On this IoT For All podcast episode, Ken Munro, Partner at Pen Test Partners, shares his experience finding and disclosing security vulnerabilities by breaking embedded IoT systems.
Ken walks us through the testing and reporting process for security vulnerabilities and how liability is handled in cases where devices are tested and issues are found, especially when manufacturers choose to ignore said issues. He also addresses how companies without impregnable devices can be put out of business due to security failures and why security continues to be an afterthought.
The episode concludes with a discussion about how companies are handling the growing threat of cybercriminals, what the catalyst will be for driving rapid change across the industry, and how IoT device regulations in states like California and Massachusetts can be adopted nationwide. Finally, Ken answers the tough question of whether or not we should be scared of IoT.
If you’re interested in connecting with Ken, check out his LinkedIn!
About Pen Test Partners: Pen Test Partners is a partnership of high-end penetration testers, cherry-picked for their wealth of knowledge and years of experience in the pen testing sector, with a passion to be the very best at what they do.
Key Questions and Topics from this Episode:
(6:26) What is the device testing process like for Pen Test Partners?
(7:49) How is liability handled in cases where devices are tested and issues are found but manufacturers are not open to change or feedback?
(8:48) Why is security an afterthought in IoT?
(10:27) What size companies are impacted the most when it comes to being put out of business due to security failures?
(12:08) What is the reporting “process” when you find issues with devices?
(17:11) Outside of cost, what is contributing to the cause of these security vulnerabilities?
(19:48) What can be done to fix security holes once a product is launched and out in the market, if anything?
(21:17) How wary should consumers be of products coming from smaller companies/startups?
(23:06) How are IoT companies dealing with the growing threat of cybercriminals and the potential threat to their businesses?
(25:15) What is it going to take to start driving change across the industry?
(26:58) How will IoT device regulations in states like California and Massachusetts be adopted by other states?
(36:02) What advice can be given to consumers when it comes to buying an IoT device?
(31:58) Should we be scared of IoT?