
Aseem Jakhar, Cybersecurity Entrepreneur, Technologist, and Founder of EXPLIoT, joins Phillip Wylie to address the current state and evolution of IoT and hardware security, examining why security has lagged in this sector compared to other technological advances. By exploring regulatory changes, practical security considerations for both researchers and consumers, and the expanding avenues for learning, Aseem emphasizes the urgent need for awareness, compliance, and practical know-how. The conversation also highlights the importance of AI in enhancing security research and provides actionable guidance for securing connected environments.
Transcript
Aseem Jakhar: People get all excited that, oh, this is a backdoor that might be or might not be. You can’t say that that is a backdoor unless it is being used for something bad. So I think all devices do that, all products do that. So there’s really no way of pinpointing and saying that, okay, this is a backdoor and this is not.
Phillip Wylie: So, thank you for joining us on this episode. Today I’m excited to be joined by Aseem Jakhar. Aseem is a co-founder of Nullcon and Hardwear.io, as well as a hardware and IoT security researcher. In this episode, we discuss IoT security, the safety of Chinese devices, as well as how you can learn security research and how to better secure your environments. I hope you enjoy this episode. Yeah. Today I’m excited to be joined by Aseem Jakhar.
So Aseem and I have been connected through social media for many years, but we didn’t get to meet until the RSA conference this year, and I was fortunate enough to run into him during Black Hat and DEF CON. So Aseem’s got a really cool background. It’s not often you find people with the IoT and hardware hacking background. And one of the things that really surprises me about that is, I remember back around 2012 how the IoT thing was really taking off. I was consulting at AT&T. We were getting training on IoT security. And it’s just one of these things that it’s strange that with AI, it’s really taken off. With cloud, it really took off, but security around IoT just seems to, at least here in the US, really hasn’t caught on.
So welcome to the show, Aseem, and kind of, what are your thoughts on that, why it really hasn’t seemed to take off? I mean, you see the international perspective, so you see things outside the U.S. My experience with hardware and IoT security is mainly related to here in the U.S.
Aseem Jakhar: All right, first of all, thank you for having me here, Phil. Really excited and honored. It’s true. I think even I started around the same time, 2012, 2013. I was doing a lot of mobile research, specifically on Android. And then all of a sudden we started seeing all these devices pop up and research was coming up, and that’s how I got into IoT and hardware security. And I thought it was going to be a boom. However, the main issue of security, or implementing security in IoT, has been really around compliance and regulations, which actually didn’t come up till recently.
So, you know, there were a lot of startups coming up with really cool products, like anything you just put in a computer and it becomes IoT, anything from a fridge to a toothbrush to whatever you can think of. And all of them were trying to reach the market because hardware had become cheap, so anybody could prototype and then reach the market. And interestingly enough, there were no compliance or regulations that could stop them from selling. And I think that was probably the major reason why nobody cared about security, because nobody’s asking for security. Right. And then I think around COVID or after COVID, things started to pick up. A lot of countries were doing their own work around regulations, and that’s when Singapore came up with something. Europe has come up with something, the US came up with the...
Phillip Wylie: The.
Aseem Jakhar: IoT Star, or I forgot what it’s called. That all happened post COVID. So I think now is the time where we are going to see a lot of security being built into these devices. There have been a lot of regulations, but mostly around safety, if you talk about automotive and medical as well. And I think we are seeing now the FDA is also coming up, revising their cybersecurity guidelines and standards. So I think now’s the time when people are going to realize that they have to put security in because otherwise they won’t be able to sell their products.
Phillip Wylie: Yeah, that makes perfect sense because, even if you look at just your standard infrastructure and web application pen tests, that really didn’t catch on too much until PCI required it. And one of the good things about regulation, you know, some people don’t like regulation, but the good thing about regulation is it does require some kind of security and safety and it does put things on people’s radar, because before PCI, a lot of companies didn’t know that they needed to have a pen test done.
Aseem Jakhar: Exactly.
Phillip Wylie: So just out of curiosity, you’ve seen things evolve over the years, kind of. What’s your opinion of IoT? One of the things I wanted to interject before you comment is one of the things I think people don’t realize is how long IoT has actually been around. I was thinking about that before the call because I was thinking about some of the footholds that we used to try to get as a pen tester. We would try to see what we could get credential-wise from printers, network-connected printers. And you think about it, there have been network-connected security cameras, there have been a lot of devices that were connected before the term IoT came about. So it’s kind of interesting that people sometimes view it as a new technology, but it’s really not.
