Oops! Something went wrong while submitting the form.
It seems everything smart is hackable, with IoT startups sometimes repeating security mistakes first made decades ago. How then does one start securing it?
In this episode of The Hacker Mind, Beau Woods and Paulino Calderon discuss their book, Practical IoT Hacking, and talk about IoT threat models, the technologies being used today, and what tools and knowledge you need to get started successfully hacking IoT devices.
Vamosi: I once lived near a large urban park. And as a consequence I inherited a family of raccoons living into my cottage. One night I found the light in the crawl space beneath the cottage was on and off and on again. At first I thought it might be a homeless person, but then I heard the chittering of young rats and apparently the young raccoons are pulling on a very long spring that turned on and off, a naked incandescent bulb. Funny thing. Raccoons are blind in the light, so they were effectively creating a denial of service attack upon themselves.
The next day I cut the string,
There's a parallel here to IoT light bulbs that change colors. In 2013, researcher Nitesh Dhanjani found that a popular brand used simple MD5 hashes of the device's MAC addresses for authentication. Problem is, MAC addresses are not great for authentication. It's like using a hash of your street address, as the password for your front door.
So he queued up some hash MAC addresses and wrote a simple script. In a YouTube video he shares the night he lost his entire apartment in the darkness, and is surprised that it stayed dark until he killed the program. The Internet of Things presents us with both convenience and inconvenience at the same time, suddenly everything is smart is hackable again with startups sometimes repeating security mistakes made decades ago in the rush to market toys. The question is, who is hacking the internet of things today, and how does one even get started?
Welcome to the hacker by original podcast from for all secure, it's about challenging our expectations about the people who hack for a living.
I 'm Robert Vamosi and in this episode I'm talking about hacking IoT devices specifically what are the IoT threat models, what are the IoT technologies being used. And what then are the tools and knowledge that you need to get started hacking IoT devices
So far on the hacker mind, I've talked about Capture the Flag bug bounties and how to become a pen tester. I've even talked about how to pick locks, But we haven't talked much about hacking the Internet of Things, as I produce this episode I have a Bluetooth enabled coffee mug that uses an app to regulate its temperature undoubtably you have Bluetooth or other enabled devices in your life as well. To learn more about common threads facing these IoT devices, and how to create a framework for it, I turn to two experts.
Woods: My name is Beau Woods, I'm a cyber safety advocate with, Iamthecavalry
Calderon: Paulino Calderon, I'm a senior application security consultant with Websec.
Vamosi: Beau and Paulino are two of the five authors of Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things, a new book from no starch press available from Amazon and other fine booksellers. It's a comprehensive book, and it's an important topic. The book reminds us that besides worrying about someone randomly crashing our power grid. Maybe we should also consider that someone could remotely crash our insulin pumps pacemakers, even our coffee mugs.
Woods: A lot of people don't understand why you would teach people to hack devices that could cause harm. And we want to show the extent to which we care about, not causing harm, not inadvertently equipping criminals or not inadvertently equipping, other people whose motivation and goal is to hurt other people. So, in the book, we have a whole chapter dedicated to safely and lawfully conducting security research. We have a chapter on threat modeling, so that researchers will know the potential harms that they could cause we have a chapter on an IoT methodology, so that they can have tried proven mechanisms to conduct security research, and we've got a chapter that talks about how to defend organizations defend enterprises, from their IoT.
Vamosi: Before we get too far we really should take a step back and define IoT. When I started writing my first book when gadgets betray us, IoT was still known as hardware hacking, or embedded security. That's because early IoT systems consisted mostly of dumb sensors on embedded systems out in the field. They had very few onboard resources, and were typically bundled with a lot of old communications protocols. Gradually the devices got smarter, and their numbers increased exponentially. So what do you call it when every dumb thing we have now starts communicating over the internet, Cisco tried real hard to make the Internet of Everything or io e stick. It didn't. So we settled upon the Internet of Things, or simply IoT.
Woods: I think everyone defines the internet of things differently. For some people, for instance, a router might be internet of things for other people it might not be it might be considered network infrastructure. For some people, a car might be internet of things for other people, that's an industrial application of the Internet of Things, or some people, a power plant might have IoT devices for others they might consider that industrial IoT, or operational technology. So everybody kind of has their own definition, but the one that I tend to use as a working definition is anything that has computing power, conductivity and physical capability kinetic capability.
