As the internet-of-things (IoT) interface stretches across the globe, one of the corresponding results has been a correlative increase in cybersecurity concerns. I’ve written previous articles citing concerns of professionals in the IT and technology industries on the lack of regard tech giants are paying to security flaws, and potential consequences that could arise. A few weeks ago, I wrote an article on two cyber-breach techniques called MouseJack and KeySniffer, a flaw in wireless mice and keyboards that hackers can use to extract private data and install malicious malware on someone’s computer.
MouseJack and KeySniffer were discovered by the cybersecurity company Bastille, the first corporate entity to offer a complete security solution for the Internet of Radios, encompassing radio-enabled mobile, wireless, and IoT devices. MouseJack and KeySniffer are just two ways that Bastille is providing visibility into devices that operate on more than 100 distinct protocols and allowing for a preemptive response.
I was fortunate to touch base with Bastille CEO Chris Risley, who shared some insight on the origins behind the discovery of MouseJack and KeySniffer, measures Bastille has taken towards combating wireless tech breaches, and his hopes of influencing future IoT security.
WDD: Tell us in a little more detail about the events that led to discovering MouseJack and KeySniffer’s glaring vulnerability in wireless mice and keyboards.
Risley: Marc Newlin, a member of Bastille’s Threat Research Team, made the discoveries as part of Bastille’s ongoing research into current RF and IoT vulnerabilities. The discoveries didn’t come as a surprise. Bastille has long contended that the lack of security in many RF-enabled devices makes them vulnerable. For example, the top wearables have already been hacked and most of the popular IoT protocols have already been hacked including Bluetooth, EnOcean, ZigBee, and Z-Wave.
WDD: In addition to Mousejack, Bastille also uncovered another breaching technique called KeySniffer. How is this infiltration method different from Mousejack, and what course of events led to the discovery of this design flaw?
Risley: MouseJack was centered around injecting keystrokes into wireless mice, whereas KeySniffer is centered around sniffing keystrokes and the valuable personal and private data exposed from wireless keyboards such as credit card numbers, social security numbers, passwords, security challenge answers, etc.
WDD: How do the measures Bastille has taken towards combating the wireless hacking issue pertain to their vision of the future when it comes to IoT security? What future products and software (aside from your products released this fall) is the company developing that will keep computers safe from similar infiltrations?
Risley: IoT security is important because by 2020 there are expected to be 20 billion connected devices providing an unprecedented expansion of new threat vectors. Many of these devices, such as thermostats and building control system are used throughout the enterprise. At Bastille, we are focus on sensing, identifying and localizing threats from RF-enabled devices. We provide enterprise threat detection through software-defined radio. The company is committed to providing solutions that allow enterprise companies to secure the Internet of Radios and gain visibility into devices that operate on more than 100 distinct protocols.
WDD: How have the discoveries of MouseJack and KeySniffer impacted the corporate momentum and direction that Bastille is heading towards?
Risley: Bastille’s groundbreaking research and discoveriesof MouseJack and KeySniffer validates the company’s thesis that the IoT is already being rolled out to individuals and enterprises with wireless protocols that have not been through sufficient security vetting. As a result, Bastille expects millions of devices to be vulnerable to currently undiscovered attacks.
Furthermore, there’s widespread recognition of IoT-related threats, but limited adoption and enforcement of security policies. We think companies can take IoT device security seriously by applying the best practices of network security to those devices.
WDD: To protect against potential threats that might use radio frequency to infiltrate their targets, Bastille has broken down their products in three main categories: Sense, Identify, and Localize. Which of these categories has Bastille’s products especially exceled in?
Risley: Bastille Enterprise does indeed sense, identify, and localize RF-enabled devices. These features are not separate products but rather part of the overall threat detection that enterprises require. The ability to recognize and localize potential threats enables security teams to take swift action and preemptively remove those threats before harm is done.