Convergence of Things: Tech Trends Meet for the Good and the Bad with Ulf Lindqvist
Dr. Ulf Lindqvist reports in from the Computer Science Laboratory at SRI International where he’s the Senior Technical Director managing research and development. Focusing on critical infrastructure systems, including specialized systems in the Internet of Things, Dr. Lindqvist established and leads SRI’s infrastructure security research program. Yeah, so we’re pretty interested in the good doctor!
In this episode, Brian and John explore the path from academia, the right to repair, and the long timeline of researchers. Dr. Lindqvist describes what goes into a device lab — and it turns out you don’t just drive a car into it for connected vehicle testing.
John Vecchi: Hello everyone. You’re listening to the IoT Security podcast live on Phosphorus Radio. I’m John Vecchi.
Brian Contos: And I’m Brian Contos. And we’ve got a really special guest today. Joining us is Ulf Lindqvist. Welcome to the show, Ulf.
Ulf Lindqvist: Thank you, Brian. Happy to be here.
Brian Contos: So Ulf we’ve known each other for over a decade I guess now, maybe even close to two. It’s been a while. But you have an amazing background and I was hoping you could share with our listeners a little bit about how you came up and eventually how you got into cybersecurity and what it is exactly that you do now.
Ulf Lindqvist: Yeah. Absolutely. I’ll be happy to, Brian. So I’m in the computer science laboratory at SRI International, which is an independent nonprofit research institute where we do world-leading innovation to make the world a better place. I started in Sweden where I grew up. I went to college there and I took a class on introduction to cryptography and I thought that was completely fascinating. I loved the sort of the puzzles, the mind games that comes into protecting data from active adversaries. And then in my last undergraduate year, they had a new class in computer security and I was fascinated by that. I really wanted to work on that and I got the opportunity to get into the PhD program there with a professor who had started the computer security class and that really changed things for me.
It was wonderful to be able to do research in this area that I was really interested in. Started with attack analysis and then I got a chance to spend a summer at SRI and work on intrusion detection research and that sort of became the second half of my thesis. And as soon as I graduated in Sweden, I moved to California, started working at SRI and I’ve been there ever since. Actually, today is the anniversary of me moving to California 23 years ago.
Brian Contos: Oh wow. Wow. Congratulations. Yeah.
Ulf Lindqvist: Thank you.
Brian Contos: That’s awesome. Well what I love about your story from academia to SRI and moving forward is there’s been a constant thread of research throughout it. I mean you always seem to be on the cutting edge of not the next thing but usually the next next thing, which is really great. And I remember, boy, it might have been 10 years ago, you and I were chatting about IOT, maybe a little less than 10 years ago. And one of the things that you brought up were automobiles and you were talking about things that nobody was really thinking about that I think it was right to repair in some of those devices. Could you talk a little bit about that? Because it was at the time you were the only one talking about this and then it turned out to be a huge topic.
Ulf Lindqvist: Thank you Brian. I think you’re giving me a little too much credit, but I’ll take it. Well first of all, generally I think it’s very important to be forward looking and I make this point as often as I can. So my job is to be in research, it takes time to sort of analyze what the problems, challenges, gaps are, figure out how to get that kind of research funded and started. And then you do the research and then what we call technology transition, getting the technology from the lab and out for testing pilot deployments, validation in the real world and finally into products. And that’s a long cycle that can easily take, at best case maybe five years but more likely 10 years, which means we have to be looking at the problems that are coming at us 10 years from now, not just looking at the problems that we have today because if that’s what we’re addressing when we start the research, we’re going to be 10 years behind when we finally get something that’s working and deployable.
And there are few places that have the charter to have this long-term outlook and that’s one of the things I really like about SRI and other research labs that we need to be looking at what’s coming down the road. And specifically for vehicles, we’ve seen of course enormous development not just in self-driving vehicles but generally connected vehicles and the whole right to repair issue. We need to be able to have some transparency into what these 50, 100 or more computers in a vehicle are actually doing. A lot of people categorize a car these days as a computer with wheels rather than a traditional car.
