CBS Launches CSI Cyber Series with Hacked Baby Cam Story
Cyber CSI’s “Kidnapping 2.0” episode highlights cybercrime, forensics, IoT vulnerabilities, darknets and password quality issues for the public. Police and other law enforcement investigators should watch for any realistic tips and techniques they can use. But politicians and prospective jury members should look elsewhere for hard facts to inform their expectations.
Source: @CSICyber Twitter Feed
Security reviewers and movie critics share one trait: they’re hard to satisfy! Many comments online highlight unrealistic sequences in the show. I could do the same, but instead I’ll focus on what intrigued or amused me, and on the messages security pros should communicate to the public.
Forensics for first finders: Police and any other first finders at a crime scene are responsible for securing the evidence from tampering. They should give smart devices there the same respect given to bodies. Don’t touch them or move them.
Forensics for investigators: Preserve the evidence. As chief investigator Avery put it: “Faraday bags block the kidnappers from communicating with your devices.” Shows like CSI Cyber should be a wakeup call to provide basic forensics training to police, EMT professionals and other likely first responders.
Developers: Understand that smart devices used in the home can have high-risk implications for life and safety. In the show, a vulnerability in a baby camera allowed both kidnappers and estranged family members to break into the device and observe the baby and the home from the inside. Build more security into the development process!
Product executives: In real life, a case like this could generate huge liabilities above and beyond the cost of a product recall. Think about it – an internet-accessible device hacked and its cloud service used as a platform by criminals to auction off babies. Treat any internet-accessible smart home device as something with high-risk implications. Invest in secure development, a software update process to fix vulnerabilities in the field, and an incident response program with an ethics- and compliance-driven responsible disclosure component. Treat the mere discovery of any vulnerability in your IoT product as an “incident” that must be dealt with.
Public policy: It’s a slippery slope from atavistic instincts awakened by shows like Kidnapping 2.0 to demagoguery involving software liability or other ill-conceived schemes to protect the public. But let’s continue the debates around pressures and pitfalls for immediate breach disclosure requirements and/or cyber-insurance as a market governor.
Bottom line: Security is everyone’s responsibility. Just look at who we address in this post. Not the critics, not the experts, but people living day to day in the world, people building the products we use, and all those on the front line of law enforcement.
A Final Bit of Advice (for those who saw the show)
Don’t tattoo your 20 character alphanumeric password on your habeas corpus!