David Balaban

@david.w.balaban

IoT Hacks and Vulnerabilities

We are all lucky enough to live a world full of interconnected devices, which is certainly cool and convenient because it’s so easy to keep remote things at your fingertips wherever you are. The flip side of this whole technical sophistication is that anything connected to the Internet is potentially vulnerable. Cybercriminals are busy looking for ways to compromise various smart devices and have had quite a bit of success doing it. It turns out that the Internet of Things is low-hanging fruit for threat actors. The hack scenarios below might seem like science fiction, but they are absolutely real these days.

Your coffee machine acting up? Might be a red flag

No, it’s not because the heating element of your connected coffee machine or smart kettle broke down. It’s because someone has hacked it remotely. When you turn it on, it automatically opens a non-encrypted hotspot that’s easy to compromise. In the upshot, an attacker can get hold of SSID and password to your entire home wireless network, and the consequences may get worse than a bizarre message on the coffee maker’s display. Unfortunately, the manufacturers of these devices don’t care much about securing them against hacks. Things can get scarier if a critical infrastructure entity is attacked via such a prosaic technique.

To avoid this type of compromise, refrain from keeping the factory settings on IoT devices. Also, change the default router password when setting up your wireless home network.

Parental control systems are vulnerable, too

Circle with Disney, a popular product for parental controls and web filtering, has got numerous weak links that expose gaping security holes and allow for hacker intrusion. By attacking this device, perpetrators can run the arbitrary malicious code, inject commands, modify network traffic, install a backdoor and do many more nefarious things remotely. The vulnerable device can be used as an entry point to affect other components of a home wireless network.

Similarly, by compromising Alexa, Amazon’s smart personal assistant, adversaries get sufficient privileges for eavesdropping. Specifically, they can record conversations and steal the user’s Amazon credentials.

To steer clear of this clever attack, again, never keep the default router password and use different passwords for different connected devices.

How about smart locks?

It’s definitely handy to be able to open your door for a courier to drop a package when you’re away. Amazon Key is a fancy product that allows you to do this remotely and have the visit recorded with a video camera. According to security researchers, though, using these smart locks is a slippery slope as they have poor security implementation and the vendor simply fails to roll out updates to their firmware. Therefore, a likely emergence of new attack vectors can turn into a serious concern for whoever owns one of these devices.

Mobile voice assistants aren’t much safer

A brand-new proof-of-concept compromise vector codenamed DolphinAttack has demonstrated how easy it is to circumvent the security of Siri, the iPhone voice assistant, as well as Google’s counterpart for Android and the above-mentioned Alexa service. It turns out that commands generated in ultrasonic frequencies inaudible to humans can be leveraged for a voice assistant to execute various tasks, for example, make a phone call, go to a certain website or instruct smart home devices to do something naughty.

Your work computer got locked down

This is most likely a ransomware scenario, where a perpetrating program such as Bad Rabbit, has infiltrated your computer and crippled its Master Boot Record (MBR). To top it off, the toxic baddie will propagate across the entire enterprise network in a matter of minutes. That’s what happened to numerous government agencies, news outlets and even an airport in Eastern Europe in late October 2017. The entry point for the contagion was a rogue Flash update. The next thing you know is the computer’s screen gets locked with a ransom note demanding Bitcoins for recovery.

Your favorite news website is down

While this may denote a regular maintenance outage, it may as well be a botnet in action. Cybercrooks scan the Internet for poorly protected IoT devices, then hack and use them to pull off large-scale DDoS attacks against popular websites. When lots of connected smart devices try to access a certain site at the same time, it can’t handle the bandwidth and goes down. The felons’ motivation can be anything from politics to extortion. In order to prevent your devices from being exploited this way, be sure to opt out of the default access credentials and apply security patches once available.

Using Uber on your iPhone can be dangerous

Apple has reportedly granted Uber the privilege to access iPhone screens even when the app is closed. This scope of permissions may expose sensitive user data to man-in-the-middle attacks. So, think twice before calling Uber if you are an iPhone user.

Dating services are full of impostors

When someone you have been talking to on Tinder or other chatting service sends you a message with a hyperlink in it, it’s about time you switched on your natural paranoia. This is most likely a phishing scam aimed at duping you into visiting a rogue login page and entering your access credentials. If you end up following the threat actor’s instruction, your account will be compromised. To avoid this type of fraud, never click on links in messages received via social media and dating sites unless you know for sure who the person on the other end is.

Smart home is a vulnerable home, period

It doesn’t take a rocket scientist to wreak havoc with automated systems in a smart home if at least one of its connected components gets hacked. Attackers can remotely crank up the heat through a smart thermostat, mess with the light brightness, increase music volume to its maximum and do many other suchlike things you won’t enjoy. An important recommendation in this regard is to set up a system with no single point of failure.

Even Tesla car, the next big thing, is hackable

A crew of Chinese researchers did a PoC hack in 2016 where they were able to compromise electronic systems of Tesla Model S. While being located 12 miles away from the smart vehicle, the white hat hackers could meddle with its brakes, dashboard computer screen, door locks and other systems wirelessly. Just imagine what real-world cybercrooks can do to this high-end car through a similar technique.

Whether or not you have heard the term “Internet of Things” before, your smart devices make you a part of this interconnected world. With all the benefits of IoT in place, it is full of perils. To raise the bar for attackers, use strong passwords for your devices and apply firmware security patches once released.

More by David Balaban

Topics of interest

More Related Stories