So I watched Neill Blomkamp’s CHAPPiE on a plane last week and one thought is stuck in my mind: the entire story would not have happened if the nice folks at the company producing police robots had simply followed a few really trivial security practices…
So, here’s my list of poor security practices at Tetravaal (a fictitious company that develops, produces, and controls heavily armed robots) that got the city of Johannesburg into this whole mess:
1. Role separation does not exist or isn’t enforced.
Lead research engineers who work on new robot models also operate, troubleshoot, and update robots that are already in the field. Even worse: engineers from a competing project also have full access to all projects within the company. Actually, this one alone was enough to set the plot in motion, but there’s more!
2. Network segmentation and isolation, anyone?
The same access keys and permissions let you into the test environment, the robot-controlling network in the field, and even the manufacturing lines! All of these are accessed and controlled from the same computer – actually, any computer, as soon as you insert a special highly secure USB stick.
3. One-and-a-half-factor authentication.
Now, that thumb drive is the core of their security. Only one copy exists and it is required to make any major changes. They just share it. The USB stick is stored behind a locked door that requires a physical key and a code to get through. Once you have it, you can log in and do whatever you want with your password and this shared thumb drive.
4. No change control process.
Seriously. The guy just walks up to the CEO’s office and asks, “Can I borrow the key to make changes?” Once she verbally approves, he just walks off to grab the thumb drive and gains full access to all these deadly weapon-carrying robots in the streets. Actually, they did not even ask most of the time.
5. Lack of audit process and policy enforcement.
I have to admit, they do have some kind of audit. Two days (!) after the good engineer guy took that super-critical USB stick (without any authorization), someone from security called him on the phone. But these naive security people just asked the engineer to return the thumb drive by “end of day tomorrow”, otherwise they would “have to inform” the CEO…
Obviously, I understand this is fiction. Lack of security processes and awareness may be okay in a movie if it’s needed to justify the rest of the story. But think about it: the very same mistakes lead to the huge data breaches we’ve been hearing about on the news over the last couple of years. Target, Sony, Anthem, you name it. Luckily, life is not a movie, where these mistakes led to so much destruction and violence in the city streets; in real life it’s mostly financial and reputation losses. Still, maybe we should pay a bit more attention to this security thing after all?