Calderon: It's kind of like what happened with the term hacking, right. Everyone is still fighting over. So yeah I don't dwell too much on it further. I guess I consider IoT. Any device that could store information, and be accessible, either remote or internet based, and that should be it should be considered in our infrastructure and the needs that we have, we need to protect them as well.
Vamosi: So we have IoT sensors out in the field that utilities use, and we have consumer IoT in the home. In addition to a smart coffee mug. There's a smart IoT enabled toothbrush for example, I mean, a toothbrush is a stick with bristles. Do we really need that to communicate with the cloud.
Woods: Yeah I think eventually, anything that has electricity will have computing power, and even some things that don't have electricity today will have computing power. So, there are for instance, IoT, water bottles, things that just hold water. But that you can use to track how much you drink, or helpful it is so that you can know to refill it or how cold or hot it is so you can know. You know, if your soup is getting too cold, you know, whatever you're doing.
Vamosi: So, by that definition, IoT, still could be the internet of everything, I guess, but we're a long way past the naming of all this, quite simply IoT means anything that communicates with something else.
Woods: If you think about the overall system, within which some of these devices live. There has to be storage somewhere so even sensors, end up sending their data someplace that has to be stored, and that might be in the cloud, for instance, which is increasingly a part of the Internet of Things. It's just another node to when those sensors or those physical devices can connect to get computing instructions to deliver data, to give people a sense of power control or to accept commands from outside
Vamosi: The author's work mainly with home IOT and not necessarily larger IoT systems, mostly because they want to get people started with hacking IoT. Most of us don't have access to industrial systems on this item.
Woods: Yeah I think almost all of the research that we did for this book and published in this book is home based IoT devices. Part of the reason for that is they're more accessible. But some of our writers and researchers actually have access to the higher end more expensive industrial IoT or medical IoT devices. We chose not to write too much about those because they're not as broadly applicable, and because some of the consequences of failure for those are higher than the threshold that we wanted to necessarily equip and enable people to be able to rush out and do if they have a low level of experience a little level of maturity in working with and testing those devices.
Vamosi: That's a good point, with IoT hacking, we want to make positive contributions to the security of our internet connected things.
Woods: Yeah, in the book we go through great pains to make sure that security researchers can safely and lawfully test these devices. Now, while laws differ in every country. The ones that we tend to focus on are US laws, because that's where many of the security researchers do their work, or other countries that will have laws that are similar to US laws. And so we actually had a couple of expert outside contributors come in and talk about two in particular, the DMCA, or Digital Millennium Copyright Act and the CFAA Computer Fraud and Abuse Act, which are the two primary vehicles that security researchers might get trapped in accidentally. If they don't know how to effectively safely and lawfully conduct some of their security investigations, so. Computer Fraud and Abuse Act is the most common law in the US used to arrest and prosecute criminal actors under computer crimes laws. And that one basically says that if you exceed authorized access and tamper with a computing system, you may face criminal penalties. This is a law that was written in 1980s. And that has not fully kept pace with the time,
Vamosi: Although CFA is old. There have been recent efforts to update it,
Woods: There are some efforts to reform that law, to change it to improve it so that it doesn't inadvertently capture security researchers in the US, the Department of Justice has published guidance for prosecutors, so that they don't inadvertently capture good faith security researchers, and that's kind of a launch landslide a watershed moment for what we do is to have the Department of Justice recognize the value and utility of security research. The second law we talked about is the Digital Millennium Copyright Act or DMCA, the DMCA was written in the 1990s and updated in the early 2000s I believe, and it's meant to prevent pirating of DVDs and other media. but in writing it, it inadvertently, or maybe overtly I don't remember captured reverse engineering software that has some protection mechanism in it, and without getting into the details. If you have to overcome a security barrier, and if you have to reverse engineer security protocol, then you may get caught in the Digital Millennium Copyright Act, which exposes you to criminal as well as civil penalties.
Vamosi: Unlike CFAA, DMCA has a built in trigger to make exemptions, every three years,
Woods: The DMCA is up for renewal of its exemptions every three years in the US. So, 2021 is one of those years and many security researchers many companies. The Department of Justice, have submitted letters to the Library of Congress who manages those exemptions. And the hope is that we will continue expanding on the exemptions that have been granted for good faith security research so in 2015, we got some narrow exemptions for medical devices cars and voting machines. In 2018, we got some broader exemptions for all data, all devices all types of devices. And the hope is that in 2021, we'll get more expansive exemptions that apply to more types of devices, and that reduce the potential chilling effect that would stop researchers working on security research in the US because of fears of DMCA violations.
