Here’s the Thing …
It’s no secret that the issue of IoT security is a Very Big Deal these days. Our brave new world of perpetually connected devices—appliances, cameras, thermostats, cars—has created a proportionately huge world of network security problems. The essential dilemma is that all these Internet-connected “smart” devices are often unprotected and easy to hack. Depending on the situation, they can leak sensitive data, generate worrisome surveillance problems, or even present legitimate physical dangers.
IoT security is an enormous, complicated, and really quite serious topic. Those in the market for in-depth analysis will want to consult our more sober assessments. Here we take a high-altitude POV, looking at IoT hacks that have made headlines in recent years, with an eye toward the weird, the funny, and the scary.
Everyone knows someone who doesn’t take the security of home appliances seriously enough. These are the stories you need to help them focus.
Botnet Trouble Since the earliest days of connected things, the most common IoT exploit has involved the hijacking of unsecured devices to power rampaging botnet armies. Using what amounts to forced virtual conscription, hackers take over thousands of connected devices, harnessing the collective computing power of all those machines to stage distributed denial-of-service (DDoS) attacks on websites and online services.
The IoT botnet trend spiked dramatically in 2016, when the infamous Mirai cyberattack on domain-name infrastructure temporarily stalled out multiple high-profile websites and online services, including Twitter, CNN, Reddit, and Netflix.
The outages were caused by a DDoS attack – a botnet assault – with a twist. This time around, the botnet was largely made up of innocent little IoT devices like televisions and home entertainment consoles. The attack was the most powerful of its type. Investigators estimated that hundreds of thousands of hijacked IoT devices were involved.
Child’s Play In February 2017, reports surfaced of a rather disturbing IoT hacking incident. It seems the makers of CloudPets—a popular Internet-connected smart toy for kids—had left a giant database of user information unprotected online.
The account information included the email addresses and easily guessed passwords of more than 800,000 users, according to reports. What’s more, security experts who assessed the flaw concluded that hackers could also access voice messages left between kids and their parents via the CloudPets toy. (CloudPets are basically voice messaging devices in the form of alarmingly cute stuffed animals.)
Things only got worse from there: Follow up investigations found that the stuffed animals themselves could potentially be turned into remote surveillance devices. Spooky!
Toy Stories If the CloudPets incident sounds familiar, that’s because variations on this story have been popping up with regularity in recent years. Internet-connected toys are the same as any other Internet-connected device, from a security point of view. Add microphones and cameras to the mix and things get scary fast.
Maybe you’ve heard this urban legend: A suburban couple is awakened in the middle of the night by the sound of someone screaming obscenities in the baby room. Rushing through the door, they discover to their horror that someone has hacked in to the family baby monitor and camera system. The robotic camera, outfitted with motion-tracking features, looks up from berating the baby as the parents enter the room.
Unfortunately, it’s no urban legend. This particular incident, which really happened back in 2014, is considered by many to be the patient-zero for scary toy hacking stories. In 2017, the FBI even got involved, issuing a consumer warning on Internet connected toys.
Car Talk Experts advise that we’re in a critical early-warning phase, just now, with various IoT security crises lurking on the horizon. Click around online and you’ll find plenty of stories on anti-hacking conventions and security presentations in which experts demonstrate potential hacks that haven’t yet occurred “in the wild.”
In 2015, one intrepid reporter took an admirably two-fisted, experimental approach to the issue of car hacking. Working with security experts Charlie Miller and Chris Valasek, Wired writer Andy Greenberg drove a Jeep down the highway at 70 mph while the good-guy hackers wirelessly hijacked his dashboard controls. The radio blared. The AC went full blast. The windshield wipers freaked out. Eventually, the engine cut out.
The delightfully creepy video of the experiment went viral, contributing to a growing demand for the auto industry to address the potential virtual carjacking dilemma.
