We tend to think of our world full of interconnected devices as fun and convenient. Why not monitor your toaster with a phone app—what could possibly go wrong? The downside, we now know, is that cybercriminals will quickly enlist these Internet of Things (IoT) devices in devastatingly powerful botnets, or leverage them to eavesdrop on your conversations or hold your home theater for ransom.
Yet the avalanche of Internet-connected devices filling our homes and workplaces just keeps growing. Among the most useless are:
- A web-connected tray that tells you how many eggs you have left and the age of the oldest ones.
- A smart piggy bank that lets you remotely check how much change you have and set goals for saving change.
- A wifi-connected device your home-alone dog wears that allegedly sends you Tweets via your home computer anytime your dog barks or does something interesting. (Reviews say it’s completely bogus.)
As computer chips get smaller and cheaper to produce, manufacturers will make every possible device “smart,” even if there is no benefit to consumers in doing so. The beneficiaries of Internet of Things capabilities are the manufacturers themselves, who use the connectivity to glean analytics about both their devices and their customers. Many devices will connect to cellular networks without consumers being aware of it or being able to prevent it, much less patch the firmware.
How much time and money do you think the manufacturers of these devices will invest in securing them? How likely will you or other consumers be to reset the default passwords or update the firmware to guard against vulnerabilities? Hackers are banking (literally) on “not much” and “not very.”
6 Recent IoT Hacks
Just how far can this whole IoT device hacking thing go? Here are some of the most off-the-wall hacks recently reported:
Online gas stations ready to detonate on command
Kaspersky Lab recently announced research on gas station vulnerabilities, noting that hundreds of internet-connected facilities used by the public or by vehicle fleets were wide open to cyber attacks. Many gas pumps are connected to the web with default passwords that the owners can’t even change, giving attackers complete control of the units.
The research showed hackers can remotely change gas prices, steal credit card data, pirate gas, mess with temperature and pressure monitors, and basically “do anything they want”—including potentially cause an explosion or shut down the system. Researchers further noted there seemed to be no way for users to update the code, and that the vendor was not interested in their findings.
Hacked carwash destroys vehicles
Security researchers recently hacked an automatic carwash, causing it to trap the vehicular victim and pummel it with the system’s robotic arm. They located 150 of the vulnerable carwashes online, guessed their default usernames and passwords, and experimentally disabled safety features at one facility.
Is that a toy or a tool of espionage?
My Friend Cayla, a web-connected doll, is so blatantly insecure and simple to hack that German regulators dubbed it “an illegal espionage apparatus” and recommended that parents destroy it. Retailers were prohibited from selling the dolls unless they disconnected its web connectivity. Many other connected toys are equally inviting to hackers and identity thieves, who can use the toys’ cameras and microphones to spy on families or potentially track a child’s location.
Who’s monitoring Junior?
Internet-connected baby monitors and pet cams now offer video cameras, infrared sensors and other features that hackers find just as convenient as parents do. Besides being ideal for use in botnets, these smart devices are well suited to eavesdropping in the service of identity theft, extortion, blackmail or scamming. More and more people are reporting cyber predators speaking to them or their children through their baby monitors.
(Here’s guidance on how to secure your baby monitor.)
Hacked thermostats freeze Fins
When hackers co-opted the environmental control systems of two apartment buildings in Lappeenranta, Finland, for use in their botnet, they caused the heating controllers to go into a continuous reboot cycle. During the several days of subzero temperatures it took to fix the problem, the heat never actually came on.
A fish called “pwned”
In a 2017 threat report, cybersecurity company Darktrace described how cyberthugs hacked an unnamed North American casino through a web-connected thermometer in its lobby aquarium—despite the device being isolated on its own VPN. Once they owned the thermometer, the hackers pivoted to the casino’s network and eventually exfiltrated a database pertaining to high-roller gamblers.
The trend here is obvious:
More vulnerabilities, more unforeseen risks, more outlandish scenarios.
Click the button below to explore our IoT security services. To talk with experts about your organization’s IoT vulnerabilities and risks and how best to manage them, contact Pivot Point Security.