Last Updated on March 21, 2022
Experts estimate that humanity is on course to deploy up to 75 billion Internet of Things (IoT) devices by 2025. That’s about 10 devices per person, worldwide.
What are all these gizmos and what are they doing out there? What security risks do they present to sensitive data in the here-and-now?
On a recent episode of The Virtual CISO Podcast, our special guest Joe Grand, the legendary hardware hacker better known as Kingpin, explains what makes up the IoT, the best way to define an IoT device, what risks these devices pose, and much more. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.
Not worth the risk
Whether he’s talking with IoT device manufacturers, CISOs at companies deploying tens of thousands of IoT devices in smart buildings, or anyone in between, one thing John often notices is, “… how unaware they seem to be of the risk that these devices pose and their responsibility to manage that risk.”
Comically, Joe relates that he does everything possible to avoid using IoT devices around his own home and work environments: “Because I know the kinds of risks and dangers, and to me, those risks aren’t worth the benefit. But I can make that choice in my house. I can’t make that choice if I work in an office environment or if there’s an infrastructure being deployed that I have to be a part of.”
“Just the number of devices that are out there in the IoT landscape is mind-blowing,” Joe continues. “But people tend to trust hardware more so than software. Like, when you go buy a device, you plug it in and you use it. Not a lot of people really think about, well, is it actually secure? Are there design problems? Are there back doors that an engineer accidentally left in there? Does the vendor think they’re actually secure, but they’re not?”
However you slice it, it’s a hard challenge. “And it really depends on who you are—whether you’re a designer or a vendor or an implementer of these things—how you need to approach the problem in order to try to be more secure,” Joe adds.
What is an IoT device?
Before you can think about IoT security, you need to define the IoT. Easier said than done!
Joe starts off with two answers to the question of what is an IoT device: “My knee-jerk reaction is any sort of resource constrained device that’s connected to the internet. We think about servers and computers and laptops and phones. Those are sort of high-resource, very powerful computers. When I think of IoT, it’s everything else. It’s the sensors, the cameras, the home automation. It’s the infrastructure… all those other things that are connected to the internet.”
“But now I would say because of the integration of not only sensors and all of this stuff, and the computational power of these devices is not resource constrained anymore,” Joe observes. “The IoT is just the internet. It’s more stuff connected to the internet and everything that’s connected to the internet becomes a possible entry point for someone who wants to attack it.”
“There’s an entity called the ioXt Alliance, which is promulgating ‘the global standard for IoT security,’ and Google actually certified their Pixel phones as being ioXt compliant,” relates John. “Google is calling a Google Pixel phone an IoT device. Which my head just explodes… Are we basically saying that every computing device that has access to the internet is an IoT device?”
Everything is connected
“Everything is connected,” Joe reminds. “And with hardware hacking, or hacking in general, every way in is like a stepping stone to something else. As a hardware hacker, I’m looking at the hardware related devices that are connected to this IoT, where so many of these devices are extremely insecure. And part of that is because of the low-cost sort of commodity-ness of hardware devices. They have to be cheap and easy to setup and aim to the consumer. And designing secure products is hard. It generally will require not only more engineering, but also more computation or more chip specific to security, and those cost more money and they’re harder to work with and they’re not as available.”
“So we basically see a bunch of general-purpose computers without a lot of security, all attached to the internet,” says Joe. “Those are the things that we would go after. I wouldn’t go after somebody’s PC, and target them through phishing or whatever. Hitting IoT devices that are connected to somebody’s network is the easiest way in.”
To catch the entirety of this illuminating podcast with Joe Grand, aka Kingpin, click here: https://pivotpointsecurity.com/podcasts/ep-75-joe-grand-how-hardware-hackers-exploit-iot-vulnerabilities/
Want some practical guidance on how to manage risk in your IoT ecosystem? Check out this recent post: https://pivotpointsecurity.com/blog/iot-devices-the-lord-giveth-and-he-taketh-away/