This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
everyone. I'm Drex, and this is the Two Minute Drill, and here's some stuff you might want to know about. There's a guy in Spain, his name is Sammy. He's not a hacker. He wasn't intentionally trying to raise a robot army. He just got caught up in something that, well, he just honestly didn't expect to happen.
Again, Sammy's not a criminal mastermind. He's not part of some shady ransomware syndicate. He's a volunteer, an open source contributor, an engineer. He's a tinker. And I've had a couple of stories about these kinds of folks lately, and it's important that you listen because there's a lot of folks in your organization that are a lot like Sammy.
They're makers, they're curious. They like to figure things out, and that's exactly what Sammy was doing a few weeks ago. He decided to do something kind of nerdy, and I also have to say that if I was voting, I would say not only was it nerdy, it was also an awesome idea. He wanted to control his own robot vacuum with a PlayStation controller.
Yeah, because why not? When something spills on the floor, or there's a spot of dog hair where the dog lies and it needs to be cleaned up instead of waiting for the robot vacuum to run all those patterns through your whole house, Sammy just thought it would be cool to fire up the PlayStation controller and take control of the robot, drive it over there and take care of the problem.
That's it. So he starts reverse engineering how the vacuum talks to the cloud. He looks at API calls and authentication tokens and the MQTT messaging layer. It's all pretty normal nerd spelunking stuff, the kind of thing that curious engineers do every day, and then something strange happens. He realizes that the authentication token that's being issued for his vacuum works on other vacuums, and not just one, and not just 10.
Oh. Uh, here's a game: you shout it out. How many vacuums do you think Sammy found himself accidentally in control of? Shout it out now. Go ahead. Wrong. 7,000, roughly. 7,000 robot vacuums around the world. Different homes, different countries, different owners. They all have the same backend trust model. Now pause there.
'cause this is the part usually in the story where I would say something like, and then there was a massive hack, but that's not what happened. Sammy didn't brute force anything. He didn't exploit some exotic zero day, he didn't socially engineer credentials from the service desk. He accidentally discovered that the robot's code failed to verify that a token issued to one device was actually bound to that one device.
So that's like saying if you have a key to your front door, you feel pretty good that your key only opens your door, and that the neighbor's key only works on the neighbor's door. But Sammy figured out accidentally that his key opened all the robot doors. So what could he access? Well, he had remote control of the units, so he could drive robot vacuums around other houses using his PlayStation controller.
And it turned out he could see live camera feeds on the models that were equipped with cameras. And he had access to the microphone input. And remember, these things drive all over your house. And in doing that, they create a floor map and that's also stored in the cloud. And he had device telemetry, so he had everything about the device, including things like IP based location data.
So he kind of knew where the robots were too. So we buy a lot of this kind of stuff these days and we don't think much about it. We trade privacy and convenience back and forth so often it's just turned out not to be a big deal anymore, especially for us at home and for our families. But these things aren't really just vacuums.
They're roaming sensor platforms. They map the inside of your house, inside of private spaces. Now to his credit, Sammy did what responsible researchers do. He disclosed the problem to the robot vacuum company, and quietly and in a coordinated way, the vendor patched the issue on the server side. No botnet, no chaos, no ransom note.
But this story matters because of the pattern. We're filling homes and increasingly hospitals with connected devices that operate on the assumption that the cloud identity equals device security. Every device has its own key, and only that key opens the door to where all the data is stored for that device.
But that assumption fails more often than we'd probably like to admit. So think about the healthcare implications. Replace robot vacuum with infusion pump or patient monitoring system, or badge access controller or telehealth endpoint. You kind of get my point. If authentication boundaries blur in a hospital environment, the risk profile escalates instantly.
Sammy's discovery wasn't a nation-state level exploit, but it was an identity hygiene problem. And between the IoT and IoMT and OT and AI agents, it feels like these days there's more non-human identities running around our hospitals and our networks than there are actual human employees. Identity hygiene is pretty unsexy stuff, but we are now way past the point where we can keep doing security through obscurity.
Hiding things and hoping that makes them secure, because people are curious and now they have agents that can help them solve their mysteries. AI agents can autonomously probe APIs and test boundary conditions and discover misconfigurations, and they can do all that at machine speed. So 7,000 vacuums today.
But what's the number when the discovery process is automated? For healthcare leaders that are listening, this is not a vacuum story. It's a trust boundary story. It's an identity hygiene story. When you evaluate vendors, especially in the AI enabled, cloud connected device space, the question isn't just does it work?
It's all the other stuff too. How tightly are identities bound? How granular is authorization? Can a token wander? And if it does, what does the blast radius look like? Modern cyber risk these days is less and less about smashing through the firewall or deploying malware or brute force attacks, and it's more and more often that we're talking about someone politely and quietly walking through the front door because nobody checked to make sure that one key didn't open 7,000 doors.
A misconfiguration, a tiny error in code. Details have always been important, but the details are more important today than they've ever been. By the way, I'll be at HIMSS next week and you'll wanna be a part of the small group that Nordic and Clear are pulling together. It's about one of the biggest security vulnerabilities that we have today, the service desk and identities.
Security experts from Nordic and Clear are pulling back the curtain on how major healthcare breaches often start, and why the service desk has become so important in that fight. So join me on Tuesday, March 10th at 1:00 PM, booth 6 3 1 6 31. It's a candid round table you won't wanna miss. That's it for today's Two Minute Drill.
Stay a little paranoid and I'll see you around campus.
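To make the trust-boundary point concrete, here is an added example (not code from the episode, the researcher, or the vacuum vendor) contrasting the server-side check the story describes as missing with a bound one. The HMAC key, device IDs, and claim names are constructed for the demo and assume nothing about the real service.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real service keeps this in a KMS/HSM, never in source.
SERVER_KEY = b"constructed-demo-key-not-real"


def issue_token(device_id: str) -> str:
    """Issue a signed token whose payload names the ONE device it was issued for."""
    claims = {"device_id": device_id, "scope": "control"}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_signature(token: str) -> Optional[dict]:
    """Return the claims if the token is authentic (untampered), else None."""
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def authorize_unbound(token: str, target_device: str) -> bool:
    """The failure pattern from the story: any authentic token opens any device.

    The token is genuine, so the check passes, but nobody asks whether it was
    issued for target_device. One key, 7,000 doors.
    """
    return verify_signature(token) is not None


def authorize_bound(token: str, target_device: str) -> bool:
    """Hardened check: authentic AND bound to the device being acted on."""
    claims = verify_signature(token)
    if claims is None:
        return False
    return (
        claims.get("device_id") == target_device
        and claims.get("scope") == "control"
    )
```

Authentication answers "is this token real?"; the bound check also answers "is it for this resource?", which is the question the vendor's server-side patch had to start asking.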