In this week’s IoT cyber security and cyber hygiene podcast, we had the pleasure of interviewing Omer Shwartz, a Ph.D. student at the prestigious Information Systems Engineering Department at Ben Gurion University of the Negev, and an active member of the Implementation Security and Side-Channel Lab under Dr. Yossi Oren.
His latest published paper is titled "Opening Pandora’s Box: Effective Techniques for Reverse Engineering IoT Devices", in which he and his team analyzed the practical security level of 16 popular IoT devices and discussed how to improve their security without significantly increasing their cost.

This interview is under 20 minutes; feel free to listen to it below or go ahead and read the edit. Enjoy!

Could you explain a bit about the work being done at the Implementation Security and Side-Channel Lab at Ben-Gurion University?
We are a relatively new lab, but with very exciting work: investigating all kinds of side channel leakage models and implementing security. My field is mainly around hardware security, but we research and work on all kinds of metrics to get information in and out of devices that are not meant to broadcast information. Some research I’ve done under Dr. Yossi Oren includes a phone case that can exfiltrate phone data (location and conversations) while the user is unaware, and a project on how replacement touch-screens could be malicious and used to harm or spy on users.

How did you first get involved in cyber security and hacking? Were you always breaking things?
Yeah, actually (laughing) since I was little I liked looking into things and figuring out how they work. I’ve been in the hacking community for around 15 years and always had an interest in hacking and cyber security before it became a really big and known issue as it is today. Cyber security always interested me, it’s like a hidden thing that really affects our world, and nobody really talked about it until recently, and it has a long way to go. There are so many threats that we have not seen yet, and that’s why I’m a part of this lab and studying towards a PhD, because I think there is so much to discover.

If cyber security has a long way to go, it’s probably because of the exponential growth of IoT devices, right?
IoT devices are a really big part of it. Nobody cared about cyber security before, but now that we have all these phones and IoT devices, everybody suddenly realizes that these things were never designed to be secure; they use infrastructure that was not designed to be secure.
It’s a really good place to be, from an academic point of view, because there is so much to invest and research everywhere.

Share with us some details behind the research you conducted with Asaf Shabtai, Opening Pandora’s Box: Effective Techniques for Reverse Engineering IoT Devices, what was the thought process that went into it?
A friend of mine had hundreds of IoT devices for some cyber security research he was conducting and, out of curiosity, he asked me if I could find any vulnerabilities in them. We didn’t think of writing a paper about it.
We began taking devices apart and looking inside and noticed that all the devices were really insecure. Many, if not most, IoT devices sold today can be accessed remotely with a default password, which is usually really simple.
But we also looked into what happens when an attacker has one of your networked devices, using it as a gateway to get network information and access. So we wrote a really comprehensive analysis of the devices’ vulnerabilities and compiled a large array of techniques used, some of them already known, but gathered in such a way as to allow other people to try them and see if their devices are secure.
Other than easily and cheaply cracking the passwords stored in these devices’ hash and creating our own Mirai botnet with them, we found vulnerabilities such as devices holding a private communication key in the file system. Anyone that gets that key can listen to the device’s communication. It’s really bad security practice, but it seems that in IoT the most important thing is getting a product to market and not securing it properly.

What would be your recommendations for IoT manufacturers?
I’d start with not having hard-coded easy passwords and completely disabling remote-access. Also, nobody considers attackers with access to your device, but devices should be built in a way that makes them harder to reverse-engineer. This is a difficult problem, but at least it shouldn’t be so easy to reverse-engineer. All the devices we used were really easy to reverse-engineer; they have special ports in the board that allow us to connect and communicate with the console quite easily, and that’s something that shouldn’t be on a production board, just on a development board. We were actually able to get all of our information because most of the devices’ debug ports were open, which, combined with weak passwords, gave us full access to install our own software. So my recommendation is to disable the debug and WRT ports, and to use strong passwords hashed with strong algorithms.

