Part I: IoT Devices, Data, and Exploitation

In this series, our guests address critical factors when purchasing monitoring devices, securely storing, moving, and using the collected data that is exponentially accumulating, and how to mitigate the exploitation of these systems.

Matthew D Edwards
August 25, 2020

Enabling Better Health Care & Senior Care Outcomes with Technology

This series focuses on how the health care and senior care industries are enabling more autonomous living opportunities for all ages while improving and expanding care in face of the exponential growth of the senior population. These industries face labor shortages and a strain on existing systems that must evolve and scale while meeting information security and privacy requirements.

Our first episode in the series addresses critical factors when purchasing monitoring devices, securely storing, moving, and using the collected data that is exponentially accumulating, and how to mitigate the exploitation of these systems.

About Our Guests

Xavier D. Johnson is the Founder of Enterprise Offensive Security in Detroit, Mich. He also serves as a Secondary Cybersecurity Instructor at the University of Michigan, the Director of #MISEC, a Founding Organizer of DEFCON Group for Detroit, Show Host on How They Got Hacked, and Founder of Red Team Clothing.

Nicholas Starke is a highly skilled security researcher and penetration tester focusing on Internet of Things (IoT) security evaluations. Nick's primary area of interest within IoT is networking equipment, ranging from Small office / Home office routing equipment all the way to carrier grade/ISP equipment – and everything in between. Right now he is focused on enterprise-grade networking devices as part of his role as a Threat Researcher at Aruba Networks, a Hewlett Packard Enterprise company.

Read the Transcript

01:00 Matthew D. Edwards: Hello and welcome to the inaugural episode of Long Way Around the Barn. Today, we are starting a series focused on remote monitoring, management, security and privacy in the senior living industry. In today's session, we will discuss IoT devices, data, and exploitation. Very simply put, what do you need to know to purchase, implement and manage remote monitoring devices? How do you securely store, move and use the collected data? And how do you mitigate the exploitation of these systems by external actors. My guests include Nick Starke, a threat researcher at Aruba, a Hewlett Packard company, and Xavier Johnson, a full-time ethical hacker and part-time cyber security instructor at the University of Michigan. Welcome, gentlemen.

01:50 Xavier Johnson: Thank you for having me.

01:51 Nicholas Starke: Thank you.

01:54 Matthew D. Edwards: For a senior living community interested in adopting some of the the newest connected remote monitoring technology that exists, what do you believe are some of the most important things leaders of senior living communities must consider when they're purchasing, implementing and using connected devices in their communities and networks? For example, remote vital monitoring, daily activity monitoring, geographical movement mapping, predictive analytics and contact tracing. What do you think are some of the considerations that folks should review as it relates to hardware, network, Cloud platforms, data collection, use? Xavier, what are your thoughts on this?

02:29 Xavier Johnson: First thing that comes to my mind, privacy. The considerations of maybe where you sourcing data, excuse me, the actual hardware that this data is flowing on to, where else could it be going to? If we're dealing with a piece of hardware that has a system on the chip, how easy is it to update the firmware on that specific device? What is the life cycle of that? And what's the management of it? How much of a pivot… Much of a pigeon hole does it put you in? If you deploy it, do you get stuck with one particular vendor? Using one specific stack? I don't wanna name and shame, but we all know those environments where when you go to go replace the one thing, you gotta replace the whole thing unless you're gonna continue to go on the life cycle, and eventually they'll upsell you on replacing the whole thing. When we're talking about assisted living, and we're talking about devices that are supposed to be there to help offset the load and to load balance and to create a higher quality, we still have to make sure that we're doing right by way of privacy and assuring that there are ways to maintain and update these devices.

03:49 Matthew D. Edwards: Good call. So privacy number one, and then also making sure that we don't put ourselves in the corner such that we're not able to change, or that when we do want to change, we don't end up having unplanned costs and complexity along the way. That's a good call. Nick Stark. Mr. Stark, what are your thoughts on that?

