Not only the number of IoT devices, but also the number of cyber attacks on the Internet of Things is steadily increasing. Rainer M. Richter, CEO and co-founder of IoT Inspector, sees it as a major problem that the security of the IoT has been neglected by both manufacturers and users up to now. His company, which is part of the 5-HT ecosystem, has therefore developed the IoT Inspector, an analysis platform that automatically checks IoT firmware for a wide range of vulnerabilities. In this interview with 5-HT, Rainer M. Richter explains why IoT security is so important for companies and how the IoT Inspector can help them secure their networks.
What actually are IoT devices?
IoT devices are devices that are connected to the internet but do not have a classic screen with a keyboard. This is not just about Industry 4.0, which you might think of at first, but a huge range of devices that we all have installed in our networks, for example routers, network cameras, network printers, VoIP telephones, access control systems, sensors or climate control devices.
Why is IoT security so important?
On the one hand, this is due to the fact that the number of IoT devices is continuously increasing. Estimates assume that there will be between 36 and 38 billion IoT devices worldwide in 2021. Two-thirds of companies already have more IoT devices installed in their networks than traditional endpoints. Nevertheless, we observe that security in the IoT sector is often neglected on the manufacturer side. According to Europol, two-thirds of all reported cyberattacks last year were directed at IoT devices or unmanaged IT devices. As endpoint protection improves, attackers are increasingly turning to IoT devices with security vulnerabilities. For companies, there is a risk that the vulnerabilities of their IoT devices will be exploited, for example, to get into the network via a camera and spy out further data. However, most companies do not check their IoT devices for vulnerabilities, although they would actually be obliged to do so under the GDPR as part of the risk analysis and can be held liable accordingly. So the IoT area is the blind spot of cybersecurity – and that’s why we offer a blind spot assistant, so to speak, with the IoT Inspector.
How does IoT Inspector help secure IoT devices?
IoT Inspector is a platform for analysing the security of IoT firmware. For this purpose, the user uploads the firmware to the analysis platform. The firmware is then automatically checked for vulnerabilities, such as hidden user credentials, known vulnerabilities (CVEs), forgotten certificates or private keys, default passwords or undocumented credentials, outdated software components and much more. We discover critical vulnerabilities in 90 percent of the analysed firmware, most frequently standardised user credentials. Within five to ten minutes, the user receives a list of all vulnerabilities of the analysed firmware. If an expert were to perform a corresponding pentest by hand, it would take him two to three days. With the IoT Inspector, our sales partners offer the fully automated analysis of a firmware from 500 euros. If the company carries out the analysis completely on its own, it is only 400 euros. So today, no one can say that risk management is no longer affordable.
How can corporates benefit from using the IoT Inspector?
Corporate customers can already integrate the IoT Inspector into their procurement process. Before they buy a new IoT device, they can use our solution to check whether the firmware is secure or not. With the IoT Inspector Compliance Checker, they can also check whether the firmware complies with the corresponding security standard. In this way, IoT Inspector can help them make more informed decisions when making new investments. Another important point is, of course, to check the inventory of IoT devices in order to identify vulnerabilities and safeguard against them if necessary.
What are the benefits of IoT Inspector for providers and developers of IoT devices?
Internet service providers and telecommunications providers can use the IoT Inspector to ensure that the products they resell are free of vulnerabilities. For example, Swisscom, the largest telecommunications company in Switzerland, uses the IoT Inspector as a quality gateway before distributing new firmware to its thousands of installed devices, saving itself support costs amounting to a six-figure sum in Swiss francs per year. Manufacturers and developers of IoT firmware can use our solution to ensure that they only deliver vulnerability-free software to protect their investments and gain a competitive advantage.
What differentiates IoT Inspector from its competitors?
We are in a market segment where there is a very high demand but only a handful of providers of comparable solutions. Since our competitors come from the USA or Israel, this is often associated with the uncertainty of whether foreign intelligence services might be reading in. With our headquarters in Germany and Austria, on the other hand, we are subject to the strict data protection guidelines of the EU. In addition, we are the first on the market with an integrated compliance checker, our detection rate is very high, and our pay-per-use model is attractive to many customers because they do not have to sign up for a subscription or pay costly set-up fees.
How did IoT Inspector come about?
IoT Inspector is a spin-off from the SEC Technologies GmbH incubator. The basic idea comes from our colleagues at the security consulting company SEC Consult, who painstakingly carried out pentests for IoT firmware by hand and came up with the idea of automating these analyses. The IoT Inspector was first developed five years ago as an in-house tool at one of the companies in the group, and from 2018 it was pushed to market maturity in the SEC Technologies incubator. Based on my many years of experience with go-to-market strategies, I was responsible during this time for setting up marketing and sales structures and bringing the first partners on board. Once we had achieved a certain market penetration and found a German venture capitalist as an investor, we finally founded IoT Inspector as an independent company in July 2020. By the middle of this year, we want to expand the team at our two locations in Bad Homburg and Wiener Neustadt from currently 8 to 15 to 20 employees. Our partners, who are responsible for sales and customer support, already sell our solution in 15 countries – in the DACH region, but also in France, Belgium, Luxembourg, the Netherlands, the USA or Singapore.
What are the next goals for IoT Inspector?
We recently launched IoT monitoring, which can be used to continuously check IoT firmware for newly discovered vulnerabilities, which will make our customers’ work much easier in the future. In addition, we are currently working on further improving our API so that we have the possibility to automatically import large amounts of firmware from other applications and automatically play out the analysis results, for example in risk management systems. In addition, we are currently working intensively on dynamic vulnerability analysis: by putting IoT firmware into running mode, we want to be able to detect hidden lines of communication. On the distribution side, we are working to increase our network of partners. Geographically, we also want to penetrate new markets, initially in the Nordics and the UK, but also in North America and the Far East, where the majority of IoT devices are manufactured.
How can 5-HT support you in your further development?
The Rhine-Neckar region is home to many interesting companies that have tons of IoT devices. When I think of the large chemical and pharmaceutical companies, I don’t even want to have to count how many IoT devices there are. At the same time, I don’t want to imagine what would happen if vulnerabilities were exploited there. So there are many potential customers for us in the 5-HT ecosystem, and we are happy to help them secure their network with the IoT Inspector.