Calderon: And even when we wrote the book it got tricky because some of the cool findings that we had, couldn't be mentioned in the book so we had to you know work on open source boards and come up, use open source laboratories instead of doing real life examples.
Vamosi: The book Practical IoT Hacking is full of useful examples. And it's not just stories from the authors themselves.
Woods: We brought in a number of expert contributors like Dr. Marie Moe, who is a security researcher, but also a pacemaker patient, and we wanted to bring those voices in to be able to, to save why it's both critical that we do this security research, but equally critical that we do it in a way that doesn't inadvertently cause harm, or cause potential harm. And that's something that's really really important to us.
Vamosi: So it stands to reason that basically anything IoT can be attacked.
Calderon: Yeah, and at the end everything matters as far as for for attackers like if it's in the attack surface, and they can it can be abused. Doesn't matter if it's you know, in transit, stored somewhere or inside the device. It's still a threat.
Vamosi: This raises an interesting point, The storage of information early embedded systems only reported back the conditions it observed IoT devices today can interact more and make automated adjustments on the fly. Now IoT is starting to sound less like a sensor and more like a traditional computer. So what then makes IoT hacking different from say traditional network hacking
Woods: IoT is interesting and especially some of the, the aspects that you can get into with the Internet of Things. There's several differences between IoT and traditional computer systems so you can have different consequences, you know, often the consequences of failure and an IoT device might be human life for public safety outcomes and medical devices cars, trains, airplanes, you have different adversaries, so because of the consequences some adversaries will run away from IoT some adversaries will run towards IoT and see that as a way for them to increase profitability or serve their other goals.
Vamosi: For example, let's say you're a large retail organization with a number of physical locations. Perhaps you want a centralized and remote way to regulate the temperature of each store. You want to automate the HVAC system for remote access. That's what happened with the Target breach in December 2013 Someone found a vulnerability in third party a HVAC system and then use that to laterally move on to the corporate network and find the credit card. Is that a traditional networking attack, or is that an IoT attack? I would think secure IoT attacks would be different.
Woods: You have different types of components, you know, small tiny chips that may run an ARM core versus an Intel 86 You may have many different types of things digitally in some of the chips that are on there, which provide additional capabilities as well as limited power, or a limited processing capability, high battery drain for instance, is an issue if you're trying to do certain types of attacks.
Vamosi: So our approach to IoT security should be different from traditional computing. We think about replacing our computers every four years or so, with IoT. The devices are designed to run on timescales that are measured in years if not decades
Woods: So IoT devices will live out in the wild for decades or more. We're just seeing some of the early edges of some of those adoption curves that will will take us for 510 15 years or more. In some industries, and at the same time, the consequences happen in real time. So when an IoT device starts misbehaving, you can have harm that happens in milliseconds rather than months, as with like financial theft or some other things,
Vamosi: Since most IoT devices are smaller, with limited resources, You can at least disable them fairly quickly for dramatic effect with a simple denial of service attack, like those light bulbs I talked about earlier
Vamosi: With the IoT attack surface being greater, and the technology being somewhat different from traditional computing, how do you get started hacking IoT. I mean, I have this Cally box that I use for network systems, can I use that to attack an IoT system,
Woods: I'd say start with what's most familiar most comfortable to you. So if you already have a background and network testing, that might be the place to start if you have a background in web application security. Maybe you start with the Web Components web interface,
Vamosi: I mentioned the test the Johnny at the top of the podcast. He also looked at baby monitors and one had this persistence. It seemed that once you authenticated through the local network, the app maintain that access, even if you are halfway across the world. I suppose it's a good idea if you travel a lot and want to keep tabs on things back home, but it's also a bad idea in that someone outside the family could gain access to the live audio and video stream, perhaps overhearing private conversations between parents. So is this a feature, or is this a bug. And then there's this other example. The Strange Case of someone hacking into a casinos fish tank, which is something right out of Ocean's 11
Ocean's Eleven: When was the last time you went to Vegas? You want to knock over a casino?
