IoT World Today
Security
IoT Security: A White Hat Hacker Clarifies a Fuzzy Subject

IoT may be seemingly everywhere, but it is often poorly understood and secured. The IoT research lead at Rapid7 shares concrete advice on what is often a nebulous subject. 
  • Written by Brian Buntz
  • 22nd August 2019

Internet of Things devices can be elusive. That is a fact Deral Heiland, who is the IoT research lead at Rapid7, knows well. 

For one thing, such devices tend to pop up in myriad environments — inside and outside offices and industrial facilities. 

“Shadow devices are very common,” he said. “These are the devices that sneak into the network or a technology that changes through time.” That is, devices that once had limited capabilities, like printers, refrigerators, thermostats, cars or industrial machines, can become computers in their own right.  

Despite the at times maddening amount of attention the subject of IoT security has received in recent years, many individuals don’t give the matter much thought. “These are devices everyone’s using. They see them, but they often forget that they’re attached to the network.”

Another contributor to the murkiness surrounding the subject is the term “IoT” itself. Heiland, for one, is not the biggest fan of the phrase. It’s an example of a marketing term vendors dream up to sell their technology, he said. “I don’t like the term ‘IoT’ because I think it’s misleading. When I talk to an enterprise organization, if I ask: ‘Do you have IoT?’ They may say ‘no,’ because they might think it refers to some home consumer toy. They don’t understand that IoT is way beyond that.” 

Making sense of IoT devices requires looking at their functions. “I have three major ones in my model,” Heiland said. The first is that the device needs to be an embedded technology. Second, to qualify as an IoT device, a product should leverage cloud and API services to communicate over the internet. “And the third piece,” Heiland said, “is that it has some management control capability.” 

In the following interview, Heiland talks about his experience working with manufacturers, local governments and others with IoT projects:

What motivates manufacturers to reach out and have the security of a forthcoming product audited? 

Heiland: It’s a branding concern. Manufacturers are thinking: “It’s our name on our product.” They’re starting to take security more seriously. The impact of a security breach is damaging to the brand. And companies that have a solid brand want to protect that. 

Often, companies with a lot of white-label technology that doesn’t have a brand behind it have the biggest security problems. They rarely have an effective patch management response.

What role should end users have in using IoT projects securely? 

Heiland: In a number of the stories [on IoT-related security attacks] I’ve seen, the breaches weren’t necessarily a defect in the product. In some cases, the end-user wasn’t using good passwords, or they were reusing passwords for everything, whether it’s for a bank account or an Amazon Echo. In cases like that, when passwords get breached or when they use simple passwords, there is an increased possibility of those IoT technologies being used by random people. 

Do you see a similar pattern of lax security on the enterprise side?

Heiland: Often, organizations don’t have policies and processes around new emerging technologies. In a large organization, you may have satellite divisions that may decide: “Hey, we want to leverage some IoT technology.” So then they go out and purchase it. The core company may not know that’s taking place. I’ve worked with Fortune 500s where that was a very common problem. I think organizations need to have solid processes in place that define what IoT means to them as an organization. How are they going to approach it? Are they going to embrace it? Are they not going to use it? In any case, they should define processes and also ownership of those processes. 

If you’re going to bring new emerging technologies into a company, who owns them? If you don’t have defined processes for those things, devices show up. And these devices don’t necessarily have an obvious footprint. So just scanning may not detect them. So that’s how a number of these devices sneak in, and you lose accountability. There’s no change control or change management processes. So things just show up on the network. And no one’s aware of it.
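The “devices that just show up on the network” problem Heiland describes above is, from the defender’s side, an inventory reconciliation problem: anything that takes a lease or answers on the wire but has no owner of record is a candidate shadow device. The script below is an added example, not code from Rapid7 or from the interview. It parses ISC-dhcpd-style DHCPACK syslog lines, collapses them into one sighting per MAC address, and flags every MAC with no entry in the asset inventory. The log lines, inventory entries, MAC addresses and hostnames are all constructed for the example.

```python
"""Reconcile DHCP server log lines against an asset inventory to surface
devices that appeared on the network without passing through change control.

Added example. SAMPLE_DHCP_LOG and INVENTORY below are constructed sample
data, not records from any real network; a real deployment would read the
DHCP server's syslog and pull the inventory from the CMDB.
"""
import re
from collections import OrderedDict
from dataclasses import dataclass

# Constructed ISC dhcpd-style syslog lines. Only DHCPACK lines represent a
# lease actually handed out; DISCOVER/OFFER/NAK lines are deliberately mixed in.
SAMPLE_DHCP_LOG = """\
May 20 08:01:10 dhcp1 dhcpd: DHCPACK on 10.20.5.11 to 3c:52:82:aa:01:01 (fin-laptop-07) via eth0
May 20 08:03:42 dhcp1 dhcpd: DHCPACK on 10.20.5.40 to 00:1e:c9:bb:02:02 (HP-MFP-3F) via eth0
May 20 09:15:03 dhcp1 dhcpd: DHCPACK on 10.20.5.77 to b8:27:eb:cc:03:03 (raspberrypi) via eth0
May 20 09:15:09 dhcp1 dhcpd: DHCPACK on 10.20.5.77 to b8:27:eb:cc:03:03 (raspberrypi) via eth0
May 20 10:30:55 dhcp1 dhcpd: DHCPACK on 10.20.5.91 to 70:ee:50:dd:04:04 (SmartThermostat) via eth0
May 20 11:02:17 dhcp1 dhcpd: DHCPDISCOVER from 00:1e:c9:bb:02:02 via eth0
"""

# Constructed asset inventory as change control knows it: MAC -> (owner, asset tag).
INVENTORY = {
    "3c:52:82:aa:01:01": ("Finance", "LT-0007"),
    "00:1e:c9:bb:02:02": ("Facilities", "PRN-0003"),
}

DHCPACK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd: DHCPACK on "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$",
    re.IGNORECASE,
)


@dataclass
class Sighting:
    """One device as observed by the DHCP server."""
    mac: str
    first_seen: str
    last_ip: str
    hostname: str
    acks: int = 0


def parse_dhcp_acks(log_text):
    """Collapse DHCPACK lines into one Sighting per MAC, keeping the first
    timestamp, the most recent IP and hostname, and a count of leases."""
    seen = OrderedDict()
    for line in log_text.splitlines():
        m = DHCPACK_RE.match(line)
        if not m:  # DISCOVER/OFFER/NAK lines carry no granted lease; skip them
            continue
        mac = m.group("mac").lower()
        s = seen.get(mac)
        if s is None:
            s = Sighting(mac, m.group("ts"), m.group("ip"), m.group("host") or "")
            seen[mac] = s
        s.last_ip = m.group("ip")
        s.hostname = m.group("host") or s.hostname
        s.acks += 1
    return list(seen.values())


def find_shadow_devices(sightings, inventory):
    """Return every sighting whose MAC has no inventory record: the devices
    that took a lease without anyone registering ownership of them."""
    return [s for s in sightings if s.mac not in inventory]


def report(log_text=SAMPLE_DHCP_LOG, inventory=INVENTORY):
    """Produce one human-readable line per unregistered device."""
    shadow = find_shadow_devices(parse_dhcp_acks(log_text), inventory)
    return [
        f"UNREGISTERED {s.mac} ip={s.last_ip} host={s.hostname!r} "
        f"first_seen={s.first_seen} acks={s.acks}"
        for s in shadow
    ]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Matching on MAC rather than hostname matters: the hostname is self-reported by the client and is trivially wrong or blank, whereas the MAC is what the DHCP server actually served. Keeping the first-seen timestamp gives change management a concrete date to ask about, and a MAC that appears in DHCPDISCOVER lines but never in a DHCPACK is a second signal worth a separate check.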

How would you describe the level of cybersecurity awareness of local governments with “smart city” ambitions? How good of a job are they doing at securing funding for security?

Heiland: At least some of the people I’ve talked to rely on vendors for security. Some of those companies come in and set up, run and control the project. They pretty much do all the work. So some cities don’t need to do anything other than find funding. 

Would you advise cities with limited budgets to work with vendors that can provide something like smart city functions as a service? 

Heiland: Yes. That makes more sense because most cities don’t necessarily have the resources to throw behind it. Everyone I’ve talked to [with a smart cities project] doesn’t seem to have enough of a workforce to maintain, manage and secure all these technologies. So in those cases, I think smart-cities-as-a-service makes more sense. If you don’t have the resources to do it yourself, it’s probably better you don’t try. 

What is Rapid7’s business like in the smart home space? 

Heiland: We do a number of things. We at Rapid7 have an entire service arm within the company in addition to our products. The service arm does pen testing and offers advisory services and forensics. On the pen test team, we have a number of people who are trained to do assessments on IoT technology. And we’ve done everything ranging from medical to [industrial control systems] environments, to consumer products. A lot of times with consumer products, companies that are going to market with something want to have it tested first. Or if it is something that’s already in the market, companies call us to check it after, say, a scare on the internet. You’re thinking: “Hey, we haven’t really had that tested. Maybe it’s time we do that.”

Do you also work with companies on procurement of IoT devices?

Heiland: We’ve done a couple of small type assessments related to pre-purchasing IoT technologies or enterprise technology. 

Most of the time, manufacturers reach out to us. That’s the biggest bulk of the type of work we do. And literally, we’ve done everything. 

What are some of the most significant vulnerabilities you often see when you’re looking at IoT security? 

Heiland: It’s essential to understand the three pieces that come into play when you start thinking about IoT security. [That includes analyzing its embedded technology, cloud and API services, and management control capability.] Hardware security is one thing, but I can still attack or control that device if you have flaws in your APIs. And I can attack that device if you have flaws in your management control applications, whether it’s a mobile app or an application on a server. Each of those can have vulnerabilities. You have to think about the entire ecosystem. 

Can you explain how an attacker who gains access to an IoT device can use it as a pivot point for a future attack?

Heiland: One example of this was an assessment where we were able to do that on high-end IP cameras used by a large, state-level organization. We were able to compromise the cameras because of poor security, and then actually pivot through the cameras through other cameras into isolated segments. The segmentation firewalls allowed them to communicate, so we just pivoted through those. 

Another example was with multifunction printers. We compromised one of the machines on the DMZ. It had no connectivity to the entire network, but it had access to the printer. I built a custom payload [for a colleague to take advantage of] the functionality of that device. We sent that payload to a printer and the printer phoned out over the internet and gave us a tunnel into the corporate network.

Where do you think we are now in 2019 with IoT adoption? 

Heiland: I think it’s unavoidable. Go out and try to buy a not-smart TV. We’re going to see more and more cases where IoT technology is built in. We’re going to get it whether we want it or not. Eventually, there’s not going to be a “dumb” option.

Do you think the public’s attitude about IoT security is often different from how they see the security of devices like computers and smartphones? 

Heiland: People are often totally paranoid about a lot of IoT technology, but yet they’ll carry their camera into the bathroom with them, or into their bedroom. 

And I think it’s critical that people think about things like that. I encourage people to use the latest smart technology. It is convenient as hell, but use it wisely. 

For instance, IP cameras for security are brilliant. But do you really need them in the house? And if you’re going to put them in a house, understand the implications.

We [across society tend to be] good at doing our homework when we get ready to buy a new car or a new phone. You look online and check out all of the features and stuff like that. 

When you get ready to buy any new tech, go out there and start asking security questions. Start looking into whether this manufacturer has had any vulnerabilities. That in itself is not bad. But what was their process for patching? Was the timeline reasonable? Go out and grab the smart TV manuals — all of them are available online — and start searching in there for information on security. If you sell a TV, is there a defined process for how to desync it from the internet and your accounts? 

IoT devices can create new types of safety concerns. What are your thoughts on this topic?

Heiland: I think there are safety things you need to be concerned about. You could have a pressure cooker that has Wi-Fi — a microwave, a washing machine or a refrigerator. Devices like those as well as ovens and garage door openers are kinetic devices. They produce some type of energy, whether it’s movement or heat, that will be a potential risk. So an extra level of security needs to be applied to that to make sure that those things can’t be impacted.

All the ones I’ve looked at so far have been good. I went out and got one of the Amazon microwave ovens with voice control. I purely wanted to check to see how they’re doing it. And it was pretty solid. The initial voice command would work. But once you shut the door, it had features to prevent somebody in your driveway from walking up to your door and screaming: “Alexa, microwave full power for three hours.” [Laughs] 

Tags: Security Smart Homes and Smart Buildings Q&As
