Private networks can help minimize the risk of cyber attacks for IoT applications through bypassing the public internet.
By Risa Takenaka
IoT, or internet of things, refers to any system of interconnected computing devices, machines, or objects that can communicate and transfer data in real time between one another without requiring human or computer interactions. IoT devices are connected to one another and to a cloud infrastructure through a wireless network, most commonly the public internet. The potential use cases for IoT systems range across industries, but one of the most cited barriers to adoption include the lack of security.
There are different kinds of security issues related to IoT systems, but the device types posing the highest level of risk are those that can be hacked to give virtual access to a network. For example, a physical device like a HVAC unit can be tampered with to bypass a building's physical security, and can open up access to virtual targets such as the company's data center. These IoT devices are ubiquitous, and can have particularly damaging effects when hacked, because they bridge the gap between the physical and cyber realms. Below are examples of what an actual attack on IoT devices can look like.
IoT devices often lack the regular software security updates that a computer has, which means that hackers can easily take advantage of bugs and other weaknesses. This makes IoT devices particularly vulnerable to botnet attacks, which is when an entire IoT system and the devices within it become infected with malware. While a single infected IoT device typically does not pose any serious threat, a group of them can bring down even the most sophisticated systems. During a botnet attack, a hacker creates an army of bots by infecting them with malware, and can use them to perform malicious activities such as leak credentials, gain unauthorized access, steal data, and deny services to authorized users via a distributed denial of service (DDoS) attack.
One of the most well known instances of an IoT botnet attack was the Mirai bot attack in 2016. Over 600,000 vulnerable IoT devices including CCTVs, home routers, network attached storage units (NAS) were infected and directed with requests to bring down the popular Internet infrastructure company, Dyn, which provided services to platforms like Twitter and Netflix. The hackers successfully carried out one of the largest DDoS attacks to date, which resulted in a massive internet outage for much of the East Coast.
Here are some other examples of how botnets can be used to carry out malicious activities:
Industrial IoT devices within manufacturing plants, transportation systems, and water treatment facilities can be hacked to threaten the availability of these services for many people. For example, a cooling and heating system can be triggered at the same time to create spikes on a power grid and leave cities without power.
Infected IoT devices can be used to mine cryptocurrency, redirecting CPU resources to benefit the hacker. IoT botnet miners can easily flood and disrupt the crypto market through a heavy influx of newly mined cryptocurrency.
With IoT, data is always on the move. The IoT enabled devices which transmit, store, and process data could be a smart thermostat, HVAC, TVs, medical devices, or many other possibilities. The issue with privacy and security is that these devices often send the collected data to the cloud without any encryption.
These attacks can be especially dangerous for industries like healthcare and banking, which regularly utilize private and confidential personal information. For example, let's take a medical IoT device that monitors blood pressure and informs physicians to prescribe personalized treatments based on these metrics. A hacker who gains access could compromise or alter this information, which would put the patient's health in danger and block access to proper care. In an industry like finance and banking, information like card numbers or pins can be compromised and lead to fraudulent activity. Data integrity is critical because someone's financial identity could very easily be compromised with this information. The overarching risks related to data security should be taken seriously, even for IoT use cases that lie outside of these specific verticals, and IoT providers should take all possible precautions to minimize their security risks for their services.
It is difficult to secure each and every IoT enabled device connected to a network because of the sheer number of these devices, and this means that hackers can access an entire building through compromising just a single physical device within it. Here are some other examples where building systems were the final targets of reported attacks:
A casino was hacked via the Internet-connected smart thermometer in a fish tank.
In Austria, hackers gained access to, and disabled electronic key systems in a hotel, and demanded ransom for guests to regain access to their rooms.
Two apartment buildings in Finland were targeted in a DDoS attack, where a hacked IoT device targeting the heating system for the buildings left residents in the cold.
In healthcare IoT, connected medical devices such as remote care biometric sensors, blood pressure monitors, and insulin pumps operate as IoT systems. These devices are valuable because they can allow medical professionals to remotely manage patients' treatments in a personalized manner, or administer medical fluid such as insulin or saline automatically. However, these devices can be extremely risky because of their potential impact to harm patients in the case of a cybersecurity issue.
For example, an insulin pump manufactured by the well-known medical device company, Medtronic, was recently recalled because of its vulnerability to cyberattacks. Specifically, the wireless communication between the pump, and other devices such as blood glucose meters, provides an avenue of attack by hackers to gain remote control of these devices. This could have potentially deadly implications because an unauthorized person could change the settings of the pump, which could lead to overdelivery or under delivery of insulin. Furthermore, insulin pumps often have capabilities to integrate patient data into electronic health records, which means a hacked device can put the whole database at risk of a breach.
IoT point of sales devices such as card readers and pin pads collect data that can be used to hack credit cards or steal personal information at scale. Late last year, millions of point of sale payment devices made by the two largest manufacturers in the industry were found to contain vulnerabilities that made them susceptible to hacking. The weaknesses were twofold:
The first issue was that the IoT devices used default passwords that allowed people with physical access through a "service menu." Hackers could easily navigate the functions on these menus to write malware onto the terminals. Once the malware was written, it could capture the credit card information of anyone who used the device afterwards.
The second issue was that, despite the fact that the card numbers were encrypted, the encryption took place in the same internal system that was already compromised by the malware.
IoT is a relatively new technology trend, and there are many unsolved challenges to ensuring security. Some of these include factors mentioned above, such as the lack of automatic software updates on devices and the widespread use of default passwords. In addition to these challenges, there is also a lack of user knowledge on the widespread damage that can be done when IoT devices are collectively hacked.
Software updates, which usually offer a line of defense against cyber vulnerabilities, are not widely used in IoT devices. Part of this is due to the fact that the multiple OEMs involved in manufacturing and producing these devices are often misaligned in the proper steps for providing software updates. Furthermore, many devices have low processing power, which is just enough to execute the tasks that they are used for. While pushing security updates is straightforward if a device is on your network, updating devices via the Internet can be a more sophisticated process.
Many OEMs involved in IoT device manufacturing and production lack the proper knowledge on best security practices. This leads to the use of default login and passwords at several stages of the production-supply chain, which continue to be used after implementation. As a result, weak or hard-coded passwords are prevalent in large scale IoT applications. The Mirai botnet referenced earlier was possible because of household IoT devices that were shipped to customers with default passwords, and which did not include instructions to change the passwords before installation.
While there are several barriers to securing IoT applications, that is not to say that there are no steps to minimizing these risks. Many security issues of IoT devices trace back to the fact that these devices are connected via the public Internet, where there is a large surface of attack for hackers to find and act on vulnerabilities. One solution that answers to this specific aspect of the problem is to leverage a private network to connect your IoT devices. By connecting devices directly to a corporate network, they can avoid touching the public Internet altogether, which means they will be less targeted and less likely to be found by hackers in the first place.
Private networks can help minimize the risk of cyber attacks for IoT applications, and it also makes it easier to update passwords to SIMs because it makes two-way communication more seamless. Thankfully, Telnyx Private Wireless Gateways offer a self-service, simple solution to empower businesses to connect their IoT devices as securely as possible. With a platform that makes it possible to buy, provision, and deploy IoT SIMs for your devices -- whether it's 10, or 50,000 -- Telnyx Wireless offers an out-of-the-box solution that puts security at the forefront.
Ready to try Private Wireless Gateways in beta? Sign up for a Telnyx account to order your SIM cards, or head to our step-by-step tutorial to set up a Private Wireless Gateway on your SIMs!
Related articles