Shrinking the IoT Attack Surface
Key Points
- The Internet of Things turns everyday objects—lights, thermostats, cars, cameras—into computers, dramatically expanding the overall attack surface.
- As codebases grow (e.g., Linux with ~28 M lines, Windows with ~50 M, modern cars >100 M), complexity and the number of software bugs rise, creating more vulnerabilities.
- A larger “bullseye” attack surface makes it easier for attackers to succeed, so reducing that surface to a tiny target is essential for security.
- Hacked IoT devices can jeopardize privacy, safety (e.g., medical implants), cause denial‑of‑service failures, and even be weaponized to attack other systems.
- Mitigating these risks involves practical steps to shrink attack surfaces at home and in the workplace, such as securing devices, limiting exposure, and applying regular updates.
Full Transcript
# Shrinking the IoT Attack Surface **Source:** [https://www.youtube.com/watch?v=7zWVxrjjIpE](https://www.youtube.com/watch?v=7zWVxrjjIpE) **Duration:** 00:13:52 ## Summary - The Internet of Things turns everyday objects—lights, thermostats, cars, cameras—into computers, dramatically expanding the overall attack surface. - As codebases grow (e.g., Linux with ~28 M lines, Windows with ~50 M, modern cars >100 M), complexity and the number of software bugs rise, creating more vulnerabilities. - A larger “bullseye” attack surface makes it easier for attackers to succeed, so reducing that surface to a tiny target is essential for security. - Hacked IoT devices can jeopardize privacy, safety (e.g., medical implants), cause denial‑of‑service failures, and even be weaponized to attack other systems. - Mitigating these risks involves practical steps to shrink attack surfaces at home and in the workplace, such as securing devices, limiting exposure, and applying regular updates. ## Sections - [00:00:00](https://www.youtube.com/watch?v=7zWVxrjjIpE&t=0s) **IoT Expands Attack Surface** - The speaker explains that turning everyday items into IoT computers adds millions of lines of code, increasing complexity, bugs, and vulnerabilities, thereby dramatically enlarging the overall attack surface. ## Full Transcript
here's the problem statement with iot
the Internet of Things everything
becomes a computer
basically a light bulb is a computer
that lights up your home a thermostat is
a computer that controls the temperature
a car is a computer that takes you
places a security camera is a computer
that records activities everything
becomes a computer great where's the
problem well we know from security that
every computer can in fact be hacked so
if everything becomes a computer with
iot and every computer can be hacked
what does that mean
it means this
everything can be hacked that's the
world we're moving to so let's take a
look at an example of what I mean by
this take the Linux operating system
last time I checked it's got about 27 28
million lines of code that make up the
operating system Windows
even more about 50 million how about the
fact that we have cars today with
software in them that have over a
hundred million lines of code in them
now what does all of that mean think of
this as your attack surface and what
happens with those things well in fact
as the number of lines of code goes up
then so does complexity
and so do the number of bugs that are in
the software just because there's more
software and if at the same rate you're
going to end up with more bugs
ultimately that means we have more
vulnerabilities as all of these things
increase
complexity is the enemy of security so
that means the more complex the system
gets the more insecure it gets as well
so what can we do about this attack
surface think of the attack surface a
little bit differently if we've got a
bullseye over here if you've got a huge
Bullseye then it's going to be easier
for the bad guy to hit it when he's
trying to attack you however if we can
shrink that Bullseye down to a minuscule
dot then it's going to be much harder
for the bad guy to do what he wants to
do and you can see it's going to be hard
to shrink some of these attack surfaces
but we are going to look at some things
that you can do for instance what are
the risks why do you even care about
this well there's the issue of privacy
if someone breaks into these devices
maybe they are recording you and seeing
you or tracking your activities there's
the issue of safety some of these may
even be implantable medical devices
imagine a defibrillator or an
implantable insulin pump one day those
things could then be hacked and all
kinds of havoc could occur from that
or a denial of service attack a denial
of service could be where someone has
attacked your device and now your device
won't respond to you that's one example
here another example is where your
device because it's a computer remember
is being used to attack other people's
devices and now you are unwittingly part
of the denial of service on other people
well what can you do to shrink this
attack surface and lessen these kinds of
risks happening to you we're going to
take a look at five things you can do in
your home and five things you can do in
your office and organization to reduce
the risk of iot security okay now what
can we do in order to avoid those risks
well I'm going to give you five things
first of all for your home iot devices
we're going to take a look first at
credentials
creds basically you've got credentials
that are a user ID password
those are the typical ones and you've
got those for your iot devices as well
as for your home network and the iot
devices exist on that Network so you'll
want to secure both of those
the iot device for instance in this case
it's a camera but there's probably an
administrator interface that goes into
this so that this person can log in that
person probably being you if you're the
local iot support guy in your home so
that you can log in and change
configurations and things like that
change that stuff don't go with the
default don't go with the default user
ID if you can change it definitely don't
go with you the default password
definitely change that and the same
thing is true when it comes to your home
router and the network there so there
will be also an administrator interface
here change the default user ID and
password to the extent that you're able
to and also the Wi-Fi network itself
most of these things of iot are working
over a Wi-Fi network we want to change
from the default SSID that the network
broadcasts we want to make sure we have
a strong password on the network work
itself maybe even make it not
discoverable although sometimes that
runs into problems with the individual
devices but make sure that the network
as well is secure now I said change
these passwords I'm going to say
remember this rule about passwords
length
is strength small passwords are almost
always worse than longer passwords so
try to make your password as long as the
system will make it and since you can't
remember it because you don't want to
set them all to the same thing store
them in a password Vault so that way you
can put all of these passwords into the
Vault and then you unlock the Vault with
one password that you know and better
yet use multi-factor authentication that
is something you are and something you
have as well so maybe a biometric in
order to open the safe and then this
part will be much more secure
okay what's next the network itself I
talked about some of the things you can
do to secure the network but how about
the configuration the overall
architecture of your home network so
