which by the way, just got certified as a cyber center NSA which is-

Brian Contos:

Oh wow, that’s awesome.

Bill Crowell:

It’s awesome. And so I went to NSA and I had a lot of different jobs during my time at NSA, my most important ones having to do with dealing with intelligence on the Soviet Union, intelligence on weapons systems worldwide. And I built a lot of the intelligence gathering systems for the military [inaudible 00:01:56] forces. My career took me outside NSA. At one point I left the agency, went to the aerospace industry to actually be involved in designing satellites. And after a short stint at that, which was successful by the way, I went back to NSA and served as the Chief of Staff and the Deputy Director for Operations and ended my career there as the Deputy Director of the agency. So it was a whirlwind tour of everything cyber and everything signals intelligence. So I had 34 years of exciting times.

Brian Contos:

Yeah, 34 years of which, smack dab in the middle, was the Cold War. So your stories have stories.

Bill Crowell:

Yes. So my greatest job actually was serving as the head of the organization that was focused on the Soviet Union during the Cold War. Now I got to see that war end in that job. So it was a great run.

Brian Contos:

Amazing, amazing. So Bill, just at a high level, you’ve had exposure to so many areas within the public sector, the private sector, as an investor and board member, CEO of publicly traded companies, you’ve really done it all. So just looking broadly at the cybersecurity landscape and the threats and trends and priorities, what are you seeing as the hot topics now and has that changed over the years? Or is it pretty much the same? What’s your view on that?

Bill Crowell:

It’s changed, but it’s changed within a framework that I think most of us who have been in this business a while understand. That framework being the essential elements of cybersecurity, authentication of people, encryption of data, countering threats like viruses and malware and so on. And so the evolution has been within those different elements of the framework of cybersecurity. What’s interesting is the way it has changed so as to impact our society. What’s really changed is us. We now rely on the internet and we rely on it for everything from financial services to the area you’re involved in now, which is OT or IoT, which is the use of the internet to provide physical control of things, whether it’s manufacturing or physical security like cameras or the lighting within buildings. And that’s become a new foundation for a whole area of cyber, one that you and I actually predicted when we co-authored a book in 2007. Can you believe it’s been that long?

Brian Contos:

I can’t believe it’s 2007. And I can’t believe we were talking about, hey, wouldn’t it be great if you could combine network access control with door locks and security cameras? And we were about a decade ahead of where the technology could keep up with the ideas, I think.

Bill Crowell:

Actually more than a decade. If you count the years, it’s been 15 years since that book was published. And the interesting thing is that when I was CEO of Cylink, which was a security company that focused primarily on encryption and public key infrastructure and those kind of things, my Chairman was the chairman also of a very, very large physical security company. And he challenged me at one point to, “Well, what would you do if you married those two areas, cybersecurity and physical security?” And so I actually had my team build the first smart card oriented access control system that controlled both physical access to buildings and logical access to computers.

Brian Contos:

Oh, interesting.

Bill Crowell:

Really interesting thing. That was 2001, and we couldn’t find anybody who would buy it. It was not attractive to them to combine those two areas then. You and I co-authored the book on the convergence of physical and logical security, and since then there’s a lot of focus on the convergence and it’s quite remarkable how much focus there is today. And several of my companies are involved in trying to deal with the threats to physical systems as well as logical systems.

John Vecchi:

Yeah. And Bill, it’d be hard to not talk about, ripped from the headlines, current events here with the war in Ukraine. I think in terms of all of your focus on Russia and within the war that we’re seeing happen before our eyes, and then you think in terms of cyber, physical kind of devices and systems and things, are you seeing anything there that if you were in the NSA today during this time, that surprises you or is it fairly predictable or any thoughts and comments around what’s happening with Russia and Ukraine and specifically some of the attacks and threats that we’re seeing happen there? Is there any interesting things there that you could talk about?

Bill Crowell:

I think that it would be fair to say that there have been no cybersecurity, cyber attack, surprises in Ukraine. I follow it very closely with the commercial companies that I’m involved with. So obviously I’m not going to talk about anything otherwise. But most of the attacks by the Russians on the Ukrainians have been pretty conventional, mostly distributed denial of service kinds of attacks. They demonstrated in earlier years the ability to impact their energy system, but notice that all of the energy attacks have been physical, kinetic, and not cyber-oriented. So no, I don’t think we’ve learned very much from that. I don’t know whether they have held back or whether they just had an opponent who was better at defending. And by the way, the Ukrainians are very good at defending their systems.