John Vecchi: Fascinating, Ulf. And can you tell us a little bit about the lab itself and when you test these, do you actually bring in the vehicles? Where is the lab located? What are the kinds of different… in order to do research that forward looking on different types of the attack surface how do you actually… what does the lab look like for our listeners who are trying to visualize that?
Ulf Lindqvist: Yeah, so with vehicles that’s a bit challenging because of the logistics around that. So we haven’t done much on hands work on an entire vehicles, more like parts of it and working with various partners that have lab facilities. We do have an fairly large IOT security and privacy laboratory at our headquarters in Menlo Park. I’m based in San Luis Obispo, California down the coast right between San Francisco and Los Angeles. We have a smaller lab facility here where we work on various kinds of devices used in industrial settings, in consumer settings, that kind of thing. But we’re not as much as an underwriters lab that sort of taking devices and pull them apart. We do some of that, but we’re particularly looking at what’s coming down the road when these devices interact with each other in unpredictable ways using physical channels.
And a classic example that we recreated in our lab, it was discovered by some related researchers, but we demonstrated that in our lab as well is if you hack into a smart TV and can get that to through its speaker, issue voice commands that are actually inaudible to humans using ultrasound, but then that gets picked up by a device like a Amazon Echo or Google Home device or Siri and gets interpreted as if it was a human speaking it.
You’re sitting there in the room, you can’t hear that this is going on, but your TV is actually telling your Alexa to do something. I think that’s a fascinating example of unforeseen interaction and how attackers can abuse these devices in ways that were never really anticipated.
Brian Contos: That’s amazing. I love that story because it’s just out there. Most people wouldn’t think of that as a line of attack. And I remember a few years ago, it might have been about eight or nine years ago, there were some researchers at a university that had found a way and they wrote an algorithm that if they were able to record somebody typing on their keyboard based on pattern analysis and which keys are used most commonly and what’s the space bar sound like and all that, they’re able to actually basically snoop on somebody just hearing them type on their keyboard, which I thought was really, really cool. It’s not like they make different sounds, but just the algorithms and the pattern discovery, anomaly detection, all that type of thing kind of come into play and you just see these really interesting use cases. But that went with the sound coming for your speakers. That’s just crazy.
John Vecchi: That’s crazy. Yeah.
Brian Contos: I remember I was with you in your office in the Bay Area before you had moved down to slow and your desk was just covered with different types of IoT devices, stuff you’d see in the enterprise, stuff you’d see on the consumer level, a pretty good mix. I’m wondering what types of things do you have in your lab today? What kind of maybe newfangled IOT devices are you working with right now?
Ulf Lindqvist: So one challenge is that some of the clients we work for don’t want us to talk about what devices we’re looking at. But I think one fascinating one we looked at a couple of years back was this neurostimulator device basically looking like the kind of headphones I’m wearing now, but also had electrodes that go onto… that touch your scalp. And the whole idea between these types of devices was to stimulate various parts of your brain with electricity and it was used by athletes who wanted to get better movement in their throwing arm, that kind of thing. And of course we were thinking what if you hack into this thing, can you actually zap someone’s head by greatly increasing the voltage or current in this thing? So we set out with an interesting experiment, we outfitted a styrofoam head with some electric sensors and went at it and we were able to increase-
Brian Contos: Did you melt the head off? Was there a melted styrofoam head in your office?
Ulf Lindqvist: We were sort of hoping for that for effect, but didn’t quite get there. No sparks flying, but we did manage to double the voltage I think, which was certainly concerning. But things like that, and this sort of really brings us to one reason why we are passionate about this area and making sure to secure these kinds of systems because they interact with the physical world. A lot of IoT devices are sensors, which could also be serious because the sensor data is used to make decisions. And if you affect the sensor data you can have other effects. But there are devices that actually have… that are actuators that have a direct effect on something physical, whether they control the brakes in your vehicle or if it’s this thing that’s actually electrodes on your head or if it’s a therapeutic device or if it’s… performs some other critical function. This is where it gets really important that these devices are secured against malicious manipulation.
