Job title of nominated professional (or team name): IoT Research Lead at Rapid7
Company (where nominated professional or team is working): Rapid7
Company size (employees): 850

In 3 bullets, summarize why this professional or team deserves recognition:

• The knowledge gained from Deral’s research projects has done more than just uncover vulnerabilities – it has also helped the security industry identify, shape and develop a deeper understanding of the issues plaguing IoT. Additionally, his work has given younger researchers the opportunity to work with many customers, manufacturers and organizations to help better define methods for mitigating security issues related to IoT.

• By creating a focused effort in IoT research, Deral has enabled Rapid7 to better serve its customers and the security community at large by sharing the knowledge the company gains during these efforts. IoT is expected to surpass 20 billion connected devices by the end of the decade, and Deral is one of the first leaders in the industry to push forward a focused effort to better secure the new IoT-driven world.

• Deral is an advocate for the information security community. He has given presentations at over 30 conferences, including Black Hat, BSides, and DEF CON, and is passionate about spreading education, citing his groundbreaking research. He identified a niche in the Dayton market, which led to the creation of the Ohio Information Security Forum. As a labor of love, Deral has spearheaded a group that meets each month to share, collaborate and network with professionals in the information security field.

Brief Overview

Deral Heiland is the IoT research lead at Rapid7, responsible for the company’s Internet of Things (IoT) practice area. He came into the role with more than a decade of experience as a security penetration tester and nearly 15 years of experience conducting security research across such areas as protocol-based attacks, embedded device exploitation and web vulnerabilities.

Deral focuses on the ecosystem around IoT – not just the device – helping to educate manufacturers about potential security risks in their products, enterprises about the risk that IoT devices in their environments represent, and consumers about the risk they take on when using IoT devices.

In July, Deral published a report on Osram LIGHTIFY, citing nine issues affecting the Home or Pro versions, with practical exploitation effects including the accidental disclosure of sensitive network configuration information. Deral worked with Osram to create a patch that configured the mobile app to stop storing potentially sensitive information, such as WiFi PSKs and passwords, in cleartext. With Deral’s assistance, Osram was able to patch the vulnerabilities.

In October, Deral discovered three vulnerabilities in Bluetooth-enabled trackers made by TrackR and iTrack that attach to a key ring or wallet as a way for consumers to locate things such as car keys or other small items. He found that these devices were not encrypted, and, as a result, communications could potentially be intercepted and read by third parties. While these vulnerabilities were not easily fixed, Deral helped TrackR develop a strategy to better protect its customers and ensure hackers could not listen in on their conversations or steal secure data. The company CEO praised his work and thanked the research team for helping to solve a potentially dangerous problem.