Hackers, Researchers, and Industry Tackle Security Challenges with IoT Village

John Vecchi:

Hello everyone. You’re listening to the IoT Security Podcast live on Phosphorus Radio. And I’m John Vecchi.

Brian Contos:

And I’m Brian Contos, and we’ve got an amazing guest today. Welcome to the show, Rachael Tubbs.

Rachael Tubbs:

Hey everybody, thanks so much for having me.

Brian Contos:

Well, thanks for being here, Rachael. We just met, I think, within the last couple of months, and we were talking about the IoT Hacking Village at DEF CON, and I was just really fascinated by the conversation.

And John and I were like, “We’ve got to get you on the show just to share some of the stories.” But if you would, maybe you could give some other listeners a little bit of background about you and kind of how you got into the business and got into cyber and kind of your story.

Rachael Tubbs:

Yeah, absolutely. So my background’s actually in psychology, and I’ve always been really interested in understanding what motivates somebody to do something. So after I graduated from college, I went and started working for the US government as a contractor. I was with the Defense Counterintelligence Security Agency, so I was introduced to the cybersecurity realm there.

And then I decided that private sector would probably be a better fit for me, get away from all that red tape, and that’s when I found my job with IoT Village. So IoT Village was founded by a company called Independent Security Evaluators. It’s a security consulting and research firm based out of Baltimore, and I’ve been there just shy of three years now.

Brian Contos:

That’s so cool that I’m wondering, with your education background in psychology and then working for the government, when you’re looking at sort of cybersecurity issues, do you sometimes do that through that lens that gives you a very specific lens that somebody that perhaps came up with a computer science or engineering type background might not?

Rachael Tubbs:

Yeah, I do it every single day. So I’m actually in school right now to get my Ph.D. in forensic psychology, and I spend all day long studying my coworkers who are ethical hackers and trying to figure out what motivates them and why they do what they do every day.

Brian Contos:

Wow. You must be a scary person then to be around the water cooler. When you walking in the room, do they run, or have they gotten used to, “Oh, here’s Rachael. She’s going to profile us again?”

Rachael Tubbs:

They’ve gotten used to it for the most part.

John Vecchi:

Yeah. And Rachael, let’s talk a little bit about the IoT… I mean, it’s incredibly fascinating. It’s one of the reasons Brian and I really… we’re excited to have you today. Can you just talk a little bit about the genesis of that, kind of how it’s changed since joining the charter, some of the things you’re focusing on today and compared to maybe when it first started?

Rachael Tubbs:

Yeah, absolutely. So the whole kind of motto of IoT Village is, “Hack all the things.” We created this space as a way to give back to the security community. Our company, like I said, it’s a security consulting and research firm. So research is something we’re super passionate about, and we created IoT Village as a way to bring researchers and industry together. So the Village was founded back in 2014. At our very first DEF CON, people didn’t even recognize us as a Village.

Okay. I mean, people were literally throwing trash on our table, right, because we were so small. Whereas today, we now have four… we’re four-time black badge village, our CTF is one of the largest at the conference, and we have Village Goons coming into our space first thing in the morning asking if we can open early because the line outside the door is so long it’s becoming a fire code issue. So we’ve done a lot of growth since we first started.

Brian Contos:

Well, you know you’ve made it when you become a fire code issue. That is for sure.

Rachael Tubbs:

Exactly.

Brian Contos:

Especially at DEF CON. So your Village isn’t just limited to DEF CON, right? I mean, you guys are doing other shows all over the world, isn’t that right?

Rachael Tubbs:

Yeah, so we originally were just in person, and of course, with the COVID-19 pandemic, we flip-flopped to virtual, and now we’re a hybrid Village, but we attend domestic and international events all over the world. We’ve been to different conferences in Canada. We’ve been to different conferences out in Europe. We’ve even been to Dubai. So we’ve been everywhere. All at once, it seems sometimes.

Brian Contos:

Yeah. And when I was at BSides in Calgary, I believe, in 2022, you had an IoT Hacking Village there, which was… everybody was there. Nobody was any place else in the event except there. So there’s really a great amount of interest. And I’m wondering, do you find it’s attracting people that are, they’re new to this space? Is it the more elite sort of hackers, if you will, that really have this stuff nailed down? Is it a mix? What kind of people generally come to the Village?

Rachael Tubbs:

So originally, with being a DEF CON Village and kind of holding that notoriety, we were really only attracting your elite hackers. Since the pandemic, we’ve watched our audience expand rapidly, and it’s expanded to a point where we’re not only seeing elite hackers, but we’re seeing high school and college-age students.