this is what it normally looks like
you've got a bunch of users here and
they're inside your home they're you
know using their laptops and stuff like
that their devices in order to
ultimately probably access the internet
get out to the rest of the world and so
here's our home router again but what
I'm going to suggest to you is to carve
out a special Network segment for iot
this a lot of these routers support
what's known as a guest Network or a DMZ
area however the terminology is on that
particular system what you want to do is
carve out this separate Network and put
all of your iot devices in that Network
the idea being that if there's a
vulnerability that happens down here it
won't have direct access to all of these
things and it will still be protected
because it's behind the firewalling
capabilities the network address
translation and things like that that
your router implements so create the iot
special Network and maybe you let your
guests in on that as well but that that
will give you a little better separation
okay what else patching
all of these devices have tons of
software in them and what we want to do
is make sure that the software or the
firmware whichever the the terminology
is on it that that stuff is absolutely
up to date as up-to-date as it can
possibly be and the best way to do that
is to set it up to automatically update
rather than do this manually if you're
doing it manually the chances are you're
not going to remember to do it
frequently enough and you're going to
fall behind and why does that matter
because the security vulnerabilities
will exist in your software for a longer
period of time whenever new versions of
software and firmware come out almost
always there are security patches in
there and you want to get those as
quickly as you can again reducing your
attack surface
what else well another idea in security
is the principle of least privilege the
principle of least privilege says I want
to turn off everything that I possibly
can and Harden My systems that's one
aspect of principle of least privilege I
want to effectively disable any
unnecessary functions again this is
hardening I also want to make sure that
only the right resources have access and
are turned on
so to give an example of this let's say
we've got our refrigerator here and it's
an iot refrigerator so it does all the
great bells and whistles here is a user
and the question is does that user
really need remote access into the
fridge
I don't know if you think they do then
go ahead and Grant that but understand
that you've also created some risk
you've created more attack surface if
you're not getting enough value out of
the features that you're getting from
doing that I would say turn that off
another example is is this fridge
connected say to the cloud so that you
can create your shopping lists and
access them elsewhere there might be
some features that you really want to
use just understand with every single
one of these connections you need to
make a conscious decision about risk and
if that risk is in fact worth it in many
cases what we may also be doing by
connecting these things is creating a
greater risk for us in terms of privacy
as well so some of these are back doors
that an attacker could come into and
take control of the device and once they
do they could violate our privacy they
can make the device stop working they
could do all sorts of other things they
could use your refrigerator in order to
attack other people believe it or not
even without your knowledge and so
finally the maybe the best thing that
you can do if you don't need it turn it
off I mean literally not just disable
the feature but if your security camera
is in uh in your home then when you're
in the home you probably don't need it
to be on probably this is a better
setting literally turn the camera off
maybe even unplug it if you're extra
security conscious paranoid so that way
it cannot be spying on you it can't be
being used by a bad guy to do bad stuff
so what I'm saying is be very conscious
and intentional about the features that
you have and the way you've laid things
out so that the stuff that is on is
actually serving your needs and it's not
just on because it was on by default and
that's the way the manufacturer shipped
the device okay now we've talked about
what you need to do to secure the iot
devices in your home
how about in the office some people will
bring home devices into the office also
we have people working from home in a
home office so it's effectively like all
of those iot devices are part of the
corporate Network as well what can we do
in those cases to secure the office well
it begins with policy
I need to have some sort of description
that says this is what's allowed this is
not what's allowed these are the kinds
of things that we are going to implement
and enforce from a security standpoint
and by the way just saying don't ever
bring these devices in that's a fine
statement to make it doesn't mean it's
actually going to happen because a lot
of times people will do what they're
going to do anyway so the policy needs
to be useful in this case not just
something that you write on paper the
next thing would be to train our users
help them understand what they're doing
that help security and the things that
they do that hurt security help them
understand what are the risks in an iot
device because to them it just looks
like something hey it looks harmless I
plug it in and it works but they don't
realize that it may be exfiltrating data
out of their Network that it might be
implanting a virus in their device that
it could be used for spying it could be
used for all kinds of things so make
sure people understand they're going to
be more likely to follow a policy that
they understand than a policy that just
sounds like a bunch of edicts that are
passed down from on an eye
next thing enable
enable the security
I talked about all of these kinds of
controls that we can put in place in
order to make a system more secure an
iot system less risky for us that's what
we want to do we want to enable all
those things even in the office
environment and again start from the
home and then expand out from there
and then we want to discover
again you could say I'm not going to
allow this but that doesn't mean it
doesn't exist I need an ability to
discover all of these things and find
out when someone has brought an iot
device into our Network when something
in a home network has connected in that
we didn't expect it to do the good news
is there are tools and there are
services that will do this kind of
automatic Discovery for you that way you
can be alerted when you have now created
a case that your attack surface has just
increased and then finally we need to
enforce
enforce
the policy that we just came up with
put into practice the training that
we've given you also put into practice
the security controls have those
implemented have them happen
automatically as much as possible
automatically discover new devices and
then ultimately have a way to enforce
all of that and do it seamlessly this is
what we're about what we're trying to do
is decrease the attack surface from a
big attack surface to a much smaller one
and iot is pulling us in the opposite
direction if we don't get control of it
and if we don't get control our devices
aren't serving us they're serving
someone else so you want to make sure
your devices serve you keep your stuff
safe and secure
thanks for watching if you found this
video interesting and would like to
learn more about cyber security please
remember to hit like And subscribe to
this channel