Lateral Attacks What do businesses have to fear from IoT hacks? Funny you should ask. In a public demonstration at a recent security conference in San Francisco, officials laid out the specifics on how hackers can get to confidential business information via IoT mischief. The presentation showed how hackers could execute an IoT lateral attack—jumping from device to device to penetrate a corporate network.
In the demonstration scenario, hypothetical bad guys targeted a single office security camera using an IoT exploit already available in the darker corners of the Internet. The would-be hackers then jumped to a router, eventually getting access to all the building’s cameras. By sifting through the camera feeds with image analysis software, the attackers were able to literally look over the shoulders of employees at their desks, grabbing up onscreen passwords and credential information.
This was a purely hypothetical situation, but security officials cautioned that such a scenario is entirely plausible using relatively simple tools on the market today.
Heart Trouble When contemplating a list of potentially hackable IoT devices, there are two words in particular that you really don’t want to hear: surgically implantable.
In January of 2017, the U.S. Food and Drug Administration issued a statement warning that certain kinds of implantable cardiac devices—like pacemakers and defibrillators—could potentially be accessed by malicious hackers. Designed to send patient information to physicians working remotely, the devices connect wirelessly to a hub in the patient’s home, which in turn connects to the Internet over standard landline or wireless connections. Unfortunately, technicians found that certain transmitters in the hub device were open to intrusions and exploits. Uh-oh.
In a worst-case scenario, hackers could fiddle with the virtual knobs and trigger incorrect shocks and pulses, or even just deplete the device’s battery. Manufacturers quickly developed and deployed a software patch, so don’t have a heart attack.
Hot in Here Here’s another urban legend you may have heard: A jilted ex-husband, recently evicted from the family home, decides to get revenge on his ex-wife. When the missus is on vacation, he accesses the house smart thermostat and cranks up the heat for several days, exploding the utility bills. When she returns, he kills the heat at night, resulting in chilly 40-degree mornings.
As you may have guessed, this one isn’t a legend either, although it’s a bit harder to verify. (The story unfolds on an infamous Amazon post from a few years back.) The story conjures a perennial IoT boogeyman, the danger of smart thermostats, and high-tech connected homes in general.
White-hat hackers have since uncovered various exploits around thermostat systems, even demonstrating a ransomware scenario where hackers could lock up your furnace until you pay up the extortion fee.
Insecurity Cameras Home webcams and unsecured security cameras have long been a favorite target of recreational hackers, pranksters, and voyeurs. With a few clicks, pretty much anyone can access a live video somewhere among the massive global network of unsecured cameras. You can even browse through directories listing open camera feeds, like Insecam.com. (There are, of course, less ethical directories, as well.)
Early last year, a pair of eastern European hackers were busted for taking partial control of two-thirds of the outdoor surveillance cameras in Washington, DC. The hackers demonstrated a peculiar kind of moxie by going after police cameras in America’s capital city. Their timing wasn’t great, though. Because the initial attack occurred just before President Trump’s inauguration, the incident drew the attention of U.S. Secret Service.
As you may be aware, Secret Service agents do not, as a rule, mess around. The culprits were quickly tracked down in London, arrested and put in the queue for extradition. The hack had nothing to do with the inauguration, it turns out, and was instead part of a larger ransomware plot.
The Art of IoT Hacking Is there a bright side to the scourge of IoT hacking? Perhaps. Consider the curious case of the surveillance camera art exhibition.
Back in 2015, photographer Andrew Hammerand unveiled a photo collection comprised exclusively of images taken from a single hijacked security camera. Using a simple Google search, Hammerand found an unsecured website atop a cellular tower in the middle of an undisclosed American town. Using the camera’s rotation and zoom controls, Hammerand spent a full year taking pictures of the tidy suburban town and its residents.
The low-resolution images are oddly compelling. Hammerand was careful to obscure images to protect people’s identity and privacy, and in fact the entire project was intended as an oblique commentary on surveillance state concerns. The photos are genuinely compelling, you can still see them at the Open Society Foundations Documentary Photography Project.