A View from the Top: Jennifer Steffens, CEO of IOActive, on staying safe from cyber-attack

Jennifer Steffens and her team at security and research firm IOActive get ideas about what to hack next from real life 

Hazel Sheffield
Thursday 02 August 2018 15:08 BST
Steffens says the potential for cyberwar is no different to that for offline war: ‘As a planet, if we can’t move away from war, it’s going to leverage all the innovation it has at its fingertips’

Jennifer Steffens and her team at security and research firm IOActive get ideas about what to hack next from real life as much as science fiction.

A few years ago, Steffens’ father had a pacemaker fitted that was recalled three times. Security issues in medical devices often mean patients have to undergo further surgery, which for heart patients can be especially risky. This was at the advent of connected medical devices, when it was not widely known that patients with pacemakers were walking around with hackable computers in their bodies.

Steffens was approached by the late Barnaby Jack, a researcher at IOActive, who figured out he could remotely exploit the devices to send an electric shock to anyone wearing a pacemaker within a 50ft radius.

The example inspired Jack to write a post called “Broken Hearts” on the IOActive website, exploring the plausibility of a scenario in the TV series Homeland in which the vice president of the US is attacked by someone who uses a serial number to remotely interrogate his pacemaker and send an electric shock. Jack wrote that his first thought on watching the episode was: “TV is so ridiculous! You don’t need a serial number!”

Following Jack’s report, the US Government Accountability Office issued a memo to the US Food and Drug Administration to look into the security of devices. Steffens says: “That’s often the purpose of our research: to shed light on the risks and make the consumers aware, so we can affect change.”

It’s been five years since Jack’s research on pacemakers. Connected devices, or electronic devices that are connected to networks such as Bluetooth, wifi or 3G, are now more ubiquitous than ever.

The introduction of voice recognition software has made it socially acceptable for these devices to be listening in on users at all times. While we are getting used to the benefits of calling out to Siri or Alexa to answer our smallest queries, Steffens says it is worth asking why a device is connected and how this benefits the user.

“Just because something can be connected doesn’t mean it should be,” she says. “I have seen internet-of-things hairbrushes with microphones that count the strokes. I don’t see why I need an internet-connected device to do my hair. One has cameras and a microphone – there could be unpleasant exposure if you keep it in the bathroom. I see some of these things and wonder why we would need them.”

Nonetheless, Steffens is relaxed about having connected devices around. She calls Siri a “fantastic tool” that she doesn’t worry about using. I ask about the associated security risks, but Steffens can’t say more because IOActive works with Apple under a non-disclosure agreement.

“There are vulnerabilities all the time, but that doesn’t mean I don’t have Siri on my phone or have a car with Bluetooth in it. The likelihood of attacks is slim, but will increase over time.”

The risk is increasing as the world becomes better connected, making it easier for hackers to cross boundaries. This breakdown in barriers has many benefits – think how much cheaper and easier it is to call someone over wifi through Skype or WhatsApp, compared to the expensive phone calls that would have been normal just a decade ago.

But global connections can also make it easier for hackers to get across country lines. Since the last US election, authorities have confirmed that Russian hackers targeted election systems in 21 states. While we are yet to see all-out cyber warfare, hackers are becoming a pervasive force in global politics.

Steffens says the potential for cyberwar is no different to the potential for offline war: “As a planet, if we can’t move away from war, it’s going to leverage all the innovation it has at its fingertips.”

IOActive is paid by companies to explore vulnerabilities in their systems, which it does by thinking like an attacker. The most vulnerable devices, Steffens says, are those that were developed quickly, or those where multiple types of connectivity are present.

“A basic device with an app interface, an operating system, wifi, Bluetooth etc: many of those are entry points,” she says. “When we did a hack on the car, we came in through the wifi, accessed the infotainment and that gave us access to the mechanism in the car. It’s often a multi-stage approach.”

To protect the car, the computer that controls the vehicle’s mechanism needs to be on a separate network from the infotainment system. This is much less costly to do while the connected car is in development, rather than retrofitting security functions to every car already on the market. Yet even when security is considered from the outset, maintaining the safety of a device is an ongoing process. “Security is an evolution,” Steffens says. “In our world there’s not a concept that is perfectly secure.”

IOActive started 20 years ago after Josh Pennell and his ethical hacking group in Seattle won the capture-the-flag hacking competition at the annual DefCon conference for three years running. The group took over the running of the competition and from there started working with private companies on improving their security.

Steffens joined 11 years ago, when the company was still concentrated solely in the northwest of the US. (It now has offices globally, including Argentina, Dubai and London.)

“I tripped and fell into security around 2000,” Steffens says. She was working in sports marketing around the time of the tech boom, got intrigued by startup culture and moved across to work at a company specialising in intrusion detection.

From there she became the seventh employee at Sourcefire, which developed network security hardware and software until it was acquired by Cisco in a deal worth $2.7bn (£2bn) in July 2013. Steffens left prior to the takeover and worked for a time at a young startup called GraniteEdge before joining IOActive, where she was promoted to chief executive within six months.

Her job involves travelling the world to talk about the latest advances in security with some of the world’s biggest companies. I ask her if she has any tips to help ordinary tech users stay secure.

“The first step is to understand what’s on the device,” she says. “Make sure that you have things set to lock and use passphrases and fingerprints to unlock your device. Only turn on features and applications that you want to use and look to see what those apps turn on in addition. Make a decision based on the risk/reward of an application, rather than installing everything for fun.”
