Crowdsourced Security Gaining Ground for IoT and Enterprise
Would you be willing to pay to enlist an army of potentially anonymous hackers to look at the code of your forthcoming IoT product? Could you afford not to use such a service?
Bug bounties and the broader category of crowdsourced security testing platforms (CSTP) are hot. Last year, Gartner pegged CSTPs close to the peak of its Hype Cycle for Application Security, estimating the product class was five to 10 years away from mainstream adoption. While the analyst firm’s track record is somewhat uneven when it comes to the predictions of its proprietary s-curve hype cycle, it is clear interest in crowdsourced security is strong now. Last year, Microsoft paid some $2 million in bug bounties. The U.S. government also deploys crowdsourced pen testing.
The concept of crowdsourced security testing is also well suited to many IoT deployments and has a number of advantages over traditional penetration testing, said David Baker, chief security officer of Bugcrowd, in an interview at IoT World. “In the pen test model, you might have two consultants for two weeks,” Baker said. With a crowdsourced security platform, a company could enlist 1,000 pen testers deployed throughout the year. “And since there’s a competition, they will create all the necessary things to do to get that P1 as often as possible,” Baker said, referring to a priority-one-level vulnerability. “The model gives far better results from a resource perspective.”
“You pay for results,” said Mårten Mickos, chief executive officer of HackerOne. “That’s why it is so disruptive.”
As Gartner observed in the aforementioned report, crowdsourced software security testing is well suited for IoT applications and other application security deployments involving esoteric platforms or heterogeneous systems.
Another factor that has dampened interest in the technique is enterprise professionals’ mistrust of deploying hackers to examine sensitive software. Crowdsourced security testing firms have worked to counteract that concern by offering private invite-only bug bounty programs involving curated participants.
The fact that talented participants (bug bounty hunters) are paid essentially for finding a bug first provides an incentive for the system to function as designed. Some participants are well paid for their efforts. Last year, a total of 12% of HackerOne’s user base made at least $20,000 from that platform. On Bugcrowd, some of the highest payouts have topped six figures. One researcher was awarded $180,000 for three weeks’ worth of testing, which included finding a string of vulnerabilities. “Typically, the average, average P1 [priority-one] payout right now is right around $3,000,” Baker said. “There are people who [use our service to] feed their families. They buy houses.”
Enterprises using the crowdsourced security approach can find a scale that would be difficult to match through conventional hiring practices. “Before Bugcrowd, I was a customer,” Baker said. “I was a CSO at Okta and had my own pen testing team. I had run a pen testing firm before, and so I was able to recruit those [security researcher] folks for my team, but I could only hire so many and they were very expensive. And developers, you can hire developers all day long; it was hard to hire a security person.” Companies deploying a crowdsourced approach to security free up internal security resources to focus on tasks such as code review, threat modeling and remediation. Meanwhile, customers of such programs will often get a plethora of feedback on software vulnerabilities. “The client will get approximately 200 to 500 submissions that are valid,” Baker said. Bugcrowd deploys a team to vet the submissions and weed out research findings that aren’t helpful. “They take out duplicates, out-of-scopes, not-applicables and so on. The customer just gets the signal and not the noise.”
In addition, the white-hat hackers engaged in the process are paid based on results rather than by the hour, as is the case with pen testers.
In terms of IoT- and networking-related companies using the technique, Bugcrowd counts Tesla, Cisco Meraki, Arlo, Twilio and Netgear as customers.
Black hats were quick to target home networking gear such as routers and switches, a fact that helped make networking companies eager to embrace crowdsourced security. “Netgear and Arlo were very early adopters,” Baker said.
In terms of general IoT-based attacks, “what’s old is new again,” Baker said. “[Vulnerabilities] you would expect to see in web applications like broken authentication, not doing proper code signing for certificates or not encrypting properly. We find those in IoT devices.”
The underlying problem that leads to the widespread proliferation of such vulnerabilities for IoT devices is an overall deprioritization of cybersecurity among many product developers. “People are focusing on making the device easy to use, making it so I can activate it with my cell phone,” Baker said. “They are focused on all of the things that make it very easy to use, but they are not thinking about the underlying security protocols of the API, the webhooks or the actual firmware.”
Another consideration relevant to IoT security is the supply chain. “We’re getting commodity computer chips, and commoditized firmware being built out for these devices,” Baker said. Compromised aftermarket USB chargers used for smartphones and all manner of other gadgets can be used to launch exploits.
Last year, Bloomberg ran an unverified story claiming China was able to target nearly 30 U.S. companies through a supply chain compromise. Apple Chief Executive Officer Tim Cook demanded that Bloomberg retract the story, while Amazon and server maker Supermicro also disputed the reporting. The latter company is reportedly ceasing the use of Chinese-based contract manufacturing as a result of fallout from the article. “There wasn’t a lot of substantiation behind [that article], but I have also seen supply chain issues crop up,” Baker said.
Automotive companies have been relatively early to embrace crowdsourced security testing. “There’s definitely a lot of maturity with car manufacturers right now,” Baker said. “Ever since Charlie Miller and Chris Valasek came out with the Jeep hack, it’s been very high profile,” he said, referencing the 2014 exploit of the Jeep Cherokee that enabled the researchers to remotely control the vehicle’s brakes, steering and acceleration after breaching its connected entertainment console.
HackerOne’s customer roster includes GM, Lufthansa, Uber and the U.S. Department of Defense.
Another similar vendor, Synack, was founded by former NSA and U.S. DOD professionals to combine crowdsourcing with machine learning. That company received funding from Hewlett Packard Enterprise, Microsoft Ventures and Kleiner Perkins, among others.
Ultimately, crowdsourced security can help create a sort of virtuous cybersecurity cycle, Baker said. “Security is a never-ending challenge. But the idea is you have a crowd of people watching. You have people involved in reporting vulnerabilities and always watching so you have a feedback loop,” he said. “And then you’re fixing what’s being found. You can continually just make it harder and harder for people to break.”