X-Force Red, IBM Security’s team of hackers, is hired by a variety of companies to find and help fix vulnerabilities exposing their most important assets to potential attacks. One sector that is increasingly looking into the security of their products is internet of things (IoT) manufacturers that build and sell IoT technologies such as smart home kits, cameras, appliances, televisions, security systems and even smart light bulbs.

Some IoT devices, while “smarter” than their nonconnected brethren, are also known to have more security deficiencies, such as default passwords that cannot be changed, privacy concerns and a lack of encryption. These issues can make IoT devices easier for attackers to access remotely, which is why device manufacturers seek ways to test them for potential risk. In a recent analysis, X-Force Red performed a hardware test on a consumer IoT device, which led to us discovering some interesting issues that could have a detrimental effect on businesses that sell everyday devices and services.

During testing, my team and I often look for vulnerabilities in a device or system that might expose it to an attack from an unknown adversary. The attacker may be a member of a criminal gang, a lone wolf or even a nation-state actor, and can often be well-equipped, experienced and determined to compromise their target. However, what if an attacker does not fit into any of those categories and, instead, is a seemingly legitimate customer? That is a very plausible scenario nowadays.

Vicious Tinkerers in Customer Clothing

Let’s take, for example, a scenario that begins with a manufacturer’s customers purchasing and installing a device that provided a certain service. We will assume here that the manufacturer offering the service did install controls to prevent its customers from getting additional features if they did not pay for them. For example, maybe the customer got a set top box — a device that converts video content to analogue or digital TV signals — that provided conditional access to only the channels the customer had paid for.

Yet in this scenario, and in many others, customers may look to obtain more capabilities without necessarily going through the service provider or paying the extras. They start experimenting with the device, trying to find a way to gain an advantage. After all, the device itself is in their possession, giving them ample time to play around with it in the privacy of their own homes.

By tinkering with a device that’s designed to enable customers to enjoy the services they pay for, the manufacturer’s customers who might abuse their access to it can significantly elevate the risk of an attack against the company. It’s a threat that could be scaled and that the manufacturer may not even consider.

Based on my hardware testing engagements, manufacturers and online service providers rarely consider a customer manipulating a device to be a scalable threat, nor worth worrying about. In other words, they may believe that, most times, the number of customers who are likely to grab a screwdriver and start pulling their device apart is so minimal that there’s really no point in spending time, money or effort trying to prevent it.

But that belief is a misconception. Customer tinkering can be just as dangerous as any other threat and can lead to a compromise of a company’s entire environment.

The problem with that tiny percentage of customers who do pick up the screwdriver and start pulling the device’s hardware apart is that, if they are successful and manage to find some weakness in the device, such as a crypto key or network credentials, it may be used not only to further compromise the manufacturer’s direct offering to them, but also provide access to the company’s entire back-end network.

In many cases, it could potentially enable those enterprising customers to start illicitly selling the original company’s service at a reduced price to an entirely new user base by creating cloned, “fake” hardware and taking a market chunk out of the legitimate vendor’s client base. Even worse, the customer may decide to publish the device’s “secret sauce” on the internet, unbeknownst to the manufacturer, and could cause considerable losses to their business.

Unfortunately, modifying devices has become very common. Whether seeking free access, more features or something that could potentially be more dangerous, end users often look for loopholes that could benefit them. All the while, the device’s provider’s back end bears the extra load, risk of exposure and costs.

So, what can manufacturers do to prevent their customers from creating vulnerabilities while maintaining their paying customers’ satisfaction?

IoT Security From the Ground Up

Security of IoT devices of all types should start from the ground up, using secure by design methodologies. By understanding the potential threats and selecting the right components before the work on building the product even starts, manufacturers can choose and utilize security features specifically designed to reduce the attack surface, minimize exposure and lower overall risk of future abuse. Features such as secure boot and cryptographic coprocessing can make a difference when properly implemented, but these types of controls are nearly impossible to add at a later date, such as after a compromise.

Performing hardware testing against devices, before and after they are released to the market, can also help minimize risk. Manual hardware testing entails ethical hackers, such as our X-Force Red team, pulling apart devices using the same tools, techniques, practices and mindset that customers and attackers might use to compromise them. We do that to find and help fix vulnerabilities that could possibly enable any of those attempts to succeed.

Focusing on IoT threats, X-Force Red recently opened its four global IoT testing Red Labs, one of which we are celebrating in Austin, Texas, this week. Manufacturers can ship their devices to any of our labs for testing. The labs provide a secure facility for our hackers to reverse engineer and assess devices using specialized equipment and skill sets.

To learn more about our X-Force Red Labs, watch the video on our IoT testing page. To learn more about our X-Force Red Penetration Testing Services, which includes hardware hacking, read this white paper.

More from Data Protection

Transitioning to Quantum-Safe Encryption

With their vast increase in computing power, quantum computers promise to revolutionize many fields. Artificial intelligence, medicine and space exploration all benefit from this technological leap — but that power is also a double-edged sword. The risk is that threat actors could abuse quantum computers to break the key cryptographic algorithms we depend upon for the safety of our digital world. This poses a threat to a wide range of critical areas. Fortunately, alternate cryptographic algorithms that are safe against…

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Resilient Companies Have a Disaster Recovery Plan

Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly. Unfortunately, many companies have adopted newer technology delivery models without DR in mind, such as Cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS)…

Millions Lost in Minutes — Mitigating Public-Facing Attacks

In recent years, many high-profile companies have suffered destructive cybersecurity breaches. These public-facing assaults cost organizations millions of dollars in minutes, from stock prices to media partnerships. Fast Company, Rockstar, Uber, Apple and more have all been victims of these costly and embarrassing attacks. The total average cost of a data breach has increased by 2.6% since 2021 and is now $4.35 million. Organizations that don't deploy zero trust security models also incur an average of $1 million more in…