Entersoft Security in collaboration with IOT Forum India and TiE Bangalore conducted IOT Hackfest on 7th November 2017 at the TiE Bangalore office.
The challenge (aimed at helping startups think about security proactively) lasted 24 hours, and had our top-notch white hat hackers hack into product companies in Connected Homes/Smart Cities/Infrastructure, Healthcare and Industrial IoT. The motive – to spread awareness about how IoT Devices can be hacked; and hardened by hackers who also help fix the identified loopholes.
After initial rounds of shortlisting, we invited 4 IoT startups to participate in the hackathon. Each had a unique product with a different business aspect. Owing to the sensitive nature of the vulnerabilities we uncovered, we can’t be too specific about their names, but here’s what they were broadly about:
- An IoT water purifying machine.
- A secure Wi-Fi product.
- A home automation product.
- An IoT plug and Play product.
The startups presented us with a comprehensive walkthrough of their IoT devices and explained technical and business aspects w.r.t security.
After we received enough information from the startups, we were able to create a threat model for each device and identify certain critical entry and exit points.
To start we ran version and interoperability standard checks with respect to the devices’ hardware and components. We were successful in identifying some unpatched hardware SDKs.
We performed vulnerability assessments on those devices and summarised trackers for them with bugs categorised according to urgency and importance. We covered security aspects related to Data Collection, Device Integration, Application and Process extensions.
Upon identification of vulnerabilities, we guided the participating startups’ respective tech teams to achieve all-round security.
After the vulnerabilities were fixed we performed regression testing on the products to ensure that the bugs were all patched up.
The security implentation strategies were explained in detail by Sri Chakradhar, our CTO, alongside Arvind Tiwary at the third edition of IoTNext in Bangalore.
We look forward to more such opportunities to reach the our goal to make the connected world a safer place.