Ken Munro has spent the last 20+ years making a name for himself in security, picking holes in Internet of Things (IoT) and smart devices to unearth security flaws in them, before going through the right and proper channels to make those flaws known and promote better security design and practice.
Why, you may ask? We live in a world where the IoT is a real part of everyday life. So much so in fact, it’s now become practically impossible to purchase any sort of tech device without some kind of connectivity function built in as standard. TVs, fridges, toothbrushes, wearables, cars, home heating units, sex toys…yep – you read me right on that last one; all manner of ‘smart’ devices come off the shelf with the capability of internet connectivity, whether consumers know it or not.
Internet connectivity in devices can be a great thing; control your home heating from your mobile device, track your heartbeat throughout your day with a snazzy watch, have your fridge let you know when you’re running low on milk – it’s a tech enthusiast’s dream. The problem is, all-too-common IoT and smart device security design flaws can be far less fun, not to mention possibly very dangerous.
That’s where Ken comes in. The work that he and his team carry out is, in many ways, pretty damn important.
The types of vulnerabilities that he discovers sometimes have the potential to cause significant harm and damage to innocent and unknowing users. However, if there’s one thing to say about Ken, it’s that even when he’s looking into potential IoT threats, he’s always willing to have a bit of fun (and push a few boundaries) along the way.
So how do you get into that sort of gig? For Ken, it began after he dropped out of university, where he was studying applied physics, and took jobs in the hospitality industry. There he discovered he had a talent for hacking by persuading a till to print out mortgage amortizations.
Till Tampering and Dr Solomon’s
“I was working at a hotel in Tring in 1995,” he says, “and the point of sale and till system fascinated me. I found that I could get the till to bomb out to DOS – a very early version of DOS – and found a few of the old basic files. I started messing around a bit with them, and discovered I could print off my mortgage amortization statement onto a restaurant receipt.”
It would be safe to say that Ken’s then boss was less than impressed, and he made it clear that he felt Ken’s career path probably lay elsewhere. Ken agreed, but it was a slice of good fortune that showed him just where that might be.
At the time, S&S International (later and better known as Dr. Solomon’s Software Ltd, and famed for producing the Dr Solomon’s Antivirus Toolkit) was a fast growing IT security company, and also just so happened to be a regular customer at the hotel at which Ken worked, often booking it as a conference venue. Having always found IT tech interesting and keen to see what the IT security profession had to offer, Ken approached S&S International and was able to secure a job working in sales admin support, analyzing data.
“A lot of people who are very well known in the infosec industry have cut their teeth at Dr Solomon’s,” he explains. “I worked there for two-and-a-half years, and I was there when the acquisition by McAfee took place. Solomon’s was bloody amazing! What I took from there, particularly from Alan Solomon himself, is that when you’re doing a conference presentation or working at trade shows, you don’t pitch your product – you tell a story. Alan Solomon was brilliant at it. He would tell a story and let people draw their own conclusions, rather than trying to sell something and ramming it down their throats.
“It was great – we had a fantastic time,” Ken smiles, “running distributor incentives, looking at motivating people to help sell the product into the channel. We grew it massively in a couple of years.” The company, over that period, evolved into the leading European manufacturer of anti-virus software.
The purchase by McAfee in 1998 did bring about significant change though, for both Dr Solomon’s and Ken. “I’d never been through any acquisition before,” he admits, “but things did get a bit weird for a year.” Ken was put in charge of e-commerce just as it was starting to emerge as a sector, and he learned a lot, but the role wasn’t the right fit for him anymore, and so he moved onto pastures new.
After a “random” (by Ken’s own admission) and brief stint working in advertising, PR and website design, he found himself back in the security game with a vulnerability assessment vendor called Vigilante. “They tried to set up a competitor to Qualys, but unfortunately their growth rates didn’t quite work. Two years later, parts of the company were put into receivership.” That led the organization to bankruptcy, and Ken was out of a job, not long after buying a house and getting married. Ironically, he describes it as “the best bit of luck” he has ever had.