John Vecchi: And we call it, we refer to the entire area as xIoT mostly because… and we estimate, and there are various estimates, but the estimates we look at upwards of 50 billion or more of these connected devices. And from an xIoT perspective that’s extended internet of things, which includes enterprise IoT devices, printers, phones, cameras, all the things you think of, network connected devices like wireless access points and switches and load balancers and all those kinds of things as well as, as you mentioned some classic cyber physical systems and Gartner calls it cyber physical for the reason you mentioned, things like PLCs and HMIs and SCADA devices and robotics and all those kinds of things. And so it’s very broad, it’s very big and it encompasses a lot of devices. Many of them, which we will probably cover today are very vulnerable and then not really looked at and kind of not too considered too terribly much. But when you think of the span of those, how do you grasp that from a research perspective? The span, I mean the amount of those devices, how do you even grasp that from devices?
Ulf Lindqvist: Unfortunately we don’t have unlimited resources, so we have to pick and choose things. And I should mention at SRI we work for clients, often government clients, the agencies within the Department of Defense, Department of Homeland Security and National Science Foundation and others. And we also work for commercial companies. So that sort of directs some of the priorities in terms of what we’re looking at because as fun as it is to do research, we need to get that funding from somewhere as well. So that helps with the directions. But we’re also, as I mentioned before, we try to do this really forward looking approach where we see, okay, so what’s going to be coming? What’s going to be important some years from now? And of course one of those things is with devices getting smaller and smaller, you can imagine a lot of implanted sensors in the body that could actually measure things in your joints, in your blood vessels and so forth.
And that’s obviously an area of concern because suddenly the technology gets very personal when it’s actually implanted in your body. We also have a lot of interest in aerospace related applications, whether it’s drones, swarms of drones, or going further away from the surface of the earth into space. There’s a lot of growth in space right now, especially with these large constellation low orbit arrangements that can provide a lot of new capabilities for other applications, high precision navigation and timing, ubiquitous connectivity, all those kinds of things. So some people even talk about an internet of space things. So that’s certainly an area of high interest.
Brian Contos: I mean a satellite’s an IoT device, it just happens to be moving really, really fast.
Ulf Lindqvist: Right.
Brian Contos: But when you were talking about the increasing the voltage times two on the styrofoam head and the swarms of drones, it reminded me last year I was at a dinner with some folks from the University of California School System. So I think most of our listeners know the UC System’s made up of all the University of California School. So you’ve got Berkeley, UCLA, UC San Diego, Irvine, on and on. And couple issues that they had is they have… let’s take the football team for example. They have very special nutrition and dietary regiments that they have to follow and they have basically these protein shake machines that looks like a traditional soda machine, but it’s specific to each individual player in their needs. The quarterback might have a gluten allergy and the defensive ed might need extra vitamin C or something. And everything’s very carefully measured and it’s customized for the individual.
And there was a fear that before the big game, the person that has a allergy to whey just drank a whole shake full of whey or something like that and now they can’t perform. And it’s these edge use cases if we… and to think, come at it from a cybersecurity perspective, but we start thinking about how these devices are used and they’re interacting with the individual. You see, it really has a profound impact and can impact human safety health. In that case, you could potentially even kill somebody if they’re drinking something they’re allergic to. And the other one they were talking about were drones and this whole idea of you’ve got a whole bunch of people at a big football game, you could have 10, 20, 30,000 people there and there’s a swarm of drones that if each drone is connected to some type of weaponized aerosol spray or some other kind of apocalyptic idea, how do you deal with that? What do you do to address that?
Is it a giant net? Is it other drones to take out these drones? Is it some type of radio control frequency net or something like that? And these aren’t questions that I think most people considered. You probably did, but most people didn’t consider just a few years ago. So all that to say this, what are some of those apocalyptic use cases or what’s the next drone or poison shake machine idea that you see that’s maybe not here right now but coming around the corner?
Ulf Lindqvist: Yeah, I’m not sure I want to give the bad guys more ideas than they already have, but I think I’ll speak in more general terms. Any technology use can be misused and we have to make sure that we think that way. And I think for anyone who’s actually been personally targeted by attackers, when you actually see that they’re adapting to what you’re doing in your organization, they might impersonate your boss or your coworker to try to do some phishing. When you realize that they’re actually looking at you, this is not just a broad attack, they’re coming after you, imagine if that was in the physical world or that they were messing with a system that you depend on, whether it is your protein shake maker or your car or whatever that is, that gets pretty scary pretty quickly. And then an area that I want to mention that we’ve started to look into is quantum computing.
