DevOps, Cloud, and Internet of Things (IoT) Hacking Stories
October 26th, 2018
DevOps has transformed how we create and maintain information systems. Increasingly, we don’t build servers or even datacenters. Many startups skip datacenters entirely, using software-as-a-service (SaaS) for what they can, and abstracting all of their other information technology needs into cloud services, whether via infrastructure or platform-as-a-service. For those organizations, a single compromised API key represents complete control of the organization’s cloud presence – from firewalls, to load balancers, to servers.
One penetration tester found an organization’s highest privilege API key checked into a public source code repository. His test achieved complete information technology compromise before he’d sent a single packet to his client.
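As an added illustration of the defensive counterpart to that story (this is not code from the post or from BeyondTrust): a small pre-commit style scanner that flags credential-shaped strings before they reach a repository. The key formats, the entropy threshold and the sample file contents are assumptions I constructed for the example, not details drawn from the post.

```python
import math
import re

# Credential shapes that commonly end up in commits (assumed formats, not from the post):
# an AWS-style access key ID, and any assignment of a long value to a key/secret-like name.
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"(?P<value>\b(?:AKIA|ASIA)[0-9A-Z]{16}\b)"),
    "generic_assigned_secret": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?"
        r"(?P<value>[A-Za-z0-9/+_\-]{20,})"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random secrets score high, placeholder words low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, min_entropy: float = 3.5):
    """Return (line_no, pattern_name, candidate) for every line that looks like a leaked key."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in KEY_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            candidate = m.group("value")
            # Entropy filter drops obvious placeholders such as "changeme_changeme_changeme".
            if name == "generic_assigned_secret" and shannon_entropy(candidate) < min_entropy:
                continue
            findings.append((line_no, name, candidate))
    return findings


# Constructed sample config (AKIAIOSFODNN7EXAMPLE is the AWS documentation placeholder, not a live key).
SAMPLE = """\
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db_password = 'changeme_changeme_changeme'
api_key = "8fK2pQz9LmN4vX7rT1wY6bH3jD5sA0cE"
"""

if __name__ == "__main__":
    for line_no, name, value in scan_text(SAMPLE):
        print(f"line {line_no}: {name}: {value[:4]}... (blocked before commit)")
```

Wired into a pre-commit hook (or a CI job over the diff), a non-empty result from `scan_text` is the signal to reject the commit; the same logic run over an existing repository's history finds keys that were already exposed and must be rotated.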
This cultural change isn’t simply about how we build technology. It is also about how we increasingly introduce technology into our everyday lives via the IoT movement. In our personal lives, our phones, smart speakers, and computers control our homes, our cars, and our pacemakers. Central to all of this is radio, whether it be a standard protocol like WiFi, Bluetooth, Zigbee, or Z-Wave, or a custom radio protocol created for a single product line (as in the pacemaker vulnerabilities disclosed by MedSec).
The radio-connected Internet of Things doesn’t apply solely to consumer devices. Consider this: computers connecting by radio increasingly control our manufacturing, farming, transportation, environment controls, and building security. What happens when a security flaw allows an attacker to cause damage to crops by faking the data from the sensors monitoring those crops?
For deeper insights into these issues, check out my on-demand webinar, Tackling the Privilege Challenge of Next Generation Technologies, where I share stories of hacking both DevOps-enabled cloud environments and the Internet of Things. You will hear a penetration tester’s experiences hacking cloud-enabled companies and radio-connected IoT devices, and also gain some practical security guidance from BeyondTrust on how to better enable and secure next-gen initiatives, like DevOps, IoT, and more.