Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to Upwardly Mobile API and App Security. I'm Sky MacIntyre.
Speaker 2 (00:03):
And I'm George McGregor.
Speaker 1 (00:05):
Today we're diving headfirst into the well, the really high
stakes world of mobile app development and API security, specifically
how it plays out in smart homes.
Speaker 2 (00:15):
Right, a pretty volatile digital landscape these.
Speaker 1 (00:17):
Days, exactly, So our mission today, especially if you're building
for iOS, Android, HarmonyOS, Flutter, React Native, you know, the
whole spectrum is to unpack these evolving threats, especially the
AI enabled ones and look at real solutions.
Speaker 2 (00:35):
Yeah, we want to explore why those built in protections
ones platforms offer often just aren't.
Speaker 1 (00:40):
Enough, leaving sensitive data pretty vulnerable, and we'll explore how
more advanced techniques can actually fortify your app ecosystem. This discussion,
by the way, is proudly sponsored by Approved Mobile Security.
Speaker 2 (00:51):
It's critical stuff for developers, security pros, tech enthusiasts. Understanding
these nuances is well, it's non negotiable. Now we're talking actionable.
Speaker 1 (00:59):
Insights, detecting your apps, dealing with breaches, emerging threats, the works,
from best practices right through to compliance. Okay, so let's
get into it. Smart homes, they're everywhere devices connect, apps
control them. But what does that actually mean for security?
What are the core pieces of this smart home puzzle?
Speaker 2 (01:18):
It's surprisingly complex when you break it down. You've got
the device and appliance vendors, think LG, Samsung, Nest, Ring,
ones making the actual stuff. Then protocol and API brokers,
Matter, SmartThings. They provide that kind of interoperability glue,
letting different brands talk to each other, the translators sort of. Yeah.
(01:42):
Then the big home automation platforms, Google Home, Alexa, Apple
HomeKit, trying to unify control. Mobile app providers often
create these vendor agnostic dashboards, try to pull it all
together in one place. Makes sense. And behind it all,
cloud infrastructure, AWS IoT Core, Azure IoT Hub, that
kind of thing. Every interaction pretty much relies on it.
Speaker 1 (02:01):
And don't forget security vendors.
Speaker 2 (02:02):
Oh absolutely, companies like Okta, Cloudflare, they're working specifically
to secure these ecosystems. It's a whole layered thing.
Speaker 1 (02:09):
And it feels like those mobile apps are the real
linchpin, aren't they? They're the main control interface, like
remote controls for APIs, managing real world things, unlocking doors,
changing the heating.
Speaker 2 (02:19):
Exactly, and that's where this toxic combination idea comes in.
Speaker 1 (02:22):
Sounds bad. Why is it so toxic?
Speaker 2 (02:24):
Well, think about it. Mobile apps run in an inherently
untrusted place. Yeah, your phone. It's not a secure server room.
So apps can be cloned, tampered with, modified. Yeah, and
once an attacker figures out how the app talks to
the API, the traffic pattern, they can reverse engineer it,
and then they can build bots or fake clients
to just hammer that API directly. Allows for automated abuse
(02:47):
at scale, weaponizing that app to API connection to
mess with real world devices.
Speaker 1 (02:53):
Turning your smart lock against you. Precisely. And there are
some pretty alarming stats about general IoT vulnerability out there
that really set the scene, right? It's not just theoretical. Oh.
Speaker 2 (03:03):
Definitely, Like fifty seven percent of all IoT devices have
medium or high severity vulnerabilities.
Speaker 1 (03:09):
Wow, more than half.
Speaker 2 (03:10):
Yeah, And get this, ninety eight percent of all IoT
device traffic is unencrypted.
Speaker 1 (03:15):
Ninety percent. Seriously? Seriously. Think about that. Almost all the
data, routines, when you're home, maybe even voice commands, potentially
readable by anyone who intercepts it. It's like leaving your
curtains wide open.
