
Security Failures in Movies – The Sequel

By · April 28, 2021 (updated April 30th, 2021) · Thoughts

I’m a fervent movie watcher (and, really, re-watcher) — an indulgence and, now, a convenient rationale for revisiting my favorite movies with an eye for security mishaps and their work-related importance. “It’s research,” I tried explaining to my girlfriend. (And surprisingly, my first post about security failures in movies was our most visited ever.)

So it goes without saying I’ve put together a follow-up post. After all, every moderately successful movie demands a sequel — Hollywood’s rules, not mine. With no trailers to sit through, we’ll jump right into our main feature.

Movie Security Failure 1

Iron Man 2 – Smart TV Snafu

It seems apropos to begin this sequel with a sequel. Iron Man was a breakout box office success in 2008, launching the Marvel Cinematic Universe and revitalizing the A-list status of Robert Downey Jr. As he famously revealed as Tony Stark in the final moment of the movie, “I am Iron Man.” Mic drop! (Technically, Gold-Titanium-Alloy Man, but the moniker is “evocative,” Tony concedes.)

It’s Gold-Titanium-Alloy, err, “Iron” Man

Marvel Studios immediately went to work on Iron Man 2, releasing it in 2010. It’s six months after Tony’s revelation, and he’s been busy kicking butts and taking names to achieve world peace, donning an immaculately manicured goatee the whole time — and with a growing swagger, shall we say.

Of course, the U.S. government wants him to turn over the Iron Man tech and has called him to account in a public Senate hearing with a would-be grilling from Garry Shandling as Senator Stern. The stage is set as Tony swaggers in, C-SPAN cameras streaming, to deliver another epic mic drop. In real time, he commandeers video footage submitted as evidence during the hearing and reveals how far behind adversaries are in replicating his Iron Man suit, including villainous rival Justin Hammer, played by Sam Rockwell, whom we see frantically pulling any power cords within reach to shut down the video. “You want my property? You can’t have it! But I did you a big favor. I have successfully privatized world peace.” Throw ‘em the double deuces, Mr. Stark, as the mic falls to the floor.

Lesson: Extend Security to IoT

Commenting on the scene during an interview with Wired magazine, hacker and security researcher Samy Kamkar said, “It’s actually kind of realistic, as you could easily break into a Chromecast or Apple TV. And most smart TVs are internet connected now. So there’s a big attack surface, a lot of ways to break into these TVs and cast something that otherwise you shouldn’t.”

With the advent of IoT, almost every device these days is connected to the internet, dramatically increasing the attack surface, as Kamkar points out, even including smart fish tank thermometers — a lesson learned the hard way by a casino, which had its high roller database stolen by attackers, no gold-titanium-alloy suit required.


According to the 2020 Unit 42 IoT Threat Report from Palo Alto Networks:

  • In 2019, there were more than 4.8 billion IoT endpoints (and it’s grown significantly since)
  • 57% of these devices were vulnerable to medium or high-severity attacks
  • In one sampling of medical imaging devices, 83% were running on unsupported operating systems, making them vulnerable to exploits
  • The majority of IoT devices run on unsupported operating systems or embedded operating systems, both of which lack security updates (again, making them vulnerable)

The first step toward improved security? Segment the IoT environment from the corporate environment, thereby creating a secure barrier (keeping those internet-connected thermometers in the fish tank, so to speak). Secondly, access into and out of IoT environments should be identity based, providing visibility and least-privilege user access. Doing both dramatically reduces the attack surface and the blast radius, and also speeds up detection and response capabilities.
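To make the two steps concrete, here is an added illustration (my own example, not code from the original post or from any product mentioned in it) of a default-deny policy between an IoT segment and the corporate segment, with identity-based, least-privilege exceptions and a list of denied cross-segment flows for the SOC to alert on. The address ranges, device identities, roles and flows are constructed sample data; the "fish tank thermometer" reaching for a database is the scenario from the paragraph above.

```python
"""Default-deny segmentation between an IoT segment and the corporate segment,
with identity-based, least-privilege exceptions and an audit list of denied
cross-segment flows. Illustrative policy engine with constructed sample data,
not a vendor configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed segments (assumption: IoT and corporate live on separate ranges).
SEGMENTS = {
    "iot": ip_network("10.20.0.0/16"),
    "corp": ip_network("10.10.0.0/16"),
}

# Identity-based allow rules: (from_segment, to_segment, dst_port, required_role).
# Anything not listed here is denied across the segment boundary.
ALLOW_RULES = [
    ("corp", "iot", 443, "facilities-admin"),   # admins manage devices over HTTPS
    ("iot", "corp", 8443, "iot-telemetry"),      # devices push telemetry to a collector
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    identity: Optional[str] = None   # authenticated principal; None means anonymous
    role: Optional[str] = None       # role bound to that identity


def segment_of(addr: str) -> Optional[str]:
    """Map an address to its segment name, or None if it is in neither."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def evaluate(flow: Flow) -> Tuple[bool, str]:
    """Return (allowed, reason). Cross-segment traffic needs an identity and a rule."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg is None or dst_seg is None:
        return False, "unknown segment"
    if src_seg == dst_seg:
        return True, f"intra-segment ({src_seg})"
    if flow.identity is None:
        return False, "cross-segment flow without authenticated identity"
    for from_seg, to_seg, port, role in ALLOW_RULES:
        if (src_seg, dst_seg, flow.port) == (from_seg, to_seg, port):
            if flow.role == role:
                return True, f"rule {from_seg}->{to_seg}:{port} for {flow.identity}"
            return False, f"identity {flow.identity} lacks role {role}"
    return False, "no rule for cross-segment flow (default deny)"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Denied flows with their reasons: the events a SOC would want to alert on."""
    denied = []
    for f in flows:
        allowed, reason = evaluate(f)
        if not allowed:
            denied.append((f, reason))
    return denied


# Constructed sample traffic. 10.20.5.7 is the fish tank thermometer,
# 10.10.1.20 the high-roller database, 10.10.2.5 the telemetry collector.
SAMPLE_FLOWS = [
    Flow("10.20.5.7", "10.10.1.20", 1433),                                  # anonymous reach for the DB
    Flow("10.20.5.7", "10.10.2.5", 8443, "thermo-0042", "iot-telemetry"),   # legitimate telemetry push
    Flow("10.20.5.7", "10.10.1.20", 1433, "thermo-0042", "iot-telemetry"),  # telemetry role, DB port
    Flow("10.10.3.9", "10.20.5.7", 443, "alice", "facilities-admin"),       # admin managing the device
    Flow("10.10.3.10", "10.20.5.7", 443, "bob", "intern"),                  # wrong role
    Flow("10.20.5.7", "10.20.5.8", 80),                                     # device to device, same segment
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        allowed, reason = evaluate(flow)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {flow.src}->{flow.dst}:{flow.port}  {reason}")
    print(f"{len(audit(SAMPLE_FLOWS))} denied cross-segment flows to review")
```

The design choice worth noticing is that the third sample flow is denied even though the device presents a valid identity: the telemetry role grants one port on one collector and nothing else, which is what keeps a compromised thermometer from becoming a path to the database. The `audit` list is the detection side of the same policy; every deny is a cross-segment attempt that should not be happening and is worth a look.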

Movie Security Failure 2

Demolition Man – An Enhanced Attacker

Demolition Man is, in my opinion, a criminally underrated sci-fi actioner from the late ‘90s starring Sylvester Stallone and Wesley Snipes, who represent opposing sides of the law and face off throughout the film (often wearing no sleeves). The opening scene in downtown Los Angeles gets right to it: A building is demolished. A bus full of innocent hostages is blown up. And, after their first confrontation, both go to prison. But not behind bars.

Enter the sci-fi part: They’re frozen in cryogenic tanks sans sleeves (or any other clothing for that matter), while they pay their debts to society.

Fast forward 36 years to Year 2032. Snipes’ Simon Phoenix, who is up for parole, is set to be thawed and released into a Brave New World that has eliminated all violence, drugs, sex and rock-n-roll, and — wait for it — toilet paper. (How do you use the three seashells?!) Plus, only one restaurant chain has survived: Taco Bell. (And these folks don’t need toilet paper. Yikes!) Oh, and handshakes are out, replaced by air high-fives. “Salutations and greetings!”

But this isn’t the same-old Simon Phoenix. (Thankfully, though, his yellow high-top fade does remain intact.) While imprisoned as a popsicle, he was “upgraded” by the scientist leader of San Angeles (the cities around Los Angeles and San Diego have been combined, of course) with an impressive array of capabilities, including enhanced strength and fighting abilities, and newfound computer skills. He immediately puts all of this to use upon breaking out of prison against a woefully outmatched police “force” armed with tidy uniforms and a stern tone of voice — which they’ll repeat even more sternly, mister, if you don’t comply.

An enhanced Phoenix isn’t in the mood to lie down, though. It’s the perfect recipe for a beautifully choreographed, sarcasm-drenched security failure. “Simon says, ‘Everybody sing!’”

Lesson: Adopt Zero Trust to Fight Enhanced Attacks

As we’ve witnessed in a rash of headlines about recent and very high-profile breaches, cyber attackers have been “upgraded” Simon Phoenix-style with state-sponsored techniques and tactics.


Cyber criminals used to have to write their own code to develop exploits. Now, they can simply add highly sophisticated packages to online carts — ransomware and malware-as-a-service, quite literally, complete with purchased support. Add to that, attackers now have access to weaponized AI and ML capabilities, further enhancing their effectiveness. (Who knows, maybe they’ve upgraded their haircuts too.) And many companies are still protected with no more than San Angeles-esque “stern voices,” leaving them concerningly outmatched.

As Microsoft itself advised after the SolarWinds breach, it’s time to mature security postures by adopting Zero Trust — that is, eliminating the excess of access and implicit trust that plagues security architectures today. Now is the time to make the investment to reduce attack surfaces and close the gap with the enhancement of adversaries. With billions of dollars for the taking, they’re not going to simply lie down (even if you use a stern voice).

Conclusion: The Trilogy Awaits

Perhaps the most rewarding aspect of my first movie security failures blog was the responses I received from LinkedIn readers, who have been chiming in with their own favorites — Iron Man 2 among them. It’s clear that many out there are not only big movie fans but also recognize the cyber security vulnerabilities movies can reveal (in an oh-so-entertaining way).

In the meantime, it goes without saying that I plan to write another post to complete the trilogy. Again, per Hollywood’s rules. Suggestions in the comments are encouraged!

Until then … “Simon says, ‘Never trust!’”