John Vecchi:

Mm-hmm.

Brian Contos:

Yeah, well, Ukraine very publicly was one of the first countries to experience broad and deep cyber attacks against their [inaudible 00:09:16]-

Bill Crowell:

No, no, it goes back to Estonia.

Brian Contos:

Yeah, Estonia as well.

Bill Crowell:

Which was attacked very broadly and very deeply, but defended itself remarkably well. And also Georgia, in the war that involved the Chechens in Georgia. So no, it’s not new. It actually is more subdued than it was in both Estonia and Georgia in my opinion.

Brian Contos:

Interesting, interesting. Well, I guess if you’re in the middle of a kinetic attack, the idea of launching a cyber attack might not be as necessary perhaps in what they’re doing or who knows? Who knows the approach, or maybe it’s just a question of focus and what they’re trying to achieve.

Bill Crowell:

It’s the question of how you do combined arms warfare. I guarantee you, if the US goes to war, it’s going to be a combined attack on all of us, information warfare, cyber warfare, and kinetic warfare.

Brian Contos:

Absolutely. Well, let’s pivot a little bit to xIoT and we’ve touched on it a tad, but when we say xIoT at Phosphorus, we’re really talking about three distinct but also interrelated areas. The first one is traditional enterprise IoT, so voice over IP phones, door locks, printers, cameras. The next is OT, SCADA devices, PLCs, industrial control systems you see in manufacturing and power distribution and generation, transportation, things of that nature. And the last one is just general network devices, switches, wireless access points, load balancers, network attached storage. Collectively, these are embedded devices, purpose built, and they’re network connected usually, and they’re usually very vulnerable because they were installed by… Somebody that drove up with a truck, bolted in a bunch of security cameras, doesn’t really think anything about cybersecurity, and they get up and running and they’re highly vulnerable.

But most of these guys tend to be Linux, Android, BSD. On the OT side, things like VxWorks and things like that. My question for you is we here on this podcast understand the threat level associated with xIoT devices across all those spectrums. Do you feel that business leaders, I’m not necessarily talking about security leaders yet, but have business leaders caught up to this? Do they understand the threats intrinsic to xIoT like they understand phishing attacks and malware and denial of service and some of these things these days?

Bill Crowell:

Now, Brian, I’m not trying to be unkind to business leaders, but quite frankly, business leaders don’t even understand cyber attacks. They don’t understand ransomware, they don’t understand SolarWinds kinds of attacks and how extensive they are. So no, they don’t understand IoT at all. I mean, they think that the light switches are just like they were 20 years ago, physically hardwired. And the fact that most buildings today are becoming smart buildings in which everything from the lights to the switches to the timing of all of those things is automated over internet protocol networks.

John Vecchi:

And so from that, Bill, would you say, given that, I think you’re pretty accurate there, is that probably why, given your focus on nation states, Russia, China, Iran, North Korea, others, are focusing on xIoT devices as a major attack vector? I mean, do you think that’s one of the reasons why they’re focusing on that because they know nobody’s really looking at it or considering it? Is that safe to say?

Bill Crowell:

Well, of course that’s true because what does an attacker do? An attacker focuses on whatever is left unprotected, and if there’s not a lot of attention being given to xIoT or IoT, OT, then that’s where the attacker’s going to go. Having been an attacker in my past, you look for the targets who don’t practice good cyber hygiene, and now that cyber extends to OT and IoT, it’s quite likely that most organizations are not practicing good cybersecurity hygiene on those systems. I mean, I’m sitting here in my home. I have 68 devices on my home network, eight of which are cameras, and I’m a cybersecurity specialist. How much attention do you think I spend on the security of those camera systems? I think, well, they’re outside facing outward. They’re not inside facing inward. So I’m not really concerned that somebody robs me of some of my video. But it’s also true that people who have extensive camera systems focused both outside and inside, probably don’t give a lot of thought to how to protect. And by the way, they believe the stuff, wrong word, but the stuff that those cameras are encrypted end to end and fully protected. That’s BS.

Brian Contos:

That’s a dangerous thing to assume, for sure, as you all know. We’ve actually seen, and just this year even, cases where the security cameras, when people would switch them off, all they would do is switch the green light to red. And they were still recording video, they were still recording audio. And in many of those cases, they were still streaming that audio and video off to different remote locations in different countries. And a lot of these cameras, to your point, are also inward facing. Some of these are embedded into TV screens and their conferencing systems within executive boardrooms and in other locations that are very sensitive. So there’s a lot of information that can be gleaned there when facing inwards. I guess my question is, we’re seeing this now and we’re seeing this on the enterprise side and people taking note and taking steps to remediate those risks. Is that something that you have had experience that you’ve seen these types of cameras being used against people in the past and maybe this has been going on for decades, I don’t know, but have cameras been utilized against individuals before?

