IoT hacks are unbelievably effective. By leveraging thousands (if not millions) of insecure connected devices, hackers can produce DDoS attacks that can cripple our infrastructure, systems, and way of life. Or, attackers can go straight for the kill by directly exploiting a device and using it as a gateway to deeper levels on a network where they gather sensitive and valuable private data. And things are about to get worse. Forbes predicts that by 2025, we’ll have over 80 billion smart devices on the internet.
During my Sensors Expo presentation, I’ll talk about five worst IoT hacks and vulnerabilities in recorded history:
- The Mirai Botnet (aka Dyn Attack) – According to PC Magazine, “Millions of insecure Internet of Things (IoT) devices were swept into the Mirai botnet and used to massively overload domain name system (DNS) provider Dyn with a DDoS attack.” The attack knocked out Etsy, GitHub, Netflix, Shopify, SoundCloud, Spotify, Twitter, and a ton of other major websites.
- The Hackable Cardiac Devices from St. Jude – Early this year, CNN wrote, “The FDA confirmed that St. Jude Medical's implantable cardiac devices have vulnerabilities that could allow a hacker to access a device. Once in, they could deplete the battery or administer incorrect pacing or shocks,” the FDA said. “The devices, like pacemakers and defibrillators, are used to monitor and control patients' heart functions and prevent heart attacks.”
- The Owlet WiFi Baby Heart Monitor Vulnerabilities – Right behind the St. Jude cardiac devices is Owlet WiFi baby heart monitor. According to Cesare Garlati, Chief Security Strategist at the prpl Foundation: “This latest case is another example of how devices with the best of intentions, such as alerting parents when their babies experience heart troubles, can turn dangerous if taken advantage of by a sinister party. Sadly, this is more often than not in the case of embedded computing within so-called smart devices. The connectivity element makes them exploitable and if manufacturers and developers don’t consider this and take extra steps to secure devices at the hardware layer, these are stories that we will, unfortunately, keep hearing.”
- The TRENDnet Webcam Hack – And, continuing with the baby theme, TechNewsWorld reports, “TRENDnet marketed its SecurView cameras for various uses ranging from home security to baby monitoring and claimed they were secure, the FTC said. However, they had faulty software that let anyone who obtained a camera's IP address look through it -- and sometimes listen as well.”
- The Jeep Hack – The IBM SecurityIntelligence website reported the Jeep hack a few years ago, saying, “It was just one, but it was enough. In July , a team of researchers was able to take total control of a Jeep SUV using the vehicle’s CAN bus. By exploiting a firmware update vulnerability, they hijacked the vehicle over the Sprint cellular network and discovered they could make it speed up, slow down and even veer off the road. It’s proof of concept for emerging Internet of Things (IoT) hacks: While companies often ignore the security of peripheral devices or networks, the consequences can be disastrous.”
About the Author
Terry Dunlap is the Founder & CEO of Tactical Network Solutions (TNS) in Columbia, Maryland. Clients come to TNS to leverage the Centrifuge IoT security platform, which audits compiled embedded firmware images for vulnerabilities. They also seek ‘white hat’ security training, firmware evaluations and consulting. The company includes former National Security Agency experts skilled in IoT, embedded firmware reverse engineering and security. Formerly, Terry worked as a Global Network Vulnerability Analyst for the NSA. He can be reached at [email protected] or 443-276-6990.