Vamosi: Right, so this unnamed North American casino had a massive fish tank in its lobby, and someone use that to get access to the casinos corporate network. Kind of like the Target breach, kind of brilliant actually. But still, the Target breach the baby monitor the fish tank. These are all basically network attacks, enabled by poorly configured IoT devices for true IoT hacking, I'm thinking you're going to need a bit more than a Kali Linux box on your side.
Calderon: Yeah, and as far as tooling goes into mentioned Kelly. I think it can get you started on the software aspect of it, but then there's also the hardware side, and then for that you might need some additional tools or hardware to interact with that.
Vamosi: Right, remember I said all this started out as being called hardware hacking, or embedded security, unlike a traditional Windows box with its predictable almost vanilla chipsets and operating system, the Internet of Things uses a variety of chipsets, each with their own runtime operating system or our costs are tosses firmware on the chip itself. In some cases the artists simply don't have the resources to be updated. They're designed to be obsolete at some point in time. One
Woods: One of the characteristics of the internet of things is it has got all of these different components there's many many different gateways to get into testing. The Internet of Things devices IoT devices. And so it, it opens up the possibility for people to engage in multiple different places, and at the same time, because it has all those different aspects, there's going to be something that you don't already know which can be intimidating and can cause people to delay.
Calderon: I will always start with a simple tread model of the components and you said like very simple and get you to understand how the information is flowing between them and where to focus your attention or where it might be more worthwhile
Vamosi: Threat models are the most basic way to plan your defense, you need to identify where the attacks are most likely to target and how well you've secured those targets with corporate networks there used to be common points of entry. So your corporate it would spend heavily to defend what used to be considered the perimeter. With the proliferation of mobile devices, the perimeter became porous than non existent. The threats today can now come from a variety of places, even that coffee mug.
Woods: The nature of the threats that you may encounter might be very different. So if you're looking at a typical enterprise network enterprise endpoint device, then your primary threats are going to be around confidentiality of data, those are going to be the most severe threats that you tend to look at or severe risks that you tend to look at.
Vamosi: Beau is talking about something known as the CIA triad and security with confidentiality, that's the see, you have to ask can you keep the data confidential. There's integrity, that's the eye, which means the data hasn't been compromised in transit or at rest, and availability, that's the A, which means the data is always available.
Woods: Whereas with Internet of Things devices availability is much more of an issue. So if you've got a medical device that's keeping a patient alive, if that device goes offline, then the patient can also go offline. At the same time. Integrity attacks are much more severe in the internet of things. So, using an example of a car, if you can cause a car to turn left, all of a sudden, that's an integrity attack that can cause really severe damage to the person whereas confidentiality doesn't always lead to those types of outcomes and in fact, it almost never leads to loss of life type of outcomes, except when that data is taken and used later by someone else. One of the, the, potentially morbid jokes that I sometimes make is I love my privacy but I want to be alive to enjoy it.
Calderon: As far as just the exercise, or the threat modeling thing. I don't know. I wouldn't think about that it's too different. Because at the end of the day, you're just identifying components and data flows and just keeping an eye on the technical side. I think if you're already doing threat modeling with applications. You can do a very solid work with an AI, with an IoT device.
Vamosi: Good point. If you're already doing Threat Modeling then you should be able to incorporate the IoT attack surface,
Woods: One of the considerations in IoT is power consumption, both in terms of battery life as well as processing power. So, in some cases, you don't have the ability to have really strong cryptography, when you're communicating, or in some cases you may need to have a custom or special purpose protocol that gets used for sending data back and forth, interoperable. and often that defaults to the lowest common denominator.