We’re seeing people that are trying to switch to a career in cybersecurity. We’re seeing VPs and C-suite individuals that want to better understand what their teams are doing all day long. So it’s really cool how the audience has expanded to kind of cover all sorts of realms of people.

John Vecchi:

That’s incredible. And do you think that… I mean, what is causing that, do you think? I mean, look at IoT in general. We call it xIoT as in kind of the Extended Internet of Things, encompassing traditional enterprise IoT devices, as well as kind of network-connected devices, and of course, all the OTICS stuff.

And you see this every year. We say, from the research we’ve seen, these devices are increasing 18 to 20% every year around the world. So you’ve got those increasing. You have the attack surface increasing. You have various types of attacks, and attack vectors increasing. Do you think those are all contributing to the growth that you’re seeing since you said kind of in COVID, or what do you see as the reason that it’s kind of growing that?

Rachael Tubbs:

I think that is a huge part of it, and I think another part of it is simply accessibility. People have wanted to go to the RSAC and DEF CONs forever, and a lot of people can’t afford to take time off of work, take time away from their families, or even can’t afford the cost of the ticket or the travel. When IoT Village went remote, we wanted to keep our conferences free. So we made a Discord channel. We started our own conference during the pandemic, that was 100% virtual, and we would find ways to get people the information that they needed.

We would help people get certified. We would make our recruiter available, and they would review resumes live on the spot in Discord. We would help people get to RSA and DEF CON in the virtual capacity. And we learned a lot of really cool stories of people who were able to get hired in the industry because they were able to attend a virtual DEF CON or virtual RSA as a result of learning about how accessible IoT Village made the space. I don’t have statistics on this, but I think we’re probably one of the, if not the first, villages to go completely remote back in 2020 and create that environment for the cybersecurity community.

Brian Contos:

Wow, that’s awesome. And it’s so great to hear. I love hearing about high school and college-aged people attending these events. But the fact that somebody attended that and then they were able to parlay that into a job interview or an actual job that’s just amazing. And what a great testament to the strength of what you’re doing.

I’m wondering now because you have done these shows. You’ve done them virtual. You’ve done them physical. Are there any really cool examples of things that people have hacked or different use cases that you can share that just kind of stand out as, “Wow, that was a really cool thing that happened at this event, or the feedback was really positive around this particular scenario?”

Rachael Tubbs:

Yeah, absolutely. So I can tell you that at DEF CON 29, everything was pretty much 100% remote for IoT Village. At DEF CON 29, we had a very, very small in-person component. We pretty much just ransom hands-on hacking labs. I mean, the in-person component of DEF CON that year only had a few thousand people anyway. The virtual space was really where it was at. And IoT Village is known for having a pretty large stage presence at DEF CON.

So we had a massive call for papers because a lot of people had been working on research during the pandemic, and we had a guy who was studying the Amazon Alexas that they were using in hospitals for COVID patients, and he hacked into it in under three minutes. And I mean, that video just absolutely blew up live on our Twitch during that conference. And I tell everybody about it because, God forbid, I have to go to a hospital. I want to make sure there’s not an Alexa in the room after seeing that talk.

Brian Contos:

It’s so interesting to me when you hear about John and I. We talk about xIoT threats and attacks and new trends and stuff all the time. And a lot of it comes down to the fact that these xIoT devices have a lot of shared libraries. There’s a lot of white labeling. There’s not a lot of security development life cycle built in some of the companies and groups that build this tech. So you’re basically going to market with something that was built without that security mindset that we all hope to see.

The exceptions to those tend to be the big companies. The Amazons, the Microsoft, and the Googles, when they develop something, they have 10,000 people dedicated to the launch of a product as opposed to some farming company that hired three contractors for two weeks to IOTI some type of device. So when you hear that a product like an Alexa, or any… and not to pick on them, but any type of product in this space that’s built by an organization that pretty much they get security, they make mistakes like everybody else, but they get it. They invest in it.

But even still then a dedicated hacker that’s focused on a device like this within your example, just a few minutes is able to compromise it. And then you start to think of, “Well, what about the other 50 billion devices out there that again are built with this very limited security mindset?” Boy, it really paints a pretty bleak picture-

Rachael Tubbs:

It does.

Brian Contos:

… of IoT out there-

John Vecchi:

Yep.

Brian Contos:

… I think, doesn’t it?

Rachael Tubbs:

It does.

Brian Contos:

Now, when somebody comes into the IoT Village, what’s the experience like? Are there different vendors and booths and tabletops set up, and they can kind of bring their laptop and try to hack a device or Capture the Flag? Or what’s the interaction like for an attendee?