Going it Alone
“If you look at most people who start their own business, 80% or 90% of them do so because they’ve lost their job.” Ken had lost his, but he was eager to bounce back and now had nothing to lose. So, with a tech colleague, he founded SecureTest, a penetration testing business that quickly established a reputation for delivering high spec services. It was a move that not only got him back on his feet, but more importantly, cemented a zeal and penchant for pen testing that has defined his career ever since.
“We ran that for five years,” he says, “before eventually selling it to NCC Group. It was great, as together we created one of the largest pen testing firms in the UK (if not the world) at the time, and it was an interesting experience.”
However, upon selling the firm to NCC, Ken felt the cultures of the two companies did not align particularly well. “What I learned from that experience was that you can have two similar companies in terms of what they do, but if the cultures are different, it’s like trying to put chalk and cheese together. Both cultures were perfectly valid, but different. I stuck it out for over two years, I worked with some great people there, but the cultures of the businesses were just too different.”
Pen Test Partners
Ken then took a year out from work – he tells me he spent a lot of his time honing his gardening skills and contemplating his next step. Towards the end of that hiatus, Ken noticed that the number of former SecureTest colleagues leaving NCC Group continued to rise, and he could not help but feel that he had, in some way, let his previous colleagues down. “Conversations started about doing something new, something a bit different, and starting again,” he says. That something new was Pen Test Partners, the ethical pen testing business which Ken and his team founded in 2010.
In the last nine years, Pen Test Partners has grown substantially and now boasts some great ethical hackers, many of whom have a stake in the firm. “What’s been really great about what we’ve done is that, having experienced starting from scratch before, we’re not making the same mistakes – we’re making new, different mistakes,” Ken laughs. “It’s allowed us to grow much faster, offer a much higher quality of delivery and be more efficient. We use all the skills we’ve learned over the years just to be better at what we do. It’s allowed us to focus a great deal more on research, which is a big part of our business – doing new, random, crazy stuff!”
Ken’s not joking when he says he’s been involved in some “random, crazy” projects. From research into hotel key cards and driverless cars to home control systems, Ken and his team at Pen Test Partners have made some truly groundbreaking IoT and smart tech vulnerability discoveries over the years. I wonder then, if he had to choose his personal highlights, what would he pick?
Trackers, Dolls and Kettles
“Something that’s got my real interest right now involves tracking devices, and it’s got us into an area where security issues are accelerating,” Ken explains. “You’d hope that with the focus based on IoT right now, security would be improving, but we’re seeing vulnerabilities start to unravel and affect not just one product, but multiple products. One vulnerability in one thing leads to a compromise in everything, and that’s really been blowing my mind.”
Looking further back on his career, a piece of vulnerability research that stands out to Ken is the work he did around the My Friend Cayla doll in 2015. Four-and-a-half years ago, Ken gained widespread notoriety for exposing how his team was able to hack into the system that controlled the doll, which was designed to use internet connectivity to talk to children and respond to their questions, then modify the commands and change her responses. In a nutshell, he was able to turn the sweet-talking children’s toy into a foul-mouthed, swearing nightmare. The real issue was that, due to the security flaws, practically anyone with a Bluetooth device could have connected to the doll and communicated with children.
“It was a great example of security done incredibly badly,” he says, and that Pen Test Partners research is probably the firm’s seminal piece of work on smart tech. “However, we put Cayla to bed three years ago – she’d done the rounds at trade shows and conferences. Then, out of the blue, the Norwegian Consumer Council independently stumbled upon the same vulnerabilities. They were a bit surprised as we’d already done the work, and I realized that actually, although we’d actively made the Cayla vulnerabilities known to the infosec community, ‘Joe Public’ didn’t have a clue.
“One of the most interesting things for me is seeing a whole new angle to vulnerabilities we saw years ago, now coming to new markets and effecting change. If you look at California’s SB-327 bill, which will regulate IoT next year, My Friend Cayla and our research is cited as one of the catalysts of the regulation. It’s amazed me that a funny, swearing doll is now affecting governmental change, affecting consumer markets and changing behavior.”