Speaker 2 (03:26):
Yeah, digitally that is Yeah, that paints a grim picture,
and it gets worse. I heard something like seventy percent
has serious flaws right out of the box. How does
that even happen?
Speaker 1 (03:37):
It really highlights how immediate the threat is. The moment
they connect, bots are probing them. Automated attacks hit them
within minutes, often, yes. And adding fuel to the fire,
ninety one percent of IoT data breaches come down to
weak or default passwords like admin and admin. Exactly, like admin admin.
I've seen it work in tests. That's what's disturbingly common.
(03:59):
And then there's the support issue for devices just aren't
getting security updates from vendors.
Speaker 2 (04:04):
Anymore, leaving them permanently exposed.
Speaker 1 (04:06):
A ticking time bomb essentially. Yeah.
Speaker 2 (04:08):
So okay, those are the general risks. What about the
specific threats facing smart home apps and APIs? Where are
attackers focusing? They go for the obvious, high impact stuff.
Data breaches are huge, grabbing personal info, usage patterns, location.
Speaker 1 (04:22):
Video feeds, sensitive stuff.
Speaker 2 (04:24):
Very. Then there's device hijacking, taking complete control, turning things
on, off, changing settings, locking you out, or watching you
through cameras. Creepy, huh. Man in the middle attacks, MITM,
to intercept and manipulate communication. Ransomware locking your data
or device until.
Speaker 1 (04:40):
You pay, even ransomware on smart.
Speaker 2 (04:42):
Devices, it happens. And creating botnets, enslaving your devices to
launch DDoS attacks on others. Plus big privacy concerns, excessive
data collection. You know, sometimes it's not even a breach,
it's the intended use. What do you mean? Well, take
Moen, that's pronounced Moan. Their Flo water devices. Their privacy
statement explicitly mentions monetizing data as part of the business model,
(05:06):
revealing things like occupancy routines.
Speaker 1 (05:08):
So they're selling insights about when.
Speaker 2 (05:10):
I'm home potentially, Yes, it's right there in the terms.
It's not just about leaks, it's about what they choose
to collect and use.
Speaker 1 (05:16):
Okay, so hackers aren't just finding theoretical holes, they're actively
exploiting real weaknesses in mobile apps and APIs. What are
those key weak spots developers really need to watch out for?
Speaker 2 (05:28):
A really big one is the lack of app attestation. Basically,
the API back end doesn't verify if the request is
coming from a genuine, untampered app, so.
Speaker 1 (05:38):
It just trusts any request that looks right.
Speaker 2 (05:41):
Pretty much. It accepts requests from anything that can mimic
the real app, reverse engineered clients, bots, scrapers, because there's
no proof the app itself is legitimate. Got it. This
ties into repackaged or tampered apps. Bad actors inject malware,
tracking code, or just change how the app works. Then
there's the failure to detect rooted or jailbroken devices. The
(06:01):
app runs with elevated privileges in a compromised environment, making
it easier to attack.
Speaker 1 (06:06):
And attackers have tools for this.
Speaker 2 (06:07):
Oh yeah, they bypass obfuscation using tools like Frida or JADX.
Think of them like superpowered debuggers that let them poke
around inside the app, see how it works, change things.
Speaker 1 (06:17):
So obfuscation isn't foolproof.
Speaker 2 (06:19):
Not against determined attackers, no. And then there's the classics,
API keys hard coded right in the app's code, in
the APK or IPA.
Speaker 1 (06:27):
File, like leaving keys under the doormat.
Speaker 2 (06:29):
Exactly. Once they get the app file, the keys are
trivial to extract. We also see embedded OAuth tokens
being misused, allowing token replay or unauthorized access. And finally,
static TLS certificate pins. They seem secure, but they
can go out of date, or worse, attackers can sometimes
remove the pinning from a tampered app to enable those
(06:51):
man in the middle attacks.
Speaker 1 (06:52):
Okay, this is connecting some dots. How do these risks,
which sound bad for my smart lock, translate to something huge?
Infrastructure seems like a big leap.
