Elvis Collado, a security researcher at cybersecurity provider Praetorian, also worries about attackers rewriting firmware code and installing it on an IoT device, saying, “The attack vector varies from device to device, but improper key handling or firmware validation puts a great number of IoT devices at risk. If an attacker can program a backdoor into a device, whether it be remote or local, then it’s game over.”
From Blaster to Heartbleed, it’s clear that the tech industry often acts on security only after a major problem becomes evident. What all four of the above experts agree on is that you shouldn’t expect “them” to fix a problem before it happens.
“Builders make the best breakers,” Collado believes. “At Praetorian, we’re all developers and engineers. We just happen to focus on security. If you’re a developer, try breaking your code from a non-QA perspective. Can you cause information to be leaked? Can you cause memory corruption? Do you have test code that was compiled into production that can be potentially abused? Can users access hardware debug interfaces in situations when they’re not supposed to? This type of mentality shift will greatly improve the quality of your code from a security perspective.”