In partnership with international audit, tax, and advisory firm Mazars, CENSIS welcomed a group of students to the Innovation Centre in Glasgow in summer 2022 to take part in a specially developed IoT ethical hacking exercise.
The students were participants of the National Cyber Security Centre’s CyberFirst programme and had the chance to work with IoT technology designed by our engineering team, helping to give them a better understanding of the vulnerability of systems to potential cyber-attacks.
Cyber security in IoT devices is not commonly taught by universities, but it is a hugely important area that will only become more significant as the market for connected devices grows. Legislation changes are also underway, with a new Product Security and Telecommunications Infrastructure Bill currently working its way through Parliament.
Along with Mazars’ Cyber Attack and Defence team, CENSIS developed a workshop for the students that simulated practical real-life IoT issues. They were asked to identify vulnerabilities in the system and areas that could be improved to prevent exposure to cyber threats.
Exploring the differences with IoT testing
The students said that the experience opened their eyes to the additional physical cyber security risks that come with IoT devices, adding to the software-focused training they had received in their university courses so far.
“When you have a physical box in front of you with circuit boards, antennas, sensors and cables it can be difficult to find a starting point and apply specific methodologies. The technologies used in IoT devices extend far beyond web servers and Linux machines, which is not often taught to people trying to break into the sector”, one student said.
“Having the physical device in front of us sparked ideas such as hardware hacking, dumping firmware, debug ports, removeable external memory and other steps you wouldn’t always think about when testing web apps and vulnerable online machines.”
Another participant added: “With a normal computer-based penetration test, you tend to follow the same methodologies or processes and often run the same tools over and over without second thought. You rarely, if ever, see the physical equipment in front of you. You mostly just see port numbers or IP addresses or web pages.
“Having the ability to see the equipment allows you to map out what is going on and see what the flow of data actually looks like. It allows you to look for certain ports, sensors, devices and cables.
“Additionally, with a traditional software-based test, the end goal is typically to gain top-level privileges on whatever device or server is the target. With IoT, it’s not always the case. Most of the time, it’s just enough to get onto the device or plug into the device and you’re able to see all the traffic, what data it’s sending, configuration files and other useful data.”
A growing range of use cases
The group also highlighted the fact that so many different sectors are utilising IoT, but most likely give little thought to the potential security implications.
“IoT is rapidly growing across many industries and continues to pose fresh security challenges to solve. After university, it would be fantastic to get involved in this area due to the varied nature of use cases”, said another of the CyberFirst students.
“Limited standards are resulting in many unsecured devices making their way onto the market, but the growing range of different hardware used also makes it challenging to secure and pen test. IoT involves a different way of thinking and requires continuous learning of new technologies compared to a normal computer-based pen test where most systems are standard and more predictable.”
Taking IoT skills back to university, and beyond
All of the workshop participants said it had given them food for thought in terms of their future career direction and, in the shorter term, their university studies. “The experience has definitely made me a lot more interested in the IoT cybersecurity sector and it is an area I’m keen to explore beyond university”, said another learner.
“Prior to the exercise, my idea of IoT was mainly focused on everyday consumer products like Amazon Alexa, Ring doorbells and Nest cameras. However, learning about the various implementations of IoT across sectors that most people won’t think about is an exciting revelation.
“I think everyone in the cybersecurity industry has at some point tackled imposter syndrome and thought that they were not capable or had the skills to achieve something. But, it’s important to be confident in what you’ve learned, your background and what skills you can bring to the table. More often than not, a different background or skillset can really benefit a team when facing a new challenge.”
The IoT hacking experience forms part of a wider initiative developed by CENSIS and Mazars for UK students, aimed at supporting greater diversity in cyber security and IoT resilience. The programme brings together learners from a diverse range of backgrounds and undergraduate disciplines. For the purpose of this article, participants remain anonymous.
Commenting on the first workshop, Alex Miller, Manager – Cyber Attack and Defence at Mazars, said: “This was an excellent start to our new partnership with CENSIS and our CyberFirst interns certainly learned lots. The workshop highlighted the importance of a multidisciplinary skillset within a penetration testing team, particular drawing on computer science and electronic engineering knowledge. The experience was also hugely valuable for the team at Mazars who joined in, and we learned a lot about the cyber-physical approach and methodology that IoT penetration testing requires.”