IoT roundup: A wide-scale security flaw and energy-sector botnets
One of the most fascinating parts of the IoT space is seeing new applications for what is, at core, a fairly simple technology spring up every week. Everything from rat traps to race cars to smart buildings to wildlife photography can fall, in some way, into the general category of IoT.
A new report from UK-based IDTechEx details one such growing market – the monitoring and measurement of water quality and delivery systems. The research firm said that the market just for sensors in water pipes is set to reach $3.5 billion in revenues in the next decade, and that the technology to help keep drinking water safe and available is relatively mature already.
The idea of these automated systems is relatively straightforward. Data on flow rate and pressure in pipes can be correlated with current events to identify times and places in which the system is strained, the report said. Acoustic sensors can identify the dripping of leaky pipes, and chemical sensors can detect whether harmful compounds are present where they shouldn’t be.
IDTechEx said that there are, of course, barriers to the widespread adoption of IoT sensors and frameworks in the water treatment industry, mostly centered on initial investment. There are already high barriers to entry in the field, and even a simple system of automated sensors requires some up-front cost. Yet, particularly in light of the current pandemic, removing the need for maintenance workers to be in the field with their current degree of regularity, speeding up the identification of potential contamination and a host of other advantages outweigh the initial spending.
These benefits are best understood not as brand-new capabilities in and of themselves – water utilities clearly already have the ability to perform safety checks and analyze their systems – but rather as a way to make those tasks much easier and cheaper to perform. As part of a broader smart city initiative, IoT could be a great fit down in the water mains.
M2M communication devices patched
An IBM security team announced this week that it has helped to patch a serious vulnerability in millions of IoT devices manufactured by French defense and industrial giant Thales. IBM’s X-Force Red said that, in September 2019, a flaw was discovered in the EHS8 M2M module, a system-on-a-chip that features GPS and 3G functionality, and is used to build connectivity into devices used in industrial, healthcare and a range of other fields.
Thales advertises that it connects more than 3 billion IoT devices, and while not all of its products are affected, the IBM researchers said that more devices beyond the original EHS8 could be vulnerable.
The team from IBM found that it was possible to bypass security features built into the module, potentially allowing a bad actor to discover confidential information, access a company’s back-end network or even meddle with the functionality of devices connected via the EHS8.
Working with Thales behind the scenes, IBM helped to create a patch for the vulnerability, which was completed in February. The patch can be distributed over-the-air, but many affected devices aren’t equipped to receive updates that way, so users of some of those devices may have to install the patch via USB. Thales has worked to keep affected customers in the loop, but IBM has urged businesses to investigate their supply chains and patch any devices that might be vulnerable.
Botnets, now with added electricity
Researchers at Georgia Tech said earlier this month in a presentation at Black Hat that IoT botnets could be used to manipulate energy demand, by turning large numbers of connected devices on or off at the same time. This could be leveraged by unscrupulous businesses to profit from a slightly more predictable market, or by a rogue nation-state attempting to hurt the economy of a rival.
The proposed attack, according to the researchers, is called IoT Skimmer, and it takes advantage of the generally high level of insecurity among IoT devices, citing the Mirai botnet and other attacks as examples. IoT Skimmer, if put into practice, would be particularly difficult to detect, since it could keep individual devices close to normal power consumption, which could stymie even advanced, behavioral approaches to IoT security.
Most worrying is that such botnets may already exist, the researchers said.
“If you consider all of the smart thermostats and internet-connected electric ovens, water heaters, and electric vehicle chargers that are already in use, there are plenty of devices to be compromised,” said Tohid Shekari, a graduate student at Georgia Tech. “Homeowners would likely never notice if the EV charger turns on when electricity demand is highest, or if the air conditioning cools a little more than they expected when they are not home.”
The answer to a potential IoT Skimmer attack from a technological standpoint is based mostly on detection – smart systems, potentially based on AI monitoring, could create baselines for normal power usage and flag even small variations. But the real mitigating factor could lie in making energy-market data less readily available, so that bad actors would find it more difficult to disguise manipulation as normal variations.
READ MORE HERE