04:11 Nicholas Starke: Vendor lock-in is definitely an issue you wanna consider. The adoption of open standards with whatever communication protocols are implemented in the devices that will allow you to build on top of whatever you've deployed quite easily, as long as they're not using proprietary protocols and things of that nature. In addition to privacy, I would say security is a big issue too, because of privacy. Because there is sensitive data being collected and stored, you wanna make sure that no one who is unauthorized gets access to that data while still maintaining the people who do have authorization, that they can still have access to it. So it's balancing those two things.

04:57 Matthew D. Edwards: That's a good call. So making sure that we're balancing privacy and security. From your perspective or from your experiences, Nick, in different organizations, have you found that people undervalue or overlook or just assume the relationship of permissions and access with devices? In other words, have you seen through time that people are most excited to plug things in and least excited to think about how to secure them?

05:32 Nicholas Starke: Yes, so I think there's the issue of, you get a new IoT device and you plug it in. It's the configuration of it, right? Not only just the device with the network that it sits on and everything, and I see a lot of times that the amount of configuration needed isn't performed, and that results in security holes, exploitation vectors that open up, the device itself probably needs to be configured in some manner, and so does the network it sits on. So there's two different levels of configuration that you need to do, and a lot of times I don't see end users performing the amount of configuration that they need to perform in order to keep the devices safe and the data safe, and provide that level of privacy that is expected.

06:16 Matthew D. Edwards: Right. Okay, so there needs to be a plan. It's just that simple. There needs to be a plan for the device, there needs to be a plan for the device ecosystem, in other words, one or more devices, and possibly spanning multiple vendors. And there for sure has to be a plan for the network, the network configuration, the device configuration, the security around it and the privacy. So this isn't so simple as someone at an organization going and making a bulk purchase from Best Buy or some other store and plugging it in and everything rocks and rolls, but there needs to be a plan for what problem do you wanna solve? There needs to be a plan for the device, even the firmware, as you brought up, Xavier. So it sounds like there needs to be a lot of forethought, is the summary, there needs to be a plan.

07:11 Xavier Johnson: Certainly, and you know what else, Matthew, I'd like to toss in there, there needs to be room for innovation and room to play. And I think that as a security person within a company, as security engineer, we often are saying, "Hey, you cannot do this. Thou shall not." And us as testers when we come in and we do our scans and we do our thing, and we reinforce why you shouldn't, but I think there's room for us to all play nice together, and figure out a place on the network where we can go out and vet these things. Where we get ahead of some of these problems. Maybe we start to think about our networks the same way that marketing thinks about campaigns, and start to have more of an A/B environment beyond just prod-dev, like, "Hey, we wanna try something out, let's low balance some of our more stable users, our younger users in this case, that may take less attention over to something that may have a higher risk and reliability, but has all of these other features." And I know we're talking about lives here, so you have to be careful, but what I've noticed in healthcare, especially in the smaller clinics, as a tester, you find these doctors, they run the show at these clinics, and so they plug whatever they want into the switch, when you're not around as a system admin.

08:38 Xavier Johnson: So this is just a toy, this is the latest thing that they got on the show room floor at a trade show, and sometimes they forget it's plugged in. Sometimes they don't change the default passwords. Most times they don't, and it could be a week, it could be any given… It could be moments. You're talking about the potential to compromise. So it's something that, there's multiple angles that you got a plan for, you don't wanna put people in a box and then make them go stir crazy so that they just do outlandish things without your permission. You wanna have a process in place so they can actually feel empowered when they hit the trade show floor to ask the right questions like, "Hey, I'm gonna take this to my team and they'd gonna put this in our special network, what do you want to let me know before I do that? What should I know?"

09:27 Matthew D. Edwards: That makes sense.

09:29 Nicholas Starke: I wanted to speak to something that Xavier just mentioned. An important part of this is how you build and validate the configuration that you're building, the system that you're building. I think external validation is gonna be really important, getting… Not only just checking all the check boxes on the compliance side, but performing security audits, penetration tests, things like that, of these deployed networks beyond what the manufacturer is doing on the manufacturer side, they need to be doing the same thing, and that should be a question that you ask as you're potentially gearing up the purchase system like this, is, do you have a software bill materials? Do you perform regular penetration tests? Do you adhere to the compliance regulations around HIPAA for protecting health data? And what do you do to meet those compliance standards? These are all questions you should ask going into going into purchasing a system like this.

