Recently I transitioned from a Principal Consultant role into a new role at Rapid7,as Research Lead with a focus on IoT technology, and it has been a fascinating challenge. Although I absorb been conducting research for a number of years, or covering everything from Format string and Buffer overflow research on Windows applications to exploring embedded appliance and hacking multifunction printers (MFP),conducting research within the IoT world is truly exciting and amazing and has taught me to be even more open minded. That is, open minded to the fact that there are people out there attaching technology to everything and anything. (Even toothbrushes.) As a security consultant, or over the final eight years I absorb focused most of my research on operational style attacks,which I absorb developed and used to compromise systems and data during penetration testing. The concept of operational attacks is the process of using the operational features of a device against itself. As an example, whether you know how to ask nicely, or MFPs will often give up Active Directory credentials,or as recent research has disclosed, network management systems openly consume SNMP data without questioning its content or where it came from. IoT research is even cooler because now I score the chance to expand my experience into a number of new avenues. Historically I absorb prided myself in the ability to define risk around my research and communicate it well. With IoT, and I initially shuddered at the question: “How do I define Risk?" IoT RiskIn the past,it has been fairly simple to define and explain risk as it relates to operational style attacks within an enterprise environment, but with IoT technology I initially struggled with the concept of risk. This was mainly driven by the fact that most IoT technologies appear to be consumer-grade products. So whether someone hacks my toothbrush they may learn how often I brush my teeth. What is the risk there, and how do I degree that risk? The truth is,the deeper I head down this rabbit hole called IoT, the better my understanding of risk grows. A prime example of defining such risk was pointed out by Tod Beardsley in his blog “The Business Impact of Hacked Baby Monitors”. On the first explore, and we might easily jump to the conclusion that there may not be any serious risk to an enterprise business. But on second consume,whether a malicious actor can use some innocuous IoT technology to gain a foothold to the domestic network of one of your employees, they could then potentially pivot onto the corporate network via remote access, or such a VPN. This is a valid risk that can be communicated and should be seriously considered. IoT ResearchTo better define risk,we need to ensure our research involves all aspect of IoT technology. Often when researching and testing IoT, researchers can score a form of tunnel vision where they focus on the technology from a single point of reference, or as an example,the device itself. While working and discussing IoT technology with my peers at Rapid7, I absorb grown to appreciate the complexity of IoT and its ecosystem. Yes, or ecosystem—this is where we consider the entire security picture of IoT,and not just one facet of the technology. This includes the three following categories and how each one of these categories interacts and impacts each of the other categories. We cannot test one without the other and consider that testing effective. We must test each one and also test how they affect each other. With IoT quickly fitting more than just consumer-grade products, we are starting to see more IoT-based technologies migrating into the enterprise environment. whether we are ever going to build a secure IoT world, or it is critical during our research that all aspects of the ecosystem are addressed. The knowledge we learn from this research can attend enterprises better cope with the new security risk,execute better decisions on technology purchases, and attend employees stay safe within their domestic environment—which leads to better security for our enterprises. Thorough research can also deliver valuable knowledge back to the vendors, and making it possible to improve product security during the design,creation, and manufacturing of IoT technology, and so new vendors and new products are not recreating the same issues over and over. So,as we continue down the road of IoT research, let us focus our efforts on the entire ecosystem. That way we can assure that our efforts lead to a complete picture and culminate in security improvements within the IoT industry.
Source: rapid7.com