luke

More Hardware, More Problems

Microwaves notwithstanding, there is an increasing amount of connected technology in our homes, cars, and workplaces. Unfortunately, each new device brings more potential vulnerabilities with it.

There are webcams that can be knocked offline via Bluetooth intrusions. There are cars that can be unlocked through Android app vulnerabilities. There’s the directory traversal vulnerability on a professional dishwashing machine. There’s also the newfound ability to disrupt a device’s accelerometer through music. And, there’s the wifi-enabled, video-streaming sex toy with so many vulnerabilities, Pen Test Partners called it “another IoT device produced without much care or attention.”

With the incessant ingenuity of malicious attackers as a guide, it’s clear that not-yet-imagined methods for breaching devices will continue to appear, and that’s obviously concerning for businesses planning to deploy these devices and connect them to their networks. Ultimately it’s the responsibility of developers and manufacturers to ensure these connected devices are secure.

Hardware Bounties are Happening

To that end, hardware companies are increasingly leveraging hacker-powered security through vulnerability disclosure programs and bug bounty programs. HackerOne customers, like Intel, have opened their hardware security programs to the hacker community. In Intel’s case specifically, bounties for critical hardware vulnerabilities are 4 times higher than those for software vulnerabilities ($30,000 vs. $7,500, respectively).

General Motors is another HackerOne customer leveraging hacker-powered security to help make their hardware—in this case, cars—more secure. GM’s chief product cybersecurity officer, Jeff Massimilla, was recently quoted in a WIRED article saying,

“The auto industry as a whole, like many other industries, is focused on applying the appropriate emphasis on cybersecurity.”

Microsoft Research is using HackerOne as part of their new Project Sopris (hacker applications close in 2 days!), in which researchers are exploring how to “bring high-value security to low-cost (IoT) devices.” Their hypothesis is that “optimal device security must be rooted in hardware but kept up-to-date through evolving software.” The team also recently published “The Seven Properties of Highly Secure Devices,” covering what they insist is required to secure connected devices.

Which brings us to the Internet of Things (IoT).

20 Billion? Yes, 20 Billion.

IoT is a catch-all for, essentially, every connected device that isn’t a traditional computer or mobile phone, from consumer light bulbs and washing machines to industrial sensors and location-tracking devices. It’s an exploding space, with Gartner recently predicting there will be 20 billion (yes, billion!) installed devices by 2020, up from the mere 6.4 billion installed in 2016. This wide array of technology across hundreds of niche markets doesn’t undergo the same scrutiny as devices with bigger markets and more awareness, essentially creating a security black hole.

As the IoT market continues to grow, so does the opportunity for criminals to find their way through these unsecured devices and into seemingly secure networks. The massive Mirai DDoS attack last year turned routers, security cameras, printers, and even DVRs into a massive botnet. Exploiting weak security practices rather than any exotic flaw, Mirai simply scanned the web for “IoT systems protected by factory default usernames and passwords.”

This gaping vulnerability hasn’t gone unnoticed, however, with Vint Cerf, a “Father of the Internet,” mentioning this during a recent panel discussion: “The biggest worry I have is that people building (IoT) devices will grab a piece of open source software or operating system and just jam it into the device and send it out into the wild without giving adequate thought and effort to securing the system.”

Apparently, Cerf, that’s the least of our worries... especially when connected vibrators have hard-coded accounts with a username of “admin” and a blank password!

Security is Much Harder After Deployment

What’s even more alarming is the lack of awareness, especially as manufacturers embed smarter technology and cellular connections in traditionally dumb devices. Security updates for a thousand company laptops are fairly common (and relatively easy to implement these days), but it’s much more difficult to update smart meters, remote sensors, and other devices that stay connected yet may go months or longer without a user interaction. It’s even more difficult and more expensive when updates require facility shutdowns or production disruptions.

Creators, developers, and manufacturers are on the hook for mitigating the risks associated with IoT devices. Just as with software, bug bounty programs are proving to be faster, more cost-efficient, and better at finding elusive vulnerabilities than traditional scanners and penetration tests.

Elite Hardware Hackers are Ready to Help

Lucky for you, HackerOne can help! Many of our customers—Nintendo, Intel, Qualcomm, Nest, GM, Toytalk, and others—have already included IoT and other hardware devices in their bounty attack surfaces.

Hackers are interested in hardware bounties, too. @meals, one of HackerOne’s top hackers (currently ranked #2!), was recently interviewed about his IoT hacking prowess. “I always love when I get invited to a (bug bounty) program that has some hardware,” @meals said as he explained how he made $5,000 in one night by hacking a $200 device he bought at Best Buy.

Talk to us to learn more about how HackerOne—and elite hackers like @meals—can help improve your hardware security today.

HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.