10:40 Matthew D. Edwards: That makes sense. So just again, it comes back to, I'm sure that we're not touching the depth and breadth of the things that you guys have seen and regularly test, but the net of the conversation so far is, know a problem you wanna solve, have a plan, and then figure out how to make sure you can evolve. Test and evolve and not get boxed in, privacy and security have to be done on purpose, they don't accidentally come with the device when you take it out of the box. Alright, those are fun conversations, and that then spans across to everything where the hardware, the network, the Cloud. And the data collection in particular is a big deal. So for example, with the idea of Geofencing, organizations that are interested in Geofencing are looking for ways to identify where are all of my staff? My healthcare worker staff. And putting in place ideas that says, "If this part of the building, then these conditions. Else this part of the building, then these conditions." And so on. So behavior driven, Geofencing if you will. Similarly though, there are understandably some parts of the building where our elders, our family members should be in the senior living communities and some that are probably off-limits, dependent upon. I'm sure they wouldn't wanna turn me loose in one of these buildings.

12:12 Matthew D. Edwards: They would have to tell me, "Matthew, you stay on this side of the building. Please and thank you." But they are leveraging Geofencing to understand where people are and where they should be. Also leveraging, there are some interesting new technologies that are monitoring your location in the building. But in relation to your activities, in other words, how many times have you been to the sink to get water? And/or have you taken your medicines? And/or your times that you've taken for personal time, if you will, in the restroom. And so monitoring all of these things, not because there's an interest in knowing your details, but rather enabling autonomy is the goal, enabling autonomy. But it means we're collecting data on everything all day, every day for all of our elders or family members, as well as all of our health care workers. In this world where there are so many devices collecting so much of that data on so many people, we're gonna just have a lot of data. What are your thoughts? How do you guys react to that? Nick, will you start us out on that? How do you react to that many devices for that many people with that much data? What do we do about that? How does a person in charge of a senior living community make sure they're doing right by the healthcare workers and doing right by the elders or our family members? And they stay within the law, but still add value?

13:46 Nicholas Starke: My first thought is, protect that data, you have got to do everything within your disposal to protect that data. But at the same time, you need to allow people who are authorized, access to it. From a security perspective, you need to have good access controls surrounding that whole database, if you will, the collection of data that you're siphoning up from the devices, there needs to be auditable, discernible access control lists that determine who has access to it and who doesn't. Another problem you're gonna run into is just the amount of data, with all these devices collecting all this data all the time, you're gonna just have… Terabytes and terabytes, if not petabytes of data. So you need a place to store all that, that will scale, because if you don't have that, all of a sudden your devices will not be able to send data to your central system and you have an availability problem. So the ability to scale is going to be very important, even just from a security perspective, not taking into consideration the business value of being able to scale.

15:04 Nicholas Starke: I think maintaining Cloud platforms for your stuff is a good way of meeting that scale, the Cloud engineering stuff is built so that you can scale it out to millions of users collecting all this data at once… And it's much more difficult to do that on-premise, so I would definitely look into Cloud options.

15:32 Matthew D. Edwards: Okay, that's a good call out. Xavier, what are your thoughts on the volume of data? And the method of collecting, managing, securing. What are your thoughts on the Cloud stuff that Nick was just offering up as well?

15:48 Xavier Johnson: So we talk about the data lake, as it's called. There are a couple approaches you could take to it, and I've been involved with both of them, at least two of them. One of which is the on-premise method. This is gonna require you to have military grade security, encryption, up-time. If your housing secrets there that are military grade, it makes sense to do that. I've been lucky enough to work for some smart people that solve some hard problems that keep us safe, and I've been able to work in startups where things move faster and you grow on demand. Where the growth looks like a hockey stick, and sometimes you do things that are maybe short-sighted, but to get the job done, and so we wanna make sure is with both of these approaches, be it if we move fast or if we want to roll our own and move really slow. The things that we want to do is as very fundamental, keep people away from the data.

