Secret to safer IoT is smarter Wi-Fi, hacker Caezar says (Q&A)
Could solid protection of our ever-growing collection of Internet-connected devices be tied to building better software for home Wi-Fi routers? Longtime hacker Aiden Riley “Caezar” Eller thinks so.
As chief technology officer of Seattle-based Unium, formerly known as CoCo Communications, for the past 13 years, Eller has overseen the development of network and router technology for first responders, construction companies, and government agencies. His current focus is improving Wi-Fi safety and stability for the average consumer.
In judging Wi-Fi technology, most consumers today are fixated on bandwidth and consistency, Eller says. “When they hit play on a Netflix stream,” he says, they want to know that it won’t “drop 1 millisecond of voice or video…That’s really where the money and the attention is today.”
Router security programming may seem about as riveting as a screensaver on a loop, but Eller asserts that as Internet of Things devices for the home proliferate, consumers are tuning into it.
Routers have been notoriously insecure for years, with security patches rarely installed because they often rely on technically unsophisticated device owners to navigate a cumbersome update process. A Wall Street Journal study from 2016 demonstrates that even among the most popular Wi-Fi routers in the United States, security standards are unevenly applied.
“As a security guy, one of my jobs is to scare the pants off of executives.” — A. Riley ‘Caezar’ Eller
To change the course of router security with Unium software, Eller is tapping into his deep hacker roots, which include experimentation with phone phreaking in 1988. Along with working on several patent-winning network products, Eller made important advances to vulnerability analysis software and improvements to the “fuzzing” technique.
Eller has also long worked with the hacker community as a force for good. For decades, he’s organized weekly hacker meetups, building a “center of excellence” at Harry’s Bar in Seattle, where hackers can network for jobs and work on projects. He’s also hosted a heavily attended hacking-contest party at the annual Def Con convention in Las Vegas called Caezar’s Challenge.
Whether Eller’s expertise can help secure future generations of connected devices is an open question, but not to him. What follows is an edited transcript of our conversation.
Q: Many companies in the security business—especially network security and home networks—swear that their products will protect you from myriad threats. What sets Unium apart?
One thing that makes our story interesting, over the 13 years I’ve been here, is the slowly dawning realization many wireless-networking problems are understood to a certain approximation—and then just dropped on the floor. The old advice, “Have you unplugged it and plugged it back in again?” It seems like such a customer support nightmare story.
In surveys we’ve conducted, people have said Wi-Fi is the greatest thing that’s ever happened to them. They would never ever ever criticize it, and please, can they have some more?
Then when we ask them, “How long has it been since you rebooted your router?” the answers were like, “Oh, a week or so.” “I reboot it every week.” “My Netflix buffers sometimes.” And “I occasionally—every year or two years—have to buy new Wi-Fi products.”
READ MORE ON THE INTERNET OF THINGS
Time for a Department of the Internet of Things?
The long reach of Mirai, the Internet of Things botnet
Hackers call for federal funding, regulation of software security
Shut the front door: The state of the ‘smart’ lock
5 questions to ask before buying an IOT device
Living on the edge of heartbreak: Researcher hacks her own pacemaker
As we move to more and more complex products, users’ ability to understand and to make reasonable decisions about whether they need different products, or whether something is on the fritz, or whether their Comcast is out—that distance from smart decisions is getting greater and greater.
Our software is meant to bring to each of the devices enough interactive communicative awareness of the state of the network to tell the user, “Hey, I’m having a problem. You need to reboot your router,” or “Your Comcast is out, so don’t even bother trying. Don’t get frustrated. It’s not your fault. The problem will fix itself.”
We spent 11 years building wireless networks for the Department of Defense. We built different products for every different branch of the DoD and came home with a trophy case full of patents. We went to commercial and industrial, and tried to find a fit there, and as we thought about it more, the largest number of people with problems with Wi-Fi are actually home users. The numbers of home users and home devices are skyrocketing.
What is Unium doing to ensure that, going forward with our new IoT overlords, consumers’ home networks will be as secure as possible?
We are trying to get the home network to be a meeting place for devices to all have an equal level of responsibility. Today your home access point, usually provided by the cable company, is really the only device that has security management responsibilities. As we add more devices to the home, and as there are more coverage problems, and different kinds of solutions coming and going, that model of having a single device in charge of everything really continues to fall farther and farther by the wayside.
The Unium model is to develop open-standards software and network protocols that everybody can play in fairly, so that network access and enterprise security features can be boiled in at an application layer. Rather than having to buy an enterprise domain authority, and enterprise core-switching functions, and routers, and firewalls, and all these absurdly overly expensive “features” or “capabilities,” you have a core network.
How complex is this? Most people just want their devices to be plug-and-play.
