Aditya Gupta has an impressive security research background on Internet of Things (IoT) and mobile technologies. He has been focused on redefining the way IoT security is shaped by building the right products and services.
CEO of an IoT security company, Aditya has made it his mission to develop IoT security solutions which would teach people get started in the field. He is also helping organizations deal with IoT-related crisis. Aditya has participated in a number of major security conferences – BlackHat, Syscan, OWASP AppSec, Toorcon, Brucon, HackInParis, phDays, Nullcon, ClubHack etc – where he has delivered inspirational and educational talks.
Aditya has also written several research papers on attacks on ARM based platforms, NFC security and mobile application vulnerabilities, and a mobile security book – “Learning Pentesting for Android Devices”. He was kind enough to talk with us on the subject of IoT security, explaining how he decided to start off in the field, and what has been driving him towards its improvement.
STF: Tell us more about yourself and your company. How did you decide to become involved in IoT security?
Aditya: I’m Aditya, founder and CEO of Attify. Attify is a specialized security firm where we help organizations secure their IoT devices by providing them penetration testing services and training offerings.
I decided to jump into IoT security a few years back around late 2011 when it was getting started to be popular, because I realized that pretty soon enough people and enterprises are going to be really concerned about the security of these devices. There was not a lot being discussed about security of these devices, which was a real problem and I decided to fill that gap.
STF: We are currently living in an IoT crisis. What are your predictions for 2017? What comes after Mirai?
Aditya: That is true. I believe that Mirai was just a beginning and helped everyone understand the vulnerable nature of smart devices. However, Mirai could be thought of as just the starting point of IoT-based attacks. Just look at shodan.io and you will find tons of IoT devices exposed to the public Internet.
Considering the fact that these days almost everything is getting connected to the Internet – be it medical devices, critical infrastructure, home and enterprise offices and more, it’s going to get worse.
Attackers are looking for new targets every single day and it won’t take long before a lot of devices are exploited with attackers gaining access and stealing sensitive and confidential information.
Even after the impact of Mirai, there are a lot of devices still running with default credentials and exposed ports – it won’t take long before another major attack compromises millions of IoT gadgets worldwide.
STF: What’s the aftermath of a disastrous IoT DDoS attack?
Aditya: The aftermath of a disastrous IoT DDoS Attack is a couple of things:
1.People and Organizations start panicking and wondering if their IoT device is safe or not.
2.Some people end up realizing that they have been infected and had been a part of a botnet for a long time.
3.Try to come up with a plan of how to avoid this vulnerability in the future.
The problem is even after the tremendous impact of DDoS attacks and botnets like Mirai, most of the world is concerned about how to prevent their devices against this attack, rather than looking at the bigger picture. Tomorrow, there could be another exploit in the wild which compromises devices through another technique, and those same people will be vulnerable again because they didn’t take time to completely secure their devices.
Manufacturers end up making the same mistake again and again. We worked with over 250+ IoT device manufacturers helping secure their products the past year and it was surprising to see that most of them in the market are still vulnerable to common security flaws.
STF: What’s in an “IoT Exploitation Learning Kit”?
Aditya: An IoT Exploitation Learning Kit is a unique combination of software, hardware and educational resources which allows anyone to jumpstart their career and learn IoT security and penetration testing.
This is something that me and my team at Attify developed after traveling all over the world delivering in-person training when I realized that there is an actual need of a solution which people could use to learn the a to z of Internet of Things Security.
Due to the exponential increase in demand of IoT security professionals, and not a single point of resource which can teach people on how to get started, find vulnerabilities, exploit hardware, reverse radio communication and all the topics which are in IoT security, we decided that a kit like this would serve the purpose of enabling people to learn IoT security and make a career in it.
STF: How did you come up with Attify Badge Tool? Are tools like that what we need to improve the security of IoT devices?
Aditya: Attify Badge tool is a companion app which works along with our Attify Badge. To give a very high level overview – it helps users identify vulnerabilities in their IoT device.
For example, you get a new smart thermostat or a smart coffee maker. The way in which you could find vulnerabilities or figure out whether your device is secure enough is to open up (unscrew) the device, look at the circuit board and then use our badge to interact with the device.
Yes, tools like this are needed to improve the security of IoT devices. Only when we figure out what vulnerabilities are present in a given device, we would be able to understand how to secure them.
Security is just like a police vs thief game where the police has to know how a thief is going to rob a place and secure the place even before the actual robbery.
STF: What are the most ridiculous cases of vulnerable IoT devices you have encountered in your work?
Aditya: One of the most ridiculous cases of a vulnerable IoT device is while we were performing a pentest on one of our big clients. The goal of the pentest was to infiltrate the network as much as possible through any means.
We were able to identify a smart coffee machine which was revealing the WiFi credentials of the corporate network it was connected to. So, we were able to sniff the WiFi credentials which were being emitted over Bluetooth, and then use them to gain access to their network.
From that point, we just went further and compromised more systems ending up having Domain Admin access as well as full access to their databases.
When we were discussing the vulnerability with the organization, it was so tough for them to believe that a smart coffee machine sitting in the kitchen could lead to the failure of their hundreds of thousands of dollars spent on security.
STF: Security tips for configuring IoT devices? Is it possible to make an IoT device completely and utterly safe from exploitation?
The security tips for configuring IoT devices would be the following:
a.Always change the default credentials of the device when you start using it.
b.Ensure that you have update your device regularly to avoid any recent security issues.
c.Stay on a lookout for any suspicious activities or sudden spikes in traffic on your device.
d.If possible, try to have two networks – one for your trusted systems and one for the Internet of Things devices.
a.Integrate security in the devices from the very start – i.e. the planning phase and perform an in-depth threat modeling.
b.Give users the accessibility to change and strengthen security features and have it configured allowing to the users requirements.
c.Always perform a penetration test before launch of the device to ensure that you are not shipping a device riddled with vulnerabilities.
d.Educate your developers and product engineering team to stay updated with the latest IoT security threats and how it could be avoided in your devices.
SensorsTechForum’s “Ask the Experts” Interview Series
If you are a cybersecurity expert and you want to share your experience with our audience, send us an email at support[at]sensorstechforum.com. We will gladly converse with you about anything on the subject!