Black Hat , Endpoint Security , Events
IoT Hardware Security: A Growing Concern
Plaskett and Herrera of NCC Group on Sonos Flaws and Holistic Security ApproachHardware security remains a critical concern for IoT and embedded devices. Recent research revealed serious vulnerabilities in Sonos devices, specifically affecting Wi-Fi and Secure Boot functions, said Robert Herrera, senior security consultant at NCC Group. The Wi-Fi vulnerability lies in a flaw within the MediaTek Wi-Fi stack's kernel module and stems from inadequate input validation, leading to memory corruption and stack buffer overflow, Herrera said.
See Also: Corelight's Brian Dye on NDR's Role in Defeating Ransomware
"Hardware vulnerabilities are as critical as software vulnerabilities," said Alex Plaskett, security researcher at NCC Group. "You need a holistic approach to security. You need to consider both software and hardware, and if one area is a lot weaker than the other, the attacker will just go for that."
The current state of embedded security shows a broad spectrum of vendor practices. Some vendors employ robust security measures while others may neglect essential practices, such as disabling debug interfaces, Plaskett said.
In this video interview with Information Security Media Group at Black Hat 2024, Herrera and Plaskett also discussed:
- The importance of conducting extensive background research on targets and purchasing devices for vulnerability testing;
- Using reverse engineering, binary analysis, code review and fuzzing to find vulnerabilities;
- The need to perform security audits of the software, whether developed in-house or by third parties.
With more than 15 years of experience in vulnerability research and exploitation, Plaskett has identified and exploited vulnerabilities in various high-profile products across diverse security domains. He previously led security teams across multiple sectors including fintech, mobile security and information security.
Herrera specializes in vulnerability analysis, secure software development, cloud security and IoT device protection. With extensive experience in penetration testing and incident response, he has identified critical vulnerabilities in popular consumer IoT devices and developed secure coding practices.