Most high-profile IoT breaches

The Internet of Things (IoT) has allowed our world to become more integrated and convenient than ever. However, as machine-to-machine and machine-to-human means of communication become more sophisticated, so do bad actors with malicious intentions. The following IoT breaches (and a bonus one) demonstrate the current vulnerabilities in IoT. 

This post also serves as a reminder that it’s never too late to adopt a more proactive approach to IoT security. Alternatively, introduce a culture of security within your organization.  


Mirai botnet 

While this attack took place in October of 2016, as of today, it remains the largest DDoS attack ever launched. The Mirai botnet was so ‘successful’ that it managed to cripple huge swaths of the internet, including Twitter, Reddit, and Netflix.

The botnet is named after the Mirai malware, which targeted connected devices. Attackers specifically targeted the DNS service provider Dyn, using a botnet of IoT devices. Once Mirai infected a vulnerable IoT device, it automatically searched the internet for other vulnerable devices.

When it found another vulnerable IoT device, Mirai would use the default username and password to log in to the device, and the process repeated itself. Many of these devices had outdated firmware or weak default passwords, making them easy targets to hack.
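As an added example (not from the original post), the sketch below shows how a defender could spot the spread pattern just described in login records: a device that is logged into after repeated failed guesses and then begins trying the login ports of many other hosts. The log format, the addresses, the thresholds and the use of ports 23 and 2323 as the login service are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PORTS = {23, 2323}  # assumption: telnet-style login services

# Constructed records (not real traffic): time, source, destination, port, login result
SAMPLE_LOG = """\
2016-10-21T11:00:01 203.0.113.7 10.0.0.21 23 fail
2016-10-21T11:00:02 203.0.113.7 10.0.0.21 23 fail
2016-10-21T11:00:03 203.0.113.7 10.0.0.21 23 success
2016-10-21T11:00:40 10.0.0.21 198.51.100.1 23 fail
2016-10-21T11:00:41 10.0.0.21 198.51.100.2 2323 fail
2016-10-21T11:00:42 10.0.0.21 198.51.100.3 23 fail
2016-10-21T11:05:00 10.0.0.50 10.0.0.22 23 success
2016-10-21T11:06:00 10.0.0.22 10.0.0.1 443 success
"""

def parse(log):
    events = []
    for line in log.splitlines():
        ts, src, dst, port, result = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), result))
    return sorted(events)

def guessed_logins(events, min_failures=2):
    """(src, dst) pairs where a successful login follows repeated failures."""
    fails, hits = defaultdict(int), set()
    for _, src, dst, port, result in events:
        if port not in LOGIN_PORTS:
            continue
        if result == "fail":
            fails[(src, dst)] += 1
        elif fails[(src, dst)] >= min_failures:
            hits.add((src, dst))
    return hits

def scanners(events, min_targets=3, window=timedelta(minutes=1)):
    """Sources that tried login ports on many distinct hosts within the window."""
    seen, found = defaultdict(list), set()
    for ts, src, dst, port, _ in events:
        if port not in LOGIN_PORTS:
            continue
        # Keep only this source's attempts that fall inside the sliding window.
        seen[src] = [(t, d) for t, d in seen[src] if ts - t <= window] + [(ts, dst)]
        if len({d for _, d in seen[src]}) >= min_targets:
            found.add(src)
    return found

def likely_infected(events):
    """Devices logged into by guessing that then started scanning themselves."""
    return {dst for _, dst in guessed_logins(events)} & scanners(events)
```

On the constructed sample, only 10.0.0.21 is flagged: the login to 10.0.0.22 had no failed guesses before it, and that device's later traffic is not to a login port.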

Cardiac pacemakers & insulin pumps 

We have outlined the astronomical potential of IoT in medicine and healthcare. However, given the sensitivity of data transmitted and lives at stake, ensuring security remains at the forefront of any digital solution is vital.  

Nothing proves this point more than the St. Jude Medical incident. In 2017, the FDA announced that they had discovered a serious vulnerability in implantable pacemakers.

The transmitter that the pacemakers used to communicate with external services was left exposed. When attackers gained access to a pacemaker’s transmitter, they were able to alter its functioning.

Similarly, in 2019, the FDA issued an alert regarding the security of Medtronic insulin pumps. Although no harm came to any patients, it was discovered that malicious actors could easily hack the pump and remotely access and control its settings.

Unwanted surveillance  

TRENDnet, a manufacturer of networking products, brought their SecurView security cameras to the market in 2013. One of the top selling points was that they were supposed to be secure.

However, it turned out that anyone who was able to find the IP address of a SecurView device could easily look through it. It was later uncovered by the FTC that TRENDnet was transmitting users’ login information over the internet without any encryption. 

In 2017, Germany banned the ‘My Friend Cayla’ interactive doll over similar spying concerns. Essentially, bad actors could use an insecure Bluetooth device installed in the toy to listen and talk to a child playing with the doll.

The best way to prevent breaches like this from happening is to work with a service provider who is well versed in the latest security measures. They will be able to guide you through the latest global security regulations, ensuring your IoT solution is secure from end to end.

The Jeep (whitehat) hack 

In 2015, a team from IBM were able to access the onboard software of a Jeep SUV. They managed to exploit a vulnerability in the firmware update mechanism.

During this time, researchers took full control of the vehicle from the driver. This meant they were able to alter the speed of the Jeep, as well as turn the wheel and cause the car to veer off the road. 

Thankfully, this research took place in a controlled environment. Yet, as we accelerate towards driverless car technology, it is increasingly important that we make sure these vehicles are as secure as possible.

Freezing cold 

The rise of smart homes and, in particular, smart thermostats offers numerous advantages, including improving your home’s comfort and energy efficiency. However, this also gives hackers another avenue of exploitation.

In 2016, hackers left the residents of two apartment buildings in Lappeenranta, Finland, in the cold for nearly a week by launching a DDoS attack on their environmental control systems via thermostats.  

As both the central heating and hot water systems were attacked, the environmental systems rebooted in an attempt to fight the attack off. However, this caused the systems to get stuck in an endless rebooting loop.

 

Bonus one

Researchers in 2018 highlighted the vulnerabilities in the most intimate of IoT devices: different sex toys marketed under the name Vibratissimo. Multiple vulnerabilities risked the privacy of user data and the physical safety of users.

Hackers could breach the ‘back door’ of vibrators to access data that included explicit images, chat logs and passwords that were available in plain text. The toys could even be hacked to remotely control functionality without user consent. 

 

How to stay safe? 

Connected devices have certainly made our lives easier. However, most of them lack the security features that are standard in computers, tablets, and even smartphones.  

For end-users, before acquiring a new IoT device and bringing it home, you should always consider whether it really benefits you. As for manufacturers and distributors of IoT devices, take concrete steps today to ensure breaches such as the ones outlined above do not happen again.

Attacks like these demonstrate the importance of creating strong passwords and applying regular firmware updates. This is in line with the latest PSTI Bill that was introduced in the UK as the world’s first IoT security standard.
