IoT Hardware Security: A Growing Concern

Plaskett and Herrera of NCC Group on Sonos Flaws and Holistic Security Approach
Alex Plaskett, security researcher, NCC Group, and Robert Herrera, senior security consultant, NCC Group

Hardware security remains a critical concern for IoT and embedded devices. Recent research revealed serious vulnerabilities in Sonos devices, specifically affecting Wi-Fi and Secure Boot functions, said Robert Herrera, senior security consultant at NCC Group. The Wi-Fi vulnerability is a flaw in the kernel module of the MediaTek Wi-Fi stack that stems from inadequate input validation and leads to memory corruption and a stack buffer overflow, Herrera said.

"Hardware vulnerabilities are as critical as software vulnerabilities," said Alex Plaskett, security researcher at NCC Group. "You need a holistic approach to security. You need to consider both software and hardware, and if one area is a lot weaker than the other, the attacker will just go for that."

The current state of embedded security shows a broad spectrum of vendor practices. Some vendors employ robust security measures while others may neglect essential practices, such as disabling debug interfaces, Plaskett said.

In this video interview with Information Security Media Group at Black Hat 2024, Herrera and Plaskett also discussed:

  • The importance of conducting extensive background research on targets and purchasing devices for vulnerability testing;
  • Using reverse engineering, binary analysis, code review and fuzzing to find vulnerabilities;
  • The need to perform security audits of the software, whether developed in-house or by third parties.

With more than 15 years of experience in vulnerability research and exploitation, Plaskett has identified and exploited vulnerabilities in various high-profile products across diverse security domains. He previously led security teams across multiple sectors including fintech, mobile security and information security.

Herrera specializes in vulnerability analysis, secure software development, cloud security and IoT device protection. With extensive experience in penetration testing and incident response, he has identified critical vulnerabilities in popular consumer IoT devices and developed secure coding practices.


About the Author

Aseem Jakhar

Co-Founder, EXPLIoT

Jakhar is the co-founder of EXPLIoT. He founded null, an open security community platform in Asia. He also organizes the Nullcon and hardwear.io security conferences.



