Awakening from the dream: The security flaws of Westworld
*This post or embedded links within the post may contain spoilers.
—The season finale of Westworld hit the Home Box Office crowd, drawing in 2.2 million viewers.
For those unfamiliar with the premise: this new HBO series was inspired by the 1973 film of the same title (written by Michael Crichton) about a futuristic theme park populated by artificial beings and set in the old West.
If you have ever dreamed of being a white hat cowboy or cowgirl rushing in to save the day, or a black hatted scoundrel with no moral compass, then this is your dream vacation destination. Similar to how gamers interacted with Grand Theft Auto in the 90s, visitors’ actions inside the park said more about you as a person than perhaps it did about the robots or narratives found in Westworld.
As one would expect from an HBO project, the series is filled with a multitude of characters: some good, some bad, some ugly. Whether human or host (i.e. the term used to describe an artificial being in the park), the characters focus heavily on what constitutes humanity and at what stage A.I. reaches consciousness.
As the closing credits rolled, I’m sure many rushed to a variety of BuzzFeed quizzes to see if they were a Dolores, a William, a Maeve or (ugh), a Teddy. However, we are not here to question the journey you would take once entering the park. Instead, we want to look at what security threats were on display during the series and what real lessons enterprises need to take away from this fictional theme park.
The terms the show was abuzz with included many of the topics that dominated our speaker submissions this year, ranging from securing mobile devices and IoT, to machine learning and A.I. to deception and uncertainty. Don’t worry, this post will not go ‘full Skynet’ as many have already looked to debunk the rise of the machines. Instead, the true threats to the park fell not at the steel beings but those carbon-based life forms…
From the outside looking in, the park had most of the trappings of a strong security program. Physical security teams were in place to alleviate attendee fears of host malfunctions or attacks, mobile devices could be placed on lockdown and disabled quickly, hosts received constant checks for issues in code, and security checks were in place to keep physical assets from leaving the premises with guests or employees.
However, this heavily “protected” park did have some major vulnerabilities we know also impact many enterprises across the globe:
Small staff, not fully trained or properly educated: This large facility actually had a much smaller core team in place than what was needed. If one person was missing, out sick, fired, etc. someone else had to pick up that role whether they were formally trained in it or not.
Security does not take a day off, and it certainly cannot be a secondary thought.
- Lack of communication/intelligence sharing: The only thing worse than being short on resources in terms of staff is to silo that staff. Throughout the season, we were able to see host code and behavior change, corporate assets destroyed and potential customer safety risked due to a lack of communication among teams. Quality Assurance, security, product/behavior and executive groups (C-suite and board) all acted on information they discovered and did not alert the other teams to the findings or the next steps.
Multiple insider threats: This show represented most enterprises worst fears. A company can spend a lot of time (and money) protecting product and customers from outside threats but often the one that slips through the radar is an insider.
Westworld’s fictional set up showed low-level technicians abusing power and access to hosts, showed multiple internal teams trying to remove data/IP from the park and higher-level executives abusing power through hostile threats (physical, emotional, financial) to gain advantage.
Big brother collecting too much data: The true gem of this park wasn’t the hosts or even the IP behind their A.I. No, the item that was up for grabs and why so many insiders could stand to make a profit was the user data.
With a 40K a day price tag, the park’s attendance was clearly an elite group of individuals. In the park’s systems, you would have access to names, number of visits, number of kills, love interests or perversions, and more.
You may disagree with these as the primary flaws. Some people choose to see the ugliness in this world. The disarray. I choose to see the beauty. (Couldn’t resist.)
Now the question to you the fans within our community: how would you have designed the security system within Westworld to combat these flaws? Until we solve that mystery or until next season, I’ll be where the mountains meet the sea, awaiting the next narrative and hoping I don’t wake up on that train next to Teddy…
RSA® Conference, happening Feb. 13 - 17 in San Francisco, drives the information security agenda worldwide. It has consistently attracted the best and brightest in the field and created invaluable opportunities for first-hand interactions with peers, luminaries, and emerging and established companies. Use promo code 5U7CSMPFD for $100 off admission for Passcode readers. Register here