Speaker 2 (07:02):
It seems like one, but the underlying principles are often
the same, and the scale can escalate quickly. Smart home
attacks specifically jumped six hundred percent in one year recently.
It's huge growth. Yeah, and remember the Mirai botnet
infected over twenty five million IoT devices, mostly by guessing
default passwords, turned webcams and routers into attack tools.
Speaker 1 (07:23):
Right, I remember Mirai.
Speaker 2 (07:25):
But it absolutely affects bigger systems. Look at municipal water
infrastructure attacks. San Francisco Bay, twenty twenty one, trying to
erase purification programs. Oldsmar, Florida, also twenty twenty one, attempting
to dangerously increase sodium hydroxide levels. Israel, twenty twenty and
twenty twenty three, manipulating chlorine levels. Ransomware hitting water treatment
in Norway in twenty twenty one. Targeting PLCs, those
(07:47):
industrial controllers, in US infrastructure in twenty twenty three.
Speaker 1 (07:51):
So the same basic weaknesses exactly.
Speaker 2 (07:53):
Weak authentication, unpatched systems, lack of network segmentation. These are
exploited everywhere, from your smart fridge to a power grid or
water plant. The fundamentals are universal.
Speaker 1 (08:03):
It's clear that traditional security, static keys, basic obfuscation, it's
just not cutting it against modern attackers with dynamic tools,
emulators, AI helping them. It feels like bringing a knife
to a gunfight. What's the real shift needed here?
Speaker 2 (08:16):
Yeah, you've hit it. We need a fundamental change. This
is where a zero trust security model becomes, well, not
just nice to have, but essential, especially for these platforms.
Zero trust, okay. The core idea is simple but powerful.
Trust nothing by default. Every single API request has to
prove it's coming from a legitimate, untampered mobile app, not
just an authenticated user, but the app itself.
Speaker 1 (08:38):
So shifting from trust then verify to.
Speaker 2 (08:41):
Never trust, always verify. Yeah, continuously.
Speaker 1 (08:44):
That sounds like a big shift for developers. How does
it work in practice? Moving from static credentials to this
dynamic cryptographic proof with every single interaction.
Speaker 2 (08:54):
There are key elements. First, per request attestation. Every API
call carries a short-lived signed token, like a JWT
maybe, that acts as a temporary tamper proof ID badge
for the app, proving its integrity.
Speaker 1 (09:06):
Right then and there. Okay, dynamic badge.
Speaker 2 (09:08):
Second, API side validation. The back end must cryptographically check
that token's validity before doing anything. Unlocking a door, changing
a setting, anything.
Speaker 1 (09:17):
Verification is key.
Speaker 2 (09:18):
Third, constant checks on the device and environment. Is the
app running in an emulator, a debugger, on a rooted
or jailbroken OS? These are red.
Speaker 1 (09:25):
Flags. Looking for suspicious environments, exactly. And finally, secrets, API keys, certificates.
Speaker 2 (09:32):
Aren't bundled in the app anymore. They're delivered securely at
runtime only if the app proves its integrity first.
Speaker 1 (09:38):
So no more keys under the doormat. Precisely. That
sounds much more robust. What are the main wins for
developers implementing this zero trust approach for their mobile apps?
Speaker 2 (09:47):
The big benefits: you block fake or modified apps before
they even hit your API. That stops scrapers, bots and
abuse attempts right at the entry point.
Speaker 1 (09:57):
Proactive defense right.
Speaker 2 (09:58):
It prevents those automated tools from impersonating real mobile clients
and critically, it stops attackers from easily extracting and reusing
your API keys or other secrets.
Speaker 1 (10:08):
Makes sense.
Speaker 2 (10:08):
Solutions like Approved Mobile Security, our sponsor, are built for this.
They continuously validate the app and device sending the request
through deep inspection, protecting APIs from unauthorized devices, bots, fake apps,
giving you real time dynamic control.
Speaker 1 (10:23):
And you mentioned other benefits.
