Co-Founder/Director R&D, Payatu
Aseem Jakhar is the Director, R&D at Payatu https://payatu.com a cyber security services company specialized in IoT, Embedded, cloud, mobile security. He is the founder of null-The open security community, a registered not-for-profit organization and one of the largest security communities in Asia https://null.co.in and also organizes https://nullcon.net and https://hardwear.io security conferences. He currently spends his time trying to solve the IoT Security problem. He is an active speaker and trainer at various security conferences like AusCERT, Black Hat, Defcon, Brucon, Hack.lu, Hack in Paris, Hack In The Box, PHDays and many more. He has authored various open source security software including:
– EXPLIoT – IoT Exploitation Framework
– DIVA Android (Damn Insecure and Vulnerable App for Android)
– Jugaad/Indroid – Linux Thread injection kit for x86 and ARM
– Dexfuzzer – Dex file format fuzzer
“EXPLIoT – A journey to secure IoT”
Let’s face it, IoT security is a nightmare for IoT Manufacturers and service providers. This is primarily because of the technologies and processes involved in making an IoT product. In fact it should ideally be called an IoT ecosystem rather than a product. The primary challenges that the IoT security teams face are:
1. Complexity of the eco-system
2. Huge attack surface and respective coverage of the assessment.
3. IoT DevSecOps
After working on IoT security testing for a couple years, we realized these challenges. It was hard to move from one assessment to the other, given how unique each IoT ecosystem was. There was a lot of time spent on learning and setting up the required tools including hardware, radio and software.
So, we went back to the drawing board to find order in the chaos.
To start with, we envisioned a software that would allow developers and testers to automate some of the tedious tasks and test cases. We began our journey with writing a flexible and extendable framework that would help the community and us in writing quick IoT test cases and exploits with ease.
EXPLIoT framework is open source and the code can be found here – https://gitlab.com/expliot_framework/expliot
The current functionality empowers engineers with hardware, radio and IoT protocols test cases such as UART, I2C, SPI, JTAG, CAN, BLE, ZigBee, MQTT, CoAP, ModBus etc.
The framework can be used as standalone or integrated in IoT DevSecOps as per the requirements. It can be easily extended by the IoT Security teams for custom or specific use cases.