Podcast

Podcast: You’ll never need to know a password again!

May 26, 2022

Posted by: IoT global network

Worryingly, drivers of connected vehicles may not control their car, says Julia O’Toole, founder of security company MyCena. All the vehicles’ internet-facing communications are entry points to hijack your car or tamper with signals; it’s a serious matter for the auto industry. Julia insists no one needs to know a password – ever. Plus the first factor in multi-factor authentication can be a weak, reused, phished, shared or stolen password – it has zero security. Fortunately, Jeremy Cowan hears that Ancient Greece holds a solution. And waste chip oil may be the answer for EVs in the Australian Outback. We are NOT making this up!

Listen on

Transcript:

Jeremy Cowan  00:04

Hi, and Welcome to the latest Trending Tech podcast brought to you by the technology sites VanillaPlus, IoT Now and The Evolving Enterprise. I’m co-founder Jeremy Cowan, and it’s great to have you here for the latest, sometimes serious, sometimes light hearted look at digital transformation for enterprises. Today, on the podcast, I’m really pleased to be joined by Julia O’Toole, the founder and CEO of MyCena Security Solutions.

Today we’re taking another look at the fast-changing subject of automotive technology, in particular, securing vehicles and passengers. Like many of us, Julia saw her number of passwords rise from two or three to hundreds in the last two decades. And unable to remember them all, she tried all kinds of solutions from password books to password managers, but discarded them all because of their lack of security. Her solution involves decades of personal research in the fields of neuroscience, mathematics and technology. But it was a trip back in time that actually triggered the solution. Julia, first of all, welcome to the Trending Tech podcast.

Julia O’Toole  01:23

Hi, Jeremy. Thanks very much for having me.

Jeremy Cowan  01:25

Great to have you. And tell us, it sounds a bit Back To The Future. What was your trip back in time? And how did it help with a password solution.

Julia O’Toole  01:34

So, it was quite a few years ago now. We, as a family, travelled to Greece and visited the ancient Greek city of MyCena. It’s a 2,500 year-old city. And it struck me when I walked through the ancient ruins that the ancient Greeks had done something really smart, they’ve created layers of security. So when you first entered the city, you could see the Lions Gate with the two lions, which are still there. And once you got into the city, there was another gate to take you to the garrison. And once you were in the garrison, there was another gate to take you to the King’s Palace. And I thought this layered security was actually the clue to how to secure passwords in not having a single point of failure. So, you could actually have all your non-sensitive passwords in the outer layer, the medium-sensitive passwords in the silver medium layer. And the most sensitive passwords like for your bank, if you had diamonds and gold stored somewhere, with a with a password in the gold level. So that’s the origin of MyCena, it comes from the solution that created.

Jeremy Cowan  02:41

I think that’s fascinating. Well, as usual, we’re going to start with a look at a recent news story in the tech space. And then we’re going to hear more from Julia about the impact her work is having in the automotive sector. And, when all of that’s covered, in our closing section called What The Tech, Julia and I will take a sideways look at a story that made me raise an amused and amazed eyebrow. So, tell us about the story, the news story that caught your attention, Julia, where was it? And what’s it about?

Julia O’Toole  03:13

It’s a story from the Hacker News, where the there was some criminals who could jam, could send a signal to the chargers of electric vehicles to stop the vehicle from charging. And so I thought you know, I have a maths background. And I’m always interested in patterns. And I thought this broken wire story was a typical disruption pattern used in a modern vehicle charging situation, where the criminal just tampers the signal between the sender and the receiver. In this case, the car company are using a PLC, which is a powerline communication for charging, and that allows malicious actors to interfere with the signal, in this case using electromagnetic signals, which cause the charging process to stop. And so this is a serious design flaw that we see in millions of cars, which can have a huge impact on, for example fueling ambulances when they need to actually be somewhere. So, it can actually have life implications.

