Learn how seasoned security professionals use Bugcrowd to help IoT device manufacturers remove exploitable weaknesses from firmware.
There's a growing list of reports, studies, and surveys proclaiming that IoT devices are insecure. As can be expected, this set off debates between IoT device manufacturers and security organizations. Debating this important subject is good; however, it does not help the matter at hand. It is like arguing, in the middle of the lake, about who left the boat plug back on shore.
There is a group of individuals trying to find a solution, and to do so without raising the ire of either security pundits or IoT device builders. Mark Stanislav, group spokesperson, described the project during an email exchange. He said, "BuildItSecure.ly is a community initiative providing resources, feedback, research, and guidance from industry-leading security professionals on how to make the Internet of Things safer for consumers and businesses."
To that end, the group came up with the following goals:
● Focus effort towards crowd-funded, small commercial and bootstrapped vendors
● Build partnerships and goodwill between IoT vendors and the security community
● Coordinate efforts to incentivize security researchers for reporting vulnerabilities
● Curate informational resources to help educate vendors on security best practices
● Present research at relevant events and be a point of contact for press inquiries
To achieve the above goals, BuildItSecure.ly offers several services. Curating information and resources happens at the BuildItSecure.ly website. There you will find links to presentations and documents regarding applicable technology and standards. BuildItSecure.ly members are already giving seminars at conventions, explaining the services provided by the project — in particular, connecting IoT device manufacturers to security researchers who are familiar with the vendor's technology and willing to check their products for vulnerabilities.
As for the qualifications of the security researchers, they are impressive and always explained to the vendor. New researchers are vetted by the entire group. "We take input from all of our existing researchers, vendors, and partners," Stanislav said. "In fact, we have a 'request for comment' period anytime we want to bring a new researcher on board to ensure we have cohesion and buy-in from existing researchers."
Partnering with Bugcrowd
To facilitate the researcher-vendor interchange, BuildItSecure.ly partners with Bugcrowd — a vulnerability-management platform that provides a secure and neutral digital meeting place. Stanislav said, "Bugcrowd is providing their services for BuildItSecure.ly researchers to report, triage, and resolve product vulnerabilities with vendors." Stanislav added, "Bugcrowd is the moving part that keeps communications flowing and issues being handled in a controlled practical manner."
An example might be in order: company XYZ is concerned that its IoT device is exploitable, but does not have the time, finances, or expertise to find out for sure. Company XYZ contacts BuildItSecure.ly about its concern. BuildItSecure.ly determines which researcher best fits the project. BuildItSecure.ly then creates the Bugcrowd connection the vendor and researcher will use to plan what happens next. BuildItSecure.ly will also handle any needed hardware logistics.
Vendors and researchers will benefit
Stanislav and the other members of BuildItSecure.ly feel this approach will benefit both vendors and researchers. First, the vendors:
● Be connected with experienced security researchers
● Gain insight about the IoT device's security
● Coordinate the disclosure of reported vulnerabilities
● Show customers their security is important
● Participate for free and reward researchers who help
Next, how researchers benefit:
● Get access to pre-production hardware
● Work on important security research projects
● Direct path to vendors concerned with security
● Avoid legal implications of researching IoT devices
● Potentially receive bug rewards
But will they come?
One thinks of the movie "Field of Dreams," in which Kevin Costner's character builds a baseball field while wondering whether his father will come. Apparently, they are coming to BuildItSecure.ly. Stanislav said, "It's been inspiring to see just how supportive both technology vendors and the security community have been of this initiative."
One of the goals of BuildItSecure.ly was to focus on smaller companies. However, Stanislav brought up an interesting point: large companies are also making inquiries, which makes sense given what reports are saying about IoT devices.
In any case, Stanislav is upbeat about their initiative working. He said, "We've found much pleasure in helping those who want to help themselves. We have a very positive community growing within this initiative and I honestly believe we are making real progress."