Skip to main content

Hacking to help: How micro cyber-research teams are helping vendors

(Image credit: Image Credit: Pavel Ignatov / Shutterstock)

The increasing dependency on technology by both consumers and businesses over the past few decades has led to heavy investment in cybersecurity. To mitigate against risks of cyberattacks or data breaches, vendors are tasked with securing their products in order to ensure they are safe to use for customers. This has led to the popularity of micro cybersecurity research teams who work solely to find vulnerabilities in products. Not only does this help cyber-researchers prove their expertise, it is also developing a crucial working relationship between security professionals and manufacturers that addresses these security flaws.

Dedicated research

As businesses have become even more technology-centric, cybersecurity has grown into a specialised field. From incident management to threat intelligence and intrusion detection, cybersecurity now encompasses a multifaceted approach to securing systems and products for both consumers and businesses.

Micro cyber-research teams are another growing area within the cybersecurity space. Independent of cybersecurity testers, these smaller research teams are dedicated to hacking products to source any weaknesses or flaws. With IoT and smart devices flooding society, and leading to a rising number of hackable products, these micro teams are receiving investment from large security companies in order to address this development.

This trend hasn’t necessarily proved detrimental to manufacturers or vendors either. Once the researchers discover a flaw, they notify the manufacturer and then disclose their discovery to the public once a 90-day period has passed. The manufacturer will generally acknowledge the identified issues on its products, and make the necessary arrangements to fix them. This cooperation is often seen as a positive exchange by the information security (InfoSec) community, in spite of the severity of the disclosed vulnerabilities. In some cases, manufacturers offer rewards such as formal recognition or financial compensation for their efforts.

Hacking methodologies

Most micro cyber-research teams utilise similar methodologies when identifying vulnerabilities in devices. Teams can either attack devices locally or by utilising physical hardware hacking tools and techniques. Product information can easily be found online; from marketing materials and online manuals to FCC numbers which identify products that contain wireless or Bluetooth locations. General news coverage and public forums can also help the research teams conduct a wider Threat Intelligence report.

The proliferation of IoT has led to greater connectivity between different kinds of devices, especially in home devices for consumers; the likes of TVs, printers, hoovers, Amazon Alexa and Google Home are great targets for these research teams. If a vulnerability is found in one IoT device, a cyber attacker can infiltrate the system and wider network the device sits on, affecting several devices at once. The popularity of the IoT market has meant some manufacturers and vendors may be rushing to get their products out to the market instead of taking the necessary time for security testing. However, with the micro cyber-research teams exposing vulnerabilities, manufacturers are challenged with ensuring there are adequate and robust security measures to defend the IoT network.

Rewards for cyber-researchers

While larger companies may be inclined to offer rewards to researchers for their time and effort in locating vulnerabilities, the majority of micro research teams will be compensated by the reputational boost of earning CVE numbers. Sponsored by the U.S. Department of Homeland Security, the CVE system labels publicly disclosed cybersecurity vulnerabilities and exposures, and the platform actively promotes the sharing of this data. Free for public use, the identifiers for each vulnerability can help users accurately access information about the security issues. This not only helps the wider InfoSec community tackle these vulnerabilities and raise awareness of the security flaws in certain devices; CVE numbers also provide important recognition of expertise in the cybersecurity field.

Collaboration for the future

The investment in these micro cybersecurity research teams, especially from big names in security such as McAfee, suggests this is a promising area of growth within cybersecurity. The research and subsequent recognition can help companies improve their reputation in a competitive industry. Listing CVE numbers on their website can signify a company’s expertise and act as a magnet for new business. Additionally, the individuals from the research team themselves often benefit, with praise and respect from peers and even invites to the largest global cybersecurity conferences.

Crucially, however, the rise of micro cyber-research teams can also be very beneficial to manufacturers. With these teams providing free security testing for products, manufacturers may feel more reassured in their product’s safety and less reliant on spending heavily on their own security testing.

Not only may this help reduce considerable costs for manufacturers, it can help the two parties develop a beneficial working relationship. By working together, manufacturers and cyberteams can improve the security process for new products; as well as exchange important information on improving the security of customers and their data.

Daniel Chandler, Management Consultant in Cyber Security, 6point6 (opens in new tab)

Daniel Chandler is a management consultant in Cyber Security at 6point6 specialising in defensive security; he focuses on security operations, threat intelligence and blue team engagements.