And what we can think about is these, these design flaws could in the future create a large recall of vehicles a bit like what happened in Dieselgate. It’s a bit of a butterfly effect on a little story that you find on the internet, you can actually see it as the beginning of a much larger story. One of the things that I liked about the story is a is a typical illustration of the lack of foresight with digital risks when it comes to new technology, and how technology often looks bright, shiny, promising. And for the last few decades, most people have just rushed through taking the new technology on board, only seeing the advantages, but overlooking the potential vulnerabilities, risks and downsides. We’ve been through a ‘break fast, fix later’ mentality that dominated innovation in the last few decades, where in this particular instance with vehicles, you deploy first, and you fix design flaws later. It’s just an illustration of the trends we’ve been living in no more largely in the last few decades.

Jeremy Cowan  05:29

Yeah. So if we’re driving electric vehicles, right now, is this a threat we should worry about now? Or is this something that’s being taken care of?

Julia O’Toole  05:38

Well, there’s actually much more threats that concern electric vehicles, that with all the communication, internet-facing communication that the car has, all of them actually potential entry for criminals, who can actually hijack your car or tamper on signals. The driver actually does not control the car, and that we may touch upon it when we answer your other questions, but it’s a serious matter for the auto industry.

Jeremy Cowan  06:10

Yeah. I know, powerline communications has been an absolute godsend for all sorts of in-building communications. I wasn’t aware that that was being used by the charging firms. Does that mean that charging firms do you think are going to need to change their connectivity to more costly alternatives like 4G or 5G? Or is that still up for decision?

Julia O’Toole  06:33

I think it’s up for decisions. One of the things that I’m a big advocate for is actually mixing mechanical technology with digital technology as having a layer of physical bounds that prevents the attack, which are remote from succeeding. But I see this as a much more safe way to go forwards, rather than just rely on digital.

Jeremy Cowan  06:57

Yeah, I’d like to drill down a bit into MyCena’s work. Clearly, organisations can lose control of their network access when employees create their own keys and passwords. So, am I right in saying MyCena has patented solutions to segment, control and protect that access? And if so, is it is that in order to eliminate the risk of human error, and theft and fraud?

Julia O’Toole  07:25

Yep, to give you a bigger overview of the situation, the problem that we have identified at first was that there’s a big confusion in business in general, between authentication and identification, which has created a labyrinth of problems. But, in general, you need to identify yourself when you need to prove your identity. So, when you want to cross a border, when you want to vote, when you sit an exam, these are cases where you need to show who you are to someone else. And then you have the cases, when you don’t need to show identity, you just need to have a key. So for example, when you go home, your door doesn’t look at you and ask, ‘Is it Jeremy?’ You have the key, you open – if you don’t have the key you don’t open.

And it’s the same with your car, if you have the key you can go in, otherwise you can’t. But the confusion has really created a mismatch of solutions, which amplify the problem of access insecurity. So when it comes to authentication itself, the misconception about password is that you actually need to know them. Because when you think about it, when you go home, you don’t hammer your key before you enter. (Laughter) You just take it out of your pocket and you put it in the lock, you can unlock the door.

Similarly, this whole fuss about passwords is completely unnecessary. No one needs to know a password ever. And so what we’ve done with MyCena is say your passwords can be encrypted; it can actually be a billion characters in the future when we have quantum computers. So, it doesn’t really matter how long it is, and what it is. All that matters is that you have the key to access an account, or a vehicle or a door where you have the right to access. And for that, that key can be distributed, encrypted by the company to the user in real time, and then be taken off the user, just like will happen when someone leaves a company in the physical world. They take the badges, keys and fobs off you when you leave the company. So you take these passwords off, which no one has ever seen. And then the user can’t get in anymore. So that’s the whole idea about MyCena, is to make the access security that concerns authentication – not identification, just authentication – the same as in the physical world.

Jeremy Cowan  09:49

Does that mean that you think multi-factor authentication doesn’t work in automotive, and other business sectors?

