X-Force Red in Action: Spotlight on IoT Security with Thomas MacKenzie
Welcome to the inaugural episode of the X-Force Red in Action podcast series, where I’ll talk with the security industry’s top penetration testers about the work they’re doing and the trends and developments that excite them. X-Force Red is an autonomous organization within IBM Security and has a global team of hackers who test everything from applications to airplanes. In this series, we’ll dive deep into the world of hacking and penetration testing through their eyes.
In today’s episode, I’m joined by Thomas MacKenzie, European associate partner at X-Force Red. Together, we dig into the growing impact of Internet of Things (IoT) security and examine some of the unique challenges coming down the pike.
IoT Security and the ‘Black Box Problem’
According to MacKenzie, IoT security presents a distinct challenge because of the “black box problem.” This is where business-to-business (B2B), business-to-consumer (B2C) and even consumer-to-consumer (C2C) devices perform a specific function and can’t be customized.
Because these devices cross multiple security domains — including networking, embedded IT infrastructure and cloud storage — their attack surface is exponential. An added challenge is the fact that many manufacturers have limited budget for developing their devices. These devices don’t have high price points, leading to a lack of money for “auxiliary” concerns like security.
Security By Design
So, what’s the solution? MacKenzie advises IoT developers to implement security by design during the development process. Along with software risks, what are the risks of embedded, connected hardware? While there’s upfront spending required here, it’s minimal compared to costly, widespread recalls and lasting damage to brand reputation.
And yet it’s critical to recognize that creating a completely secure product is impossible. Even when using a secure by design approach, companies still need a plan to focus on programmatic testing of the product.
The X-Force Red Advantage
For many companies, this type of in-house IoT security modeling and design isn’t an option. The role of the X-Force Red team then is to provide a hacker’s-eye view of devices and the risks associated with them. So, essentially – companies can focus on what they do best – making stuff – and let X-Force Red take care of “breaking stuff” and finding the vulnerabilities in them.
Leveraging the skills of their very own “toymaker,” the X-Force Red team takes apart IoT technology to discover hardware weaknesses — and then develops programmatic test cases to enhance total security.
But I think Charles Henderson, global managing partner at X-Force Red, put it best when he said of his team, “if you can build it, we can test it.”