Speaker 2 (10:24):
Yeah, reducing cloud costs is a nice side effect. You're
not wasting resources processing junk traffic from bots. And the
ability to push security updates, new policies, certs, keys over
the air without forcing an app update. That's huge for agility.
Speaker 1 (10:39):
That over the air update capability sounds incredibly useful. Okay,
this is great for the API side. Let's shift focus now,
what practical steps can developers and manufacturers take and what
about us as users and homeowners.
Speaker 2 (10:52):
For developers and manufacturers, it starts with secure coding from
day one. Security can't be an afterthought you bolt on later.
Build it in, exactly. Regular pen testing, robust patching processes
are crucial. Build malware resistance into the device: secure boot,
encrypted storage, validated updates, especially for critical stuff. Definitely, like
medical IoT, security updates need to be prioritized in service contracts.
(11:15):
Remember that's that eighty three percent run on outdated OS.
That's scary. Yeah, and please enforce strong password creation during setup.
No more one, two, three, four, five, six defaults.
Speaker 1 (11:25):
Okay makes sense for the creators. What about for us
at home? What should we be doing?
Speaker 2 (11:29):
Users have a big role too. First, passwords. Change all
default passwords immediately, use strong unique ones, twelve plus characters,
mix it up.
Speaker 1 (11:37):
Use a password manager maybe. Good idea.
Speaker 2 (11:40):
Second, updates. Regularly check for and apply firmware and software updates.
That fifty eight percent of users who never update, that's
a massive risk.
Speaker 1 (11:49):
Keep things patched.
Speaker 2 (11:50):
Third, network segmentation. Put your smart home stuff on a
separate Wi-Fi network if you can, a guest network
or a dedicated IoT VLAN.
Speaker 1 (11:58):
What's a VLAN again? Virtual local area network.
Speaker 2 (12:01):
It basically creates a separate, isolated zone on your network,
so if a smart light gets hacked, it can't easily jump
to your laptop with sensitive data. Most orgs don't even
do this properly. Surprising. Okay. Disable unused features, ports on devices,
less surface area for attack. Monitor app performance, buggy apps,
slow loading, connection drops. These can indicate problems or just
(12:21):
make the system unreliable. And finally, check out the manufacturer support,
especially for critical things like water shutoffs or security systems.
How responsive are they? Speaking of water shutoffs, it's
interesting to compare devices like Phyn, pronounced fin, Moen Flo,
and FloLogic. FloLogic's design is different.
(12:42):
It's hardwired, has a week long battery backup. It's designed
for resilience without the Internet for its core job.
Speaker 1 (12:48):
So it works even if the Wi-Fi is down.
Speaker 2 (12:50):
Its main shutoff function does, yes. Moen Flo and
Phyn are generally more reliant on constant power, Wi-Fi
and their apps. Moen Flo even had a battery recall,
and some users reported issues with corroded parts. Phyn needs
AC power and Wi-Fi too. It shows different priorities.
Speaker 1 (13:06):
It's fascinating. For something critical like preventing water damage, that
basic reliability, that ability to work offline, might actually be
more important than the smart features.
Speaker 2 (13:15):
Sometimes exactly, it's a trade off. Homeowners need to consider
function versus flash.
Speaker 1 (13:19):
So wrapping this up, it's crystal clear there's a crucial
balance to strike. Homeowners, developers, everyone needs to weigh the
features and convenience against these very real cybersecurity risks. Proactive,
layered security isn't optional anymore.
Speaker 2 (13:33):
Absolutely. Our homes get smarter, but so does our responsibility
to secure them. It demands constant vigilance, which leads to
a thought for you, our listener: what hidden vulnerabilities might
be lurking in your own connected environment right now? Things
you haven't considered. And looking ahead, how will AI continue
to shape both the threats attacking these systems and the
(13:54):
solutions defending them? It's an ongoing evolution. A lot.
Speaker 1 (13:58):
To think about there. Thank you for joining us for
this discussion. This particular discussion was made with human sources
and assisted with AI.