Pieter Meulenhoff
Quality control, internships & security training , Eurofins Cyber Security
Pieter Meulenhoff, a specialist in the quality and security of ICT over a broad spectrum: from em-bedded applications, datacenters up to applications and software. At Eurofins Cyber Security Pieter is responsible for quality control, internships and security training on the topics of Internet of Things and secure software. Pieter is a lecturer at the Applied University of Amsterdam on the top-ic of cybersecurity and IoT.
During his career, Pieter has performed various projects that are related to the topics of IoT and applied research: He was the lead author of a research report for OFCOM, the British telecommu-nications regulator, on the topic of Deep Packet Inspection (DPI). Reverse engineering of various (radio) protocols and low-level interfaces in products such as smart watches, child toys, heating appliances, pellet stoves and sound systems.
Technical trouble-shooter of various embedded systems on the topic of quality and security such as: instability in a smart beer tank system, failing OV-chipcard registration, unreliable intercom sys-tem. Creates assignments for interns at Eurofins Cyber Security on the topic of IoT where the goal is to analyse the security of a specific product. These assignments often lead to the discovery of new vulnerabilities and publication such as ‘Apparaten hacken’ by the Dutch Consumer Organisa-tion in September 2019.
Author of several patents on the topic of security and performance in edge devices (customer routers) in telecommunications networks.
ABSTRACT
Throughout 2019 Qbit(Eurofins Cyber Security) worked with the Dutch Consumer Organization (Consumentenbond) to perform security assessments on various consumer devices such as baby monitors, security camera’s, alarm systems, smart watches, adult toys etc. The results of these tests are rather worrying. Qbit is coming forward with this information with the intent that policy makers, IoT device manufacturers and independent testing organizations can take notes and learn lessons from this case study as well as set-up additional research or problem solving projects.
During the project, 12 frequently sold devices were fully assessed for security issues and in total 169 vulnerabilities were discovered. As an example: one of the vulnerabilities considered critical enabled an attacker to obtain remote camera access and control of the device, as well as being able to retrieve the physical location of the device and obtain the credentials for the Wi-Fi network that the device was attached to.
During our project with the Dutch telecom agency, we’ve analysed over 400 requirements to come up with the essential requirements to put into future legislation/regulatory measures, that are sufficiently specific, testable and implementable.
Had these essential requirements been followed by the manufacturers of the tested devices a huge amount of the discovered vulnerabilities (and particularly the notable issues, that are considered critical-medium risks) would not have existed in the first place. This is to show a Proof of Concept that these essential requirements obviously do not tackle all issues, but do ensure that the current lack of security in IoT can be greatly improved with simple solutions.