The opportunities enabled by IoT technology are vast and diverse, with increased connectivity expected to transform the operations of major industries like healthcare, finance, and public infrastructure. Yet these possibilities come with heightened threats. Every day, the IoT attack surface expands as large numbers of new smart devices are connected to the Internet, with the number of active IoT devices expected to surpass 20.4 billion by 2020, according to Gartner.
The end of 2018 is still over two months away, but we can already point out at least 4 notable cases from this year that gave us a nice reminder of how essential security is for IoT. Here we take a look at the most shocking IoT security incidents that took place in 2018.
1. When was the last time you rebooted your router?
Last May, security researchers from Cisco Talos uncovered a Russia-linked botnet affecting at least 500,000 vulnerable routers and network-attached storage (NAS) devices located across 54 countries but primarily in Ukraine, suggesting political motivations. The takeover was made possible by malware called VPNFilter, which granted hackers control over infected devices, including the option of turning them off and taking them offline. Additionally, the malware allowed hackers to compromise user data by snooping on traffic passing through affected routers and, perhaps more concerningly, to learn about the software used to manage critical infrastructure. The situation escalated when the FBI intervened: first by encouraging router owners to immediately reboot their devices, install patches, and use security software, and then by announcing it had seized a domain used to sustain the botnet. While actively working on remedying the incident, the FBI called for worldwide support to take down the hackers.
Not only was this case shocking due to the massive number of infected devices, but it also suggested an alarming lack of consumer awareness of how to secure smart environments.
2. Steel alone won’t keep smart cities steady
We all know Rome wasn’t built in a day, but did you know how easy it can be to take down a smart city? This past summer, security researchers from IBM and Threatcare identified 17 vulnerabilities from four smart cities built on leading smart city systems deployed across the world. Out of the 17 zero-day bugs, eight were found to be critical. Many of the vulnerabilities were caused by elementary flaws in security design, such as allowing the use of default passwords and leaving networks unsecured online, making these systems accessible even for amateur hackers. Particularly concerning were the discoveries of authentication flaws and encryption issues in server communications systems, as both technologies are essential for preventing security breaches.
Much to everyone's relief, the smart city system developers behind the vulnerable products (Libelium, Echelon, and Battelle) took note of IBM and Threatcare’s research and have since released patches for the zero-days. With the number of IoT system vendors growing in a lax regulatory environment, it’s important for vendors and users alike to hold each other responsible and challenge their standards of security, especially when it comes to critical infrastructure.
3. DIY keys for luxury cars
Despite having a pretty clean record in terms of critical security flaws, Elon Musk’s electric car venture Tesla made the headlines last month when its Model S cars were discovered to be vulnerable to a key fob attack, which is a technique often used to steal high-end cars. A team at KU Leuven University in Belgium was able to clone a Model S key fob and then use it to unlock and drive a test vehicle. Using just $600 worth of radio and computing equipment, the researchers could learn the vehicle’s identifier transmitted by the car, and then trigger a response from the key fob by impersonating the car. Using the response pairs, the researchers were able to narrow down the real keys that could be used to impersonate the key fob. More specifically, what made Tesla’s key fob technology so vulnerable was its reliance on an easily crackable 40-bit cipher and a lack of mutual authentication.
Tesla promptly responded to the reports by clarifying it had already rolled out more robust cryptography for its Model S key fob system in June. Along with the statement, Tesla further proved its commitment to security by officially announcing its bounty program to encourage researchers to report their findings without having to worry about potential legal backlash for hacking into Tesla’s cars, managing to contain any potential damage to corporate image caused by the key fob security scandal.
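To make the "lack of mutual authentication" point concrete, here is an added example (not Tesla's or the researchers' code) contrasting a fob that answers any challenge with one that first checks the challenger. The class names, HMAC-SHA256 and the 128-bit key are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # bytes; fixed length keeps the MAC input unambiguous


def tag(key: bytes, role: bytes, n1: bytes, n2: bytes) -> bytes:
    """HMAC-SHA256 over a role label and two nonces."""
    return hmac.new(key, role + n1 + n2, hashlib.sha256).digest()


class OneWayFob:
    """Weak pattern: answers any challenge from anyone in radio range."""
    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        return tag(self.key, b"fob", challenge, b"")


class MutualFob:
    """Answers only after the challenger proves it knows the shared key."""
    def __init__(self, key: bytes):
        self.key, self.nonce = key, None

    def hello(self) -> bytes:
        self.nonce = secrets.token_bytes(NONCE_LEN)  # fresh per attempt
        return self.nonce

    def respond(self, challenge: bytes, car_tag: bytes):
        fob_nonce, self.nonce = self.nonce, None  # single use, blocks replays
        if fob_nonce is None or len(challenge) != NONCE_LEN:
            return None
        expected = tag(self.key, b"car", fob_nonce, challenge)
        if not hmac.compare_digest(expected, car_tag):
            return None  # unauthenticated challenger learns nothing
        return tag(self.key, b"fob", challenge, fob_nonce)


class Car:
    def __init__(self, key: bytes):
        self.key = key

    def unlock(self, fob: MutualFob) -> bool:
        fob_nonce = fob.hello()
        challenge = secrets.token_bytes(NONCE_LEN)
        response = fob.respond(challenge, tag(self.key, b"car", fob_nonce, challenge))
        expected = tag(self.key, b"fob", challenge, fob_nonce)
        return response is not None and hmac.compare_digest(expected, response)
```

With a 128-bit key and a fob that stays silent until the car's tag verifies, a party without the key gets no responses to collect and no practical key space to search.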
4. When the heart just keeps skipping beats
If you’ve kept an eye on recent developments in IoT, chances are you have heard about vulnerable healthcare devices. In January 2017, two renowned security researchers disclosed severe vulnerabilities in the Medtronic CareLink 2090, a monitoring device that doctors use to control pacemaker settings. Again, poor authentication and encryption features left the device software vulnerable to malware infections. When the researchers shared updates on the case at the 2018 Black Hat conference last August, many were shocked to hear that some of the vulnerabilities still persisted. This was despite the researchers having notified Medtronic of the security flaws 570 days earlier and delivered a proof-of-concept 155 days earlier, as of August 9.
In most cases, vendors tend to step up when vulnerabilities are disclosed to the public, even if they did not actively respond to any research shared in private. Yet as this case shows, vulnerabilities can remain unaddressed for extended periods of time, even when dealing with something as sensitive as medical devices that could be used to threaten patients’ lives.