Billions of industrial IoT devices could be flawed

IBM’s X-Force Red hacking team discovered a vulnerability in a series of IoT chips that can be exploited remotely, leaving billions of industrial, commercial, and medical devices at risk.
28 August 2020

  • IBM identified vulnerabilities in a series of IoT connectivity chips used in the medical, energy, and manufacturing sectors
  • The security flaws could be loopholes for bad actors to exploit

By 2025, the number of internet-connected devices used globally is expected to reach up to 55.9 billion. Wherever this technology is deployed (in factories, hospitals, airports, public spaces, or homes), the proliferation of the Internet of Things (IoT) shows no sign of reversing, and the security of these devices therefore matters a great deal.

Recently, IBM’s X-Force Red hacking team discovered a vulnerability in a series of IoT chips that can be exploited remotely, leaving billions of industrial, commercial, and medical devices at risk. The discovered security flaw affects Cinterion EHS8 M2M modules developed by French maker Thales. 

The EHS8 modules are designed for industrial IoT machines that run in various sectors such as manufacturing, energy, and medical. Their main purpose is to provide secure communication channels over 3G and 4G networks.

Thales is one of the key manufacturers of the components that smart devices need to connect to the internet, securely store information, and verify identities. The French company reports that its devices connect over three billion things every year globally, and that more than 30,000 organizations rely on its solutions.

As part of its ongoing research, the IBM team found that attackers targeting the EHS8 module can exploit it remotely and gain complete control over the machine hosting it. This poses a serious threat, since EHS8 modules store sensitive information such as passwords, encryption keys, and certificates to enable communication. Attackers who break in using the approach IBM identified could “potentially control a device or gain access to the central control network to conduct widespread attacks – even remotely via 3G in some cases.”

In the medical field, bad actors would be able to manipulate medical devices to cover up concerning vital signs, simulate fake panic attacks, overdose patients, or disrupt essential life-saving functions. In the energy and utility sector, hackers can manipulate smart meter readings, knock down the power supply, and even damage a power grid. 

Thales has been working with IBM since the vulnerabilities were discovered in September last year and has released a security patch for the affected devices.

Bearing in mind the dire consequences, IBM X-Force Red suggests several steps organizations can take to mitigate the risks. Companies should consider what kinds of data are stored in internet-connected devices that are vulnerable to cybersecurity risks, and whether there is a safer alternative. In addition, cybersecurity teams can add an extra security layer to all connected devices by actively analyzing device activity and detecting suspicious behavior.

Companies can consider employing a hacker to identify any security flaws or unpatched areas. In the hacking community, there are a few categories of hackers, and their purposes are denoted by the color of their ‘hats’. In this case, white hat hackers, also known as ethical hackers, generally help companies seek out vulnerabilities in systems and devise a plan to strengthen the security fortress.