The Internet of Threats: From bugs to bounties and the future of digital assets
CYBERSECURITY & PRIVACY | INTERNET OF EVERYTHING
BY AMITPAL SINGH ON NOVEMBER 14, 2016
Dark IoT TM Forum Live! Asia 2016 TM Forum Live! Asia 2016 Speakers
At TM Forum Live! Asia next month (December 7–8, Singapore), Threat Equation’s Amitpal Singh will take part in the panel, All-seeing, all-telling connected devices? Here he gives a preview of some of the issues he hopes to see discussed.
Since the emergence of computers in the 1940s, software bugs have existed in computing systems. These bugs, also known as security defects, have caused multiple and widespread vulnerabilities across operating systems and application frameworks. Now this is happening in The Internet of Things (IoT), where intelligent sensors, drones and even healthcare insulin pumps and heart pacemakers have been successfully compromised prior to launch. Traditionally, software debugging was done by monitoring and measuring the level of a product’s performance, to diagnose errors and to write trace information for further root cause analysis.
Just as the standards for IoT security are being formalised, ratified and adopted, the attackers have had a jump start in both research and development as well as motivation. These IoT applications can be abused, bypassed and jail broken since there is no proper vulnerability disclosure for part-time contract developers and often no leader or full-time formal security team to identify and fix potential security threats within the code chain. These IoT killer applications are under tremendous ‘rush to release’ pressure, and as such they have been easily compromised. Moreover, the security in IoT is somewhat theoretical and decentralised telecom IoT micro-services infrastructure platforms have seen a regular stream of attacks.
Dark IoT
Then there is another side to this where ‘Dark IoT’ already has an operational open-sourced Dark IoT platform (e.g. Shodan Search or even Google Dorks) capable of showing hundreds and thousands of vulnerabilities to anyone and allowing attackers the means to compromise IoT-connected devices. More recently, telecommunication service providers have begun investing and relying heavily on web-facing IoT applications using MQTT communication standards.
So just as we move to mainstream IoT, which is essentially chained code (micro services) in a server-less and decentralised architecture, we have to consider a disruptive and real-time defence (with security intelligence) which is baked into the code-chain as well as capable of enforcing run-time protection.
We call this new and emerging technique “Interactive & Real-Time Asset Self-Protection”. This is a pre-emptive defence mechanism that runs in real-time within the front-end mobile applications and even the backend web application frameworks. It enables built-in self-protection for IoT applications, thereby reducing the attack surface, risk exposure and reputation damage. This disruptive technology has emerged from our threat research labs into the dynamic and highly competitive IoT sector. At its core, this technique provides a run-time protection for next-generation IoT applications written in Node.js, Python, PHP, Ruby even Android & IOS. The key capabilities and the business benefits include precision asset protection, virtual patching, and zero-day vulnerability mitigation.
Amitpal Singh is presently the Co-Founder & CTO @ Threat Equation Pte. Ltd. based in Singapore, the creator of iRASP™ (Interactive & Real-Time Application Self-Protection) a SaaS based solution which enables built-in self-protection for IoT Applications (written in Node.js using MQTT messaging protocols) thereby reducing the overall attack surface. This run-time protection is also available for applications written in Python, PHP and Ruby. Amitpal has about 15 years’ experience in the IT industry starting from the Silicon Valley where he held Senior Engineering roles at Brocade, Stryker and then Applied Materials. Following that he served as a Senior Enterprise Architect and then part of Product Management at Oracle Corporation and Sourcefire Inc. (later part of Cisco Systems) respectively. He holds a B.S. in Computer Science and Mathematics and an M.S. in Engineering Management from Santa Clara University.