16:55 Xavier Johnson: Humans and data just don't mix, so that means a lot of controls right there, we're talking five to seven layers of controls from access on the physical layer, access in the digital world, encryption, the amounts of keys that it will take to actually decrypt any one piece of information and the separation of those keys over people, over a number of people. So you treat your data like you would a nuclear missile, it is that level of important to you when you're talking about if someone's brushed their teeth, or if someone's taken their medicine. These are very, very intimate things that are otherwise not captured or even captureable without some of these endpoints.

17:44 Xavier Johnson: And so you have a huge responsibility no matter which way you take it. And I would say that with regard to Cloud and the adoption of Cloud. One fundamental on Cloud is encrypt everything. Just encrypt everything. I forget the actual saying, something like, "Dance like everyone's watching, encrypt like no one is." Or something like that. Or the inverse, dance like no one's watching, encrypt like everyone is. Because they are. And so even on your local environment, that last mile, I find a lot of people will encrypt up to that point, then it'll be on the private network and they're like, "Oh okay, cool." Because it costs so much to do encryption, "Cost." We'll just plain text it until it makes it to the database where everything is encrypted by default on the disk, and that's where people like me actually go to go look with our Wireshark to get all of the free and clear packets. So take the time, be meticulous and create what…

18:45 Xavier Johnson: In the Cloud we call it defense in-depth, so putting multiple layers of defenses that are available, be it encryption, again, digital access control, physical access control, and there are ways to be able to create these layers in front of whatever it is that you're guarding, the Cloud makes it really, really easy to do that, but at the expense of capital. So both of these solutions end up costing you money at the end. It comes down to how much data you have, what level of secrecy that data has, and how complex the systems are. How old your systems are that are already existing, because if we're talking about somebody like ADT, which could very well get into this business because they're already into monitoring and security, they may have a standard data lake, they may not have anything in the Cloud, or they could just scale on demand like this. So I feel for the CTOs and CISOs that have to solve exactly what to do with this level of data, because we thought social media was gonna generate a lot of data. This is gonna generate a lot of data, this and combined with mobility, 'cause this is kind of extension of mobility in my mind, this is the medical end of mobility, keeping our elders self-sufficient longer keeping an eye on them without being overly involved with them. I think that that'll create data that we've never had to house, or seen.

20:17 Matthew D. Edwards: That's a good call. So the Cloud conversation, so the capacity to store… That's a big deal, because the volume of data is just ridiculous.

20:28 Xavier Johnson: I'm almost giddy about how much it is.


20:31 Matthew D. Edwards: But the capacity to store then to your point earlier as well, Nick, is availability. As the data surges or as it just increases, you need to be able to recognize it, and capture it and contain it.

20:46 Nicholas Starke: And act on it.

20:48 Matthew D. Edwards: And act on it, absolutely. So there has to be a plan when it goes back again to having a plan on purpose, there has to be a plan to know where it's coming from, to be able to handle it, to be able to store it. And then to your point, it has to be secured, to both of your points, it has to be secured is just a non-negotiable. And in particular, healthcare, therefore HIPAA, and in some cases HITRUST, and there may be some additional considerations that if they don't currently exist today, they will need to exist. For example, when you consider state-by-state privacy laws, and then an elder or a senior family member and/or someone else in the family says, "I wanna know all of the data that you have on my dad. Now I want I want you to remove it." I wonder if that's come up yet? And if that's where that's heading, you absolutely must have a plan for the data, or that is gonna be a miserable and a horrible experience to figure out, what data do we have? And where is it? Now, how do I extricate it from my large, large vault of data. Have you guys had those opportunities yet or to look at, "My gosh, how do I get that needle out of the haystack from the privacy laws?"

