Q&A: UL Principal Security Advisor Dr. Johannes Bauer

Oct. 25, 2019
An in-depth discussion on the state of IoT device cybersecurity

According to a report published last week by Kaspersky, attacks against IoT devices have increased dramatically this year. In fact, Kaspersky honeypots, which are networks of virtual copies of various internet-connected devices and applications, recorded 105 million attacks on IoT devices from 276,000 unique IP addresses during the first six months of 2019. That’s more than seven times the number recorded during the first half of 2018.

Of course, these figures should come as little to no surprise to security professionals, who have long warned about the dangers posed by unsecured devices connected to networks or the internet. Physical security products themselves have even proven to be among the most vulnerable, as evidenced by the Mirai botnet in 2016, which leveraged thousands of compromised surveillance cameras and DVRs.

Many manufacturers have taken notice of the issue and tried to build better default cybersecurity protocols into their products, but there is still a greater need for them to incorporate more robust vulnerability management and push software updates and patches to end-users of their connected products as part of a full Secure Development Lifecycle (SDL). There is also an onus on end-users and integrators to leverage security best practices on their end to ensure that these devices remain protected.

In honor of Cybersecurity Awareness Month, SecurityInfoWatch.com (SIW) recently sat down with Dr. Johannes Bauer, Principal Security Advisor at UL, to discuss the state of cybersecurity as it pertains to the IoT and steps manufacturers should be taking to shore up their products.

SIW: What are some of the ways that cyber criminals go about looking for devices to compromise?

Bauer: When we talk about an attacker or a group of attackers who do hacking professionally for a living, we’re talking about hackers who are able to carefully plan their attacks and won’t just attack their targets without having done some sophisticated reconnaissance. That could include a multitude of things. One unique example that could work very well for hackers is dropping in on the premises of a location and leaving USB sticks/thumb drives loaded with malware, perhaps with something that sounds juicy like ‘payroll’ marked on them, where someone is going to pick it up and might try to figure out whose it is and plug it into a computer. Who wouldn’t want to peek at a payroll sheet?

On the purely network side of things, businesses typically do what is called fingerprinting, so when you are talking to systems – let’s say I’m trying to initiate a connection to a specific system in the cloud and that connection might be rejected – usually the protocol letter is underlined. For example, Transmission Control Protocol (TCP) has a number of ways in which they can legitimately reject a connection. What a hacker is doing there is they’ve mapped out different implementations and they’ve mapped out these variants in the protocol to be able to deduce what is the actual hardware equipment that is in use, and from there they can try to scout out vulnerabilities. If you start probing actively as an attacker, you’re going through layers and layers of obfuscation, so you’re not doing that from your home internet access; you’re trying to use something like onion routing where your packets are sent through a number of hosts so that it is indistinguishable from the final target.

SIW: What are some of the biggest mistakes made by manufacturers when it comes to ensuring the cybersecurity of their products?

Bauer: Cybersecurity hygiene is something we still don’t see across the board, unfortunately. This means there is some very low-hanging fruit in the cybersecurity of some products as a result of failing to properly maintain them, supply them with patches or keep the software up to date. Something that we often see is that cybersecurity is more of an afterthought; products get produced, they make it into the field and, the nature of security itself being what it is, vulnerabilities are discovered over time. You can almost guarantee a product that is manufactured today is going to have some kind of weakness that is undiscovered because of the sheer amount of code that IoT devices run. We’re talking about millions of lines of code, so there is bound to be an issue there somewhere.

SIW: What are the most commonly compromised IoT devices you’ve come across in your experience?

Bauer: It’s not a specific type of device that’s under attack. IoT devices are very similar in structure, completely independent of what the actual purpose of the device is. Whether we’re talking about a household appliance or a security device, it can’t be said that a specific class of devices is more susceptible to attack than another one. It really depends on how they are manufactured and how they are maintained.

SIW: What do you think IoT product makers are currently doing right when it comes to cybersecurity and what do you think needs immediate attention?

Bauer: Something that has gotten a lot more attention in recent years is proper secure development cycles for products – thinking of security as a part of quality and incorporating it in the process as the product is designed. One step in that process is a defense-in-depth approach. You want to have multiple layers of security in your product so that in the event that one fails, there are remediating countermeasures or contingencies on other parts of your system. It is very similar to how safety works in a car. If you drive somewhere, you don’t buckle up just right before an accident happens. Ideally you want to fasten your seatbelt even before you start the engine. It’s very similar with IT security. If it is considered early enough in the design process – where many vendors have really improved over the years – you have a much more secure product in the end.

With regards to what is urgently needed, there needs to be better vulnerability management. We have systems today which are incredibly complex, so on top of the operating system there are hundreds, sometimes thousands of libraries stacked on top of each other, and it is very easy to lose track of all these dependencies of your product, and each of these dependencies can have a security vulnerability that leads to a total compromise of the product. Maintaining that and getting ahead of the curve is one of the most important issues right now.

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].