Rachael Tubbs:

Yeah. So for something like DEF CON, we try to bring in as much content as possible. Our goal at a conference like DEF CON is, at the end of the day, you are walking out of our space with a new type of knowledge, a new connection, anything that’s going to help you further your hobby or your career. So we offer a wide range of activities. We offer everything from info sessions to learn how to break through and get hired in this industry all the way to our four-time black badge capture the flag hacking contest.

And then in between we have activities. We have our hands-on hacking playground, so that’s a series of labs that are designed at the 101 level to be completely self-guided but we also have instructors on site. I mean, I don’t have a technical background, and I’m able to successfully walk through those labs. We also have our hack along.

So that is a activity that was designed to have a little bit more of a classroom feel to it where people can come into our space and literally hack along with the IoT Village instructors. And they can learn how to identify over 40 different vulnerabilities through that exercise. And then we also like to have wacky and weird devices. At DEF CON this past year, we had a drone. We’ve had medical beds in our space before. I can confirm. At DEF CON this year, we’re going to have a toilet that our team just hacked into. So we like to bring weird stuff wherever we go.

Brian Contos:

What? That’s awesome.

Rachael Tubbs:

Yeah. [inaudible 00:13:40]-

Brian Contos:

Wasn’t there like a fire control issue or something you had have around-

John Vecchi:

Yeah.

Brian Contos:

… the drone? Yeah.

John Vecchi:

Yeah.

Rachael Tubbs:

Yes. The Caesars Forum did require us to bring a fireproof [inaudible 00:13:50].

John Vecchi:

Oh my gosh. That is crazy. That’s crazy. And as far as the Capture of the Flag, it’s kind of fascinating. Can you talk a little bit about what those tend to be? What makes an effective Capture the Flag kind of exercise? What types of devices do you typically see there? And anything exciting you see from a CTF perspective as you look at some of the shows upcoming?

Rachael Tubbs:

Yeah. So the IoT Village CTF is essentially a network of off-the-shelf IoT devices. So our DEF CON CTF in 2022 had over 50 devices in it. Those devices have known vulnerabilities, but in order for an-

John Vecchi:

Wow.

Rachael Tubbs:

… attendee to be able to successfully exploit those devices, they’re going to need certain skills like lateral thinking. They’re going to have to have knowledge of networking, and they’re going to want to have some level of competency and exploit development. So part of the success of a CTF comes from the willingness of the attendee to compete and bring those skills to the table, but for us to build a tough network and just really get in and give people a space where they can test their skills.

Brian Contos:

Yeah, I think when I look at these, Capture the Flags that are successful, I love the fact that you have some that are walking people through it step by step because it’s very gratifying, I think, for people, especially early on in security to say, “Okay, well, I’ve identified a vulnerability, but I’m not 100% sure what to do next. How do I actually exploit that vulnerability?”

And whether it’s developing that vulnerability or going to Exploit-DB or some other source or some other mechanism figuring out how to exploit. That’s a new process to a lot of people. And that’s a gap that a lot of people just don’t cross in security. And what I [inaudible 00:15:45] to, I don’t know why, but skateboarding. It’s like once somebody figures out how to ollie, there’s a whole world of tricks that they can do beyond that. But until they get to that point, they’re kind of limited.

And that’s kind of like that ollie. It’s like that basic foundational skillset, right, of being able to say, “Okay, here’s a vulnerability, and this is how you can leverage an Exploit to go after that.” And that opens up a whole world for these folks. So that’s really cool that there’s all those levels at that Village to be able to pursue that because it’s not just the elites of the elites. You’ve got some people that are starting off.

So I think that’s fantastic, and we’re really excited to, of course, be working on Capture the Flags these days as well. We’ve started building one for an event that we’re doing that has a robotic arm, and it’s basically this robotic arm that could do any number of things. It can paint things. It can cut things. It can grind things. It can poke things. It can crush things. And it’s about the size of a German Shepherd, and it weighs about 300 pounds. So that’s probably the best way to [inaudible 00:16:47].

Rachael Tubbs:

Holy cow.

Brian Contos:

It’s this big yellow mechanical arm. Yeah.

John Vecchi:

Yeah.

Brian Contos:

And it’s really cool. And the way you set it up, it’s got all these different set points and different angles, and it takes a while to get used to it, but at the end of the day, you can interact with it potentially just through a direct web server, which could be hacked. And then there’s like PLCs from WAG, Rockwell, and Siemens where you can go that route through more OT connections as well, but they can actually operate more independently.