Bill Crowell:

Well, cameras until about 20 years ago, 20, 25 years ago, were essentially hardwired using coax cable. They were closed systems. Was it possible to get to them? The answer is in some cases, because a lot of them, all that coax came into a box that was then connected to the internet, so somebody could remotely view it all. There were probably some attacks back in those days of the hardwired coax cameras, but not like today. Today it’s fairly routine for someone to go after a camera if it provides them with the kind of information that they really want. So as an example, you use the example of the camera on the internal devices like conference rooms. I have a camera, which I should put a pasty over, that Sony provided. It’s part of the system on my Sony 55 inch monitor. And I’ve never covered it up and I’ve never gone in to turn it off.

Part of the reason is I don’t do anything that’s really sensitive. Right? Well, that’s not entirely true. I’m on the board of so many companies, we have board meetings now via Zoom and Teams and WebEx, and so on. Those cameras are on… I mean, I’ve come to understand just how uncovered these communications are. First of all, the cameras are accessible. Secondly, the sessions with Zoom and WebEx and all of those are not end-to-end encrypted. They’ve had to admit that in a couple of cases. And so we are vulnerable and the sensitive information of business operations can get exposed. Do I think that the Russians are interested in business operations? Well, yes because some of the companies I’m involved with are cybersecurity companies. Are they interested in cybersecurity and the defenses that we have? Absolutely. But also there are people who are nefarious enough to actually try and gather information about competitors. And so there are all these different threats.

Brian Contos:

That’s very well put, Bill, and one of the other attacks, so of course there’s attacks that impact the physical world. And we just talked about cameras for spying. You can unlock or lock doors, impact HVAC system, stop elevators. There’s a whole number of things. And when you go to the OT side, you’re talking about real destruction, blowing things up, so on and so forth. But there’s another line of attacks that seems to be growing in popularity that we’re seeing, and these are pivot attacks where, for example, an attacker might get into an organization through a phishing attack and get onto someone’s laptop, and that might be through an email, social media messaging app, what have you, but they’ve got some malware, it’s on a laptop and they can control that individual’s laptop within the organization. Now the attackers don’t stay there. That’s simply their entry point in.

Then they start scanning for xIoT devices, whether it’s a voice over IP phone, printer, wireless access point, network attached storage, and they look for those devices, and again, they’re Linux, Android, BSD. They log onto those devices because usually the passwords are default. And if they’re not, most of them run level eight, nine and 10 vulnerabilities because the firmware hasn’t been upgraded in six years. And a lot of them are end of life. And there’s a huge attack surface because there’s about three to five xIoT devices per employee. So 10,000 person company, roughly 50,000 devices, at least half of which have default passwords. So there’s a big attack surface.

So they look for these devices, they log in, they load their tools, they know that they can maintain persistence, they know they can evade detection. And then from those xIoT devices, maybe they make API calls to local exchange servers or Office 365 in the cloud. Maybe they access other data stores and they take that data, compress it up and exfiltrate it out. Those are the types of attacks using xIoT devices to hide and exfiltrate sensitive data that seems to be really top of mind right now. And I know the nation states have taken notice of this. The Russian FSB of course had the tool called Fronton built for them by some contractors, which was famously later stolen and released to the world on torrents. So if you can read Russian, you can actually have access to a nice nation state designed xIoT hacking tool.

Bill Crowell:

Yes, Google Translate could [inaudible 00:21:03]-

Brian Contos:

Yes. And Google Translate, you’re good to go. So we know nation states are focusing on this, but I think this is a huge Achilles tendon for organizations because that massive xIoT footprint, coupled with the fact that they’re so vulnerable and no one’s watching them, Bill. It’s like IT security in 1995 equals xIoT security in 2022. It’s really in the nascent years and patching, credential management, hardening, it just hasn’t been done to this date. And I think it’s going to bite a lot of people, to be quite honest, because it’s a great entry point.

