Episode #76

Rapid7’s Deral Heiland on Why Your Network Segmentation Strategy Overlooks IoT Risk

Show Notes

Deral Heiland’s research has uncovered critical vulnerabilities across the IoT spectrum, from office printers to medical devices, revealing how seemingly isolated devices can compromise entire networks. In one investigation, he discovered active credentials for five major hospital systems still present on secondhand medical equipment. 

With extensive experience, including his current role as Principal Security Researcher (IoT) at Rapid7, Deral breaks down why IoT security requires examining entire ecosystems rather than individual devices, and shares practical frameworks for testing and securing IoT infrastructure at scale. On this episode of The Future of Threat Intelligence, Deral walks David through how his team's testing methodology examines the full attack surface: embedded device firmware, cloud APIs, management interfaces, and, critically, the often-overlooked inter-chip communications.

Topics discussed:

  • The development of an IoT testing methodology that maps complete device ecosystems: examining firmware extraction points, analyzing unencrypted inter-chip communications, evaluating cloud API security posture, and testing management interface access controls.
  • A technical analysis of inter-chip communication vulnerabilities, where internal buses like I2C and SPI often transmit authentication credentials and sensitive data without encryption, even in devices with strong external security.
  • An example of lateral movement through a state government network via unsegmented security cameras, demonstrating how default credentials and shared infrastructure bypassed department-level network isolation.
  • A framework for building IoT security testing capabilities, progressing from web/API/mobile security foundations to hardware-specific skills like firmware analysis and bus protocol monitoring.
  • Research findings on medical device disposal practices, identifying Active Directory credentials, Wi-Fi PSKs, and other sensitive data retained in secondhand equipment across five major hospital systems.
  • Practical strategies for securing unpatchable legacy IoT devices through network segmentation, behavioral baseline monitoring, and access control reconfiguration.
  • Integration of AI tools to accelerate IoT security testing, focusing on firmware analysis automation while maintaining human oversight of test methodology and results validation.
  • Implementation of coordinated vulnerability disclosure programs specifically designed for IoT vendors, including practical mitigation strategies for devices that cannot be immediately patched.

Key Takeaways: 

  • Map IoT device communication pathways by monitoring all traffic types and documenting API endpoints, cloud services, and management interfaces to understand the complete attack surface.
  • Implement protocol-aware monitoring for inter-chip communications to detect unauthorized data access at the hardware level, even when external interfaces are secured.
  • Deploy VLAN segmentation with explicit access controls for IoT devices, using separate networks for different device types with monitored cross-VLAN communication.
  • Create device behavior baselines using network flow analysis to identify normal communication patterns and detect anomalous activities that could indicate compromise or misuse.
  • Establish IoT asset disposal procedures that include secure erasure verification, credential revocation, and documentation of all removed sensitive data before decommissioning.
  • Implement network access controls for legacy devices based on known-good behavior patterns, restricting communication to required services and monitoring for deviation from baseline.
  • Deploy protocol-specific IDS rules for IoT device traffic, focusing on device-specific anomalies rather than traditional network attack signatures.
  • Develop hardware testing capabilities by starting with API/mobile security testing, then progressively adding firmware analysis and hardware protocol monitoring skills.
  • Create incident response playbooks specifically for IoT devices, including procedures for evidence collection from embedded systems and cloud service logs.
  • Structure vulnerability disclosure processes around providing configuration-based mitigations when patches aren't available, focusing on network isolation and access control recommendations.
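As an added example (not from the episode or from Rapid7), the following sketch shows the baseline-and-deviation approach from the takeaways above: learn each IoT device's normal destinations from flow records, flag later flows that fall outside that pattern, and render the baseline as an allow-list for access control. Device names, hostnames and every flow line are constructed.

```python
"""Per-device communication baseline from flow records, with deviation
detection and an allow-list derived from the baseline. All data is constructed."""
from collections import defaultdict

# Constructed flow log: "<timestamp> <src_device> <dst_host> <dst_port> <proto>"
LEARNING_FLOWS = """\
2024-03-01T08:00:01Z cam-lobby-01 nvr.iot.example 554 tcp
2024-03-01T08:00:02Z cam-lobby-01 ntp.iot.example 123 udp
2024-03-01T08:00:09Z cam-lobby-02 nvr.iot.example 554 tcp
2024-03-01T08:00:10Z cam-lobby-02 ntp.iot.example 123 udp
2024-03-01T08:01:00Z printer-3f print-srv.corp.example 9100 tcp
2024-03-01T08:01:05Z printer-3f ntp.iot.example 123 udp
"""
# Constructed flows from a later window; two of them break the learned pattern.
LIVE_FLOWS = """\
2024-03-02T09:00:01Z cam-lobby-01 nvr.iot.example 554 tcp
2024-03-02T09:00:04Z cam-lobby-02 dc01.corp.example 445 tcp
2024-03-02T09:00:07Z printer-3f print-srv.corp.example 9100 tcp
2024-03-02T09:00:09Z cam-new-07 nvr.iot.example 554 tcp
"""

def parse_flows(text):
    """Yield (src, dst, port, proto) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[3].isdigit():
            continue
        _ts, src, dst, port, proto = fields
        yield src, dst, int(port), proto.lower()

def build_baseline(text):
    """Map each device to the set of (dst, port, proto) it used while learning."""
    baseline = defaultdict(set)
    for src, dst, port, proto in parse_flows(text):
        baseline[src].add((dst, port, proto))
    return dict(baseline)

def find_deviations(baseline, text):
    """Return flows not covered by the source device's baseline, each with a reason."""
    findings = []
    for src, dst, port, proto in parse_flows(text):
        allowed = baseline.get(src)
        if allowed is None:
            findings.append((src, dst, port, proto, "unknown device, no baseline"))
        elif (dst, port, proto) not in allowed:
            findings.append((src, dst, port, proto, "new destination or service"))
    return findings

def baseline_to_allowlist(baseline):
    """Render the baseline as vendor-neutral permit rules; default deny is implied."""
    return sorted(f"permit {src} -> {dst}:{port}/{proto}"
                  for src, dests in baseline.items() for dst, port, proto in dests)
```

Run against the constructed data, the camera reaching a domain controller on 445/tcp and the never-seen device both surface as deviations, while the six learned flows become the permit rules for a default-deny policy.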

Quotes from Episode

“One thing if I could change about most organizations is one, they need to figure out what they have for assets. Right now, most companies, a lot of companies, I won't say most, don't know what's on their network. The second thing is they need to develop policies and processes, focus on cradle to grave. So I want to know when a device is coming into my organization, I want to continue tracking it within my organization, patching it, maintaining it. And when the day comes that I need to get rid of it, I want to actually get rid of it properly. That's probably some of the biggest issues that I've run into.” 27:16-27:57