In-brief: The security firm Rapid7 said it is launching a consulting and advisory service to help companies design more secure Internet of Things products and assess the risk of deploying IoT products in corporate environments.
Rapid7, the Boston-based security firm best known as the home of Metasploit, has launched a new security testing and strategic consulting practice to help organizations “securely use IoT devices,” the company announced on Tuesday.
The new practice will cover a number of areas, helping organizations that are developing products “think strategically about building security practices into product development lifecycles.” Rapid7 said it will also provide security assessment and testing of both hardware and software, and offer forensic analysis for devices that have been compromised.
“The risk posed by IoT devices has moved from theoretical to real-world. When we consider IoT, we’re no longer talking about a single or highly unlikely, targeted instance of a vulnerable device that leads to one compromised system or consumer. We’re now seeing large-scale attacks that leverage huge numbers of devices against extremely popular organizations,” said Deral Heiland, IoT research lead at Rapid7, in a statement. “As a result, device developers and manufacturers are coming under increased scrutiny and heightened expectations. Their products are assumed secure, though many of these product developers are still learning the fundamentals of secure design principles.”
Recent denial of service attacks linked to botnets like Mirai and Bashlite have relied on global populations of insecure devices including cameras and digital video recorders, DHS warned in October. That has raised the stakes for Internet of Things security. But threats posed by connected devices go well beyond denial of service attacks.
Rapid7 has long conducted research on connected devices. The company recently published information on vulnerabilities in an insulin pump made by Animas, a division of Johnson & Johnson. The company has also researched security holes in consumer products like smart toys. Still, the new program marks a big expansion into IoT-focused services for a company that made its name providing more traditional network vulnerability scanning.
The company said its strategic advisory services will focus on enterprises that want help adjusting their security programs and business decisions to account for the risk of Internet of Things devices.
The service will also offer assessments of IoT devices in the consumer, enterprise, industrial, medical, and transportation sectors. The offerings include advice on how to develop IoT technologies securely, threat modeling for IoT products, advice on securing hardware, and incident response for compromised IoT endpoints.
The security testing and vulnerability analysis services will comprise penetration testing and analysis of IoT devices, including their associated mobile applications, APIs, communications and, of course, embedded hardware and software. Rapid7 will also offer services to test the internal architecture of a device, including its internal components, to determine the breadth and depth of its physical attack surface. Protocol and firmware testing services will also be offered.
Lax design of Internet of Things devices promises to be an acute problem in the coming years, as a population of hundreds of millions or billions of connected devices comes online, both in the consumer space and in industry and critical infrastructure. Much of that comes down to issues with quality and control in the supply chain. The Mirai botnet, for example, capitalized on weak security, including default credentials, in software written by XiongMai, a China-based supplier of circuit boards and “system on chip” components used in cameras and DVRs.
Experts have noted that many of those problems are, in fact, avoidable, if companies can be encouraged to follow basic secure design and deployment principles adopted by more traditional IT vendors long ago.