I know that’s not exactly IoT, but it’s out there, it’s an emerging area, it’s going to be coming at some point. It’s not really practical yet. But one can also imagine when quantum computers do become available, they can do much more accurate simulations of physics and materials and chemistry. And of course the issue that we’re worried about in cybersecurity that they could easily break the encryption that we’re using today. You can imagine a lot of nefarious uses of that and therefore it’s important to monitor that and come up with ways to ensure that those kinds of very powerful systems can’t be misused. So I think I’ll leave it at that and not invent new terrible ideas on the fly here.
Brian Contos: Leave Hollywood for that.
John Vecchi: What about alpha? I mean is there a sense, do you look at vectors that are happening today to give you insight to what might happen in the future? So for example, we talked about drones. And you’ve seen ripping from the headlines, we’ve seen recent stories of hackers leveraging drones and they’re loaded up with incredibly sophisticated equipment including a raspberry pie and other things. And then they’ll land these drones somewhere near a building or a roof and they’ll hack into… they’ll proceed to kind of attack from that drone. So you’re seeing some ways that drones are being used as a vector for attack, leveraging IOT devices. Are those things you look at that maybe help you see what might happen in the future? Or are you just so far ahead that the vectors of today hardly even matter much?
Ulf Lindqvist: No, I think what we’re seeing is a convergence of various technologies. They’re things that are developed separately, but some creative people, whether they’re doing it for good or for bad, can put together and make it work together. The drones work well because of miniaturization of electronics, the availability of navigation services, advancements on the software side in AI and autonomy sensors, all those kinds of things. You know might be running your drone through virtual reality headsets as all the development in extended reality there as well. So all of those things coming together, which can do great things, but as we’ve seen used with some creativity in the current war in Ukraine, strapping explosives, bombs to the drones and use civilian commercial grade drones as weapons and quite effectively. So I think we need to again, look at the convergence of things, look at how things are being used creatively, both to do great things, but also how they could be used for bad purposes.
So I think that’s the view of what could be coming on the threat side. We should never underestimate the organization, the creativity, the patience of some of the adversaries out there. These are most often not stupid criminals unfortunately.
Brian Contos: A topic that’s been coming up a lot, and I’m wondering if this is crossing your radar, is smart buildings, smart ships, which are pretty much like smart buildings, but they float. Smart cities. And when people say that, what that really boils down toward building management systems or building automation systems, BMS or BAS. I was recently in Krakow Poland, I was speaking at one of the B sites there. And the BMS and BAS systems were coming up a lot. There was a lot of talks about it, there was a lot of discussion after the fact in the hallways, people were really focusing on this. And it ran across everything from general building automation and lighting and HVAC and access controls and fire suppression systems and so on and so forth. Is that something that… I’m wondering, are your clients interested in that and having and the team investigate that or is something that you personally have looked into and started analyzing?
Ulf Lindqvist: Yeah, we’ve looked a little bit into building management systems, there’s of course a great interest into that from a energy savings sort of green energy renewables perspective. If you can really control the building’s energy usage, much more fine grained than we have today. Of course there’s energy savings to be made. And you can look at this concept of smart cities where various integrated IOT based systems can sense today we got this many commuters coming in on the roads on mass transit. This is the time when we need to start pre-heat or pre-cool the building and be prepared, which might be even more important when you have a more, should we say unpredictable flow with more people working from home part of the week, that kind of thing. So lots of gains to be made there. But then of course you can look at privacy issues.
If the building management system owned by the employer knows that now Steve has now spent 20 minutes in the break room and another 20 minutes in the bathroom, does that play into decisions made by the employer or not? There’s a lot of privacy issues going into that. And then of course the security issues and we’ve probably seen Hollywood scenarios, but they’re not too farfetched where imagine a massive cyber attack on a data center and at the same time the doors are inaccessible, the support staff can’t even get into the data center to turn things off. So again, lots of use cases where we have to look through both the possibly questionable use of seemingly good technologies and then the outright bad use of those.
