For cybersecurity students in RIT’s new Eaton Lab, the first step in fixing a product is to break it.
“That’s the goal of our penetration tests,” said Issa Hafiri, a computing security graduate student from Palestine, who’s working in the Eaton Lab. “Look at the internet-connected device from an attacker’s perspective and figure out how to leverage its vulnerabilities.”
Last fall, a team of three students and one lecturer began the partnership with Eaton Corp., a global power management company that offers an array of electrical products and services. By performing penetration tests and vulnerability analysis on internet of things devices created by Eaton, students are gaining hands-on experience while helping the company better secure its new products.
“There is a demand for cybersecurity talent throughout the U.S.,” said Max Wandera, director of Eaton’s Product Cybersecurity Center of Excellence (CoE), Electrical Sector. “The lab allows Eaton to leverage our experience to train students majoring in computing security at RIT on our products and build trust and branding that will help Eaton tap into this top talent.”
In the extracurricular lab, Hafiri strategizes with Christian Halbert, a fifth-year computing security student from Nunda, N.Y., Kegan Sovay, a third-year computing security student from Canton, N.Y., and Robert Olson, a lecturer in RIT’s Department of Computing Security. Every few weeks the team receives a new Eaton product to dissect.
Each device comes with an architectural review that helps students better understand how the device works and how it would be used in the field. While some devices may need to communicate securely with cloud services using Bluetooth, others could be web-facing and vulnerable to denial-of-service attacks. Security can’t be overlooked.
“We appreciate Eaton’s assistance in providing field experience to students,” said Olson, who is also technical director of the SAFE (Security Assessment and Forensics Examination) Lab in RIT’s Center for Cybersecurity. “This type of hands-on, experiential learning is critical for understanding offensive methodologies and will help students whether they choose to pursue defensive or offensive security roles in the future.”
After analyzing the attack surface of the product and its functionality, the team determines the best avenue of attack and commences the authorized penetration test. From the test results, they develop a comprehensive written assessment that details hardware and software security weaknesses in the product and the associated risks.
“This process is a fun challenge,” said Halbert. “It changes your mindset from looking at the process step-by-step, like in an academic lab, to looking at security from a broad sense.”
Throughout the spring semester, the team will continue their work with Eaton. They even hope to see familiar products come back their way, with a few modifications.
“We’ll get products back and see that the problem is gone because of something that we did,” said Hafiri. “People rely on your work to make their products more secure, and that’s really rewarding.”