Aseem Jakhar: As it happens with every technology, unless and until someone comes up with a jargon for that technology, you don’t recognize it. And then that technology becomes sandboxed. So whenever somebody talks about IoT, they say, oh, you do IoT, but you don’t do like OT device security or defense equipment security. We don’t want IoT security. We don’t want this embedded device security. So they don’t realize that the way you define IoT, or at least the way I define IoT, is something that bridges the gap between the physical world and the virtual world. Like something that can take commands virtually and then do some operations, either controlling the physical world or reading some stats or data from the physical world and then converting it into virtual data as well. So cameras, printers, they’ve been around and they do exactly what an IoT device is supposed to do.
So I think it’s more to do with the jargon rather than the technology per se.
Phillip Wylie: Yeah, that’s a good way to describe it. You have all these devices come up and no one really thought to categorize them. So it’s interesting to see. One of the things I find interesting, though, is, going back to what I mentioned about printers being connected devices on the network and you’re able to get credentials from that. People, pen testers and threat actors alike, are able to gain footholds through devices like printers. So sometimes, I think, when people are securing their IoT environments or thinking about IoT security, they don’t really realize how it’s affecting their IT infrastructure.
Aseem Jakhar: Yep, yep, yep, yep.
Phillip Wylie: So it’s kind of interesting, because one of the things too that I wanted to make sure to discuss with you is, so you really must be all in on the hardware and IoT stuff, because you’ve co-founded a conference, Hardwear.io, and fortunately I was able to go to the one in the US this year. It was kind of funny, the week before that, my manager came up and said, hey, could you be at this conference? And it was funny. It was one that I learned about a couple years ago and I got asked to go. And so, yeah, I was excited because the nice thing, you know, working as an evangelist or working in any capacity at a startup, sometimes you’re working a booth at a conference. So I thought, you know, well, it’s cool, I get to work the booth, I’ll still be there. But it was really nice because I got to go as an attendee, because we were sponsoring the CTF. There wasn’t a booth, which was kind of nice. So I was excited to get to join.
So kind of tell us a little bit about Hardwear.io. What kind of inspired that and how long have you been hosting the conference?
Aseem Jakhar: Yeah, so we started the conference in 2015, and before that, the way I got into the industry, or let’s say on my own, was through a conference called Nullcon. We started that in 2010. That’s when I left my job at IBM and then started working on the conference. And then we started consulting as well, because you have to do something the whole year; because it was a yearly conference, we needed to have something to do in the other months. But so Nullcon quickly picked up in India and then we were looking at expanding Nullcon, and then we looked at the US, Europe, Asia, and we were thinking of doing Nullcon outside. And then we realized that there are already a lot of extremely good conferences in the US, in Europe and in other parts of Asia as well, which are kind of similar to Nullcon, which deal with cybersecurity on a broad level. That was around the time when I had started researching IoT. It was quite interesting.
And so me and my co-founders were discussing, and I thought, hey, why don’t we look at the hardware and IoT security space? Because we have been doing a lot of research and work already in this area. And then we started to search for conferences around hardware and IoT security. And interestingly, there were extremely few, very few conferences, and most of them were more academic focused. And so that kind of inspired us to do a hardware-focused conference, but not focused only on academics, but more focused on the practical implications. Kind of like how we did Nullcon, to talk about attacks, talk about mitigations, but from a practical perspective. And that was the reason that we started Hardwear.io. So we looked at a lot of places in Europe and then eventually landed in the Netherlands, where the municipality of Den Haag said, if you guys plan to do the conference here, we’ll support you. And so that’s how we got started in 2015.
Phillip Wylie: Yeah, you definitely filled a niche that needed to be filled because, like you mentioned, all these other conferences are broadly based. They’re not really focused in on certain areas. So it was definitely needed. And one of the things that was, you know, really, really cool being there, because it was nice to see that you had Joe Grand there teaching, you know, some courses and stuff. And so anyone that doesn’t know who Joe Grand is, look him up. He is a really well-known hardware hacker and he’s helped some people recover their crypto wallets when they have lost them. So there are some good YouTube videos on that. So just the quality of speakers and researchers was very, very amazing there.