John Vecchi: And Ulf, I mean obviously as you said, you’ve got specific clients who are funding your research. Is any of your research available for just general enterprises and others to read or is it very specific for them? Is it public in any way? How does that work when you actually publish research?
Ulf Lindqvist: Yeah, no absolutely. We definitely publish publicly in conferences on websites and so forth our research to the extent that we can. And even when we do proprietary work for specific clients, we always try to carve out the more general findings to make sure that we get permission to publish that to inform the world and bring the science further. This is a very important part in scientific research that we can actually share results with others and others can build on those ideas and we can build on their ideas and move further. We participate in public conferences and so forth. So to the extent we can, we certainly do. Our publications are available through Google searches and in scientific forums and so forth. So we always try to spread the knowledge as much as we can. Of course some work is more sensitive or proprietary than others. And when you’re in the area of security that tends to relate to things like specific vulnerabilities and so forth. But we always try to share as much as we can as part of our mission.
Brian Contos: Ulf, let’s switch a little bit to attack types. And when we’re talking to our customers about xIoT and they come back and they tell us what’s happened to them or what they’re most concerned about, it kind of falls into three general categories for xIoT. It’s one, it’s attacks that impact the physical world and we’ve touched on a few of those things. So impacting a fire suppression system or locking or unlocking a door, using a security camera to spy on somebody with audio and video, things that have physical world ramifications. The other one in these opportunistic attacks if you will, these are things like the Mirai Botnet from back in 2016 where I’m just like, “Hey, it’s going around.” You’re saying, “Hey, is this a camera? Does it have telnet open? Does it have the default password?” Boom, I’m going to upload some mal or I’m going to add you to a botnet.
And fast forward a couple days, a couple weeks now I’ve got this massive button that I can use for DDoS, malware distribution, phishing campaigns, what have you. So those are those opportunistic ones. And then the big one that’s really been hitting hard, and this was highlighted in some Mandiant research called Quiet Exit, which is where attackers will use traditional methods to get in onto an IT device such as a phishing campaign. And they target you, they get on your laptop. But once they’re on the laptop they very quickly look for an xIoT device, a network attached storage, a wireless access point, voiceover IP phone printer, so on and so forth because they know they can maintain persistence and they can evade detection there. And once there, they use that to attack IT assets, sniff traffic, exfiltrate sensitive data, usually over ICMP or some other protocol.
But they’re essentially using it to attack the IT network. And what we’re seeing is yes, people get the physical world attacks, they know that’s a problem. The opportunistic stuff like botnets, it’s a problem for xIoT, it’s a problem for IoT. But these new attacks that get in through IT hide in xIoT and for sometimes years they’re hiding because no one’s paying attention. And the attack surface is huge because why installing one printer when you can install on 10,000 printers because they’ve all got default passwords or vulnerabilities that could be exploited easily and then they’re attacking your IT infrastructure. That’s the one that our customers are really, really concerned about. And I’m just wondering from your side and your research, is that kind of the leading concern? Is that those pivot attacks that could affect the IT side or is it still more the physical world or those opportunistic bits?
Ulf Lindqvist: Yeah, that’s a good question. So I don’t really have the data to… the others, you quoted that to sort of see what’s most prevalent. But in terms of how to manage that kind of issue, I think we really have to accept that anything, any device today is a networked computer. Even a cable can have processing in it, in the plugs and so forth. And we have to treat it accordingly because humans tend to do abstractions and simplify things. You see something that looks like a computer, that’s a computer. But they may not think that the copier, the printer, the thermostat, the cable are also computer devices and should be treated as such. And if they’re computer devices with computing capabilities, some persistent memory networking, of course they can be used for exactly what you described for an attacker to gain a foothold and a persistence.
And then you can never really get rid of the attacker in your network if you can’t control and monitor these devices and clean them out as needed. I think that’s a great challenge. And there are things generally related to the whole IOT field that applies here where we got these huge numbers of devices, they’re all different, they’re heterogeneous, and in the same… we only have to worry about a couple of desktop or laptop operating systems or even for mobile devices. But for IOT devices there’s so many different systems and configurations, the devices move around, they have long lifetimes, they get deployed and sometimes forgotten and they just hang around your network. So it’s very important to be able to manage these devices to be able to see what you have on your network, what they’re running, how they’re behaving, all those kinds of things. So yeah, great concern.
