October 13, 2016
Merritt Maxim and I just published our research on the IoT Attack Surface. This report gives a realistic, but not sensationalized, view of how enterprises need to think about IoT. Three factors motivated our research for this topic – attacks on IoT will transcend the digital-physical divide, the sheer scale of IoT will challenge security teams, and IoT devices collect massive amounts of data.
The following methodology allowed us to home in on concrete enterprise scenarios:
- We went for offense first. We started by interviewing prominent security researchers who spend their days thinking about how to attack IoT devices and systems. Our outside-in approach allowed us to develop a threat model for intrusions, as well as to identify weak points in the defenses of IoT makers, users, and operators.
- We explored the ramifications of an attack. We wanted to understand what an attacker would, or could, do when successful. We also wanted to understand how much friction existed for whatever came next: credential harvesting, persistence, or disrupting operations.
- We examined existing security practices to understand what works and what doesn't when defending IoT devices. This step highlighted that while IoT is different, defending IoT looks similar to other security problems S&R pros have dealt with. You can bring security lessons forward and apply them to IoT without having to learn them all over again.
Every security practitioner learned with cloud and mobile that ignoring things will not make them go away. IoT presents a chance for security to guide the business by prioritizing privacy and security for each IoT use case.