The Security Ledger

Episode 82: the skinny on the Autosploit IoT hacking tool and a GDPR update from the front lines

In this week’s episode of The Security Ledger Podcast (#82), we take a look at Autosploit, the new Internet of Things attack tool that was published to the open source code repository GitHub last week. Brian Knopf of the firm Neustar joins us to talk about what the new tool might mean for attacks on Internet of Things endpoints in 2018. Also: the go-live date for the EU General Data Protection Regulation is just months away, but many firms are still unaware that the regulation even exists. We’ll hear two reports from the front lines of GDPR, first from Sam Pfeifle of the International Association of Privacy Professionals and then from Shane Nolan of IDA Ireland, that country’s inward investment agency.

The news last week was about Autosploit, a new, automated attack tool that was published to GitHub. Autosploit is a cobbling together of two well-known tools, the Shodan search engine and the Metasploit penetration testing platform, and it automates attacks on embedded systems and other Internet of Things endpoints. Attackers can use Shodan to search for Internet-exposed systems that run a particular software platform and then rifle through Metasploit’s exploit modules for that platform to see whether any of them gains access to the system.

Autosploit invites Script Kiddies to the IoT Hacking Party

Attacks on Internet of Things devices are becoming more common and more dangerous. Since the Mirai botnet made headlines in late 2016, any number of Mirai variants and new botnets have emerged that target embedded devices such as IP-enabled cameras, digital video recorders and home routers.

The New Year may bring even more of that, especially after the publication of a new tool, dubbed Autosploit, that makes finding and hacking into embedded devices as easy as clicking a button. The new tool, which was published on the open source code repository GitHub, marries existing tools, the Shodan search engine and the Metasploit attack platform, in one easy-to-use package.

[You might also like to listen to Episode 79: Hackable Nukes and Dissecting Naughty Toys]

Autosploit simply combines two existing hacking tools. But it does make hacking the IoT easier for low-skill “script kiddies,” says Brian Knopf of the firm Neustar.

In the first segment of our weekly Security Ledger Podcast, Brian Knopf of Neustar joins us to talk about what Autosploit means for IoT security. Knopf, whose previous work includes a stint at device maker Belkin, said that Autosploit isn’t the first marriage of Shodan, Metasploit and other hacking tools, and it won’t be the last. But it will certainly make it easier for “script kiddies” (low-skilled hackers) to target IoT platforms. However, getting rid of the tool won’t solve any problems. The long-term fix is for the industry and regulators to begin policing the security of connected devices and holding manufacturers to higher standards.

Among other things, we talk about a new open source platform, the Trusted Device Identity framework, a way to authenticate and revoke IoT device identities in real time.

GDPR Eye on the Strava Guy

The EU General Data Protection Regulation (or GDPR) takes effect in a few months, but many companies in North America and even Europe are unprepared to meet the new law’s strict data privacy requirements. Case in point? Last week’s revelations about how exercise data from the Strava fitness app was being used to identify both military facilities and individual soldiers.

Our second guest this week, Sam Pfeifle of the International Association of Privacy Professionals says that the Strava “heatmap” incident is indicative of a culture in which companies treat customer data as their property and give scant thought to how it might be abused either individually or in aggregate.

GDPR will be a rude awakening for many of these firms, as it treats data privacy as an inherent right and imposes stiff penalties for firms that violate that right. In our second segment, Sam and I talk about what GDPR will mean for companies that traffic in data on employees or customers, what kinds of enforcement actions to expect and how ready firms are to comply with the law. While larger firms have been getting ready for the new law for years, there is concern that smaller companies are not up to speed. One warning sign: Pfeifle says that surveys suggest that between 50% and 70% of small businesses are unaware of the existence of GDPR, or what it requires.

GDPR: a view from the trenches

And finally, firms in North America can at least be forgiven for thinking that GDPR doesn’t apply to them. But Shane Nolan, the VP of Content, Consumer and Business Services at IDA Ireland, said that doing so could come with a steep cost. As an executive with that country’s inward investment agency, Nolan works closely with companies that do business in the EU on GDPR. He stopped into the Security Ledger podcast to talk about how things are going in the lead-up to GDPR, what the biggest compliance headaches are and what the impact of the new law will be for both businesses and consumers.