Dan Berte On The IoT Security Landscape
Dan Berte, Chief Architect and Director of IoT Security at Bitdefender, discusses how both IoT manufacturers and organizations using IoT devices can minimize the risks associated with them.
From smart homes to industrial automation, IoT devices are embedded in every facet of modern life, revolutionizing the way we live, work, and interact with the world around us. However, as well as providing us with new levels of connectivity, the proliferation of IoT devices has also introduced a new frontier of security vulnerabilities.
“Most of the time, what happens is, once you get root access to a device on the network, the potential is to access any other device on the network or just exfiltrate private information from that,” says Dan Berte, Chief Architect and Director of IoT Security at Bitdefender. “Nobody’s going to stand there and just watch your camera, but they could harvest information out of your IoT devices. Once you get complete access to the device, it’s easy to do whatever you want with it.”
Bitdefender is a cybersecurity provider that delivers best-in-class threat prevention, detection, and response solutions to SMBs and large enterprises globally. Known best for their endpoint security solutions, Bitdefender is also a leader in the IoT security space, with their innovative IoT Security Platform and Bitdefender BOX solution.
In his current role, Berte is responsible for accelerating Bitdefender’s recognition as a leader and innovator in the IoT space, which he does by promoting the company and its award-winning IoT technologies at industry events and analyst briefings. He also works closely with Bitdefender’s vulnerability research programme and the policymaking around the company’s IoT product suite.
In an exclusive interview with Expert Insights at the 2024 RSA Conference in San Francisco, Berte discusses the risks associated with IoT devices, and how both IoT manufacturers and the organizations using these devices can minimize those risks.
You can listen to our full conversation with Berte on the Expert Insights Podcast.
Note: This interview has been edited for clarity.
Could you please introduce yourself and tell us a bit about your security background, and your current role at Bitdefender?
Absolutely. It’s a funny one—I’ve been with Bitdefender for more than a decade, which sounds really weird here in the Silicon Valley area, where that’s a long time. So, I’ve seen a bunch of stages of development of IoT research and IoT products. I was on one of the first teams developing Bitdefender BOX, and later spent time on the bigger efforts that we were doing in IoT. Currently, I deal with the vulnerability research programme and other research and product bits, and anything related to policy, outbound, and policymaking around it. It sounds a little bit boring, maybe, but it’s entirely exciting.
Not at all, that’s exactly what we want to talk about today, specifically around that research piece! Over the last couple of years, Bitdefender and Netgear have been producing IoT Security Landscape Reports, in which you analyze key IoT trends, vulnerabilities, and attack scenarios. These reports have found that IoT attacks have steadily risen year on year. Why is IoT becoming such an attractive attack vector for cybercriminals?
It’s a largely unregulated, kind of a wild west situation in the IoT space, compared to more entrenched, classical systems, let’s say a PC or a Mac. These platforms have been around for a long time, they’re regulated, and there’s security in place for them. There’s a roadmap, people know what’s going on. With IoT—innovation being one of the things that’s pushing things a little harder—security’s a little down the road, as property.
Because of all these factors together, IoT has put billions of devices out there in the wild that are more or less unregulated when it comes to their security standards. So, they’re very tempting and very attractive for attackers to target.
There are lots of different IoT devices available to consumers today, from smart assistants and appliances designed to streamline everyday life, to plugs designed to improve energy efficiency and save consumers’ money. Attackers can exploit different devices to target different outcomes—what are some of the most common vulnerability outcomes associated with different device types?
We usually look at the outline of the household, and the dynamic of year over year changes. [That includes the] number of average devices—and it’s always an increase, of course—but at the same time, we look at what the popular devices are.
I’ll do an experiment with you. Think of how many connected devices you might think you have at home currently. Then list them, try to see if that’s an accurate number. I’ll spoil it—I promise you, you’re probably thinking of half of the actual number. Because we forget that the router is actually an IoT device, that the old printer’s an IoT device, and so on and so forth. The Apple Watch, the Kindle—all these things are connected devices.
And what’s going on in these households is that with the more popular devices, the prevalence makes it easier [to target]. For example, everybody has TVs—I think there’s on average about four TVs per household in the U.S. In the last report we released, we saw that TVs are at the top, both in terms of prevalence in the household but also prevalence in the liabilities that are found in them. So, then you have a deadly mix. I’m not saying TVs are the most offensive, but in this case, they’re up at the top. Cameras and these network-attached storage devices used to be up there, that hold your files and your important information.
So, it’s a mix of what the popular device is, with what the more prevalent type of attack is. And you’re seeing Denial of Service type of attacks, you’ve seen buffer overflow, and so on. And [these attacks are] pretty simple and straightforward, actually; it’s all mostly automated. Once the vulnerabilities are found, they’re exploited.
As well as the cybersecurity risks you’ve just outlined, IoT attacks can also introduce privacy and even physical security risks. Could you tell us about these?
Unless you’re a very important person, an attacker is not going to connect to a camera feed and look at your backyard. That’s not going to happen. Unless you’re some sort of journalist or public politician or something like that. [In those cases], it’s called a targeted attack, and then of course, that might happen.
But most of the time, what happens is, once you get root access to a device on the network, the potential is to access any other device on the network or just exfiltrate private information from that. Nobody’s going to stand there and just watch your camera, but they could harvest information out of your IoT devices. Once you get complete access to the device, it’s easy to do whatever you want with it.
Let’s say you’re using a Gmail address to sign into that particular device, and the same Gmail address with the same credentials—because you were lazy one day—to sign into your bank account. If I can find your Wi-Fi information, I can sell this information, and somebody else could run it, match it, and get access to banking information, and so on. So, there are different ways this data can be leveraged.
At the same time, you mentioned physical outcomes. That’s also possible. There’s a prevalence of solar arrays in residential areas right now. There are days when it’s super hot outside, the grid is failing, and there are outages. And now an attacker can disable a whole grid—let’s say the whole west coast—of one particular manufacturer [of solar arrays]. The grid gets taken down via an attack, and that’s a national security issue.
It’s kind of simple and lightweight to the end user, until it isn’t. If something takes down your home internet, and it gets a DDoS, and your ISP is calling like, ‘Hey, we’re disconnecting you because you’re doing shady things’ and then they resent you—that’s the extent of your concern. But it can go so much worse than that. Now, I’m not here to spread any FUD or anything like that, but it’s a real threat.
Most IoT attacks rely on already known CVEs that are included in automated attack toolkits. Although IoT firmware manufacturers are likely to know about these vulnerabilities, it often takes significant time for them to assess, patch, and deliver fixes for them. So, how can they go about preventing devices from entering offices and homes with those vulnerabilities in the first place?
That’s correct, that’s what’s happening most of the time. The unfortunate situation is IoT manufacturers have a pressure to put the product on the market and to create that revenue. And they will have to decide, if indeed we’re talking about a known vulnerability that’s already been reported, [whether to delay go-to-market and fix it]. But the scariest thing is that there may be zero days out there, which are completely unknown.
I think as a researcher (and we’ve actually released research on this as well), if I could do anything to change the world—if you could give me a magic wand and be like, ‘Dan, what do you want to do?’—I’d actually make vendors have a process where they can react really quickly to researchers reaching out and notifying them. Because, in our experience, the worst time we’ve had was contacting vendors and getting them to work with us on patching that vulnerability. There are always going to be vulnerabilities, and patching them isn’t easy. It’s not trivial, but it’s always doable, given enough time, and so on and so forth. But sometimes we reach out to people on Twitter or LinkedIn, to be like, ‘Hey, put us in touch with somebody in your company that can help us with this disclosure,’ and you can’t talk to anybody about it! So, it’s a tough process.
But long story short, I feel the pressure that the companies have prevents them from [fixing these vulnerabilities]. And I think many times, it’s probably either, they don’t really know the effects of the potential risks they’re putting on their customers, or they’re thinking, ‘We’ll deal with it when we need to deal with it.’
Is there anything that could encourage manufacturers to embrace this security first mindset? For example, governments enforcing some type of standard?
100%. When you build an IoT device of sorts, security is not what you’re providing. That’s not your priority; it’s just something you need to check, it’s part of doing business. And then you have to work with different frameworks and different platforms that you don’t control, and you have to trust that they’re doing a good job. Many times, startups and even larger companies don’t build everything from scratch; they go and talk to a SOC vendor, they’ll buy that, and they’ll buy the platform from somebody else, and so on and so forth. So, when they build that product together, there’s a Swiss cheese situation where they might have different [components with gaps between them].
So, their impetus is not fixing the vulnerabilities until they get pressure from the outside. And since this is not an impetus for most people, as much as we would like the government to stay out of free market business, the only way you can push this kind of stuff is through government regulation, unfortunately.
I think we’re in agreement that it’s impossible to fix all of the problems before these products go to market, unfortunately. So, what can organizations do to protect their networks from risks introduced by IoT devices, particularly those businesses that have embraced work from home or BYOD ways of working?
We’ve seen a lot of efforts from different companies around the ways to do it. So, for example, there’s a partnership that we have with Netgear; most of Netgear’s products, if not all, already include the Bitdefender IP stack called Netgear Armour. That’s available through the Netgear router.
In terms of recommendations, if the company is small and they don’t have a big IT service that will develop some sort of isolation service, the easiest way [to protect themselves] is to just use one of these routers with this IP security functionality that’s built in. Some ISPs already offer some of this technology within their CPS, so that’s one way to go, and of course, IT departments can use stuff like this, or completely isolate potential devices. But because there are so many, as soon as you introduce a VPN, the solution of isolating a particular laptop off that particular network, or completely setting it up separately on a different network, is a big challenge.
That being said, could you tell us about Bitdefender’s layered approach to stopping IoT attacks before they reach the vulnerable IoT devices in your network?
Usually what happens is, as CVEs get reported, we get the feed into the stack. And then we have a technology called Vulnerability Assessments where, as soon as a new device is audited, we shoot a notification saying, ‘Hey, this device is known to have these CVEs outstanding’ and give you a report. We also have a stack of technologies around anomaly detection, that basically learn the behavior of a particular device, and check to see if that device is doing anything anomalous. There are also other tools that are basically able to protect and prevent potential attacks on IoT devices, even though the vendors haven’t gotten the chance to patch them yet. It’s a proactive form of response, an intrusion prevention system that reduces the amount of attacks and prevents potential DDoS attacks as well.
It’s a little technical, but imagine a sandwich of tools that are trying to prevent things without us really knowing that vulnerability exists, maybe if it’s a zero day, for example. That’s a cool thing, because we get these questions a lot; somebody looks at the research we put out, and they see there’s some time between us telling the vendor, ‘Hey, we found this thing’ and the vendor patching it. Let’s say that’s two weeks or a month. So, people ask us, ‘What happens to the customers in the meantime, if they’re running the defence technology?’ And in most of these cases, because of the layers that I told you about—even though we don’t currently know as a product about the vulnerability—it should be able to detect anomalous behaviors and block these attacks.
Do you have any other words of advice to organizations concerned about the impact of unsecured IoT devices within their environment?
I’ll harken back to what we just talked about. If I could put a wish out there in the world for anybody, even if you’re not in charge of your own company, there are great examples out there of ‘vendor.com/security and privacy’ where there’s a PGP key and there’s an email, and there’s a dedicated person at the end of the line that is able to answer an email from researchers.
So I feel like, yes, we’re going to get regulation somewhere; the U.S. administration putting out the Cyber Trust Mark project is basically going to tag devices that respect some standards, and so on and so forth. So, there’s definitely a change towards this. Vendors are being more mindful.
But in the meantime, until we get there, I feel like if everybody could be a little more responsive, we’ll be in a much better place.
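Berte’s answer above about Bitdefender’s layered approach describes two checks that run before a vendor patch exists: a CVE feed matched against each audited device, and anomaly detection that learns what a device normally does and flags departures. The script below is an added, self-contained illustration of those two layers written for this page; it is not Bitdefender’s or Netgear’s code. Every device, advisory, address and flow-log line in it is constructed, and the CVE identifiers are placeholders of the form CVE-0000-NNNN rather than real entries.

```python
"""Added example (not Bitdefender's code): a toy version of the two layers
Berte describes, a CVE-feed lookup against a device inventory plus a
per-device behavior baseline. All devices, advisories, addresses and log
lines are constructed; the CVE ids are placeholders, not real entries."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Advisory:
    cve_id: str       # placeholder id, not a real CVE number
    vendor: str
    model: str
    fixed_in: tuple   # first firmware version that contains the fix


@dataclass(frozen=True)
class Device:
    device_id: str
    vendor: str
    model: str
    firmware: tuple


def parse_version(text):
    """'2.1.0' -> (2, 1, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


# Constructed feed: "vendor X, model Y is affected until firmware fixed_in".
ADVISORIES = (
    Advisory("CVE-0000-0001", "ExampleCam", "C100", parse_version("2.1.0")),
    Advisory("CVE-0000-0002", "ExampleCam", "C100", parse_version("1.4.2")),
    Advisory("CVE-0000-0003", "ExampleTV", "T55", parse_version("3.0.0")),
)

# Constructed inventory, as a discovery scan on the LAN might report it.
INVENTORY = (
    Device("cam-01", "ExampleCam", "C100", parse_version("1.4.2")),  # one fixed, one outstanding
    Device("tv-01", "ExampleTV", "T55", parse_version("3.0.1")),     # fully patched
    Device("nas-01", "ExampleNAS", "N2", parse_version("1.0.0")),    # nothing in the feed
)


def outstanding_cves(device, advisories=ADVISORIES):
    """Vulnerability-assessment layer: advisories whose fix this firmware does not carry."""
    return sorted(
        a.cve_id for a in advisories
        if (a.vendor, a.model) == (device.vendor, device.model)
        and device.firmware < a.fixed_in
    )


# Constructed flow-log format: one outbound connection per line.
FLOW_RE = re.compile(r"dev=(\S+) dst=(\S+) port=(\d+)")


def parse_flows(lines):
    """Turn flow-log lines into (device_id, (dst, port)) pairs; malformed lines are skipped."""
    flows = []
    for line in lines:
        match = FLOW_RE.search(line)
        if match:
            flows.append((match.group(1), (match.group(2), int(match.group(3)))))
    return flows


class BehaviorBaseline:
    """Anomaly-detection layer: learn each device's usual peers, then flag anything new."""

    def __init__(self):
        self.normal = {}  # device_id -> set of (dst, port) seen while learning

    def learn(self, flows):
        for device_id, peer in flows:
            self.normal.setdefault(device_id, set()).add(peer)

    def anomalies(self, flows):
        """Peers never seen for that device during learning; an unknown device is anomalous too."""
        return sorted({(d, p) for d, p in flows if p not in self.normal.get(d, set())})


# Constructed learning window: the devices talking to their usual cloud and NTP peers.
LEARNING_LOG = [
    "dev=cam-01 dst=192.0.2.10 port=443",
    "dev=cam-01 dst=192.0.2.11 port=123",
    "dev=tv-01 dst=192.0.2.20 port=443",
    "dev=nas-01 dst=192.0.2.11 port=123",
]

# Constructed live window: two known-good flows, two new peers, one garbage line.
LIVE_LOG = [
    "dev=cam-01 dst=192.0.2.10 port=443",
    "dev=cam-01 dst=203.0.113.5 port=23",
    "dev=nas-01 dst=192.0.2.11 port=123",
    "this line is not a flow record",
    "dev=nas-01 dst=192.0.2.30 port=22",
]


def assess(inventory=INVENTORY, learning=LEARNING_LOG, live=LIVE_LOG):
    """Run both layers and return one report a router or gateway could surface to the user."""
    baseline = BehaviorBaseline()
    baseline.learn(parse_flows(learning))
    return {
        "outstanding": {d.device_id: outstanding_cves(d) for d in inventory},
        "anomalies": baseline.anomalies(parse_flows(live)),
    }


if __name__ == "__main__":
    for key, value in assess().items():
        print(key, value)
```

The two layers are independent on purpose: cam-01 is flagged by the feed because its firmware predates the fix, while nas-01 has no advisory at all and is caught only by the baseline when it opens a connection to a peer it never used during learning. A production feed would key on something richer than vendor and model (firmware build strings, CPE names) and a real baseline would tolerate some churn, but the shape of the checks is what the answer describes.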
Thank you to Dan Berte for taking part in this interview. You can find out more about Bitdefender’s endpoint and IoT security solutions via their website.
About Expert Insights
Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.
For more interviews with industry experts, visit our podcast page here.