Then there’s the work he did around security vulnerabilities in a smart kettle. “I loved the kettle!” Ken says. “It’s one of the stories I’m most proud of, because it highlights the journey of many smart product vendors. The number one most important thing starts out as getting the product to market, nothing else matters. However, when a vulnerability is found, and there’s no way to patch it remotely or fix it, what do you do? Do you pull your product, do you fold? Or do you carry on shipping and just deal with the bad PR?”
In the case of the kettle, it was replaced by the vendor with an updated version, but it still had pretty much the same security flaws, Ken says. “However, the great thing I love about this story is that the company, under the pressure of negative media coverage regarding its product, then hired a really good security guy, who totally gets it. He’s driven that product into the kettle ‘three,’ which is really good, really secure – and it’s a lovely story of how pressure from the infosec community can drive really good behavior and result in products being better.”
This is the News
I mentioned earlier that Ken has made a name for himself through his work, but I probably did him a bit of a disservice. He’s now one of the leading names in the UK when it comes to what he does. Perhaps that’s why he so frequently speaks at industry conferences all around the world and contributes to various media publications. You may have even seen him feature on primetime TV shows like BBC News and BBC Click in recent years showcasing his research, and the opportunity to share his work with the public is one of the things he’s most passionate about.
“I love nothing more than working with amazing colleagues and presenting great research at security events, but some of that is missing the point,” he explains. “We’re preaching to the converted – are we actually going to effect change? We’re far better off getting the message out to the world, and one of the things I always insist on when I do any TV work is that we get to include recommendations for the public to be more secure.”
I don’t doubt Ken’s enthusiasm on this, and whether he’s presenting research on stage or in front of a camera, he always does so avidly and with an eagerness that demonstrates that he really loves what he does.
“We’ve never used a PR agency with mainstream media, so there’s never been that layer of abstraction in the way,” he adds. “Generally journalists can get straight to us rather than having to work through an agency to get comments approved and in line with corporate messaging. Yeah, you might make some mistakes along the way and sometimes say the wrong thing to the wrong person, but I think that’s part of keeping it real; it’s one of the things that works for us.”
Light it Up
So, I know how Ken got to where he is today and heard which pieces of work he’s most fond of; what I want to know next is if there’s something that he’s always been itching to get his teeth into but hasn’t had the chance to yet?
“One thing I have always wanted to do is to successfully set fire to something through a hack,” he says. “I tried so hard with the kettle, but it actually had great electrical safety protections, despite its connectivity security issues. I am working on something else at the moment that I’ve managed to get to scorch and char already – so watch this space! We think we’ve found a smart product that we can successfully compromise and set on fire, and that’s a game changer for me.”
If there really was no limit to his hacking exploits and he could do anything though, Ken would love to find a willing owner of a large office building fitted with smart lighting and play a game of Space Invaders on the side of the building. “It’s been done before, but that would just be the pinnacle moment for me.” I’d love to see that, but until a smart building owner comes forward and is prepared to make that dream possible, what will he and Pen Test Partners be focusing on next?
“We’re expanding internationally,” he says. “We’ve been out doing a lot of talks in the US and that’s led to a lot of work stateside, which is great. The key to our growth is to keep pushing into interesting, challenging new technology and markets. Maritime has been great and we’ve loved some of the things we’ve been finding in shipping. The next big push is into aviation; we’ve had access to an Airbus A320 which has been great fun and we’re looking forward to breaking some of our research on that.”
When it comes to IoT and smart device vulnerability research, “you have to think big,” Ken says. “You have to keep pushing and keep doing interesting research – that’s our way of giving back to the industry.”
Absolutely fascinating stuff, and if you’re keen to learn more about some of Ken’s recent work, make sure you set aside some time in your diary to see him speaking at Infosecurity Europe on June 5 on the Geek Street stage – I know I will!