One of the things I found interesting, comparing Hardwear.io to other security conferences: you go to a lot of the security conferences, there are a lot of people standing out in the hallways during talks doing lobbycon. But there, people are in the rooms, you know, watching the talks, participating in the trainings, which is really kind of a difference. I mean, not to say people weren’t socializing, because whenever there were breaks, whenever there were dinners and that kind of thing, people were there. But it was really interesting that people were in there, you know, taking advantage of the talks. And maybe part of that is because of the lack of conferences that offer that type of content.
Aseem Jakhar: Yeah, yeah, yeah.
Phillip Wylie: So you host two per year. So you do one in the Netherlands and one in the US, or do you plan to expand beyond that?
Aseem Jakhar: We haven’t decided. We’re looking at other places as well, but we haven’t fixed a timeline yet. Maybe something in Asia or maybe in India, but not decided yet.
Phillip Wylie: Yeah, very good. It’s good that you offer that. And so I’m hoping next year I get to go to the next one. So with your expertise, there’s really, you know, being in IoT and hardware hacking, there are a lot of people interested in it. So what’s your advice to anyone that wants to learn, you know, hardware research, IoT research?
Aseem Jakhar: Okay. So, yeah, so I had a difficult time when I had started because there was no good free source of knowledge for hardware security specifically. So I did what everyone does in security. I just bought devices, looked at random videos, tried to hack something, read up continuously, read up on different protocols, different things, and learned. And so, yeah, I pretty much did it using random devices, random videos, random blog posts. And then I started offering trainings as well. So I did practical IoT hacking training at Black Hat and other conferences. And then it struck me that the subject itself is quite vast, I mean, not even including the cloud part or the mobile part, just the device part.
If you look at it, it’s quite vast. And the amount of knowledge, I don’t think a single person can have the knowledge when it comes to being able to effectively do security research or security analysis on a device. Even if you look at it in simple terms, there are three major attack surfaces on a device. You have the code, which is the firmware. You need reverse engineering and software security knowledge for that. You have the hardware; you need hardware and hardware security knowledge for that. And then you have the RF interfaces like Bluetooth Low Energy, Wi-Fi, LoRa, Zigbee, Z-Wave, whatever. You need specific RF knowledge for that.
So the knowledge is quite vast. So what I started to do was, when I started writing some blog posts and then combined them, we created a free ebook, which is also available on our store as well, on EXPLIoT. And then, so when I used to do training, I used to carry a lot of different devices like smart bulbs and routers and cameras and whatnot. And then even if I’m doing the training for 20 people, 20 of each is too much to carry. So then what we did was we looked at the attacks, and I looked at what are the basic things that somebody needs to know when they want to learn how to go about analyzing an IoT device. So what we did was we created one board, we call it the DIVA board or vulnerable board. And we put most of the stuff in that single board.
So now those 20 of each device became 20 of these boards, easy to carry. And then you can do everything on the same device. So we created challenges which are specific to different hardware interfaces. So you can run, for example, you want to do something on JTAG, you can run different labs and learn how you analyze JTAG, how you interact with JTAG, similar with other different interfaces, to kind of make it easier. And you need to put a structure to the knowledge, otherwise it becomes like chaos. You don’t know what you’ll be reading next or what you should be reading next. So yeah, so I agree it’s quite difficult, but I’m just trying to put a structure to it.
Phillip Wylie: So how can people find your training?
Aseem Jakhar: So we have online trainings now, video-based trainings. If they go to our website, expliot.io, we have links to our e-commerce store where you can find the board. We have a kit we call the EXPLIoT kit, which is kind of like a DIY learning kit. So you get the kit, you get the lab manual and you can start, and you can learn anywhere, anytime, on your own. You don’t need anything else that’s not on the store. So it’s store.expliot.io, and then we have video-based trainings which are on academy.expliot.io, all talking about different subjects like hardware hacking, firmware hacking, automotive hacking, ARM reverse engineering, which is required because most of the devices are ARM devices.
And so yeah, so it kind of helps people to kickstart their career or knowledge or experience in IoT security.
Phillip Wylie: Yeah, very interesting. It’s something I want to learn more about since I work for a company that does that type of stuff. But one of the things that I found interesting was, you know, talking to you around DEF CON, seeing some of the things that you were doing with our CEO and founder. And I know you guys do some research for us, and one of the things I found interesting is it seems like you’re getting into AI for your research.