Julia O’Toole  09:58

Well, to answer this question I need to redefine what MFA is and what it is for. So MFA, what is it exactly? MFA means multi-factor authentication. It means it can be a second or third or fourth or more factor authentication. And which means not the first factor. And it’s often a token that is sent to one of your devices, which you have to click to accept, or copy and paste. It’s purpose is to verify that the person with the right of access, and has the first factor, can verify that this person has the right key and can enter. And the first factor at the moment is usually a password or biometric. But the problem is, as we’ve seen earlier, the first factor is weak in the first place, when the company does not even control that first factor. And that first factor can be a password that is weak, reused, phished, shared, stolen, I mean, anything can happen to that first factor, it has zero security. And if it’s a biometric it’s even worse, because if you lose it, you can’t replace it. So we are in a situation where the first factor is subject to so many issues, including man-in-the-middle attacks, just like we saw in the Broken Wire story where someone has tampered on the signal. Then your second factor becomes de facto your first factor. And it’s also easily intercepted, therefore it doesn’t work. But, and there’s a big but, MFA is actually very good when it’s used in its original purpose, which is as a second, third or fourth, or more, factor authentication. And when it’s well designed it can still work in automotive and other sectors. So, it’s all about using it in the right place at the right time.

Jeremy Cowan  11:40

Understood. So, if it can work in automotive, just looking at the negative for a second, where has MFA failed businesses in the past? In what sectors or in what applications?

Julia O’Toole  11:52

Actually, I would say, because of the problem I’ve just mentioned in the beginning, you know the confusion of authentication and identification, and then the company is actually not controlling the first factor, it’s failed because it’s not used in its purpose as a second, third or fourth factor. If it’s used with a first factor which is strong and reliable, like what we offer, so a password which is encrypted that no one sees, that can’t be intercepted, that travels through a tunnel from creation, use to expiry, that cannot be tampered with, then NSA gives you security. Otherwise, it just provides a false sense of security and should be not relied upon.

Jeremy Cowan  12:33

Yeah. So do you think that end users are appreciating appreciating the difference between authentication and identification?

Julia O’Toole  12:42

Absolutely not. (Laughter.) The reason? The reason is our brain is actually, in the digital world, extremely incapable to perceive any danger. I mean, our brain has evolved to adapt to the physical environment. So, when we see a lion we run usually. But digitally, most people don’t know, what is digital risk, whether it’s with reading the data, the privacy, when they give the biometrics away. No, they click without really understanding where it goes. And the incapacity of the brain to actually visualise the path and the risks make it such that people don’t see the difference between what is dangerous and what is not.

Jeremy Cowan  13:32

Lastly, can you help me understand what techniques we can use to re-establish command and control of our vehicles, and of our businesses as a whole.

Julia O’Toole  13:42

I’m going to come back to multi-factor authentication because I think we can actually use the concept of multi-factor to secure a lot of things. And in the case of the car, for example, I can see the mixing of mechanical and digital security, for example. So, I can imagine when you approach your car, you can use your fob within a short distance of the vehicle. But once in a car, you actually use the physical key to start the engine.

And then you can think of a third level authentication, which is a multifactor, like a digital token, a password that only you have, that you can actually send to the car to actually start it. So you get then three factors of authentication — all  different — that can really give you more much more security in who controls your car rather than the single digital layer that we have today. And for businesses as a whole, the first need is actually to stop confusing authentication and identification.

And for businesses to stop using the employees’ identities, especially when they have no data access control, as we’ve seen earlier, you just risk all these digital identities, which are just strings of zeros and ones to get stolen. And we know that it has happened so many times and once it’s gone, it’s gone. They can’t be they can’t be replaced. You can’t replace your eyes or your hands. It’s extremely dangerous and that really has to be stopped.

And then to secure authentication for businesses, they really first need to segment access to every system. So we should stop seeing stories of one password has led to the breach of a system and then another system, and another system within a few hours, like what we’ve seen with Octa not long ago. This scenario should not be able to actually happen. So, segment, segment, segment every system so that you lose the minimum possible if you are breached, let’s say in a supply chain attacks and one of your system is breached. But then you know that all the other systems that you have, are still trustworthy, reliable, and are not compromised. So, at least you actually limit the damages if there’s a breach. Similarly, if someone comes into your house and have gone through your bathroom window, they can see your toothbrush and your toothpaste, but they can’t actually go inside, you know, the other rooms in your house to steal other things. I’d say segment, segment and then make sure that the business controls the access, distributes strong encrypted passwords to the users, and not the other way around. Come back to common sense. Then expire those credentials when the employee leaves. All of this can be done; again, technology exists. It’s just about using it in the right place at the right time.

