Monday, February 23, 2015

How is the Internet of Things (IoT) going to change the security landscape? How secure is the Internet of Things? Aditya Gupta

How secure is the Internet of Things?
Founder of mobile security firm Attify and author of the Android security book Learning Pentesting for Android, Aditya Gupta speaks and shares his thoughts on the safety of Internet-enabled devices.

How is the Internet of Things going to change the security landscape?
The Internet of Things (IoT) is a huge, growing phenomenon currently, with more and more devices coming up every single month for both consumers and enterprises. To just get an idea of the exponential rate of growth, Cisco predicts that by the end of 2015, there will be an estimated 25 billion devices with a total market size of around $20 Trillion.
It’s not surprising that not much concern is paid to the security of IoT devices for any new device hitting the market, which makes them an easy and attractive target for attackers.
Also, security for IoT devices is in its early stages, and even when a developer would want to secure their newly created IoT device, not enough resources are available to help him/her achieve it.
Compared to other areas in security, IoT security will prove to be much more critical to both users and enterprises, with much more sensitive and critical data at risk.

What would be a good place to start for people interested in the security of the Internet of Things?
Unfortunately, there are not many great resources available for IoT security currently. However, OWASP has started an initiative, the Internet of Things Top 10 project (https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project).

How many different attack surfaces are there when it comes to the Internet of Things?
IoT, simply put, means any physical device connected to the network. So, it could be a thermostat, car, fridge or any other device you can think of, which could be controlled by a mobile application or through a web interface.
This in itself presents a huge attack surface for IoT devices, since there is more than one component involved. You’ll have a hardware device communicating over WiFi/Bluetooth/NFC, which might be communicating with a mobile app and have a web dashboard as well.
So, the attack surfaces could be exploiting one of the flaws in the web or mobile application, leading to takeover, or exploiting the physical device, making it do the desired malicious action.
Also, one could find vulnerabilities in the network communication, where we could sniff the traffic and maybe craft our own malicious requests to exploit the device, or even find vulnerabilities in the hardware itself.

What kind of mindset and technology would you need to break the security of the Internet of Things?
In order to break the security of the Internet of Things, a person needs to think the same way as they would think in order to break other web or mobile applications. It’s not much different from the usual mindset for breaking other types of security. One just has to think out of the box and come up with new ways and techniques to circumvent the security of the devices.

What is the methodology behind developing fuzzers and exploits to test the security of these internet-connected devices?
Fuzzing is simply a technique of sending malformed, valid, invalid or special inputs to an application component. While writing fuzzers for an IoT application, there could be a number of targets for which fuzzers could be written. These include the individual protocols with which the devices communicate, hardware components, web applications and mobile applications.
Once we get some crashes from fuzzing, depending on the platform one could then go ahead and write an exploit for that device, depending on the architecture in use.

What kind of a custom operating system will you be using to test these devices?
The custom VM that I’ll be providing during the Black Hat training this August in Vegas (https://www.blackhat.com/us-15/training/offensive-iot-exploitation.html) is a customized distro which I’ve created for the assessment of IoT devices. It’s built on top of Ubuntu with public/private tools and custom scripts to help students pentest IoT devices during the class.

What resources would you recommend for people who are interested in this subject but are not able to attend your training?
That’s the tough part. There are not enough resources available as of now, except the OWASP guide. But yeah, follow our blog at http://blog.attify.com; we are soon starting a series of blog posts on IoT security.
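The fuzzing methodology described in the interview (send malformed, truncated or mutated inputs to a component and watch for crashes rather than clean rejections) can be illustrated end to end in a few dozen lines. The example below is an addition to this page, not code from Aditya Gupta or Attify. It assumes a constructed toy frame format for a hypothetical device (magic bytes, command, length, payload, XOR checksum); it is not any real product's protocol. It pairs a naive parser that trusts the length field, the kind of defect fuzzing is good at surfacing in firmware-style code, with a hardened parser, and a small mutation fuzzer that flags any failure that is not an explicit `ValueError` as a crash.

```python
import random

# Constructed toy frame layout (assumption for this example, not a real device protocol):
#   b"IO" | cmd (1 byte) | length (1 byte) | payload (length bytes) | checksum (1 byte)
# checksum = XOR over cmd, length and payload bytes.


def checksum(data: bytes) -> int:
    """XOR checksum over the given bytes."""
    c = 0
    for b in data:
        c ^= b
    return c


def build_frame(cmd: int, payload: bytes) -> bytes:
    """Build a well-formed frame; used as the fuzzer's seed input."""
    body = bytes([cmd, len(payload)]) + payload
    return b"IO" + body + bytes([checksum(body)])


def parse_frame_naive(frame: bytes) -> dict:
    """Trusts the length field before checking the bytes are present.

    A truncated frame or an inflated length byte makes the index below fall
    off the end of the buffer (IndexError) instead of a clean rejection; in C
    firmware the same pattern is an out-of-bounds read.
    """
    if frame[:2] != b"IO":
        raise ValueError("bad magic")
    cmd, length = frame[2], frame[3]            # IndexError if fewer than 4 bytes
    payload = frame[4:4 + length]
    received = frame[4 + length]                # IndexError if frame is short
    if received != checksum(frame[2:4 + length]):
        raise ValueError("bad checksum")
    return {"cmd": cmd, "payload": payload}


def parse_frame_hardened(frame: bytes) -> dict:
    """Validates sizes before indexing; every malformed frame is a ValueError."""
    if len(frame) < 5 or frame[:2] != b"IO":
        raise ValueError("malformed frame")
    cmd, length = frame[2], frame[3]
    if len(frame) != 5 + length:
        raise ValueError("length field does not match frame size")
    if frame[4 + length] != checksum(frame[2:4 + length]):
        raise ValueError("bad checksum")
    return {"cmd": cmd, "payload": frame[4:4 + length]}


def mutate(frame: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: overwrite a byte, truncate, or append junk."""
    data = bytearray(frame)
    choice = rng.randrange(3)
    if choice == 0:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif choice == 1 and len(data) > 1:
        del data[rng.randrange(1, len(data)):]      # keep at least one byte
    else:
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)


def fuzz(parser, seed_frame: bytes, iterations: int = 2000, seed: int = 1) -> list:
    """Feed mutated frames to parser and collect inputs that crash it.

    A ValueError is the parser's intended rejection of bad input; any other
    exception is recorded as a crash together with the triggering bytes.
    """
    rng = random.Random(seed)                   # fixed seed keeps runs reproducible
    crashes = []
    for _ in range(iterations):
        case = mutate(seed_frame, rng)
        try:
            parser(case)
        except ValueError:
            continue
        except Exception as exc:                # noqa: BLE001 - we want every crash type
            crashes.append((case, type(exc).__name__))
    return crashes


if __name__ == "__main__":
    seed_frame = build_frame(0x01, b"temp=21")  # constructed sample frame
    for name, parser in (("naive", parse_frame_naive), ("hardened", parse_frame_hardened)):
        found = fuzz(parser, seed_frame)
        print(f"{name}: {len(found)} crashing inputs")
        for case, kind in found[:3]:
            print(f"  {kind} on {case.hex()}")
```

The fuzzer keeps a fixed random seed so a crash can be reproduced and turned into a regression test; in practice the same loop is pointed at the device's real parser (or a firmware emulation of it) and the crash bucket, not the count, is what gets triaged.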
