In the latest episode of the X-Force Red in Action podcast, we dive into the world of hardware testing with Ivan Reedman, global hardware security and capability development lead at IBM X-Force Red.
The Toymaker Tackles Hardware Flaws
Reedman is known as “The Toymaker” among his teammates, and his passion is creating hardware-based tools to compromise physical devices. Why hardware? While traditional penetration testing can reveal fixable software or configuration flaws, physical hardware can’t be patched. Threat actors who get their hands on these devices could bypass security certificates, steal data and leverage other IoT devices for a back-end attack.
The big problem with hardware, according to Reedman, is implied trust. Users naturally trust devices to secure data — but both commercial and industrial devices struggle to do just that.
Reedman’s rule of thumb is that security is less costly when built into hardware design from the start. After all, finding the resources for better hardware protection is cheaper than recalling and redesigning millions of products.
Fulfilling the X-Force Red Mission, One Appliance at a Time
For Reedman, the current security landscape suggested a solution: Design physical products to help mitigate hardware design flaws. These flaws include common problems such as developers forgetting to remove code, or merely disabling debugging interfaces that remain accessible at the beginning of the boot cycle. And once his patent is officially filed, we’ll be able to hear much more about the solution Reedman has identified.
Not surprisingly, the Toymaker’s passion for tinkering and design also carries over to his everyday life. He recently discovered that his smart washing machine could be compromised when he figured out how to quickly turn the hot water solenoid on and off — so quickly, in fact, that the natural gas used to heat the water didn’t have time to ignite after being released by his furnace.
After several cycles, he left the solenoid on just a little longer, which prompted a discussion with his wife about why he was trying to blow up the house.
Humor aside, this story underpins the critical mission of both X-Force Red and Ivan Reedman: to test, identify and eliminate potential vulnerabilities — no matter where they occur.
Stay Ahead of the Threat
Need a refresher on what this series is all about? Check out the first episode of the series to hear Thomas MacKenzie, associate partner at IBM X-Force Red, talk about Internet of Things (IoT) security.