John Vecchi: Yeah. And when you look, I mean you’re looking very, very far ahead, Ulf and we’ve talked about just the amazing numbers of these devices, billions of them. And there’s stats that say every minute, there’s hundreds more getting connected to the network every minute of every day and it’s just really growing. But yet, I mean if you ask the common person on the street, what’s IOT, they probably won’t be able to tell you what Internet of Things… what’s that? Although they know very much if you tell them the kind of devices they have and then it clicks. And the enterprise much more aware of it. But as we’ve talked about, still don’t really consider, don’t really quite think about things like… when we see a camera, we see a Linux server. They don’t think of it that way. All of these devices, do you think they will catch up? When will kind of the world, both on the enterprise side and the kind of consumer side kind of begin to really understand the magnitude of the number of devices, what they’re doing and the necessity to secure them?
Do you see that kind of happening eventually? And kind of when? Because I know you’re looking pretty far ahead.
Ulf Lindqvist: Yeah, the hardest thing is to predict human behavior, but I think it really helps with some concrete demonstrations. If we look back at the vehicle security, we had these two hackers, Charlie Miller and Chris Valisek and before them, some folks at UC San Diego and other places that did some very tangible demonstrations of, “Okay, we’re going to hack your car and we’re going to show you what you can do.” And that really, I think opened the eyes for both professionals and the public of, “Oh yeah, a car is actually a hackable computer.” And I think we can see some of that demonstrations both publicly and within companies will help people understand that, as you said, your little camera is actually a Linux server, just like the one that looks like a traditional computer. So I think that will help some, but it also… the miniaturization of devices makes it harder.
How can you even think that a cable that looks just like a connector also has a computer in it? So we’re not making it easier for the humans here by all making things smaller and smaller and smaller. And of course the size of a camera today could be almost invisible and that makes it harder to conceptualize this for people. So I don’t know, I don’t have any really good answers there other than for the people who manage and deploy these systems to give them the right tools and information to be able to control this and make the right decisions.
John Vecchi: Yeah, interesting. It comes back to research in some instances, doesn’t it? To demonstrate this, it’s people, organizations like yours, companies like ours, doing research that can demonstrate the potential of this. And it sounds like that’s the way people pay attention and to actually show them, and it’s interesting, it kind of comes back to conducting research and actually showing that to the world so they can understand the potential.
Ulf Lindqvist: Yeah, right. Absolutely. There’s great value in show and tell for sure.
Brian Contos: Well I think Ulf, you said it a few times, and John you as well, that if you show somebody a picture of a server and a picture of a printer, a voiceover IP phone, a security camera, and a door lock, and you say, which one of these is running Linux? Most of them will probably default to the server and they don’t realize that hey, all of these devices are, and some are running Android or BSD on the OT side, VxWorks and there’s certainly a few different flavors, but these are popular operating systems. And a lot of the times I actually ran across in our own lab that we have at Phosphorus, a security camera that was more powerful than my laptop. It had more storage, it had more RAM, it had better… in fact, I would like it to be my laptop. But it was a very powerful Linux server, but it was just purpose-built to do.
I believe it was running Ubuntu, but I might be wrong. But it just happened to be purpose-built and it’s version of Linux was several years old, so it was loaded with vulnerabilities and it had all sorts of problems, but that’s what it was. So you could log into it, you could SSH into it, you could FTP, it was even running TFTP, HTTP, HTTPS. It was wired and wireless, it had everything opened. And these are powerful devices. And then I think about that and I think about what you just said Ulf about the miniaturization of these devices, and sometimes it might just be on a cable or it might be something that you… it’s hard to even see with the naked eye at some point and probably exists today, especially for some of the biohacking items out there. It just really kind of lays out the importance of… the term attack surface management takes on a whole new level when you start considering these types of devices and their capabilities beyond what we’ve traditionally looked at from an IT sec perspective, I think.