Bill Crowell:

Well, I totally agree with everything you’ve laid out. I would just put a couple of amendments out there. One is that most of these IoT devices don’t have enough memory and don’t have enough processing power to actually become persistent in entry point. And so what they really do is they try to use that point to laterally move into more heavily… To points in the network that have more processing power and more memory. And then they keep the IoT place as a place to reconstitute if they should lose the new place that they laterally move to. But it’s the lateral move that enables them to be really, really effective against these networks. If they don’t do the lateral move, then they’re not going to be able to exfiltrate large amounts of data. But it is a persistent point of entry. And I think you’re right that it’s a danger to large corporations that have lots and lots of IoT devices. And by the way, you can’t protect every one of those IoT devices with security software for the same reasons. They don’t have a lot of memory and they don’t have a lot of processing power. So it’s a conundrum.

John Vecchi:

Yeah, and of course we talk a lot about what you can do and, even as Brian mentioned, upwards of 50% of all these billions of these xIoT devices out there, are deployed with default credentials. And that alone just as a baseline and some of the vulnerabilities. And you don’t have to be particularly an eloquent hacker to go exploit a CV nine or 10… CV vulnerability on these devices, so there are some basic things we can try to do, but one of the things that I’m wondering. In your work, I mean, today you work, obviously your background with the NSA, but you also talk and work with enterprises. Are enterprises and agencies, government-side, do they communicate today? What is that like from a cybersecurity perspective? Are they communicating together on what they’re learning with each other? Is that a channel of communication you see that’s open between big enterprises and government agencies or not at all?

Bill Crowell:

Brian and I have had this conversation in past podcasts, and you know the really, really great news, Brian, is it’s finally happening.

John Vecchi:

Oh nice.

Bill Crowell:

In the opportunity I had last week to get updated on where things were with regard to cybersecurity and industry, it’s very, very clear that NSA now has the authority to help the defense industrial base, the so-called DIB, improve their cybersecurity stance. And they have an unclassified center where contractors who work for these defense industrial base companies can come and exchange information. And by the way, they also get to do it online in real time, 24 hours a day. And that’s an incredible advance. And there’s cooperation also between DHS, CISA and NSA in the critical infrastructure area. So there finally is an opening up of a dialogue between the very, very excellent technical expertise of the US government in both DHS and NSA and industry. Not all of industry, but a sufficient point of it that it covers our critical nodes.

Brian Contos:

Well, it has to start somewhere. I think the last time we talked about this, and I’m a big fan of InfraGard but a lot of these things took place and well, you can go to these monthly InfraGard meetings that bring together public and private sector, and at the same time if you want, here’s a phone number where you can call somebody and maybe they’ll get back to you. It was a little asynchronous, but now that it’s online, it’s 24 by seven. That’s actually pretty amazing.

Bill Crowell:

Well, and there also is an incredible change in the [inaudible 00:26:26] and the knowledge and training that the FBI has, and that’s making a big difference too, because ultimately you want to deter all of this stuff. So prosecution is an important deterrent to cyber attacks.

Brian Contos:

Yeah. I want to talk a little bit about OT, so the industrial control system side of the house. 15 or so years ago, we were involved with Project LOGIIC, which was linking oil and gas companies with MIT and Carnegie Mellon, and then some big cybersecurity companies, ArcSight, Symantec, others like that, coming together and trying to help address this problem. And we made a little bit of movement back then, but when I go out and I’m meeting with oil and gas, power and energy, transportation, water, all these folks, and there’s some industries which move a little bit quicker than others, I’m actually surprised that we haven’t made as much advancement as I thought we would have. We have made strides for sure. And I think cybersecurity is a conversation that’s being had on the OT side where it used to just be on the IT side and the OT folks were, “We don’t have time for this,” but I was recently in the Middle East, and they seem to embrace this concept of needing cybersecurity measures around their OT devices.

And I’ll just say it this way, they’re much more open to the idea and they’re open to it in terms of they’re investing time and they’re investing dollars into actually addressing it at what I feel is a much more rapid rate than I’m seeing in other parts of the world. And I just wanted to get your hot take on that. Why maybe in the Middle East they’re more open to making these investments in cyber where in other parts of the world, they’re maybe a little bit more hesitant and they’re a little bit more, “Hey, we’re all about availability. We don’t want to put any cybersecurity controls in there that might impact that,” as they should be thinking, but maybe because of that they’re not moving as quickly as they should be.

Bill Crowell:

Well, I haven’t been to the Middle East in a while, but I see the pictures and they’re building smart cities and we aren’t yet, and they’re building smart buildings. I mean, some of them, the tallest building in the world, and they’re very, very smart. Everything is automated inside of those buildings. And so I think they understand the vulnerability a lot better than we have because it’s been piecemeal in this country, whereas it’s a focus in those countries. I mean, Dubai in particular has an incredible focus on security. I have a friend who has been a consultant to Dubai for a number of years, and they essentially sit down and build an architecture for cybersecurity at the same time they’re building the architecture for the building.

