The evolution of product security
Both our critical infrastructure and the devices we interact with daily are increasingly connected to the internet and supported by embedded software. But often the technology is outpacing security in products and low-level devices. From smart appliances to medical devices, the Internet of Things affects nearly every aspect of our lives and makes nearly every aspect of our lives more vulnerable to cyber threats.
The changing landscape of the IoT
Dan started the conversation by sharing examples from his past experience in device testing. “Back when I was doing testing, it was variant, right? You know, you would do testing on some things that were very locked down and had some good security protocols in place, and then others where it was easier than a lab device in the OSCP, right? So I’d love to get your take on how you’ve seen it evolve, you know, coming at it from that low-level aspect.”
Caleb said, “I’d say, the unfortunate reality is that it’s evolved in the security capabilities and the recognition of some of these types of attacks. But it’s also evolved in just the threat landscape of these devices. That’s kind of the nature of IoT, that everything in your house is connected now. So, you know, the surface is expanding. So I still see the easy OSCP level one type-boxes when it comes to embedded product. And a lot of that is related to the drivers for some of these things that are just first to market or the cheapest or whatever other externalities that result in thinking about security as an afterthought.”
The consequences of “security as an afterthought” can be seen in the vulnerability of everything from individuals’ personal data to critical infrastructure. Caleb continued, “You mentioned the industrial controls and manufacturing facilities and things along those lines, those networks that are historically not emphasized because of obscurity to some extent, or, you know, it’s difficult to, to maintain and operate things like a manufacturing line. You know, more and more those are not only under more scrutiny. And we’ve seen some notable incidents related to some of those targets, but I think also, we’re, we’re understanding that those infrastructure networks, those, those facilities have a major impact on downstream things.”
Dan agreed that the bar to infiltrate these systems is lowering, putting more devices at risk. “Yeah. What used to take a team of people that had resources within nation-state or high-level resources behind it, it took a team. Now it’s in the realm of boutique consulting firms like yourselves that have backgrounds in this and have knowledge but don’t have the resources of a government behind them can now conduct those attacks. And then that’s the natural evolution of, hey, as we keep moving forward, there’s going to be more tools and techniques available to the quote unquote script kiddies that then you don’t have to have as in-depth knowledge or understanding of how to conduct it to still be able to do it.”
Hacking product security
Dan asked Caleb to provide some advice for getting into product security for folks on the proactive security side. “I’m sure that others of our ilk in terms of like the hackers and pentesters would love to kind of have some tips and tricks. How would you tell somebody to get in, where would you point them to kind of get started in product, embedded and stuff like that?”
Caleb emphasized the importance of reverse engineering when it comes to product security. He replied, “To answer your question, I think that to properly secure something and provide recommendations on how to, how to secure or how to hack it even. I think you need to understand how to build it. So, you know, one of my biggest recommendations, especially in the embedded world, is get your hands on a little discovery board, write some embedded code on it. There’s all kinds of wonderful, wonderful resources nowadays that really lower the bar, even from when I started not that long ago, that allow you to start writing that code on the embedded side of things and then understand, you know, write an embedded vulnerable application and understand how you would secure it. You know, that to me that’s the best way that I’ve learned in my time.”
Defending products and connected devices
Dan and Caleb concluded the conversation by talking about defending embedded devices against compromise. Dan asked, “What would be some advice for the blue teamers or the product security teams, you know, we alluded to it a little bit, but I’d be curious what your advice would be for them?”
Caleb responded that the best security is always built in from the beginning, so using a secure-by-design approach when developing products and IoT devices is going to afford the best protection.
He said, “Obviously my, my focus is on embedded, so I’ll answer it from that context. But I think the same principles apply. Introduce security as early into the product development lifecycle as you can, and you’ll have better days if you find something. So things like threat modeling and understanding realistic attack vectors, not just at the network and application layers, but also at the low-level hardware layers. So that’s a big one.”
Source: https://plextrac.com/securing-products-embedded-devices-and-the-iothow-to-empower-adversary-emulation/