Ulf Lindqvist: Yeah, absolutely. Now I agree, and I should also mention that we’re working on technologies to do more of building security in from the beginning, which has always been a challenge. But there are technologies for actually building more high assurance, trusted systems. It tends to take more time, cost a little bit more, but there are technologies like I need to mention something called CHERI. It’s an capability based architecture that SRI has developed together with University of Cambridge in the UK, which is a fundamental new way to design a computer architecture. And this is now actually being adopted by Arm and they have shipped prototype processors where you can experiment with this new type of architecture where that basically eliminates a lot of the memory safety issues, for example, those types of attacks. And there are other methods, other technologies to eliminate whole classes of attacks. So on the bright side, we talked a lot about the vulnerabilities and bad things that could happen, but there are ways to design systems that will significantly raise the bar and provide a lot better security. So we’re of course developing methods like that for future systems as well.
John Vecchi: And do you think all those types of guidance and methods, will it make its way into policy? Do you touch on that? Do you see that at all? So I mean you look in the EU, they’ve got some… starting to have more on the consumer side, but starting to require actual manufacturers to try to think about security, things like this. Is there a policy side that you see here with some of this for manufacturers for example?
Ulf Lindqvist: Yes, I think there’s an important policy side. We don’t work that much directly on policy things, but we communicate with people who do that. We’ve seen some improvements lately as a California legislation requiring some minimum security for new IoT devices sold here in California, not having default passwords, that kind of thing. There’s a standard called Matter that has to do with interoperability between devices, but also security is a very recent effort coming out of the White House on security labeling for IoT devices. All those things we’ve argued for a long time are now starting to happen. It’s too early to see what kind of impact that will have, but at least that’s moving in the right direction because you have these simple problems for consumers in particular, but for business users as well. If I go out and buy new type of IoT device to put into my network, how do I even know what that’s going to do for security? How do I know with what kind of rigor this device was developed? How’s that going to change my security posture when I introduce it into my network?
Is it going to make things better, worse, or the same? Those things are just really, really difficult for even knowledgeable people to figure out. So we’re hoping to see some improvements there and some minimum requirements for security would certainly be helpful on the policy side, I think.
Brian Contos: Yeah. Well Ulf we could literally continue talking for hours and hours about this dear, what you’ve done on the research side is just so fascinating. But before we close out here, I will ask you one last question and I’m really interested in your response because you come at this from a researcher’s perspective. But for those of our listeners that are working in large enterprise and government organizations and they’re concerned about XIOT security, any kinds of words of advice for them and whether it’s thought process or approaches or things like that that you can leave them with?
Ulf Lindqvist: Yeah, that’s a challenging one of course. I mean it’s sort of the same advice as for a lot of other things. Try to make sure your systems can be updated. This is a big challenge because we know vulnerabilities are inevitable. They will be discovered after some time in all kinds of systems. Make sure that you can actually… that there are ways to update your systems and figure out what to do if the manufacturer stops supporting those devices that you depend upon. And one thing we don’t talk enough about is sort of the phasing out end of life for IOT devices. We call it obsolescence, sun setting, that kind of thing. Figure out what is your planned lifetime for this system or device. How can you safely, securely, gracefully decommission it once its time is up? The data that you collected, can that be safely transferred to your new system?
All those kinds of things, because we tend to deploy things and then to some extent forget about them and not really think through the whole life cycle. And then it’s the whole issue of transparency in devices. If you have a choice between vendors and some vendors actually tell you exactly how they protect your data, what they do with the data, how they enable you to secure your devices against intrusions versus the ones who just say, “Oh, this is easy to deploy, just push the button and don’t worry about it.” It might be better to trust the ones who actually tell you what they’re doing. That’s the best I’ve got at this point.
John Vecchi: I love it. Well that’s fantastic advice Ulf, and it’s been wonderful to have you and it’s great that you could join us. So again, thanks Brian, our host and Ulf, thanks very much for joining us today.
Brian Contos: Thank you, John.
Ulf Lindqvist: Thanks for having me.
John Vecchi: And remember everybody, the IoT Security podcast is brought to you by Phosphorus, the leading provider of proactive full-scope security for the extended internet of things. And until we meet again, I’m John Vecchi.
Brian Contos: And I’m Brian Contos.
John Vecchi: See you next time on Phosphorus Radio.