Put to the test: Why vendors shouldn’t shy away from attack testing

IoT testing can be a complex process and as a result many vendors aren’t yet onboard with it. Concerns over their intellectual property, the level of commitment required and how to interpret and act upon the results deter many from embarking upon breakpoint testing.

But, as Andrew Tierney, consultant at Pen Test Partners says, in the long run, the process is beneficial, providing the vendor with the opportunity to correct issues that could compromise the brand.

Unique infrastructure

Nearly all of the published research on IoT vulnerabilities focuses on the device and training on attacking the device. But when it comes down to it, a real-world IoT system is far more complex. There’s the devices, the operating system and software that runs on those, the mobile application, the servers and the build on the server, to name but a few. Compounding this, the devices can be placed in physically exposed locations and on potentially hostile networks that you have no control over. They are installed by people with no networking knowledge. And the painful fact is that you have placed your system directly in the hands of the attacker. This is very, very different to normal infrastructure IT.

There are three methodologies that can be used to test IoT systems, each with their own advantages. Black box testing sees the testers approach the system as real-world attackers. The only knowledge they have is what is publicly available. Often, the testing will focus on recovering firmware or rooting the device to obtain information about how the system operates, including APIs. This can be crucial in finding serious systemic issues. It tends to be time-boxed rather than task-driven and the testing will flow in an organic manner, following paths most likely to yield vulnerabilities.

Alternatively, white box testing sees the testers given access to design documentation, specifications, data sheets, schematics, architectural diagrams, firmware, and even potentially source code. Using this knowledge, they attack the system. Unlike black testing, it can be task driven, as the open access to documentation allows the tester to develop a plan before testing starts.

Between the two is grey-box testing. Some information is provided and this avoids unnecessary time being wasted on reverse engineering. A typical scenario might involve a period of black box testing which, if it fails to yield access to the device/firmware, leads to “break glass access” at which point grey-box testing continues. Grey testing often offers some of the best results, providing confidence that the device will withstand attack from real-world attackers using defence-in-depth.

Debunking myths

Concerns over testing expressed by vendors include whether the test will lead to a compromise so extreme that their product is pushed back to the drawing board. In reality, tests tend to discover vulnerabilities that can be fixed that then prevent mass compromise, stopping the kind of take-down achieved by proof-of-concept hacks like the Miller and Valasek Jeep attack.

Will testing find all the issues? That’s unlikely but white box testing will nearly always find more issues than black box testing. Should you fix even low […]

The post Put to the test: Why vendors shouldn’t shy away from attack testing appeared first on IoT Now – How to run an IoT enabled business.

Blogs – IoT Now – How to run an IoT enabled business

Bluetooth Vulnerability Leaves 5 Billion IoT Devices Open To ‘BlueBorne’ Malware Attack

Bluetooth Vulnerability Leaves 5 Billion IoT Devices Open To 'BlueBorne' Malware Attack
A newly-discovered vulnerability is leaving over 5 billion IoT devices open to a Bluetooth cyber-attack dubbed “BlueBorne,” according to IoT enterprise security company Armis – meaning that hackers could take over the devices, spread malware, or gain access to critical data and networks.

Steve Brumer, partner at 151 Advisors, comments:

“The vast majority of security compromises are due to devices that have identified vulnerabilities with patches available, but they have not been updated. Currently, there is no checklist or approval process to indicate that a device meets such standards. Every restaurant has a rating of 0 – 100 at the front door, but home cameras don’t have a rating system that indicates if a device is future proof for security threats. Can it receive OTA updates? Can the device check for patches every week? Who is ultimately responsible for updating the device?”

“The most secure device would look for new patches every day and the burden to update the device would be on the manufacturer. A less secure device would require the end user to check for patches and manually update the device, which in reality would never happen.”

“If you ask most consumers who is responsible for updating the software on their home cameras, those in the tech industry will not know and those who are not tech savvy may reply ‘What? There is software in the camera?’”

151 Advisors is a global advisory and execution firm specializing in Mobility, Internet of Things (IoT), Smart Cities, security, and cloud-based technologies. It provides technology companies with a combination of advisory and execution services to ensure companies are focused on the right markets, establishing new market positions and accelerating the growth of its products and services.

The post Bluetooth Vulnerability Leaves 5 Billion IoT Devices Open To ‘BlueBorne’ Malware Attack appeared first on IoT Business News.

IoT Business News

If an attack is successfully monetised, expect similar attacks to follow: Some preventive security steps

Adversaries are constantly evolving. Success breeds copy-cats. And security is multifaceted. These are some of the key lessons Jeremy Cowan takes away from talking to Ted Harrington, executive partner, Independent Security Evaluators. IoT Now: Where does the greatest threat to enterprise data security lie? Is it the threat to data in transit, or in stored data assets? Ted Harrington: […]

The post If an attack is successfully monetised, expect similar attacks to follow: Some preventive security steps appeared first on IoT Now – How to run an IoT enabled business.

Blogs – IoT Now – How to run an IoT enabled business

Securing the IoT against cyber attack

The Internet of Things is perhaps the most significant IT revolution of our time in terms of it’s potential to change the way we do everything – from working to shopping. But as its reach and influence on our lives continues to grow, attention must at some point turn from simply what IoT might be […]

The post Securing the IoT against cyber attack appeared first on IoT Now – How to run an IoT enabled business.

Blogs – IoT Now – How to run an IoT enabled business

We could snuff out DDoS attack by fighting fire with Multefire

Don’t go onto the IoT right now, there’s some demons out there. They use their programming skills to penetrate a company. They inject their code everywhere, giving them the power to paralyse it. That’s when the demands for money begin. No, no, I’m not talking about a software licensing writ. Underhand it may be, but […]

The post We could snuff out DDoS attack by fighting fire with Multefire appeared first on IoT Now – How to run an IoT enabled business.

Blogs – IoT Now – How to run an IoT enabled business