Brian Contos:

Yes. Security development life cycles are built into the buildings and the cities and the ships, which blows my mind that we’re not seeing that everywhere, but they’re going fast.

Bill Crowell:

But you stimulated a thought that I’d like to put on the table, and that is we are thinking, and you and I are now talking about IT and OT like they’re separate. And let me give you an example of where they’re not separate. The Colonial Pipeline attack, it was a ransomware attack. It was intended to hold Colonial Pipeline hostage until they paid a ransom. This is my opinion, this is not knowledge. It’s independent. I do not believe that the attackers intended to take down the delivery of oil and gas to the entire eastern coast. I believe that they attacked the administrative system, which is what they attacked, not knowing that if the administrative system couldn’t bill for the oil and gas, that they would have to shut down the oil and gas system. And so we aren’t paying enough attention to how these things interlock and how they are influenced by each other. And so Colonial Pipeline was an attack against an administrative system that merely did the billing, but caused the company to shut down all of the plumbing. So we need to learn some lessons from that.

John Vecchi:

Yeah. Well, and with that, when we think in terms of, we talked about it earlier as you mentioned, Bill, you can’t put Tanium or CrowdStrike or endpoint agents on these xIoT devices, but yet they’re purpose built and they’re network connected and they’ve got loads of vulnerabilities and there’s a lot of areas and elements about them that we can pay attention to and do something about. But when you think in terms of… You made a great point. I mean, these devices are interconnected. You can attack one and there can be collateral damage on another and so forth. When you think in terms of what we can do to fix it, to date, there’s a mindset that we can try to discover these devices and you can tell me how bad they are and how insecure they are.

But when we think in terms of doing something about it, to date, there’s been a mindset that can’t really do much about it. But of course at Phosphorus, and now when we think in terms of xIoT, more proactive remediation security, there are some things we can do. Obviously we can rotate the credentials, we can harden these devices, turn off extraneous ports and protocols, we can update certificates, we can actually upgrade and downgrade firmware. Do you see that as helpful in actually trying to do something about fixing these devices? Do you see that as helpful? And do you think agencies in the government and therefore private sector as well might think that that’s useful?

Bill Crowell:

Well, of course it’s helpful, but it’s not the only solution. It’s not the only path to a solution. So it has to be combined with good hygiene. I mean, one of the things I started saying many years ago before the cloud was a really popular thing. People didn’t want to move to the cloud. They said the cloud’s going to be insecure. I started giving speeches where I said, “The cloud will be more secure than your own enterprise networks.” And the reason why is because you don’t have any idea what you’ve got in your enterprise network. You have no discovery tools that will tell you who has put something into your network yesterday that you didn’t know about. And by the way, somebody can be your own employees who are just doing their jobs and adding stuff to the network that you don’t know about and that you aren’t protecting.

And so the cloud becomes a way of handling the large enterprise problems, maybe not though OT problems in their entirety because of the need for seven nines performance on a lot of the OT devices. You don’t want the light switches being turned on and off 100 times a day in people’s workspaces. And so you have to be very careful about what you offload into the cloud. But the cloud becomes a way of strengthening the security surrounding the enterprise administrative networks. Also, the cloud is excellent for doing AI kinds of things and machine learning kinds of things. And for offloading a lot of the big processing loads. The OT world is a different world. You have to look at it differently. But then you have to think about how it integrates with and interoperates with the administrative IT network. And so we go back to architecture.

What it really takes is somebody who understands all of this well enough that they sit down and they build an architecture that says, okay, here’s this part of our network. Here’s what it does, and here’s how I’m protecting it. Here’s this other part of my enterprise operations and here’s how I’m going to protect them. And here are the interfaces between those two things and here’s how I’m going to protect them. That’s not really done a lot. I don’t know many. First of all, I don’t know many CIOs who will let CISOs have enough authority to get that done because the CIO is all about performance and uptime and making sure the trains are running and the CISO is worried about entries and attacks and so on. And those two are not aligned with each other because there are some performance hits that are going to be taken when you do security properly. So that’s why we need a total architecture approach. And the book that we wrote, Brian, was intended to tell people they had to start thinking.

Brian Contos:

Yeah, yeah. Well, Bill, obviously we could talk for hours and hours. I love your perspectives and your vision on these topics. But as we wrap up, just one final question here, closing thoughts if you will. So for those of our listeners that are out there and they’re concerned about xIoT security and whether it’s in the OT side or the enterprise IoT side, any words of advice or directions or ideas that you’d like to leave with them?