And just the wow factor people see when, “Look, I changed it from touching a Coke can to actually crushing a Coke can into the ground and grinding it into the carpet,” which is really, really fun to watch. It’s such a eye-opening moment. And you see people. I don’t know if… just they’re like, “Wow, this becomes real at this point, and this might be in a career I want to go after now, or this might be something I’d really like to focus on.”

It’s so much more tangible. And that’s what I love about the IoT side of the house because, to your point earlier, it is a thing, and I think that that’s drawing so many people to this. It’s not as ethereal, if you will, as some of these other things that it might hack. It’s actually right there, and I’m watching it doing something maybe that shouldn’t be doing. Are you kind of seeing those aha moments with people who are like, “Ugh, this is so cool?”

Rachael Tubbs:

Yeah, we had one at DEF CON this past year. We included the emergency alert system in our CTF. We had the person that brought that to us. We had to contact the Department of Homeland Security the week before, and they had to patch the vulnerability before we put it in the CTF.

But people were just freaking out every time they got the device to send out a message within our Village that said, “Welcome to IoT Village” or something like that. It was really awesome watching the reactions on people’s faces as they were able to have fun with that.

John Vecchi:

Wow, wow. It is so fascinating. And so, as you look forward, Rachael, what are some of the things that are exciting you the most as you think of some of the shows upcoming and some of the things you’re doing? I mean, what to you is really exciting as you look ahead with what you’re doing.

Rachael Tubbs:

Yeah. So aside from DEF CON, RSA is our other biggest event of the year. So we will be there in April, and we are going to be unveiling a brand new Bluetooth low-energy lab that we are just stoked about.

And then, on the other side of the house, we are going to be having devices commonly found within the home, such as a toilet. And we are going to set up stations to let people learn about the dangers of IoT devices in their houses.

Brian Contos:

So let me ask, what does an IoT toilet do exactly?

Rachael Tubbs:

It lights up and it warms up.

Brian Contos:

Okay. Is there like a little chemistry [inaudible 00:19:44] saying, “Oh, you’re not eating enough bran.” I don’t know. I’m like, how advanced are these toilets, and what are they doing?

Rachael Tubbs:

Personally, I don’t understand why this exists, but one of my engineers wanted it, so I bought it for him, and he hacked into it into a couple of days. So I’m taking it to RSA with us.

Brian Contos:

That’s so funny.

John Vecchi:

Yeah. Yeah. I actually remember, Brian, I think, we heard rumors of an exploit or a hack. I think obviously these toilets are very popular in Asia and in Japan and others. And there was some attack that happened where they turned all the bidets on of the toilets, which potentially flooded someplace. I remember hearing there’s a hacking group that did something like that to have some fun. So I think that’s an example of one of those devices, Rachael, that people are going to have a lot of fun with, I think.

Rachael Tubbs:

Yeah. And that’s really what it’s all about at the end of the day in the Village. We want to create engaging and memorable experiences that just so happen to also be educational. So if we can provide a really fun or unique device that draws a crowd and people walk away with some new IoT knowledge at the end of the day, that’s really all we can ask for.

Brian Contos:

Yeah. Well, Rachael, as we wrap up here, and this has really been fascinating, and I think a lot of our listeners are going to be interested in attending these events. Where can they find out more about these villages? And is there a website, or should they follow you on Twitter? What’s the best place to get the latest and greatest info?

Rachael Tubbs:

Yeah, so you can follow us on Twitter and LinkedIn at IoT Village, or you can check out iotvillage.org for our current events schedule, information about upcoming content, past talks, pretty much anything you could possibly want for IoT Village.

John Vecchi:

Awesome, Rachael. And it was so fantastic to have you, and we look so forward to working with you guys as you look ahead this year. We’re really excited about it, and we can’t thank you enough for joining us today.

Rachael Tubbs:

Yeah, thanks for having me. And if you want to test out that robot arm a little bit more, feel free to bring it to Vegas.

Brian Contos:

Yeah, we just might do that actually. It’s not the easiest thing to move, but it is really fun to play with, so we’re going to bring some fun stuff with us, and hopefully, we can figure out a way to get that with us as well.

Rachael Tubbs:

Yeah, awesome. We look forward to it.

John Vecchi:

And no better place to bring a robot than to Vegas, and so we look forward to that. And again, thanks to my co-host, Brian, and to our very special guest today, Rachael Tubbs. Thank you so much, everyone. And remember, the IoT Security Podcast is brought to you by Phosphorus, the leading provider of proactive full-scope security for the Extended Internet of Things. And until we all meet again, I’m John Vecchi.

Brian Contos:

And I’m Brian Contos.

John Vecchi:

And we’ll see you next time on Phosphorus Radio.