From IoT positivity to vulnerability and tragic death
It’s always good to hear that the Internet of Things (IoT) network is being expanded through some major deals, but the technology is still being damaged by security concerns. Business technology journalist Antony Savvas looks at developments.
IoT connectivity firm Wireless Logic has just signed a mobile virtual network operator (MVNO) agreement with BT Wholesale to help it boost its IoT services reach. It significantly strengthens the Wireless Logic IoT offering by combining its global network with coverage from BT Group’s 5G EE mobile network.
The partnership will enable Wireless Logic to offer “future proofed” mobile connectivity for businesses looking to deploy fleets of IoT devices.
Oliver Tucker, CEO at Wireless Logic, says, “We’re offering our customers in the UK and beyond the long-term security of access to EE’s services through our IoT global network.”
“With IoT spending expected to grow over 24% this year our partnership with Wireless Logic sets us both at the forefront of IoT innovation,” adds Alex Tempest, managing director at BT Wholesale.
With Wireless Logic having over 8 million active IoT SIM subscribers across 165 countries, this deal is one of many adding to the growing global IoT ecosystem, but it’s an ecosystem that still seems bereft of full security, as some of the latest research indicates.
Copy and paste risks
Hardware components from Broadcom can be found in numerous devices from leading vendors such as Cisco, DD-WRT or Linksys. But security firm IoT Inspector has just reported that “significant vulnerabilities” lie deep in the Broadcom software development kit (SDK), with security holes not having been filled for at least 10 years.
The vulnerabilities are said to have been a “common thread” throughout products built on Broadcom chip systems for more than a decade, says IoT Inspector, providing a welcome entryway for hackers.
“In addition to the issue of hardware without prior risk verification, what stands out here is how serious the consequences of copy-paste engineering can be,” says the researcher.
Florian Lukavsky, managing director of IoT Inspector, says, “Although Broadcom published a patch as early as 2011, according to our findings, leading manufacturers repeatedly build these vulnerabilities into products as they rely on a faulty version of the SDK.”
To date, Broadcom has not provided any information about which versions of the SDK are affected, as is the case with the previous Realtek chipset vulnerability (reported by IoT Inspector earlier this year), which was distributed hundreds of thousands of times worldwide through multiple vendors.
“The real vulnerability lies in the supply chain, as device manufacturers use third-party building blocks and install them without checking the source codes,” adds Lukavsky. “Things must change quickly to create transparency and force hackers on the defensive whenever possible,” he rightly says.
I approached Broadcom to get their response to IoT Inspector’s research, but so far they haven’t got back to me with any answers. This is no doubt an issue that IoT watchers will be following, but another one is potentially the world’s first IoT death as a result of a security breach.
A first IoT death?
Teiranni Kidd walked into the Springhill Medical Centre, Alabama, on 16th July 2019 to have her baby. As she did so, she had no idea the hospital was enveloped in a ransomware attack.
For around eight days, computers are said to have been crippled on every floor of the hospital, and a real-time wireless tracker that was used to locate medical staff around the place was also down.
In addition, patient health records were inaccessible, and at the nurses’ desk in the labour ward medical staff were cut off from the equipment that monitors fetal heartbeats in the dozen delivery rooms.
Tragically, the mother’s baby daughter was born with a severe brain injury and later died. The mother is now suing the hospital over what she claims were failures in the baby’s care resulting from the ransomware attack.
The lawsuit alleges the hospital didn’t tell the mother that systems were down due to the cyber attack, and subsequently gave her “severely diminished care” when she arrived to deliver her daughter.
It is believed some other patients were actually turned away from the hospital as a result of the effects of the ransomware attack.
If she had known that hackers had brought down systems, says the mother, she would have chosen to deliver the baby elsewhere.
According to the lawsuit, doctors and nurses missed a number of key tests which would have shown the umbilical cord was wrapped around the baby’s neck, leading to brain damage and death nine months later.
Cyber security company Recorded Future says around 850 healthcare networks and hospitals in the US have so far been affected by ransomware this year, so further potential risks to patients are clear.
What is also clear is that many of the IoT sensors in the health sector and other mission-critical areas must be better protected to help mitigate, manage and quarantine such attacks. The move towards zero trust network access (ZTNA) systems is gaining pace, as they are designed to prevent the lateral movement of ransomware and other attacks across networks after they have managed to breach security perimeters.
A six-hour global outage on Facebook’s various communications, data-sharing and advertising apps caused a mini-meltdown in some quarters last week, all because a basic networking upgrade went wrong. As we all increasingly come to rely on technology to run our lives, and perhaps even help to save them, the communications industry must do much better on both security and reliability.
The author is Antony Savvas, a global freelance business technology journalist.