Last year, we saw the Mirai attack, in which IoT devices and digital cameras were used in a distributed denial-of-service (DDoS) attack on the DNS servers on the East Coast. This attack disrupted services from Netflix, Amazon and others for several hours. The example of Mirai should be a wake-up call to our businesses and the central commerce systems of the U.S. If devices can be compromised and turned into a botnet army of robots that causes systems to stop functioning, we can start to imagine what type of damage can be triggered by a systematic attack on businesses and U.S. commerce. These botnet attacks would be as costly as the natural disasters we have seen with Category 5 hurricanes attacking the U.S. economy today.
As we think about cyberattacks in the IoT space, all markets and verticals have the same vulnerabilities. The attacker intends to make a platform behave differently than it was intended to. The attack may be a virus similar to Mirai that causes a DDoS, a chipset vulnerability that lets the attacker remotely control functions of the device, such as Wi-Fi, or the exfiltration of data from the network through malware deployed via the IoT device.
The technology industry has a few areas of concentration that are priorities: device design and device monitoring. In device design, security by design must be a priority in all IoT devices, regardless of value. As an example, an IP camera produced in large volume for mass distribution and a sensor for our critical infrastructure should both, in theory, have the same security objectives — prevent third-party attacks. To be fair, a sensor monitoring a nuclear power plant may be subject to both manufacturing compliance and security evaluation. However, the basic concepts of device protection and prevention of attack should be commercialized in any IP-connected device. We can argue that IP-connected lightbulbs are just as big a cyber-concern as a heart monitor. The attackers are looking for the most vulnerable connected device from which to deploy their attacks.
For example, an article this week mentioned that an infusion pump used in critical care and neonatal care was subject to a communications attack. The attack allows the pumps’ communications to be hijacked. The responsiveness of the manufacturer for a real remediation was lackluster; the corrective action was network segmentation, static IP addresses and complex passwords. Similarly, there was a recent recall of pacemakers where the patients were asked to visit their physicians for a firmware update to correct a life-threatening flaw where an attacker could give malicious commands to the device.
These examples are as serious in our businesses as they are in medical devices. Another concerning example is in the GPS communications segment. Cyberattacks on ships’ navigation could intentionally cause maritime accidents. Whether these are military, shipping lane or commercial targets, they are all extremely damaging. There are examples of GPS hacks for tollway fee evasion, hacks to employee tracking in telematics systems, and even more complex nefarious attacks in GPS jamming or GPS spoofing. Attacks on radio frequency signals are different from those on IT systems; however, attacks on GPS devices are similar to IT system issues in that assessment and monitoring are good tactics.
Attackers can issue malicious commands or enter networks to exfiltrate data. As mentioned above, the design of IoT devices is critical, including updating patches and continuously monitoring the devices. We watch device behavior to understand when devices are acting differently, as this is a sign of a cyber-event.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.