How a security researcher is tackling IoT security testing
“A common misconception people in the industry have regarding my work as a security researcher is that I am sharing information that puts businesses at risk. And also, that I spend all day playing,” says Deral Heiland, Research Lead at Rapid7.
“In fact, it’s quite the opposite. I am first and foremost sharing knowledge with the manufactures of the products and technologies to insure that the products are properly fixed so we all can be protected.”
Deral Heiland, Research Lead at Rapid7
His work is also far from simple play.
“When I conduct research on specific target areas, this can often lead to very focused work and many hours learning and applying the new knowledge to insure my research is thorough. Plus all research projects require a time box to avoid the research from not being completed so the process needs to be very structured,” he details.
“In the end, all the findings need to documented in enough detail that manufactures of the product can correct the issues in a timely manner. In a few cases the research is best communicated to the security community within a formal paper, which also takes hours of hard work and dedication.”
IoT research challenges
Heiland works at Rapid7, an infosec company that’s primarily known for the development of the open source Metasploit Framework, but which has lately been making inroads into IoT security testing.
The effort is spearheaded by Heiland, and the project offers many challenges.
First and foremost, he is working on becoming a subject matter expert within new unexplored areas, e.g. knowledge around protocols within the IoT technology like Bluetooth low energy, Zigbee, Zwave, and so on.
“Building the level of knowledge needed in a timely manner can be difficult, although I still rely heavily on co-workers and research peers to help round out and expand my knowledge and skills in these new areas,” he says. “Another challenge is focusing my research and communicating the findings in such a way that it adds true value to my customers, IoT manufactures, and consumers and the security community in whole.”
With IoT exploding, and manufacturers continually dropping the ball when it comes to their products’ security, we rely on researchers to test the devices and point out security flaws that should be fixed.
With his 25 years of experience in IT (support, network management, security consulting), and his penchant for conducting security research in his spare time for over 12 years, Heiland has amassed the needed experience to become an effective Research Lead for IoT.
“My career path has taught me how to quickly consume and learn new technologies, and how to observe and test those technologies for associated risk and impact and to effectively communicate that knowledge to product manufactures, consumers and customers,” he says, adding that the latter skill is crucial for finalizing good research and avoiding FUD (fear, uncertainty and doubt).
“Working within so many different aspects of the IT community, combined with a curiosity of how things work behind the curtain, I have learned to think outside the box. I ask questions like ‘Can the product be misused outside of its expected normal functionality?’ and ‘Does the technology consume data that it does not need for normal functionality?’ and ‘Can I abuse the products ability to consume data to poison or compromise its functionality?’ When approaching research this has helped me to better evaluate technologies such as IoT,” he notes.
What’s next?
Heiland usually chooses his next research projects based on observations made during his day-to-day job. For example, the last two years he has been conducting a research project, with a friend, outside of his daily work responsibilities, targeting the SNMP protocol.
“During my day job as a pentester, I noticed a number of companies with SNMP enabled but not configured correctly. So I formed a hypothesis that exposed SNMP could expose an organization to information leakage,” he explains.
“So the first year of the project we focusing on testing this hypotheses by gathering SNMP MIB data, and examining it for information that could be used by a malicious actor. This project was very fruitful leading to a number of security advisories and pentesting processes used during assessments. The second year of this project we focused on what kind of attacks could be initiated, not by gathering SNMP data, but by sending SNMP data. During this seconnd year of the project we targeted Network Management Systems which lead to the identification of over 9 products vulnerable to SNMP injection attacks.”
He intends to follow this basic philosophy in his new role as Research Lead for IoT. He will observe the environment he is exposed to, as well as pick the brains of coworkers and peers to get their insight and observations.
“As we continue examining IoT technology, we often see a number of these consumer-based technologies migrating into the enterprise environments. My plan is to target and examine these technologies for the purpose of helping organization to better identify IoT in the enterprise environment, and manage the related risk.”