Thursday Feb 27, 2025

Rapid7’s Deral Heiland on Why Your Network Segmentation Strategy Overlooks IoT Risk

Deral Heiland’s research has uncovered critical vulnerabilities across the IoT spectrum, from office printers to medical devices, revealing how seemingly isolated devices can compromise entire networks. In one investigation, he discovered active credentials for five major hospital systems still present on secondhand medical equipment. 

With extensive experience, including his current role as Principal Security Researcher (IoT) at Rapid7, Deral breaks down why IoT security requires examining entire ecosystems rather than individual devices, and shares practical frameworks for testing and securing IoT infrastructure at scale. On this episode of The Future of Threat Intelligence, Deral walks David through how his team's testing methodology examines the full attack surface: embedded device firmware, cloud APIs, management interfaces, and, critically, the often-overlooked inter-chip communications. 

Topics discussed:

  • The development of an IoT testing methodology that maps complete device ecosystems: examining firmware extraction points, analyzing unencrypted inter-chip communications, evaluating cloud API security posture, and testing management interface access controls.
  • A technical analysis of inter-chip communication vulnerabilities, where internal buses like I2C and SPI often transmit authentication credentials and sensitive data without encryption, even in devices with strong external security.
  • An example of lateral movement through a state government network via unsegmented security cameras, demonstrating how default credentials and shared infrastructure bypassed department-level network isolation.
  • A framework for building IoT security testing capabilities, progressing from web/API/mobile security foundations to hardware-specific skills like firmware analysis and bus protocol monitoring.
  • Research findings on medical device disposal practices, identifying Active Directory credentials, Wi-Fi PSKs, and other sensitive data retained in second-hand equipment across five major hospital systems.
  • Practical strategies for securing unpatchable legacy IoT devices through network segmentation, behavioral baseline monitoring, and access control reconfiguration.
  • Integration of AI tools to accelerate IoT security testing, focusing on firmware analysis automation while maintaining human oversight of test methodology and results validation.
  • Implementation of coordinated vulnerability disclosure programs specifically designed for IoT vendors, including practical mitigation strategies for devices that cannot be immediately patched.

Key Takeaways: 

  • Map IoT device communication pathways by monitoring all traffic types and documenting API endpoints, cloud services, and management interfaces to understand the complete attack surface.
  • Implement protocol-aware monitoring for inter-chip communications to detect unauthorized data access at the hardware level, even when external interfaces are secured.
  • Deploy VLAN segmentation with explicit access controls for IoT devices, using separate networks for different device types with monitored cross-VLAN communication.
  • Create device behavior baselines using network flow analysis to identify normal communication patterns and detect anomalous activities that could indicate compromise or misuse.
  • Establish IoT asset disposal procedures that include secure erasure verification, credential revocation, and documentation of all removed sensitive data before decommissioning.
  • Implement network access controls for legacy devices based on known-good behavior patterns, restricting communication to required services and monitoring for deviation from baseline.
  • Deploy protocol-specific IDS rules for IoT device traffic, focusing on device-specific anomalies rather than traditional network attack signatures.
  • Develop hardware testing capabilities by starting with API/mobile security testing, then progressively adding firmware analysis and hardware protocol monitoring skills.
  • Create incident response playbooks specifically for IoT devices, including procedures for evidence collection from embedded systems and cloud service logs.
  • Structure vulnerability disclosure processes around providing configuration-based mitigations when patches aren't available, focusing on network isolation and access control recommendations.
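A minimal version of the flow-based baselining described in the takeaways above (learn a device's normal destinations, then flag deviations such as a camera reaching into another department's VLAN), written as an added example rather than code from the episode or from Rapid7. The IP ranges, the camera/NVR roles and every flow record below are constructed sample data.

```python
"""Per-device network-flow baseline for an IoT VLAN (added example, constructed data)."""
import ipaddress
from collections import defaultdict

# Constructed "known-good" flows: (src, dst, dport, proto) as exported from
# NetFlow/IPFIX or firewall logs during a quiet observation window.
BASELINE_FLOWS = [
    ("10.50.1.21", "10.50.1.5", 554, "tcp"),   # camera 1 -> NVR, RTSP video
    ("10.50.1.21", "10.50.1.5", 80, "tcp"),    # camera 1 -> NVR, HTTP events
    ("10.50.1.21", "10.50.1.1", 123, "udp"),   # camera 1 -> gateway, NTP
    ("10.50.1.22", "10.50.1.5", 554, "tcp"),   # camera 2 -> NVR, RTSP video
    ("10.50.1.22", "10.50.1.1", 123, "udp"),   # camera 2 -> gateway, NTP
]

# Constructed live flows: camera 1 suddenly talks SMB to a host in a different
# department's VLAN, the kind of cross-segment movement the episode describes.
LIVE_FLOWS = [
    ("10.50.1.21", "10.50.1.5", 554, "tcp"),
    ("10.50.1.22", "10.50.1.1", 123, "udp"),
    ("10.50.1.21", "10.20.3.40", 445, "tcp"),
    ("10.50.1.22", "10.50.1.5", 554, "tcp"),
]

IOT_SEGMENT = ipaddress.ip_network("10.50.1.0/24")  # constructed camera VLAN


def build_baseline(flows):
    """Map each device to the set of (dst, dport, proto) tuples it was seen using."""
    baseline = defaultdict(set)
    for src, dst, dport, proto in flows:
        baseline[src].add((dst, dport, proto))
    return baseline


def find_deviations(baseline, flows, segment=IOT_SEGMENT):
    """Return (flow..., severity, reason) for every flow outside the device's baseline.

    Unknown source devices and new destinations outside the IoT segment are
    'high' (possible rogue device or cross-VLAN movement); a new service to a
    destination inside the segment is 'medium' (review, may be benign change).
    """
    alerts = []
    for src, dst, dport, proto in flows:
        if src not in baseline:
            alerts.append((src, dst, dport, proto, "high", "unknown device"))
        elif (dst, dport, proto) not in baseline[src]:
            if ipaddress.ip_address(dst) in segment:
                alerts.append((src, dst, dport, proto, "medium", "new service inside segment"))
            else:
                alerts.append((src, dst, dport, proto, "high", "new destination outside IoT segment"))
    return alerts
```

Feed the output to the IoT-specific IDS rules or playbook mentioned above; a "high" alert on a camera is the signal that the VLAN access controls should have blocked the flow in the first place.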

Join us for the 15th anniversary of RISE in San Francisco this April 8-9, where cybersecurity professionals, law enforcement, and threat intelligence analysts come together for two days of TLP-RED content sharing and hands-on collaboration in the fight against cybercrime. Apply now at http://www.cymru.com/rise
