For this week’s IoT cyber security and cyber hygiene interview, we had the pleasure of interviewing Aditya Gupta, the founder of Attify -a global leader in IoT pentesting and security training, with learning kits and hardware for IoT exploitation for sale at their store. Gupta has spoken and taught classes at a number of security conferences (BlackHat, Def Con, OWASP AppSec, Syscan, Toorcon) and at private training engagements for organizations worldwide.
This interview is <15 minutes, feel free to listen to it below or go ahead and read the edit. Enjoy!
Do you live in a connected home, with 9 or more devices connected?
When I was getting started with IoT security, I had a couple of IoT devices in my home, but I started removing them from my network as I realized how open and insecure they are. You can’t live in a home where you have a lot of vulnerable devices that can invade your privacy.
Now I have like 3 devices that have been extremely vetted and the security is pretty strong.
What led you to create Attify?
I started Attify around 5 years ago, with the initial plan being to help companies secure their mobile applications – which was pretty big back then. But as we evolved further, we realized that IoT was going to be a real beast, with tons of extremely insecure devices. My academic background was on electronics and telecommunications, focusing on how hardware embedded devices and communications work, and doing research on hardware security. Based on that experience, we started our IoT security offering, figuring out different IoT security threats and later offering a training course called Offensive IoT Exploitation to help people figure out how to assess or find vulnerabilities on their own IoT devices.
There are tons of materials available online for people getting started in any generalized topic of security, from blogs to tutorial videos and trainings. But two or three years ago there was not a lot of content available online for those interested in learning IoT security, and that’s why we created a systematic and methodological approach to learn IoT security in an intensive 3 or 5 day class.
In addition to creating great content, Attify sells IoT hacking tools and learning kits for researchers and makers… is this a shift in the company to focus on training the next generation of information security professionals over consulting?
There is definitely a huge need of awareness in terms of IoT security for all companies interacting with IoT devices; they definitely need IoT security education. I would say that we are gradually focusing more on the training aspect of the business, because that is where the entire industry is paying more attention to, they want to learn how to figure out the security issues in these kinds of devices.
Tell us a bit about The IoT Hackers Handbook, who is the book written for?
The book was written for anyone who wants to get started with IoT security with absolutely no previous background in it, giving them an in-depth introduction to each of the various IoT components.
Good cyber hygiene practice recommendations: What can users that have smart things do to stay protected?
This is pretty much the need of the time now because a lot of consumers are introducing so many new devices, but there are not that many things that consumers can do at this point to secure themselves from IoT security threats, which is kind of scary. But there are definitely a few steps which they can take to make themselves secure:
- Network segmentation: making sure that the new IoT devices are in a different network.
- Making sure the new IoT device does not have any public vulnerability online, which anyone can look up and attack your device.
- Making sure that the company making the device is proactive when it comes to security.
- Invest in solutions that can help analyze and monitor the home network traffic (i.e. Netonomy) and alert you when something wrong is going on.
If you have some technical background, its always good to do some research on the device before introducing it home. This is something I always do, even though it takes a lot of time, you get the assurance that your device is not recording or spying on you.
If you are a company, its always good to have an internal pentest before introducing a connected device, smart coffee machines can leak your WiFi credentials. We have to wake up and smell the coffee; I’ve seen so many IoT devices leaking sensible information. And it’s going to get much worse unless enough attention is paid to these kind of device in the future.