Vamosi: This is really the problem with IoT, the appeal to the lowest common denominator device manufacturers, particularly startups are reaching for what already exists, rather than designing something new, in part because they want their cool new toothbrush to incorporate with what's already out there today. That's both good and bad. You want quick and easy adoption. So using existing technology makes sense. But if your IoT device is using really old communications protocols but in a new way that creates some interesting new security challenges
Woods: In IoT and various flavors of IoT, you tend to see some unusual or uncommon protocols, even some really old protocols that are still being used as well as some newly invented ones that have, in some cases, fairly good security models and in other cases, fairly poor security models, which allow you to start breaking them more quickly. Intercepting replaying middlings Some of those attacks. So it gives you a lot of fertile ground to work on, as compared with the mostly heavily encrypted SSL, TLS web components that a lot of websites and apps use
Vamosi: A few years ago I was at another fuzz testing company and I created a report based on what they were seeing in the protocol space. One of the open source protocols that crashed most often was BusyBox what could happen with a vulnerability in BusyBox in 2016. The Mirai botnet contributed to a massive denial of service attack that brought parts of the Internet to a standstill, what was remarkable was that Mariah was constructed from 1000s of Internet of Things devices, namely surveillance cameras. A BusyBox flaw within the firmware of the chip used across the industry allowed an attacker to leverage the small but numerous resources of those internet connected cameras Mirai was used to take down one of the larger content delivery networks did. So, for an afternoon when August, Netflix, Twitter and other resources were down because the CDN was down, because 1000s of zombie cameras contributed to the denial of service attack. This attack is a hint of what might lie ahead with the billions of IoT devices we have today. To get an idea of the problem, you can use Shodan to query how many devices use older versions of BusyBox or any other popular protocols such as message queuing telemetry transport or MQ TT, For that matter, as I said fuzz testing shows that some of these older protocols. Yeah, I'm looking at you MQ TT. Yes, you didn't perform so well. Part of it is the MQ tt was developed in 1999 it was not used much in the past, now it's being called upon to do more than it was intended suddenly everyone's got to have MQ TT because it provides lightweight communications. So why aren't more people banging on it. Right, lowest common denominator,
Woods: And in some cases we have better protocols, you know, if you look at some of the more modern home IOT based protocols, those are starting to mature. But some of the older protocols which many devices will speak by default as, again, kind of a lowest common syntax. Those have much less security much many fewer capabilities and architectural stability built into them, but again it's, it's the lowest common denominator it's like web 1.0 Right, just basic HTML, every browser can support it, they support it almost identically. And so you can always fall back to that,
Vamosi: Something similar is happening with new protocols. They haven't been tested much either.
Calderon: That's one of the challenges that you actually face since you're dealing with new protocols and you said sometimes even the tool isn't there. The techniques are not really a lot of developers or a lot of security researchers haven't really had a chance to look into these new technologies and there's a lot to be explored in that area. So there's a huge opportunity to, to create new security research tools, or just techniques and and as you said some of the things are already really existed back then, and simple things like intercepting traffic, or we already knew that traffic, shouldn't you know travel prices in plain text, but some of these newer technologies are going back to that mistake right. And as far as when you How do you tackle that and that could be actually one of the issues that you face as an attacker. And, yeah, sometimes you're in there or unit you're stopped by some new technology, you might need to get or buy new equipment to communicate with that and that's just like the beginning, then you need to figure out how it works, and then then then you start doing your tread water then see okay so what type of attacks in this scenario could impact the system.
Vamosi: Another problem is that some of these IoT startup companies are brand new to security. hey, we only want to make cool toothbrushes, right, in some of these companies, they haven't even hired someone in security.
Calderon: A lot of the products are built by startups. So they're smaller teams, maybe not, you know, they didn't go through very complex engineering process to pick the technologies that they're using, and they go for, kind of like the easiest route or what libraries are available or what product is already kind of like working. So that could be one of the things that affects that we're seeing a lot of firmware that is being reused across different devices, or are the same libraries like all over these across different projects.
Vamosi: One of those new protocols is low power wide area network or LPWAN, which provides long range communications at a low bit rate. As I said, with some of these new protocols, there's simply not enough existing research or testing to show how they'll survive in the real world.
Calderon: Yeah, we talked about a little bit on the book. We have some friends in Mexico, who are developing new hardware to interact with this. So yeah, it's, it's an interesting challenge. And there's always opportunity for that.
Vamosi: One of the things we've danced around so far is that IoT means embedded systems. What does that really mean. If you've never worked with embedded systems before well, they are different. Let's compare an embedded system with your basic laptop, a laptop is a device that has a few common processors, like Intel, AMD, that work with a few common operating systems, Linux, Mac, Windows to exploit these boxes you don't necessarily need to think at a chip level, although Spectre and Meltdown are two attacks that were based on the way Intel chips, pre cache their instructions. My point here is that you can exploit a laptop or a desktop or a server today without specifically knowing all the circuitry inside it with IoT, you don't really have that luxury. First of all, each chipset has its own art costs usually. So we're talking about 20 Different chipsets, for example, and maybe 20 or more artists to deal with out. Okay, there are a lot of similarities, but there are also nuances between them that start to gum things up pretty quickly. So you're going to need a lot of tools. For example, there's a standard, the joint test Action Group, better known as JTAG that is used for verifying designs and testing microcontrollers or chips, after the manufacturer. So how do you go about reverse engineering those micro controllers. You can start by looking at its JTAG. How do you do that. Well, a few years ago researcher Joe Grant came up with a JTAGulator, which is available online from his grand ideas studio. Then there's also bus pirate, which is a specialized tool which talks to different ports, such as the universal asynchronous receiver transmitter or UART, which is a physical circuit and the microcontroller, that and the solder iron should be a good start.
