Prakash Sangam: Can IoT Devices Become Ticking Time Bombs?

The millions of IoT devices we use knowingly or unknowingly make our modern societies function. These include utility meters, traffic lights, and they even connect to the national grid. 5G is elevating their use to even higher levels and making them an integral part of the country’s critical infrastructure.

But that also is making that infrastructure more vulnerable to security threats. Reps. Mike Gallagher and Raja Krishnamoorthi of the U.S. House Select Committee on China understand this threat and are rightly sounding alarm bells. It’s fascinating how these seemingly benign and almost invisible IoT devices can be such a grave threat.

IoT devices are an integral part of the national critical infrastructure

The U.S. IoT market is massive, estimated to be $199B in 2024, according to Statista. IoT technology is found in almost any connected device for individual or industrial use. Since IoT devices manage and control the country’s critical assets, including power, water, natural gas, and many industries, even more with 5G IoT, they are part of national critical infrastructure.

Imagine the havoc the sudden collapse of the national grid or large-scale disruption of utilities can create. Such catastrophes can bring the country to a screeching halt, threaten lives, and cause lasting damage.

Despite its critical role, IoT security hasn’t gotten the attention of regulators and governments it deserves. It was considered a “business risk” to be managed by the industry. Fortunately, that is starting to change. The recent letters from the congressmen to the FCC, the Department of Defense, and the Treasury Department regarding cellular connectivity modules used in IoT devices indicate that lawmakers are now treating this as a national security issue.

Vulnerabilities of IoT devices

When it comes to cellular IoT devices, the biggest threat is the security of the connectivity module (aka IoT module) on which they are built. This module is the gatekeeper, which controls all the data going in and out of the device. If the module is compromised, the whole device, and in many cases all the systems it connects to, are compromised.

Note: For more details on IoT device security, please check out my article series here.

Connectivity modules could have many vulnerabilities. There could be backdoors built into the hardware or the software when modules are shipped from the factory (called “Zero Day” attacks) or introduced during numerous upgrades modules receive during their more than ten years of lifespan. These upgrades are similar to the ones our smartphones receive but are usually automatically executed.

Because of prohibitive costs, operators can’t examine and verify all the devices and their firmware updates. No matter who and how these vulnerabilities are created, they can be exploited by bad actors. If those bad actors are state-sponsored, the risk is even higher.

As FBI Director Christopher Wray mentioned in his recent testimony, “Hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities.”

The attackers can stay dormant for a long time and attack at a time of their choosing. Hence, it wouldn’t be wrong to say that any device with such vulnerabilities can become a ticking national security timebomb.

IoT security: A tragedy of commons

IoT is a largely low-margin, low-revenue (per subscription) business with a highly cost-competitive market. Most operators manage security as a business risk. They invest just enough to protect against fraud and liability. National security probably never makes it to their priority list.

Considering the complexity, cost, and potential risks involved, the responsibility of ensuring the security of IoT devices, from a national security perspective, rests squarely on the regulators and the government. The simple and highly reliable approach to achieve that seems to be establishing a fully trusted supply chain comprising local players and players from trusted national partners.

This is where things get complicated. According to Counterpoint Research, almost a quarter of the US cellular connectivity module is controlled by one Chinese company, Quectel. More alarmingly, a large portion of the IoT modules used in the cellular network used by first responders called FirstNet are also Chinese.

And that’s precisely why these congressmen are concerned and asking relevant US departments to intervene. As opined by many law experts, Chinese laws require all Chinese companies “to support, provide assistance, and cooperate in national intelligence work.”

So, then the question arises: Is the Huawei-like approach of totally banning these companies the right strategy? If not, are there any other remedies available? What are the pitfalls? All these questions need to be addressed before taking any substantive action. Look out for my next article for details on them and possible answers.

Prakash Sangam is the founder and principal at Tantra Analyst, a leading boutique research and advisory firm covering 5G, AI, Wi-Fi, Cloud, and IoT. He is a 3GPP/ETSI member and has more than 20 years of hands-on tech experience working for Qualcomm, Ericsson, and AT&T. He hosts Tantra’s Mantra podcast, a newsletter, and is often quoted in international media, and on the speaking circuit for leading industry events. This Expert Opinion is exclusive to Broadband Breakfast.

Broadband Breakfast accepts commentary from informed observers of the broadband scene. Please send pieces to commentary@breakfast.media. The views expressed in Expert Opinion pieces do not necessarily reflect the views of Broadband Breakfast and Breakfast Media LLC.