Up until maybe 10 or 15 years ago, wired Ethernet was the model we all used for our home offices. Everybody bought a switch, and hung it off of the modem, and plugged in their desktops, and so forth. Most of us were able to make a switch work. There was no configuration, there were no buttons to push, and there were no IP addresses to type in.
That’s our vision for wireless networks. Not only should it be plug-and-play, just like an Ethernet switch, but all of the features that require human interaction should be surfaced in a friendly and simple way, rather than requiring someone to learn SSH, and then IP addresses and subnets and all these crazy things.
If we can solve the problems of the network layer the same way we did with Ethernet, that means users don’t need to know anything. They just need to plug in any wire, anywhere. If you’ve got power line adapters in some part of the home, then every power line device should just plug into the network, and you shouldn’t need to know that it happened.
Other than that, we need to automate away all those IP questions, and that’s what the algorithmic and the patents that Unium brings to bear are for: automatically making the right decision, very quickly, all the time.
The important thing, really, is that everything we’re offering is still at the communication standard line. There’s no vendor-specific magic. People don’t have to buy Unium software to make the devices they sell work on the network. They just buy our software, if they want them to work better. We give them the same decisions that they could be making, and we give them more astute, simpler, smarter user interfaces and more reliable bandwidth so they get fewer dropouts and less buffering.
Do people have to buy specific devices to take advantage of the Unium software, or does it work on legacy devices as well?
The more Unium devices in a home, the more value you get from additional Unium devices in the home. Every device in the home benefits from any Unium devices in the home. A Unium router makes better decisions and keeps poorer-performing devices off the air. Being off the air, they don’t interfere with the well-performing devices. Each device has a better Wi-Fi experience, with greatly increased bandwidth available throughout the home.
Can users install it on older hardware?
Right now, we want to make sure that the usability is absolutely transparent. We want to make sure that every device that goes out with our software is just magic. We don’t have any announcements or any plans to offer those for download opportunities today because we’re afraid that somebody will misconfigure them before we can get the word out.
How will a Unium router improve device security and privacy?
Devices can be sectioned off and protected from each other. If your cameras become part of the next Mirai network, then having those cameras sectioned off into a different virtual local area network from your lights and from your speakers means that not all of your devices can be hacked. Hackers can’t pivot from a camera into the lighting system. This creates compartmentalized networks in the home, and can protect the different vendors’ devices from one another.
Down the road, we plan to introduce a feature we’re calling “time out.” We pull a device off of the network, disconnect it, make it no longer able to access the Internet, and keep it that way until we deliver a firmware update. The device is still connected to Wi-Fi, but it doesn’t get to route any packets. The router would update connected devices with new firmware, then let them back onto the network.
So if we find out that a whole class of cameras is vulnerable, we can knock them off of all of Unium-enabled networks. We can upgrade them without letting them back on the network, and then only let them back on after the security patch is available. Offline patching of nearby devices, I think, is going to make a really powerful security story.
For now, we’re really focused on getting the quality of the Wi-Fi experience in the home better. I think that “time out” will be a Wave 2 feature; we don’t have a specific announced date for it. I would be very happy to see it this year, but I don’t know whether we’ll make that.
The security industry is positioned to spend about $90 billion this year on protecting Fortune 500 companies, yet we know that at some point, some of them are going to get hacked. How do you plan to address long-festering problems with computer security, more broadly?
I’ve had a passion for stronger security, and raising people’s awareness, and doing things better. That’s exactly how we engage with the brands we already love, but we might rightfully wonder, Are those brands really doing a good job with my privacy? If there’s a microphone in the device, could it be manipulated to spy on me?
As a security guy, one of my jobs is to scare the pants off of executives. I know how to come in and to deliver an impactful proposition. I might ask something like, “Did you know I can see your accounting server?” And I tell them, “You need to protect your employees from your customers,” or, “You didn’t protect your customers from your employees,” or “You need to protect your employees from viruses and from Russian spear phishers and from bitcoin miners,” or, “You need to be watching how much CPU time is getting used.”
Today every brand that we’re engaged with has had at least one strong security conversation with me because I push for it. With the engagement, the companies get a chance to really grow up.
The world I came from was spy versus spy; the FBI’s going to try to get a hacker; the hacker’s going to try to get away. It was very morality-oriented. But there’s a level of integrity and dignity in building well-reasoned and secured products.
That’s one of the reasons Amazon gets to take a moral high ground a lot of the time: It has just built a really good customer protection strategy, and its security is part of its brand. In fact, in a way, security is what makes every marketplace real.
In the last five years or so, we’ve started to automate programming to greater degrees. Preference systems and all the early machine-learning programs are being increasingly replaced with game theory players, and with bidding systems, and with smarter pieces of code.
To make decisions that are worthy of our investment, those systems need to be believable. But as consumers, we need to believe that the fake-news detector at Facebook isn’t just bullshit. The removal of humans from those critical functions just magnifies the need for securing each of those corporate functions at least from each other and from the outside.