EP 52: Hacking Cellular-Enabled IoT Devices

Embedded devices need basic security measures like multi-factor authentication and unique credentials to reduce vulnerabilities and protect against cyber threats. Mauritz Botha, co-founder and CTO of XiO Inc., explains that cloud-based SCADA can update old systems and provide the visibility that’s currently missing.

As industrial enterprises lurch toward digital transformation and Industry 4.0, a new report looks at the security OT systems and finds it wanting. Grant Geyer, the Chief Strategy Officer for Claroty, talks about the findings from over one million devices in the field today, and what industries must do now to secure them.

I recently rode in a Waymo, Google’s self-driving taxi service, and it was fantastic. What if we took that vehicle off the safe roads of California and put it in a warzone like Ukraine? If it was captured, could the enemy get its data or its algorithms? Brent Hansen, Chief Growth Officer at Cigent, talks about the data risks associated with autonomous vehicles and remote servers, and how data security is essential in these in the field locations.

Imagine your best worst day during a cyber attack. Can you switch to manual systems in case of a failure? Has your team practiced for that? Dave Gunter, OT Cybersecurity Director at Armexa, discusses how a water and waste water utility in Kansas responded correctly to a cyberattack in 2024 by falling back to manual and issuing clear, and concise press releases to assure the public that their water was safe to drink.

This is the story of how the security of OT devices in the field can be modernized virtual isolation in the cloud, adding both authentication and encryption into the mix. Bill Moore, founder and CEO of Xona, explains how you can virtualize the OT network and interact with it, adding 2FA and encryption to legacy systems already in the field. 

This is the story of the secret life of cellular chips and why we need to mitigate against the unintended access they provide. Deral Heiland, Principal Security Research for IoT at Rapid 7, describes a research project he presented at the IoT Village at DEF CON 32 where they compiled AT command manuals from various vendors, discovering unexpected functionalities, such as internal web services.

When we think of IoT, we first think of our smart light bulbs, our smart TVs, our smart baby monitors. However, we don't typically associate IoT with high-performance race cars, and yet they collect terabytes of data each race. Austin Allen, Director of Solutions Architecture at Airlock Digital, discusses the growing presence of smart devices and the responsibility of securing them—should it be the developers who write the code, or the individuals who implement it?

What would happen if your GPS signal were jammed? It would impact more than just navigation – you'd also lose access to financial data and power. Joe Marshall, Senior IoT Strategist and Threat Researcher at Cisco Talos, discusses an innovative solution to maintain the country's power grid operations in the event of GPS jamming, whether it's a precautionary measure or an act of war.

Cybercriminal tactics against ICS include direct threats against individuals for MFA credentials, sometimes escalating to physical violence if they won’t share. Jim Coyle, US Public Sector CTO for Lookout, warns about the increasing use of Android in critical Industrial Control Systems (ICS), such as HVAC systems, and how stealing MFA tokens from mobile devices could affect critical services like healthcare, finance, and water supply, depending on the goals of the attackers.

If smart buildings are vulnerable to hacking, what about smart offices? Even devices like printers and lighting systems could give an attacker a way in. John Terrill, CSO at Phosphorus, recalls a moment while working at a hedge fund when he found himself in a room filled with priceless art. He realized that the security cameras safeguarding these artworks were operating on outdated software, potentially containing known vulnerabilities.