Last updated: 16 May 2016
Who’s the greatest superhero? I grew up arguing that with friends. My answer remains the same today: Batman.
He has versatile Bat gadgets (never including guns), his combat training, and his genius-level intellect and deductive abilities – making him the World’s Greatest Detective – and that’s it. But that’s all he needs. He’s the dark realization of mankind’s potential, but he’s just a man, making him an underdog in the superhero world.
Compare that to Superman: Earth’s benevolent alien with the powers of superhuman strength, near invulnerability, flight, freeze breath, x-ray vision, and heat vision.
Usually, he and Batman see eye to eye, but sometimes – like in Warner Bros.’ Batman vs. Superman – they can’t get on the same page. Super fisticuffs ensue.
If Batman’s going to win in a fight like that, he’s going to have to bring his A game and stay at least one step ahead.
While I’m pretty confident the Dark Knight can take him, there are some past missteps that do give me pause. And, sadly, cyber security is an area where I think Batman has room for improvement.
Here are three good examples. Warning: Potential spoilers ahead (for older, non-Batman vs. Superman material, that is).
Batman Cyber Security Fail #1: Batmobile Hijacking – Batman Returns
An innovator with a need for speed, Batman was driving a smart car long before they hit the roads in the real world. We know it as the Batmobile.
Sure, it has a jet engine, armor, and defensive weaponry, but it’s also able to transmit data with Batman’s computer. Batman can control it remotely. It’s a smart car.
In 1992, seven years before the term “the Internet of Things” entered our lexicon, Batman faced off with The Penguin and Catwoman in Tim Burton’s Batman Returns. Like all Batman films, the Batmobile played a big part.
Unfortunately, while The Penguin relies mostly on machine gun umbrellas and penguins sporting backpack rockets in the movie, he somehow figures out how to take control of the Batmobile using a device attached to the underside of the vehicle.
With Batman trapped behind the wheel, his flightless foe takes him on a wild ride through Gotham. Buildings and other vehicles are damaged, pedestrians are nearly killed, and Batman is forced to destroy numerous panels and components in the car to take back control.
All because while he made sure the body of the car was covered with armored plates, he missed a weak spot on his car’s underbelly.
What no one could have known watching that movie in theaters at the time was that we’d all be concerned about a similar scenario playing out with average Joes behind the wheel.
What we can learn: We’re trusting our lives and our families’ lives to smart cars whenever we use them. That’s an incredible leap of faith companies have to earn and retain.
Ensuring that smart car security measures adequately prevent hackers from taking control of the cars or stealing their data is paramount, meaning we need to protect the cars themselves, the hubs controlling the data and updates, and the communications between them.
Thankfully, it looks like Batman might have made progress in this area in Batman vs. Superman, as we covered in a post over on the Gemalto Enterprise Security blog.
[Learn more about securing the Internet of Things by downloading our free IoT security guidebook.]
Batman Cyber Security Fail #2: Holy Hackers, Batman! – Justice League: Doom
Bringing Batman, Superman, Wonder Woman and other heroes together as a team means they’re a roadblock for any super villain scheme, which is why step 1 in said plan has to be taking down the Justice League.
What’s the best way to do that?
As shown in the animated film Justice League: Doom, the answer is simple: start with Batman.
The Caped Crusader believes in the saying “Keep your friends close, your enemies closer… and your super friends that could potentially become enemies closest.” As a result, in Doom we learn he has files on how to immobilize each member of the Justice League in the event they go rogue, making the Batcomputer the world’s biggest hacking target.
In the movie, a group of super villains manage to get into the Batcave, attach a state-of-the-art hacking device supplied by Lex Luthor to the Batcomputer, and steal the files.
To his credit, Batman uses cutting edge encryption. It wouldn’t be much of a movie if they weren’t decrypted, however, and that leads to the near-deaths of the Justice League heroes.
As a fail safe, however, when the files are decrypted, they disclose the location where they were accessed, leading Batman and the rest of the Justice League straight to the villains. You can guess what happens after that.
What we can learn: One of the most technologically savvy superheroes makes strong data encryption a priority, and so should we.
However, does the fact that the villains were able to decrypt the files mean that Batman stored the encryption keys with the encrypted data? Potentially.
While the ping-back feature is cool, we’d recommend changing it slightly – an alert any time someone attempts to decrypt the data and a Bat Hardware Security Module as a root of trust for the keys in order to prevent actually exposing the data.
[Learn how enterprises can leverage hardware security modules with our white paper, An Anchor of Trust in a Digital World.]
Batman Cyber Security Fail #3: Gotham Grid Attack – Batman: Year Zero
One doesn’t become the world’s greatest superhero (in my opinion) without learning from a few past mistakes. And while it’s not a side of him we normally see, Batman made his fair share of mistakes when he started fighting crime.
Writer Scott Snyder and artist Greg Capullo explored that formative time with their “Zero Year” story in the Batman comic book series, during which the Dark Knight crossed paths with The Riddler for the first time.
Enter the Internet of Things again. The Riddler manages to steal the work of various research teams. By combining their technologies, the brainy thorn in Batman’s side is able to build a “remote hacking hub” capable of taking control of Gotham City’s energy grid.
Though Batman is able to build a jammer and nearly get it in place, he fails to stop The Riddler in time – a rare thing. The effort nearly kills Batman, allowing his enemy to flood and take control of Gotham. Parts of the city are irreparably damaged, and many lives are lost.
At his lowest point in his early career, Batman has to find a way to outsmart The Riddler and take back the city.
While many of us think of The Riddler as an annoying and non-threatening villain that shows up, says “Riddle me this…?” a few times, and then quickly gets what’s coming to him, in this particular iteration he applies his twisted mind to hacking and becomes much more formidable and terrifying as a result.
What we can learn: In order to protect the smart grid from hackers rivaling The Riddler’s talents, energy and utility organizations need to protect the grids’ devices, communications, and application layers.
One of the best options is using a key management solution as part of a Public Key Infrastructure (PKI) environment to secure the private keys and certificates used to protect the smart grid infrastructure.
[Learn more about smart grid security by watching our on-demand webinar, Building the Trusted Smart Grid.]
Cyber security solutions can’t necessarily be packed into a utility belt, but clearly they’re something Batman needs if he’s going to come out on top and save his city.
If he can put enough contingency plans in place to prepare for a breach and address his vulnerabilities – physical, psychological, and cyber – he has the ability to overcome any attack from The Penguin, The Riddler, Superman, or anyone else bold enough to take him on.
Good luck to them. They’re going to need it.
And actually, we’re all going to need a little luck when it comes to data breaches based on the latest findings from the Breach Level Index.
While we unfortunately only have mild-mannered alter egos with no superhero identities to match, we can still prepare for security risks as good as – if not better than – Batman.
For help with that, check out these resources: