During penetration testing engagements, Rapid7 often attacks internet of things (IoT) devices to gain a persistent foothold on a network or even extract usernames and passwords, as these systems generally don’t support antivirus or other host-based security mechanisms. With the ever-increasing amount of malware designed to infect IoT devices—such as the IoT Reaper botnet, Persirai, and Satori—security is a core component of protecting devices and their associated networks.
Securing IoT devices requires a proactive security approach that tests devices and, more importantly, the IoT product ecosystem of services outside of the device’s integrated circuits. The product ecosystem can potentially consist of, but is not limited to, the immediate product, interconnected devices, mobile or web applications, and cloud environments. Depending on the complexity of the product's design and target ecosystem, security services can be expensive. An alternative is to consider setting up a research partnership with a reputable company.
What Is a Research Partnership?
A research partnership is an agreement between the IoT producer and the testing company to examine hardware over a longer period of time. This process is similar to a bug bounty program, but the research is only between the two organizations. If the tester finds a vulnerability in the device, they work with that company to report the finding, recommend vulnerability remediation, verify resolution, and then generate a public disclosure to inform customers and users of the issue.
The following are some of the top benefits of a research partnership:
Better Security Threat Management
Finding a vulnerability doesn’t always have to be a bad thing or a big ordeal. In some cases, simple misconfigurations can be fixed immediately by developers or system administrators to heighten security without public disclosure. In the case of a coordinated vulnerability disclosure, the research partner can provide time and guidance to investigate the issue and develop a stable patch.
When companies attempt to produce a patch too quickly, there is an elevated risk that the solution will not fix the entire problem, will introduce new vulnerabilities, or will cause service disruptions stemming from compatibility issues.
Motivation to Remediate Vulnerabilities
Very little in software or hardware engineering occurs without a clear deadline, and fixing security vulnerabilities is no different. By providing a timeline for public disclosure, development teams and their product managers can be properly motivated to complete the remediation effort promptly without derailing all the other outstanding demands on their time, such as customer-reported bugs, feature requests, and the usual churn that comes with supporting a product.
It’s far preferable to be known as an organization that actively and enthusiastically engages in security research to help protect clients than to be known as a company whose compromised devices led to a network breach.
First, producers can fix and begin to deploy product updates before a vulnerability goes public. Second, consumers can proactively protect their devices, schedule resources, or make configuration changes before a potential breach. On top of these two purposes, the producer can get ahead of the situation and determine which steps are necessary to preserve a high-quality reputation.
Many organizations rely on automated vulnerability scanners to help identify risks within their networks. By publicly disclosing the right amount of material to the developers of these scanning products, producers are actively contributing to the protection of other organizations. Furthermore, in-house developers and those within other organizations can learn from publicly disclosed vulnerabilities and prevent those mistakes from happening in future products. Collaboration is a crucial element in elevating security standards.
Efficient Use of Time
Budgetary or project deadlines can limit the time allotted for testing devices and the product’s ecosystem. A research partner works outside of the development project, above and beyond a standard penetration test. The producer will have to provide equipment to the testing company; however, there is more time to be thorough, incorporate other team members’ skills or expertise, develop new testing strategies, and work more closely with the producer’s development team over a longer designated period.
Resources for Startups
If you are a startup, funding for security testing is likely very tight as you attempt to build capital from an initial product launch. A research partnership can be a great alternative that saves money while ensuring your device goes forward with a robust security approach to the software development life cycle (SDLC).
Where to Start
Within Rapid7, the IoT Center of Excellence is capable of walking producers through the process and can offer guidance for establishing a research partnership.