Aseem Jakhar: Yeah, yeah, yeah. Everybody’s doing AI, so why not? I have honestly found AI extremely helpful. Extremely, extremely helpful in saving time. I won’t say that this is the end of the world and, you know, AI can do everything, but if you are smart enough, I think you can make AI do something in minutes which will take you maybe a day or maybe a week to do. AI is very good at analyzing and then giving you options to automate. So I think it’s extremely, extremely helpful to shorten the time span on your research. You still need to put your head in, because AI doesn’t know what it doesn’t know, and so that’s where your skills come into the picture. So we are trying to use AI for a lot of firmware analysis right now and it’s been quite helpful.
Phillip Wylie: Yeah, it’s interesting that you mentioned that, because one of the things too is, for anyone listening or anyone playing around with AI, you kind of have to understand whatever you’re trying to automate or scale, because if you don’t understand it, you’re not able to build the prompts out. And this has totally nothing to do with security or technology. But recently, you know, I’ve been in powerlifting for many years, lifted weights for many years of my life. And I wanted a new routine, and so I was able to feed into it: this is my age, these are my health concerns, these are my goals that I want to improve. And it came out with a really in-depth workout routine and diet routine compared to some of the things you may just see online. But from what I’ve seen, you really just have to know the subject.
So correct me if I’m wrong. So if you don’t know anything about IoT, it’s going to be very difficult just to depend on AI to help you with that.
Aseem Jakhar: Yeah, I mean, AI will do exactly what you will tell it to do. So you have to be smart enough to ask the right questions.
Phillip Wylie: So what’s kind of your favorite AI platforms to use?
Aseem Jakhar: I think for most of the sensitive part, I just use local, like I use Ollama a lot. Otherwise, for coding, I’ve tried Copilot and Cursor, both are good, and in general I found Claude to be, I don’t know, I was using ChatGPT for a long time and then I tried Claude and I think personally I find Claude better. I don’t know the exact reason, but I think it gives better answers.
Phillip Wylie: Yeah, that’s kind of been my experience too, especially for writing. I think I like Claude better than ChatGPT and just kind of the way it formats stuff.
Aseem Jakhar: Yeah, yeah, yeah, yeah.
Phillip Wylie: And so for anyone, you know, kind of to share some information for folks that may not be interested in security research, but they just want to have a more secure connected environment with their IoT devices or OT. So what are some of your recommendations for people to secure those devices?
Aseem Jakhar: Exactly. You look at the traditional home and office automation devices, there is not much that the users can do from their end when it comes to securing the device. The devices are typically used for automating some stuff, and the whole idea is that there should be no human in the loop, right? It should be self-sustainable and should be provisioned easily. So it won’t give you God-level access to, let’s say, oh, you want to do this, you can set rules and this and that. But I think there are certain things typically that you can do in terms of whatever the device provides you with. Specifically around privacy: look at what data the device is asking for and whether you have a choice to restrict some of the things; prefer not to enable things which you think are giving away a lot of data to the device, and take care of updates. Updates are something that users can control.
If the updates are not automatic, then I think you just need to make sure that there is an option to update the firmware on the device, typically through the mobile app. I think one of the other issues is destroying the device. Like once you are done with the device, it still holds, most of the devices will still hold at least the Wi-Fi credentials of your device. I think most of the vendors don’t wipe that information out, or there’s no option to wipe it out, unless there is a factory reset which will reset everything. But try and delete that, or if you’re destroying it, make sure that it’s not usable by anyone or extractable. So always try and find a factory reset or a way to delete the credentials, or if there’s any other information on the device, and just destroy it.
Phillip Wylie: Yeah, it’s kind of interesting thinking about the security of these devices, because the US government was really worried about TikTok and the information being gained there. But in my opinion I’m more worried about some of the hardware that comes out of that region phoning home information, because I heard about one of these streaming boxes that you could buy from China, that you’re able to stream different video content, and I’ve seen cases where people were, you know, monitoring those devices and they were phoning home to China. So I don’t know what your thoughts are, but I’m more worried about these hardware devices than TikTok.
Aseem Jakhar: Yes, I mean, I’ll agree on that. I think there’s no way to essentially put a stop to this behavior, because there has to be a way, technically there has to be a way for a device to phone home for updates or for anything. Right. So it will connect back. How that will be used, I think, typically will be if someone is trying to target some person, a well-known person. But I think I don’t see that there is a clear solution for this.
Phillip Wylie: Okay, so are there any kind of safeguards someone could put in place with these types of devices?
Aseem Jakhar: Again, I don’t see where there are options that you can choose on these devices to say, okay, don’t phone home. You won’t see an option like that. Maybe trying to stop it on a specific region, try and stop outbound connections to those regions. I think that’s more or less what you can do from a user perspective.