22:09 Xavier Johnson: Not State side, but GDPR hit everyone in the product market in the mouth, square in the mouth. I worked at a company called DynaTrace a few years ago, and we had a large number of people in Europe that use our product. The users of our private data actually gets collected as well, so we had to figure out a way to actually go in and literally find the needle in a haystack, and that goes back beyond any data that's even just live, that's all of copies of that data, there is literally no one blanketed way to solve that problem, it will really come down to data classification, and I know that's an umbrella term, but whatever that means for your organization, some people are small and nimble and they could potentially have a separate database for all of those users with different web endpoints where they house things in different regions thanks to the Cloud, and completely separate out those types of users. But when you talk about state level, that becomes much, much more difficult.

23:22 Matthew D. Edwards: That makes sense, GDPR. So a lot of these communities that we're talking about right now may actually be domestic US, and they may have extensions down into Canada or Mexico, for example, but it could very well be that some of these organizations have international footprints outside this particular continent. Those are good considerations, good call out.

23:46 Xavier Johnson: And even if you look at New York and California, the way that they're moving with their data privacy laws. They're gonna have state level versions of GDPR, very soon, if not this decade… I can't imagine it not happening this decade actually, it will be a problem that we have to solve as a community on the domestic level of data classification. And it's a good problem to solve, a lot of people who get into HIPAA compliance should already have a strong data classification program because of… It's not a requirement, but that's something, that's a huge consideration that I'll be honest with you, I didn't even think about.

24:27 Matthew D. Edwards: That's a good one though. So the net on this conversation on data, guys, I think what I've understood for you is, understand your points of origin, understand your traffic and demand capability, have the ability to receive it and store it and encrypt everything, encrypt everything. But then on the tail of that, you have to have the ability to honor and obey, be compliant with, if you will, privacy laws along the way, which is, "Hey, I know it's encrypted, I know you have all the stuff on my dad. Now, I want you to show me what you have, now I want you to remove it please." And so state by state privacy laws, big deal. So if you're an organization that has different types of data, you need a data classification plan, and if you're an organization that has different types of data in different states, it's even more important to have a data classification plan. So this is no plug and play job, this is not order 50 IoT devices from company 12, plug them into the net and I'm a rock star, and now I have marketing materials. There needs to be a plan or you're gonna be in the paper for all the wrong reasons.

25:39 Matthew D. Edwards: So in terms of being in the paper for all the wrong reasons, let's talk about exploitation. Nick, from your perspective on the work that you do nowadays, your responsibility is to see attack vectors, and assess the quality of a solution that's being proposed, assess the method of securing and attacking it and destroying it. And similarly, Xavier, your responsibility among other things is, you're hired to just go into various situations, and ethically and responsibly and above board, take it down. So I have questions for both of you, and I'd love to hear from both of you guys on this, but Nick, would you start us off on exploitation of the systems, if you were responsible to go into any of these senior living communities who've recently adopted and implemented large Internet of Things device networks, or remote monitoring networks, if you will, managing geofencing and personal data, and all of that. And your responsibility was to prove to them, "Hey, this is secure, or is not secure, and here's how it's not secure." Where would you be inclined to start?

27:00 Nicholas Starke: Sure. So, I think the logical place to start in this type of assessment is to define a threat model, right? Define all the attack vectors that could be used against whatever system you're evaluating, and then just go through each one of those, and see if you can attack it in that manner. So, securing IoT devices is more difficult than securing regular systems. A lot of times, because less protections are built in place to the IoT device, whether it be because the manufacturer didn't spend enough money to build security into it, or there was problems along the assembly.

27:39 Nicholas Starke: So, with the addition of more security problems, you're gonna have more attack surface, and there's gonna be more ways to attack these devices. I would start by individually looking at the devices that are on the network, or attached to the hub, if you will, and just try my normal tools, to see if I can get into them. One of the things I wanna call out here, part of the threat model is going to include the patients themselves, right? You know, whether they don't wanna be tracked, and they break the device on their own, or they try to get into it to manipulate the data that goes over the wire. The patients themselves are going to be part of the threat model, part of the attack surface that is part of the system.

