It isn’t often that we reward young people for breaking and entering, but that is exactly what happened when students from Abertay University took part in a unique cyber security vulnerability pilot organised by CENSIS as a hackathon earlier this year. The students were challenged to launch a cyber-attack on IoT devices designed and built specifically for the exercise by CENSIS, with three of the best ethical hackers recognised for their success.
The hackathon challenge wasn’t just about breaking and entering though, it aimed to give the students a better understanding of the typical vulnerabilities of IoT systems to cyber-attacks and get them involved in a common real-life scenario with the specially designed IoT hardware. With various levels of complexity, the students had to explore the IoT system’s hardware and software, exposing its weaknesses and show how they would take advantage of security flaws. Understanding the approaches the students used will help improve how companies developing products and service are advised to better protect themselves from cyber threats.
The hackathon challenge delivered across the summer of 2021 was part of the wider year-long IoT cyber challenge programme delivered by CENSIS and supported by Scottish Enterprise and the Scottish Government. With the goal to boost Scotland’s adoption of secure IoT technologies and help businesses and developers enhance their security and resilience of IoT networks and devices. It is hoped that activities such as the hackathon, will encourage students to consider careers that have a focus on IoT cyber security.
Cade Wells, acting business development director at CENSIS, said: “We often look at cyber security from a defensive perspective, but it’s equally important to put ourselves in the shoes of an attacker”. By creating the hackathon challenge we wanted to give the students a deeper understanding of IoT systems and their vulnerabilities to cyber-attacks and build knowledge about how hacks can be better prevented. We were especially pleased seeing the students hack a physical IoT system rather than a simulation. We are delighted with the results of the pilot and look forward to partnering with Abertay University on additional cyber security activities.”
An initial 15 students participated in the pilot with three winners chosen to receive IoT development kits that will enable and encourage them to further experiment with ethical hacking of IoT.
Fraser, Isaac Basque-Rice and Toby Wilkinson, who are all studying for a degree in Ethical Hacking at Abertay University, were recognised as the standout participants due to the approach they each used to attack the devices, their level of success in identifying vulnerabilities in the IoT system and how well they communicated those findings.
Fraser said: “IoT is a new and exciting industry in cyber security research, so it was a great experience learning how the devices work and how they can break. Doing this showed me many different protocols and different tools and techniques how to break them. My favourite task was grabbing the source code from one of the micro controllers.”
Isaac Basque-Rice said: “I found the whole process to be really enlightening, IoT is a particular interest of mine and so I jumped at the opportunity to get involved with this challenge. The things I learnt from this process – researching into specific IoT components, getting to deploy tools I hadn’t used yet against a real environment, and the general workings of an IoT environment – are invaluable. If CENSIS were to run this project again I would absolutely recommend anyone on my course or with an interest in this field to get involved.”
Toby Wilkinson said: “I really loved taking part in the challenge, it was a unique experience that gave me new skills and knowledge I can take to my honours project and hopefully into my career.”
Dr Natalie Coull, head of division of cyber security at Abertay University, said: “This has been a really worthwhile exercise for the students. The response and take up – particularly given continued Covid restrictions while the hackathon was running – was very positive and we look forward to developing further opportunities with the team at CENSIS. We will also be using the outcomes of the exercise to help us assess the viability of perhaps introducing an IoT cyber security module into ethical hacking academic programmes at Abertay.”
Following the success of the student challenge, the results of the pilot programme will be used to inform a best practice guide that covers potential threats to IoT systems. CENSIS is already in talks to host another Abertay hackathon in the coming months, as well as exploring potential events with other Scottish universities.