Jeremy Cowan  16:22

All of which sounds just good sense as much as anything, and layered security has got to be an advantage. I hope that people are applying this and listening to this lesson. That’s really helpful, Julia, thank you.

We’ve reached the lighter section of the pod called WHAT THE TECH  where we share something tech-based that made us smile, and the story that I spotted was on Autocar.co.uk headlined, “EV across the Outback: Charging a car with chip fat” (See: https://www.autocar.co.uk/car-news/features/ev-across-outback-charging-polestar-2-chip-fat#:~:text=Jon%20Edwards%2C%20a%20retired%20engineer,units%20was%20installed%20at%20Caiguna) . It described one Australian’s environmentally-friendly efforts to set up an electric vehicle charging station 250 miles from anywhere in the middle of the Nullarbor Plain. The town of Caiguna may be remote, but it is on the main road running from Southern to Western Australia, so it’s an important route. There’s no mains electricity there, however. So John Edwards, a retired engineer from Perth, apparently came up with the idea of developing a generator modified to run on chip fat from three nearby diners. And if you’re not an Aussie or a Brit, we’re talking about waste oil from cooking fries. Together, they create 60 litres of waste oil per month in these diners and the main problem for now is that that’s only enough to charge three vehicles. But crowdfunding has been raised and has paid the AUS$70,000 cost of building each new generator.

In January, Edwards installed the first of his Biofil units in Caiguna. Apparently it now powers a very welcome 50 kilowatt EV charger for electric vehicles driving across the plain. I did not expect to be talking about chip fat on the podcast, but there you go, Julia, what did you make of this?

Julia O’Toole  18:16

I love this story because it really shows how crafty people can be, and there are crafty people living everywhere, even in the middle of nowhere. And really showing that you don’t have to be in London or New York to do innovation, it can come from the Outback. And obviously I love the fact that you could so easily turn waste into energy, which is something that I’ve always loved when I observe nature, how nature permanently recycles itself, and use waste and turn it into energy. And I think if we can all do that with our other waste, we as a human species have a better chance to keep our planet more livable for ourselves in the future.

Jeremy Cowan  19:00

Yeah, there is definitely a lesson for us all there. And kudos to John Edwards and of course to Autocar for the story. In fact, if you’re interested in any of the stories that we ever talk about, you will find links to them in our transcript alongside this podcast. So go and have a look at the transcript to follow up on the story. And for the same reason, how can people find you for more information, Julia?

Julia O’Toole  19:26

Well, they can go on our website, MyCena.co. Otherwise, they can send us an email at info@mycena.co and someone will reply to them.

Jeremy Cowan  19:38

That’s great. Well, look, thank you so much for your contribution today. I’ve learned a lot and I think there’s a great deal that all of us can learn and apply to our businesses generally, but possibly, it’s of particular interest in this instance for the automotive sector. Thank you, Julia.

Julia O’Toole  19:54

Thank you so much, Jeremy for having me. It’s great to be here.

Jeremy Cowan  19:57

And thank you too, ladies and gentlemen, for joining us around the world. You can subscribe to the Trending Tech Podcast wherever you found us today. And I know I’m at risk of sounding like a stuck vinyl, but go on, be a hero. Give us a 5-star rating. Tell everyone how much you’ve enjoyed it because it makes a massive difference to our ranking when people are looking for a new podcast.

Until next time, keep safe, keep checking IoT-Now.com, TheEE.ai, and VanillaPlus.com where you’ll find other Tech News and Interviews. And join us again soon for another Trending Tech Podcast looking at Enterprise Digital Transformation.  Bye for Now!