28:34 Matthew D. Edwards: That makes sense. I hadn't considered that. So when you're considering all of the different ways to penetrate or manipulate the system, it needs to be all devices or all points of origin, and some of those points of origin are actually our elders, or parents, or our family members themselves. Not because, perhaps, most of them desire to do bad things, but rather they might not favor the circumstance, and have some particular opinions, and that could compromise the data, or the equipment. I can certainly see myself doing things just to mess with data analytics people, and making repetitive trips to illogical places, just to create heat maps that don't make any sense. I think that'd be hilarious.

29:17 Nicholas Starke: Or that could be accidental too. That could be a factor, as well.

30:21 Matthew D. Edwards: Sure. That's a real good call out, is, the threat model has to exist, and that threat model has to include all points of contact. It doesn't mean you're labeling granddad as a bad guy, but you have to consider granddad as a point of origin for data. Therefore, how do we make sure it's good data and secure data? I hadn't thought of that one. Xavier, if you were to walk into the situation and your responsibility was to prove, or disprove, or enable more secure solutioning, what do you consider to be some interesting approach points?

30:03 Xavier Johnson: I love Internet of things. Internet of Things is, in my mind, mobility, right? It allows us to be able to stay highly mobile, and collect different things from other things. And there is a entire network that we… It's a new network, that we have never really seen before, so much so that we've had to make new IP addresses for them. And we're on the very front edge of this. And so, for IoT, I would attack it like I would every other high-mobility system, Radio? So, there's gonna have to be some kind of GPS, if not cellular, if not Bluetooth, if not Wi-Fi. Because you're not gonna run miles and miles of copper, right? So, radio. So, I will probably start there. And then, if I was able to get a foothold, let's say, from radio, I would see if there was a way for me to send endpoint to endpoint communications, because there're probably a whole another layer of SD Care API communications that only could happen on that route, machine to machine. So then, you have the potential for a worm, over wireless. And then, if I wanted to attack it from, let's say, the server side, well, I know hardware folks aren't the best at software, and software folks aren't the best at hardware. And so, being able to…

31:37 Matthew D. Edwards: They would all disagree with you, in all of the directions, right now.


31:37 Xavier Johnson: Love IoT.


31:38 Xavier Johnson: So, we're talking about potentially having… Most likely, having RESTful endpoints that have some type of authentication, most likely OAuth or SAML. Things that we see and that we know, right? And that we know how it could be misconfigured, and we're trying to, from the server side, trick… Send commands to endpoints, right? So, there's this wireless side, there's this management API angle, there's this machine-to-machine angle. And then, my end goal is… If I'm proving the point, and this is a controlled environment, because I would never want to do this in real life, I would try and demonstrate how ransomware would work… Kind of a ransomware worm, I get one endpoint from a mile away, using my radio. I get one endpoint a mile away, and that thing is a worm, and it goes into a community that may have three or four different systems, and compromise all of those systems, using just one rogue trojan.

32:45 Xavier Johnson: These are things that we have to think about, because we're putting a lot of compute, potentially, into a bracelet, necklace. We're already carrying them around in our pocket… And we have to treat it the same way, because if I can send bad packets over cellular, just to mobile phones, we have the same risk. So, we've seen these problems, and we know how to address them. But these are the things that I would test for, to make sure that they have been addressed, because most of the time, the things that I test, it's not like they're zero days, they're often 900 and some odd days.

33:21 Matthew D. Edwards: So you mentioned earlier endpoints, so the idea of endpoint security may or may not be something that all of the technology shops and CTOs, CISOs, and senior living communities are aware of, if they haven't had to play with an API-driven platform or Cloud solution, can you expound a little bit on that as well, and as well as you, Nick, as it relates to if IoT and then platforms or Cloud ecosystems or endpoints, what does that mean to them? How are they gonna make use of it? And some of the implications it sounds like it's an attack vector?

