In this short interview we talk with one of our instructors, Vaibhav Bedi. He developed the "Exploiting IoT Devices" course with Hakin9, which was the first IoT workshop on the platform. We discussed his education, IoT security, and worst developer mistakes. Enjoy!
[Vaibhav Bedi]: Hi Hakin9, I am doing good, awesome, thank you. I am a person who is always curious to dig into the current and upcoming technology to build applications that can serve humanity and change the world we live in. I have a total of two years of experience in building and breaking smart IoT devices in various areas such as biomedical, embedded system and industrial IoT. With an electrical engineering academic background, I excel at operating and working with hardware. Along with this, I love spending most of my spare time making, breaking and securing IoT devices.
[H9]: IoT is fast becoming one of the most important sections of cybersecurity. When did you get into it? Why did it catch your interest?
[VB]: During college, I was very much interested in building products and after my academics, I got the chance to work as an IoT security researcher with Attify. I worked on pentesting numerous smart devices in various layers such as firmware, hardware, radio, and binary exploitation. I also learned a lot of different things each day and along with this I delivered talks and hands-on workshops to several IoT local chapters and hackerspaces in India.
[H9]: In your opinion, will IoT security ever become simpler or easier?
[VB]: In my opinion, IoT security will become one of the challenging areas in today’s world. Every month, there are hundreds and thousands of smart devices being connected to the internet and potentially being exposed to malicious attackers because there are a number of privacy and security concerns in those smart devices. There are roughly 8 billion devices connected to the internet as of now and by early 2020, it’s estimated that there will be 25 to 35 billion IoT devices worldwide. So a little more attention has to be paid to the device security.
[H9]: What’s the IoT topic or tool everyone in security should educate themselves on? Why this one?
[VB]: I will suggest they should be aware of secure device development. Most of the IoT devices existing on the market are riddled with security issues. This does not mean that all the devices you see in the store or online are vulnerable, it means that there are higher chances than average of the device being vulnerable. The reason why so many IoT devices have security issues is because IoT is a combination of several components, like hardware or embedded devices, web application, mobile application, and cloud-based assets, firmware and radio communication. Out of four components, any one of them could be vulnerable to a specific security issue, which would ultimately end up making the entire product vulnerable. So we should be aware of each and every component to build the secure device.
[H9]: What do you think will be the biggest challenge in IoT security in the nearest future?
[VB]: There are a lot of security issues in IoT devices, like data integrity, encryption capabilities, updation, and privacy issues. But in my opinion, the biggest and most obvious security challenge with IoT devices is the inability to easily upgrade and patch them. Many IoT devices become vulnerable to cyber attacks because their firmware isn’t updated. And managing the update of millions of devices needs to be adhered to, respectively, and not all the IoT devices support over-the-air updates and hence it requires manually updating the devices. This process becomes time-consuming and complicated and if a mistake happens in the process, this shall lead to loopholes in the security later.
[H9]: What’s the worst mistake firmware developers make?
[VB]: Actually firmware is the brain of any embedded IoT device. In my opinion, one of the worst mistakes developers make is that they mostly prefer using the default credentials while developing the device. One of the instances where we might have heard of firmware security is during the time of the Mirai botnet attack. The Mirai botnet infects devices by getting access to the device using default credentials. So we have to prefer the strong password-protected policy.
[H9]: What are you researching now?
[VB]: Currently I am working to dip more into IoT security and identify more vulnerabilities on the IoT device on the various layers. Also, how we can develop a more secure and user-friendly IoT device.
[H9]: Do you have any plans for future projects?
[VB]: Yes, sure. I am very much interested in sharing my knowledge. In the future, I will try to prepare the course on the Binary exploitation, Docker security, and the DevSecOps.
[H9]: Does your formal education help you in your career? Or do you think you would be able to do just as well being self-taught?
[VB]: I always believe in self-learning. Some of the quotes which I always believe:
We have true education, which is self-learning.
We have a school education, which is book learning.
But it doesn’t mean formal education did not help me in my career. The most important thing I got out of my formal education is the people I met while getting that education. The contacts I made at that time can last a lifetime and help me on the road to success. As far as a degree is concerned - well, that just proves I have finished what I started. There is an Elon Musk video on YouTube where he proclaims, your education will open a few doors for you, so it is worth it in that regard. What happens next is entirely up to you.
[H9]: IoT is relatively new, so many people need to educate themselves if they want to become professionals. Which pro certification do you think is most useful for people dealing with IoT?
[VB]: I will suggest Exploiting IoT devices course at HAKIN9 as a unique course that offers security professionals the ability to assess the security of these smart devices. In that course, you guys have discussed a lot of security and privacy issues in IoT devices such as firmware, hardware, Bluetooth and protocols. That course is also going to demonstrate the actual hacking into IoT devices and highlight the top vulnerabilities that exist in IoT devices. That course will give hands-on opportunities to perform exploitation techniques on real-world IoT devices rather than just watching the videos.
[H9]: Where can people find you online?
[VB]: You can catch me on any social media platform like LinkedIn, Quora, Twitter, Instagram. If you are more interested to know my work you can explore me at http://vaibhavbedi.in/.