We are honored to inaugurate our weekly podcast with Andrew Tierney, a consultant at PenTestPartners, one of the world’s leading authorities on IT security consulting and penetration testing. They don’t just test and break systems; they go after what’s really important to protect: data. They test how long it would take to get valuable data and how quickly the systems and people can spot the attack, giving clients a true measure of how effective their security is and where it needs work. If you are not familiar with PenTestPartners, we recommend you visit their website and check out their weekly content on cybersecurity. This interview is under 15 minutes; feel free to listen to it below or go ahead and read the edited transcript. Enjoy!
Do you live in a connected home with 9 or more connected devices?
Certainly, but the number of them that would classify as IoT devices is fairly low… over the last few years I’ve reduced the number of devices connected to the network, largely due to my probing and poking, and starting to trust them less and less.
Interesting! So you are concerned about the expanding threat landscape in connected homes?
My primary concern is that consumers (and I put myself in that group) don’t understand what these devices are doing. We can’t just pick up a device and understand how it operates, what risks it places you at by putting it in your network. Even if you have other controls in place, like segregated networks and firewalls, you are still not truly sure what that device is doing. We just don’t have the time to look at everything we buy to work out if it’s secure or not, and what we’ve learned by performing tests across different devices is that, generally, there will be some security problems.
Could you take a random guess, based on your experience, of what percentage of IoT devices out there are vulnerable to hacking?
Given enough time and effort you’d probably be able to break into any device. If you’ve got Mossad after you, any IoT device will present a risk to you. But if you are a general consumer considering what devices will put you at risk, I’d say around 50% of the devices we have looked at had very serious security problems in them. It’s a scary proportion.
Why do some companies perform their cyber security due diligence and others don’t?
I wish we knew the answer to that. I think it’s about the motivation within companies to research IoT security and the impact it can have. One of the problems we see very often is that companies don’t budget (in time or money) for security in projects; they feel [security] is like a bolt-on that you get for free, so it does not get put into the system and they end up with an insecure product.
So this cyber security challenge is an opportunity for organizations like PenTestPartners to consult with clients and companies like Netonomy to provide network security. Do you think there are other market entrants that could address this problem?
What we’d like to see are guidelines, frameworks and standards allowing companies to do the basics of security, so when they come to us for Pen Testing, or start using a third party system to improve security, they’ve already covered the basics to minimize the system.
What are the most common penetration methods you’ve used that succeed in breaking a device?
It’s quite hard to group them into the most common ways, but I’d say the primary cause of breaking into devices is not minimizing the system: default development passwords, telnet, FTP, web services and open ports. When it comes to cloud services, they often don’t validate the device’s identity, so we can pretend to be another device and access data that we shouldn’t be able to. There is no one method in penetration testing to compromise all devices connected to the cloud. Pentesting is time restricted, so we may not be able to compromise everything, but we might find lots of little problems along the way, and it’s really key that vendors fix them to prevent them being chained together and becoming really big problems.
Do you feel that the risks moving from the cyber realm into the physical are increasing?
Certainly. We are starting to see IoT impacting the real world. One of the most common products in the UK is an IoT thermostat, and one might not think that has much of an impact, but if you control 100,000 heaters and turn them on or off at the same time, you can have an impact on the electrical grid or the gas distribution network. But IoT is moving into other physical areas; we’ve seen over the last few years significant vulnerabilities found in cars, defibrillators and pacemakers, SCADA systems, and more. I think over the coming years we are actually going to see more and more attacks that have an impact in the real world.
What can the consumer do when it comes to cyber hygiene? Do you have any heuristics concerning IoT?
The first thing is to vet the devices you bring onto the network; look at the company: do they take security seriously? Don’t bring insecure devices into your network. The second thing is not to treat your network as a safe space. Companies and homes alike often fail to do this, and if a device in the network is compromised an attacker can access your data and change things like the configuration of your router. Beyond that, it becomes really difficult to give advice to the consumer; it’s very hard for them to judge if they are putting themselves at risk – they don’t have the insights or technical knowledge to do it. Whenever I run IoT devices, they are on a completely distinct network (VLAN) from the rest of my computers, a completely distinct WiFi network… but all these things are very difficult for the consumer to put in place. We are seeing dedicated routers coming out that allow users to put these functionalities in place to protect themselves, and I think that’s probably the way we are going to see IoT security go in the near future.