What would be your cyber hygiene recommendations for technology consumers?
You know, they always say that humans are the weakest link in the cyber security chain, and this is correct in a way. I would recommend strong passwords, because the current way people use them today is incorrect, they should be long and hard to crack – and one should never reuse passwords to avoid bigger problems.
When it comes to IoT devices, I would recommend staying away from unknown manufacturers. I hope some of my research will lead to consumers and researchers using our techniques to inspect their own devices and realize what is in there, and whether they are secure or not, giving power to the consumers to understand what is being sold.

For this week’s IoT cyber security and cyber hygiene interview, we had the pleasure of interviewing Aditya Gupta, the founder of Attify, a global leader in IoT pentesting and security training, with learning kits and hardware for IoT exploitation for sale at their store. Gupta has spoken and taught classes at a number of security conferences (BlackHat, Def Con, OWASP AppSec, Syscan, Toorcon) and at private training engagements for organizations worldwide.

This interview is under 15 minutes; feel free to listen to it below or go ahead and read the edit. Enjoy!

Do you live in a connected home, with 9 or more devices connected?
When I was getting started with IoT security, I had a couple of IoT devices in my home, but I started removing them from my network as I realized how open and insecure they are. You can’t live in a home where you have a lot of vulnerable devices that can invade your privacy.
Now I have like 3 devices that have been extremely vetted and the security is pretty strong.

What led you to create Attify?
I started Attify around 5 years ago, with the initial plan being to help companies secure their mobile applications – which was pretty big back then. But as we evolved further, we realized that IoT was going to be a real beast, with tons of extremely insecure devices. My academic background was on electronics and telecommunications, focusing on how hardware embedded devices and communications work, and doing research on hardware security. Based on that experience, we started our IoT security offering, figuring out different IoT security threats and later offering a training course called Offensive IoT Exploitation to help people figure out how to assess or find vulnerabilities on their own IoT devices.
There are tons of materials available online for people getting started in any generalized topic of security, from blogs to tutorial videos and trainings. But two or three years ago there was not a lot of content available online for those interested in learning IoT security, and that’s why we created a systematic and methodological approach to learn IoT security in an intensive 3 or 5 day class.

In addition to creating great content, Attify sells IoT hacking tools and learning kits for researchers and makers… is this a shift in the company to focus on training the next generation of information security professionals over consulting?
There is definitely a huge need for awareness in terms of IoT security for all companies interacting with IoT devices; they definitely need IoT security education. I would say that we are gradually focusing more on the training aspect of the business, because that is where the entire industry is paying more attention; they want to learn how to figure out the security issues in these kinds of devices.

Tell us a bit about The IoT Hackers Handbook, who is the book written for?
The book was written for anyone who wants to get started with IoT security with absolutely no previous background in it, giving them an in-depth introduction to each of the various IoT components.

Good cyber hygiene practice recommendations: What can users that have smart things do to stay protected?
This is pretty much the need of the time now because a lot of consumers are introducing so many new devices, but there are not that many things that consumers can do at this point to secure themselves from IoT security threats, which is kind of scary. But there are definitely a few steps which they can take to make themselves secure:

  • Network segmentation: making sure that the new IoT devices are in a different network.
  • Making sure the new IoT device does not have any public vulnerability online, which anyone can look up and attack your device.
  • Making sure that the company making the device is proactive when it comes to security.
  • Invest in solutions that can help analyze and monitor the home network traffic (i.e. Netonomy) and alert you when something wrong is going on.

If you have some technical background, it’s always good to do some research on the device before introducing it home. This is something I always do; even though it takes a lot of time, you get the assurance that your device is not recording or spying on you.
If you are a company, it’s always good to have an internal pentest before introducing a connected device; smart coffee machines can leak your WiFi credentials. We have to wake up and smell the coffee; I’ve seen so many IoT devices leaking sensitive information. And it’s going to get much worse unless enough attention is paid to these kinds of devices in the future.