Phillip Wylie: Yeah, I would think if you’re using these devices in your home, it might be a good idea to put all your IoT devices on a different subnet. That way it’s not on the same subnet as your computer or maybe your home NAS.
Aseem Jakhar: Yeah, yeah, yeah, yeah, exactly.
Phillip Wylie: So it is interesting that you bring up a point. So that’s kind of good. Something I never thought about was that these devices are going to phone home regardless. So it may not always be nefarious. So it could be a legit need to phone home for some of this hardware, which is kind of interesting to hear, because any time you hear about people talking about the hardware doing this type of thing, it always seems like it’s, I don’t know if they didn’t do enough research on it, but it’s not always nefarious. But it’s kind of interesting to hear that point of view, because I know you’re not saying that that’s not the case, but it is good to keep in mind that, you know, you just have to research deeper to find out what it’s actually doing when it’s phoning home.
Aseem Jakhar: Yeah, yeah. I mean, sometimes there are legit reasons, but people get all excited that oh, this is a backdoor that might be or might not be. You can’t say that that is a backdoor unless it is being used for something bad. So I think all devices do that, all products do that. So there’s really no way of pinpointing and saying that, okay, this is a backdoor and this is not.
Phillip Wylie: Yeah. So it kind of goes back to, in your environments, kind of having that zero trust mentality, not to trust anything. Yeah, yeah. So that’s a pretty interesting point. But so as far as consumer-type IoT devices, is there any guidance and advice you’d give anyone that’s maybe buying some connected devices for their home?
Aseem Jakhar: I think right now, I think it’s still a year until these regulations are going to be mandated, but I think once they do, then a good way would be to look at devices which comply with these regulations. Right now there is no way, when you look at the device, you can say that it is secure or not secure. So maybe, I think, vendors that are trusted, you can look at vendors that are trusted, and if there is information available on security updates for the device, because that is also now being, so these regulations. Let’s talk about the regulations first. So these regulations are mandating some of the things for the vendors, like end of life has to be clearly mentioned, updates have to be clearly mentioned. Like till when are they going to receive software and security updates? When is the end of life of these devices? The vendors are mandated to have a vulnerability disclosure program. So for technical users it’s easy to verify when they’re going to look up the company, whether they have all of this, or look up the product, whether it has this. But I think once the regulations kick in, then at least the big players will be motivated to quickly get their devices compliant, trusted.
Plus, if they have all this information available in the product catalog or on their website.
Phillip Wylie: Yeah, that’s very interesting, and it’s good that the regulation is starting to bring about awareness of these devices, and so hopefully that will drive the security of these devices. So we’re getting down close to the end of the episode. Do you have any closing comments you’d like to share?
Aseem Jakhar: I think for folks who want to get into IoT and hardware security, if you’re not from a hardware background, I don’t think that really matters. You just need to decide on the area of IoT security that you want to focus on. So you could be focused on firmware, for example, which requires a little bit of knowledge. Or if you want to focus on hardware, then you can study hardware and then hardware security. Or you can just completely go on the wireless and the RF side and learn more RF. If you want to specialize, I think the best way is to focus on one area, read up on everything, whatever you like, focus on that area. I think that’s the best strategy when you’re trying to learn. And from a user perspective, I think there are certain things that you can do which we’ve already discussed in this.
There are limitations in terms of what security you can see on the device. If you see security features on the device, I think make sure that you kind of enable or tick the best practices. Last thoughts? Even though regulations will come, I think we’ll still see a lot of vulnerabilities on these products, because regulations have been around not just for IoT but for software as well, or technology as well. They’ve been around forever, but we still find zero-day vulnerabilities in systems. Right? So it’s not a one-stop-shop solution for security, but at least these devices will start removing the low-hanging fruits, at least so they’ll not be easily hackable by any random guy on the Internet.
Phillip Wylie: Well, I appreciate you joining us today. This was fun chatting with you, and I look forward to the next time I see you in person. Hopefully next time we’ll get more time to chat. And for everyone watching today, please like or subscribe and share this with your friends, because one of the best things we can do as security professionals is share important and useful content with our peers and friends. So thank you for joining us on this episode. If you enjoyed this episode, go to phosphorus.io, where you can find past episodes of the podcast, blog posts, white papers, and information on our product that helps ease your IoT and OT security needs. So thanks, and we’ll see you on the next episode of the IoT Security Podcast.

Author
Phosphorus Cybersecurity