I love hacking things, especially new things like what’s showing up on networks around the globe in the form of IoT. If IoT security is anywhere on your radar, you’re likely incorporating these devices into your security testing program. Well, there’s a new IoT security assessment tool in town that you need to know about called Centrifuge brought to you by Tactical Network Solutions – makers of the former (and awesome) Reaver Pro tool.
Centrifuge is a cloud-based platform that can reverse engineer binary firmware files and analyze them for security flaws. It supports various IoT systems, including firmware from common routers and network devices from Belkin, D-Link, and Linksys, and finds some interesting stuff. For example, here’s the platform showing the file structure from an older Netgear R7000 wireless router’s firmware:
And here’s the output of Centrifuge’s crypto analysis…note the public and private keys uncovered:
The most telling is the number of vulnerabilities uncovered (an amazingly scary number of command injections and buffer overflows in just one product’s firmware) as shown here:
IoT poses formidable security threats to both end consumers and businesses alike and those of us in IT and security need to be paying attention. We simply cannot rely on IoT vendors to keep things in check. Instead, we have to find and resolve security flaws ourselves and establish compensating controls where possible. Clearly, there’s a lot going on in terms of IoT security…at least we have tools like Centrifuge coming to market to help us further the cause.
“A business associate referred our company to Principle Logic when we were seeking a resource to perform vulnerability /penetration testing for our external and internal networks. We found Kevin Beaver to be professional, well informed, and easy to work with. His testing did not disrupt our networks, and his progress updates were timely.
His final report was very thorough and included security recommendations for our network environment. The executive leadership was so impressed with Kevin’s security expertise, they have extended their agreement to continue to perform periodic testing. We highly recommend Kevin Beaver and Principle Logic as a resource for network security testing.”