Two such sessions that caught iTWire's eye were both security related.
Pluralsight author Dale Meredith saw a commercial 'mobile hacking kit' selling for around US$750, but realised it was built around a Raspberry Pi and that the hardware could be assembled for around US$200, even when using the newer Raspberry Pi 4B. While the 4B is more capable, the downside is that case manufacturers are still catching up with the rearranged port locations, so you can choose between modifying an old design with a Dremel tool to carve out an opening, or waiting for a redesigned case, he said.
Other items required and included in the US$200 budget are a 7in touchscreen, keyboard, microSD card, and a power supply. The software needed for the kit is Kali Linux, a distro specifically designed for penetration testing.
Security professionals can also make good use of Raspberry Pi based pico clusters, which are available off the shelf with three, five, ten or 48 CPUs, he said. This makes it possible to run (for example) Linux, Windows 10 IoT, Android and Docker Swarm all in one relatively inexpensive box.
AgilePQ chief cryptographer David Gotrik looked at the security issues around IoT devices.
IoT has been adopted more quickly than any technology in history. It is predicted that 20 billion devices will be deployed this year, but many of them are resource constrained to the point that they are incapable of implementing standard security techniques, even if the developers wanted to do so, he observed. Some don't even have the horsepower to send or receive encrypted data.
More than 90% of IoT devices (and they already account for about half of all devices, with forecasts suggesting that will rise to around four fifths by 2023 as "nearly every industry is doing something with IoT") have been operating with practically no security, said Gotrik.
Yet IoT devices often transfer critical, personal or proprietary data, whether that's as simple as the make and model of the device, or an indication of when premises are unattended.
Huge amounts of data will be collected from IoT devices, and it deserves to be protected.
IoT insecurity involves more than just data loss. In 2016, Mirai co-opted large numbers of devices into a botnet used for DDoS attacks simply by using the default usernames and passwords to install the malware.
Malware can be installed and launched within six minutes of a vulnerable IoT device being exposed to the internet, and such devices are probed around 800 times an hour.
Not all of the sources of vulnerability are easily addressed, he warned. There is pressure to keep hardware costs low, and a reluctance to spend more in order to improve security. In some cases, low power consumption is a key consideration (eg, so a device can run for many months on one battery), and the processing needed to calculate a hash for security purposes significantly adds to the power consumption.
Other issues are the lack of security expertise within vendors, a lack of leadership in this part of the IT industry, the use of proprietary protocols, and "security as an afterthought" (a reference to the situation where boards are designed and fabricated before security requirements are considered).
Customers and potential customers can help by ensuring that decision-makers are educated about the issues, refusing to settle for 'good enough', and by reacting before – not after – a problem occurs.
Unfortunately, "there's not a lot an individual consumer can do" if a manufacturer hasn't provided the necessary facilities such as being able to enable encryption and change the default username and password, he warned. But some measures – such as connecting IoT devices to the guest Wi-Fi network rather than the main network, and installing a good firewall – do provide a degree of protection.
Disclosure: The writer attended Pluralsight Live as a guest of the company.