Talk

Outsmarting IoT Defense: The Hacker's Perspective

Watch Now

37:18

EOC 2023

Login to Watch

Natali Tshuva

Natali Tshuva brings over 10 years of experience, both as a researcher and a team leader, in the field of cyber security and software development. After graduating magna cum laude B.Sc. in Computer Science at the age of 19, as part of a special program for gifted and talented kids, Natali was handpicked to serve in IDF’s 8200 elite technology unit (the Israeli equivalent of MI6 or NSA) as a security software engineer. Prior to founding Sternum, Natali held several cybersecurity-related roles, including leading different R&D and research teams for global cyber intelligence market leaders. Having identified critical gaps in the IoT security market with life-saving consequences, Natali now leads all aspects of Sternum’s vision and mission execution both technologically and commercially. Natali holds an M.Sc. in Computer Science from Bar Ilan University and when she is in between meetings she rejuvenates with creative writing and all sorts of sports.

View full profile

Topics Covered

Security

Talk

Outsmarting IoT Defense: The Hacker's Perspective

Natali Tshuva

37:18 EOC 2023

Natali Tshuva

37:18

Endless patching is a race that cannot be won. To build sustainable, secure IoT solutions we must change that ineffective paradigm.

To appreciate what we can do differently, we should start by considering both the defender's and attacker's perspectives. This session will provide a unique view of that attacker's perspective, from former exploit/attack experts within the IDF Unit 8200. We will review the impossible task of identifying and mitigating all vulnerabilities - and will demonstrate the inadequacies of current IoT security practices focused on continuous patching, static analysis, encryption and risk controls. We will also explain how attackers can easily evade such barriers.

By contrast, the session will explore methods for achieving embedded, on-device runtime exploits protection to immunize devices from all underlying vulnerabilities, and provide zero-day protection as well. These methods, commonplace in IT endpoint detection and response, are just now finding their way into heretofore unprotected and unmanaged IoT edge devices.

1 / 4

Please log in or create an account to test your knowledge and see the answers.

What is the main reason Natali argues that endless patching is a losing strategy for IoT security?

A Vulnerabilities are inevitable because of large codebases, many third‑party components, and attackers only need one successful exploit.

B Patching typically introduces more bugs than it fixes in IoT firmware.

C Most IoT devices are air‑gapped so patches cannot be applied reliably.

D Encryption and secure boot make patching unnecessary, so vendors stop doing it.

E Attackers prefer physical hardware attacks so software patches are irrelevant.

Which defensive approach does Natali recommend as a practical way to protect IoT devices against zero‑days and unpatched vulnerabilities?

A Deploy on‑device, real‑time exploit prevention that fingerprints exploitation techniques (RASP/EDR‑style on the edge).

B Rely exclusively on continuous remote patching to close any vulnerability as soon as it appears.

C Depend only on static analysis during development to catch all exploitable bugs before release.

D Use encryption and secure boot as the sole protection to prevent all attacks.

E Remove all third‑party libraries from devices so no external vulnerabilities exist.

Why does Natali say static analysis and passive testing are insufficient as the primary IoT security solution?

A Because they typically miss about half of vulnerabilities and are reactive rather than providing real‑time protection.

B Because static analysis always causes unacceptable runtime overhead on constrained devices.

C Because static analysis only finds encryption configuration issues.

D Because static analysis is illegal to run on third‑party code.

E Because static analysis requires cloud connectivity to function and most devices are offline.

What technical observation underlies the 'exploit‑fingerprint' protection strategy described in the talk?

A Different exploits of the same class (e.g., stack overflows) follow predictable, detectable behaviors, so detection can target the exploitation technique rather than the specific vulnerability.

B Every vulnerability requires a completely unique exploit pattern, so detection must catalog all possible vulnerabilities first.

C Only hardware modifications can stop exploit techniques, so software detection is futile.

D Fingerprinting specific vulnerabilities (CVE IDs) is easier and more reliable than fingerprinting exploitation behavior.

E Blocking all network connectivity is the only reliable way to stop exploit attempts.

Formatting help

italics	surround text with asterisks
bold	surround text with two asterisks
hyperlink	[hyperlink](https://example.com) or just a bare URL
inline code	surround text with single `backticks`
code block (multi-line)	wrap on its own lines with three backticks: ``` your code here ```
~~strikethrough~~	surround text with ~~two tilde characters~~
quote	prefix with >

Upvotes Newest Oldest

MaxP

Score: 3 | 3 years ago | no reply

Thank you for this very interesting talk. I think the approach presented is actually a turning point in making IoT more secure. Could you shed some light on how fingerprinting is technically achieved? Thank you

Partners & Sponsors

STMicroelectronics

Amazon AWS

Golioth

The Qt Company

Memfault

NXP

SEGGER Microcontroller

PE Micro

PX5

Become a Sponsor