Calderon: Yeah, you start, it's because they can addiction, they have boxes full of stuff at this point. But yeah, basically every protocol or every new attack there's some more stuff towards guy like go grab those you mentioned the calculator. Very useful things. Yeah, it varies a lot from technology to technology.
Vamosi: So given that you need a JTAGulator, Bus Pirate and other toys, what would be the bare minimum of the tools for anyone wanting to get started hacking IoT devices.
Calderon: Yeah it depends right if you if you're going to be playing around with LPWAN then get, you know, get this thing to communicate with that or feel II dongle, right. I will start with, obviously, soldier, Soldier iron. The, I really like the bus pirate because it communicates with most of the IoT protocols, or most of the popular IoT protocols, and has this ability with built in macros to perform automated attacks, and JTAGulator. You also need Pasila Scorpio. I don't know that word for that. Excuse
Vamosi: Oscilloscopes are cool because you can see the voltage or current inside the microcontrollers and use that to map things out. Okay, maybe all this chip stuff isn't really your thing. Well, there's also software defined radio, which takes the place of the custom design chips. So it's software that acts like a mixer or an amplifier or a demodulator. So you might have a device that seems to have all of those chips, But really, it's just software,
Woods: Software defined radio tools are also a really handy thing when you're trying to figure out new radio frequency protocols that may not listen on the familiar 802 dot 11 bands,
Vamosi: There's also room for Arduino and Raspberry Pi devices, these are Swiss Army knives for researchers, because they're generic, they have a lot of options and you can rapidly create tools on the fly or prototype solutions without resorting to creating custom microcontrollers.
Calderon: Arduino works, Raspberry Pi's. Some of those blue pills or the new the chips, there were to go actually have a new ESP 30 What 30 twos. Yeah, anything that could emulate these types of variables can be can be, and that's one of the things that we cover on the book so when you, when you get to these exercises we try to show the practical side, So we will recommend some cheap hardware that they can get for around 10, or five bucks, and they get to practice all of the attacks.
Vamosi: So given all these tools, where does one start,
Calderon: I guess, the, the way to start is just start opening things and see what debugging ports that they have started interacting with this. And as far as far as tooling, if you want to start like really not about it all was started in producing new projects around IoT, and some of these involve for example the O was the top 10 risks, which are phatic known for web. And they did it for IoT, and they're also coming up with documents or methodologies, for example, or framework. So yeah they're becoming more specific, and they're more practical and it will really help readers and people who want to start attacking IoT, get started.
Vamosi: So we have some hardware tools, there's still the issue of the various communications protocols and firmware itself. For that, the Open Web Application Security Project, or O OS has a GitHub page for something called the IoT goat. It's a free framework for researchers to start working with insecure firmware,
Calderon: One of the projects, was kind of like, pushed during the when we started working on this book was Aaron Guzman he is always contributor, he, and for this, and I started or started IoT gold, which is an open WRT framework with with known IoT vulnerabilities. And it's supposed to help developers understand and find these new trades, even or attackers to start learning how to identify them and attack. Recently, we got contacted by the board members, they want to be in it soon, so we had some spaces for students to apply and get paid through developer to work on this project and application sorry about this guy we haven't really seen no details yet, but I think it's a good time to do it so apply if you see as that
Vamosi: Bottom line, IoT presents an opportunity to create new tools, it's literally greenfield.
Calderon: People, they don't take it as an opportunity right now, there's a big gap in your boolean and our frameworks and the techniques that are documented. And, as an industry we should take this as an opportunity, and develop those new tools and share or new or findings,
Vamosi: Hacking IoT devices is somewhat of the wild wild west, with few rules. It’s literally a greenfield as far as research and tools go. It's like the early days of computer hacking where you throw a stone and you’re likely to hit a security problem. Sometimes the only way to fix that problem is to keep throwing stones.