34:04 Xavier Johnson: I'd say agents, agents are our current way to approach endpoint security, having an agent on the endpoint, it's gonna create overhead always, so that'll need to go into the spec, maybe this agent is maintained by the actual provider of the hardware, as kind of a selling point, I'm not 100% sure. These are just ideals. But I would say that that's the current day way to approach it, I think the next gen way to approach it would be more potentially agent and combined with something that looks at the network traffic, something that happens upstream to actually block known bad activities on the network level or activities that aren't white listed. If you know that this thing is only supposed to do one of 100 interactions, the moment it gets action 101, smack it down and say, "Hey, do you know that this is happening? Is this something that you wanna add as an action?" Because those protections upstream are probably gonna be what allows for these endpoints to not just continuously get dossed and knocked offline. 'Cause at a point we're dealing with small bit compute up against a world of hurt. Also segmentation and having these things away from the public where they could potentially be tampered with to begin with. And start there, too.

35:32 Matthew D. Edwards: I think that we're probably talking about a platform-based conversation, one main platform, one platform, very many different vendors, vendor classes, device classes, all of that, is probably its own deep and wide conversation, and we're just glossing over the top of it to say, "Hey, it's a thing, you need to know about the thing." But Nick what are your thoughts on that in terms of implementing Clouds and platforms and all of these endpoints, it looks like a giant bowl of spaghetti.

36:03 Nicholas Starke: Sure, so I don't know too much about endpoint security, but I'll talk about a few things I do know. One is, you're gonna want to purchase a solution from a vendor, I don't know which vendor is the best this week, but there's a lot of vendors in this space and you're gonna wanna go with one of them, you're not gonna wanna try to roll your own. The other thing I know is that you're going to need a person to manage that solution, basically as a full-time job, if not a whole team of people to manage it, depending on how large the network is. So there's personnel involved in rolling out an endpoint protection solution. Really, that's all I know about it. So I'll…

36:48 Matthew D. Edwards: But part of what I think you're suggesting is that the Cloud platform itself is its own conversation. And so if you're gonna have, more or less you're saying, you can roll your own, but why? It makes more sense to go find ecosystems that already exist and put those together, I think is where you're heading, as opposed to let me custom wrap all of the things on my own.

37:18 Xavier Johnson: It'd be nice if it was open source, so that when I get bored, I can go play with it as an attacker, I can think about it as a DevOps guy, think about it as a system admin, I can think about it as a software engineer, so I can make it better more than likely, but if you black box it, then I have to go through HR, I don't wanna go through HR. So if we can move some of this stuff that's gonna matter to us in the future, because let's be real, we will have this technology while we're still young and able. Let's make sure that we formed the right mentality, let's not just make it a black box, let's try and get this as open as possible so that we know that our grandkids and great grandkids are doing right by us, hopefully.


38:12 Matthew D. Edwards: Did you have anything you'd like to add on top of that Nick?

38:17 Nicholas Starke: In my experience, yeah, open source is such a great way to go, but I have this conflicting idea in my mind that when it comes to the actual devices that are being deployed to our elders, I almost wanna say, lock down that firmware that goes on those devices don't make that open source. Don't even make that public. Make that very, very hard to come by. I think that from my perspective, if I can get access to the firmware of a device, I can get into the device. So I think firmware security is a very, very important topic when it comes to discussing the security of the actual device, and it's not so much on the Cloud platform, but the devices themselves. And I know that flies in the face of the idea of open source, I don't really have a way of reconciling that cognitive dissonance there, it's just, in my experience, that's been a big attack vector.

39:18 Matthew D. Edwards: That's your job though, from your perspective, if you can get the firmware it's over.

39:21 Xavier Johnson: And I'll be honest Nicolas, I'm probably still gonna get the firmware.

39:28 Nicholas Starke: Yeah, that's true. Even if you don't have it on a website somewhere, you can always desolder it, the eMMC chip off the board and dub it there.

