5
Infamous IoT Hacks and Vulnerabilities
IoT devices are growing
exponentially in numbers, but along with growth comes growing pains in securing
these devices. We have yet to find a silver bullet to solving IoT security, and
consumers and enterprises alike are worried about potential risks involved in
implementing an IoT solution, or purchasing a consumer device like a smart
lock. We’ve seen some pretty scary instances of hacking into IoT devices, from
smart home products for children to the takedown of the internet. Here are 5
infamous IoT hacks to teach us how important it is to build security into
devices in the future.
Mirai DDoS Botnet
The most infamous IoT botnet attack, the Mirai DDoS
(which means distributed denial of service) botnet successfully slowed
down or fully stopped the internet for nearly the entire East Coast. The tech
company Dyn got the worst of it. The botnet was able to scan big blocks of the
internet for open Telnet ports and log in to them using 61 username/password
combos that are frequently used as the default for these devices. Using this
strategy, the hacker, a Rutgers University student, was able to amass a botnet
army.Thankfully the botnet was not
deployed under malicious intent (apparently they had been trying to
gain an advantage in the computer game Minecraft), but
it goes to show how potentially dangerous the vulnerabilities in IoT devices
can be if accessed.If you’re
looking for a deeper dive into how this was pulled off, Incapsula put together
a great analysis of the Mirai botnet code.
Jeep and a Virtual Carjacking
Back in
2016, two hackers, Charlie Miller and Chris Valasek, successfully took control
control of a Jeep Cherokee in a completely virtual carjacking. Don’t worry, the
driver was in on it to demonstrate the importance of building in security
measures. After finding a vulnerability in the vehicle, the hackers took
control of the vents, radio, windshield wipers and more, all while the driver
was in motion. Soon after, Miller and Valasek’s faces came up on the car’s
digital display – and the driver lost control of his vehicle’s brakes,
accelerator, and steering. Eventually they were able to make the vehicle come
to a full stop.The duo released a full list of the most hackable
cars, prompting automakers to patch up some software and encourage
users to frequently update their systems.
Owlet WiFi Heart Monitor for Babies
Owlet is a heartbeat-monitoring sensor that babies wear in a
sock. The device relays heartbeat data wirelessly to a nearby hub, and parents
can set up an alert to their smartphones if anything is out of the ordinary.Seems like it would bring a lot of peace of
mind. However, it was discovered that the network linking the WiFi hub to the
device is completely unencrypted and doesn’t require any authentication to
access. That means that someone can hack into the system if they’re in the
range and prevent alerts from being sent out to parent. Yikes.
Devil’s Ivy & the Rube-Goldberg Attack
This year, Wired reported on an increasingly popular, although
elaborate, IoT hack known as the Rube-Goldberg Attack. It uses a vulnerability
called Devil’s Ivy and works something like this:
· The attack starts by targeting a security camera
that is vulnerable to an inveterate IoT bug known as Devil’s Ivy.
· The attacker finds such a vulnerable camera
that’s on the public internet to start the attack.
· The attackers uses the Devil’s Ivy exploit to
factory reset the camera and take over root access, giving them full control
over it.
Exploiting an IP camera can give a hacker complete access to the
video feed inside a company building, for example, where they can pick up on
employee access/security codes, schedules of security officers, and more. Researchers
at Senrio actually did a public demonstration of this kind of chained attack,
hoping to raise awareness about the urgency of addressing the IoT security
crisis.
CloudPets
An internet-connected stuffed toy that allows parents and kids
to send audio messages to each other sounds like a great idea on paper. But
CloudPets toys had another unexpected surprise. The emails and passwords of
parents, as well as the message recordings themselves, were left exposed online
to hackers.“Anyone within range—10
meters with a normal smartphone—can just connect to it,” said Paul Stone, a
security researcher who studied how CloudPets’ toys work. “Once you’re connected you can send and
receive commands and data.”One user took a video of the
hijakced fluffy animals to demonstrate how creepy it could get.Troy Hunt, who
discovered the vulnerability, said there was clear evidence that cybercriminals
have held the database for ransom, at least twice, demanding money from the
company in exchange for the data’s safe return.What’s the takeaway here,
besides to scare you? Definitely do you research before buying an internet
connected product, especially one that lives in your home or that your children
interact with. If you’re building an internet-connected product, let this be a
lesson in what poor security looks like.
No comments:
Post a Comment