Bill Crowell:

Well, I think the biggest problem facing us for the future is one that they can help solve, but they can’t solve. And that is the availability of the talent that we need to do the work. There are over 500,000 cyber jobs that are unfilled in the US today, well over a million for one. That’s become a really, really serious problem. And trying to develop a cadre of people who understand and can flourish in this business has become something that’s just as important as it was when people tried to convert from accounting to enterprise accounting to enterprise operations. And so we need to have companies, enterprises, concentrating on acquiring and developing talent.

There’s no reason why every cybersecurity specialist in the world has to come from a college or university. I can tell you from having visited the cyber command, that there are a lot of high school graduates joining the Army and the Navy and the Air Force and the Marine Corps and Coast Guard that become great cyber warriors. And they learn quickly and they want to learn quickly. And then they are incentivized to become experts. And so they should step back from all the problems they have on a day-to-day basis and ask the question, what can we do to foster the development and education of more cyber people in the country?

John Vecchi:

Yeah, it’s great advice, Bill. Great discussion.

Bill Crowell:

And I haven’t told many stories, Brian.

Brian Contos:

Well tell… Do one story. Give the people one story, Bill. So many.

Bill Crowell:

Any that you remember that I should put on the deck?

Brian Contos:

Yeah, I remember talking about the Great Seal with you, and that was carved out of wood with a little diaphragm in there.

Bill Crowell:

Yeah. If any of your listeners have not been to the National Cryptologic Museum, they really ought to go. It’s located at Fort Meade. It’s on a piece of land that you can access without having to have a guard shoot you. And it’s a really great place. I was there Friday. They’ve recently redone it. And they have some splendid displays, all of World War II successes of breaking Japanese and Purple code and the German Enigma and so on. But one of the displays there is the gift to the Ambassador of the United States, I’m sorry, the Ambassador from the United States to the Soviet Union at the time. Averell Harriman, I believe, was the ambassador at the time. And it was a hand-carved wooden Great Seal of the United States. And it was a beautiful piece of work. I mean, very nicely done, but it hung in the Ambassador’s office for years.

And unknown to the Ambassador or anyone else for that matter, inside was a little cavity and a bar that served as an antenna. And the Soviet guys would beam microwave signals at this device. And as sound in the room caused the diaphragm to vibrate, it would cause the antenna to vibrate and the microwave could pick up those vibrations. And so they were listening to everything that happened in the Ambassador’s office. It’s a delightful thing to look at because it was a genius piece of equipment at the time. All I would ask your listeners to think about is how much has technology advanced since then?

John Vecchi:

It’s like the original Trojan horse that was…

Bill Crowell:

Yeah. It was.

John Vecchi:

That’s incredible. What an amazing story. Great discussion.

Bill Crowell:

I think the other story I’ve told you, and it’s one that people can go and look up online, is a story of which was Venona, V-E-N-O-N-A, which was NSA’s predecessors and NSA broke the KGB and GRU codes that were used from 1943 to 1948, and that information provided insight into the Soviet spy rings inside the United States. There were about 200 cover names that were recovered from those messages, 60 of whom were actually identified to specific individuals. And you would probably recognize some of those names.

John Vecchi:

Wow.

Bill Crowell:

The Greenglasses, Julius and Ethel Rosenberg. He was Antenna. She didn’t have a cover name. The first message ever read was about her and how she helped her husband with his work. So people who debated about whether or not she was guilty, that message [inaudible 00:42:16]-

Brian Contos:

Message one.

Bill Crowell:

Yeah.

Brian Contos:

Amazing.

Bill Crowell:

So anyway, it’s been a delight, Brian. It’s always good to talk to you.

Brian Contos:

Thank you so much, Bill.

John Vecchi:

Awesome. Bill, thank you for the discussion. It was just wonderful to have you with us. I think we agree. We need to get you back again for more of the stories. So thanks again to Brian our host, as well as Bill Crowell our guest. Thanks, Bill.

Bill Crowell:

My pleasure. Thanks.

John Vecchi:

And remember everybody, the IoT Security podcast is brought to you by Phosphorus, the leading provider of proactive full-scope security for the extended internet of things. And until we meet again, I’m John Vecchi.

Brian Contos:

And I’m Brian Contos.

John Vecchi:

See you next time on Phosphorus Radio.

 

Author

Phosphorus Cybersecurity