39:36 Xavier Johnson: I would probably do the logic analyzer route talking to ones and zeros, get really ugly looking code and assemble a really ugly looking C. But you know what'll stay the same? That API key. So it makes sense to… That upstream, no matter what, that Cloud platform, that platform that we're talking about has to be hardened, has to be prepared for that kind of attack, as to make it harder for me and not just, "Oh yes, a key." Has to have something else too, something that's only generated at boot that I have to literally tap into the boot sequence of the device to go and steal the key, and it's new every time. Has to be something that's outer world for to be truly secure on the endpoint level, so it will have to happen on a layered approach, it will have to happen at the network. It will have every layer of the OSI model basically. There will have to be some kind of account for this, otherwise, I'll be honest, I'm uncomfortable if we don't at least get seven of those controls in there.

40:43 Matthew D. Edwards: Fair enough. Well if you would, I quite enjoyed this conversation with you gentlemen, and I very much value you taking the time out of your schedules to talk with this about these things. We think that the senior living community in particular, as are very many other industries they're at the front end of adopting Internet of Things technology devices, and the devices have matured very, very much through the years, predictive analytics predicting a fall is a very big deal, but in order to predict a fall, there must be gate analysis, to have gate analysis there must be data, to be data there has to be full-time collection so that only through time can you understand patterns, and then predict variances from those patterns. And that's the only one example of the inclusion of this technology in the senior living community. Now multiply that by every room in a senior living community, in every building, on every floor for every resident, and now add multiple layers of other devices over the top. If you'd allow me, and some of the summary ideas that I believe that we've talked about today, and I think brings us to good close in this conversation so far: Is you need to have a plan.

42:06 Matthew D. Edwards: If you are an administrator, a C-Suite leader in any way, shape or form of a senior living community, and you need to address nursing shortages, you need to address having to re-architect based on COVID, you need to address a surge in a residence, or elders, or folks who are in your care. If you would like to adopt Internet of things technology solutions, you need a plan, and that plan is not something that'll be solved on Saturday with pizza and Mountain Dew, it's not something that'll be solved at Starbucks with too much espresso, it's something that requires you to recognize it's an entire ecosystem, an entire plan, it's an entire team and it's an entire set of training and learning. The devices themselves need to be secure and compliant, where you're going to put the data. There needs to be a plan for how you get it, how you're available, how you secure it, how are you compliant with Privacy?

43:06 Matthew D. Edwards: They're going to attach to something else larger, called a platform up in the sky basically, Cloud-based platform, unless you're gonna build all that stuff in your house, which I can tell you based on our own experience, building platforms for other companies. The unprofessional indirect or direct answer is "No, just don't do it." The recommendation would be, use systems that are already out there, public cloud solutions, private cloud solutions, but get platforms that exist that are secure and you can connect all of your things up to that, and then after you have the data, the compliance, the devices, you're still talking about all of the ways people could attack you, and it could be through employees through the elders on the premises. It's a big deal for companies that haven't put together information security plans or privacy plans yet.

44:54 Matthew D. Edwards: Please do. For those that already have them, you're going to have to put an entire next chapter, giant chapter, onto your plans, because Internet of Things changes the way your organization operates, and what we've learned from Nick Stark and Xavier Johnson this morning in our conversations is… In our very short time together, we've only scratched just such a small part of the large surface of what should you get? How do you get it? How do you implement it? How do you service and secure it? And above all else, take the time and to go talk to folks who are above board, professional, ethical people, who can tell you the top five ways that you've overlooked and you still need to secure your ecosystem because there are so many moving parts. Think about this, and this would be our closing thought for the day, if I put 10 or 50 different monitoring devices into one room, for one resident, and I have 500 rooms, and I have 10 buildings, and I own 10 campuses across the US. And then I tell you, "Are you collecting data on my dad, show me what data you have, and now get rid of it." How are you going to prepare for all of those things? It's not on Saturday, it's going to be through months and years of work and it's gonna be on purpose with on-purpose people and solutions.

45:34 Matthew D. Edwards: Xavier, Nick, thank you very, very much for taking the time to talk with us and teach us today, it is much valued, much appreciated. And I look forward to questions that we're gonna get, and I look forward to talking with you guys again in the near future. Thank you.

45:49 Xavier Johnson: Thank you Matthew.

45:49 Nicholas Starke: Thank you.