The 5 Worst Examples of IoT Hacking and Vulnerabilities in Recorded History

Today, we can connect nearly everything we use to the internet. As we continue to rely on these devices, it's no surprise that the security of these devices is a major concern. We've all heard of cybersecurity concerns when it comes to IoT devices and there's an inherent risk that comes with connecting more and more devices to the internet and to each other. Malicious hackers can launch attacks and infiltrate thousands or millions of unsecured devices, crippling infrastructure, downing networks, or gaining access to private information. In this article, we'll focus on some of the biggest IoT hacks and vulnerabilities we've seen before and the effects they had.

1. The Mirai Botnet (aka Dyn Attack)

Back in October of 2016, the largest DDoS attack ever was launched on service provider Dyn using an IoT botnet. This lead to huge portions of the internet going down, including Twitter, the Guardian, Netflix, Reddit, and CNN.

This IoT botnet was made possible by malware called Mirai. Once infected with Mirai, computers continually search the internet for vulnerable IoT devices and then use known default usernames and passwords to log in, infecting them with malware. These devices were things like digital cameras and DVR players.

Since then, the legacy of the Mirai botnet has continued to influence the IoT security landscape. In recent years, variants of the Mirai malware have emerged, showing that the threat from such botnets is far from over. These new variants have targeted a broader range of IoT devices, from routers to connected cameras, expanding the potential for large-scale DDoS attacks.

The resilience and evolution of Mirai-like malware underscore the critical need for stronger security measures in IoT devices. Manufacturers and users must be vigilant in updating device firmware and changing default credentials, a lesson that has only grown in importance since the Mirai incident.

According to PC Magazine, here are four straightforward loT security lessons that businesses can take from the incident:

• “Devices that cannot have their software, passwords, or firmware updated should never be implemented.
• Changing the default username and password should be mandatory for the installation of any device on the Internet.
• Passwords for IoT devices should be unique per device, especially when they are connected to the Internet.
• Always patch IoT devices with the latest software and firmware updates to mitigate vulnerabilities.”

Reflecting on these lessons in the context of the evolving threats, it's clear that the IoT landscape demands continuous vigilance and adaptive security strategies. The IoT ecosystem is now more complex, and the stakes are higher, making the implementation of robust security protocols more critical than ever.

2. The Hackable Cardiac Devices from St. Jude

In 2017, there was a big worry about some heart-related devices made by St. Jude Medical. Turns out, these gadgets, such as pacemakers and defibrillators, which are super important for people with heart issues, had some serious security holes. The FDA (Food and Drug Administration) confirmed this, and it was kind of a big deal.

These vulnerabilities meant that a hacker could potentially get into these devices. Imagine someone messing with a device that's supposed to keep your heart beating right. They could drain the battery or even worse, make it do the wrong thing, like give the wrong kind of shock. This was scary stuff for anyone relying on these devices to stay healthy.

The whole problem was linked to the part of these devices that talks to doctors remotely – the transmitters. Hackers could break into these transmitters and take control. This wasn’t just about keeping personal health info safe; it was about keeping people alive and well.

It kicked off a lot of talk about making sure these kinds of medical gadgets are safe from hackers. St. Jude's situation was a wake-up call, showing everyone that as more medical stuff gets hooked up to the internet, the more we’ve got to be super careful about security. It was a real-life example of why it's so important to build these devices tough enough to keep out hackers, right from the start.

3. The Owlet WiFi Baby Heart Monitor Vulnerabilities

In 2016, the Owlet WiFi Baby Heart Monitor, a device many parents use to keep an eye on their baby's health, ran into some serious safety concerns. A security expert, Jonathan Zdziarski, looked into how the monitor worked and found some worrying issues. He discovered that the way the monitor talks to its base station over WiFi wasn't secure at all. This means that someone nearby could potentially peek into the data being sent, or even mess with the monitor's functions.

What's more, Zdziarski found that if the little sock with the sensor, which the baby wears, came off and was put back on, the monitor wouldn’t start working again on its own. Parents would have to manually turn it back on. He also pointed out that the system didn't seem to have a way to update itself to fix these problems, which is pretty important for security. The company behind Owlet did later say that they had a way to update the monitor, but these findings still raised big red flags about how safe and private these kinds of smart baby monitors are.

4. The TRENDnet Webcam Hack

In 2012, TRENDnet's security cameras, which many people use in their homes for things like baby monitoring, had a big security problem. Due to a mistake in their coding, hackers could easily get past the password and watch the video from these cameras. This meant that private videos from homes were ending up on the internet for anyone to see.

In response, TRENDnet worked fast to fix this. They updated the software in their cameras to close this security hole. They also had to make a deal with the U.S. Federal Trade Commission, promising to improve their security overall and be more honest about how safe their cameras are. They also agreed to keep their users in the loop about any security updates and provide help for two years.

This hack showed how important it is for companies to take the security and privacy of their internet-connected devices seriously.

5. The Jeep Hack

In 2015, a significant hacking incident involving Jeep Cherokees made headlines and underscored the importance of cybersecurity in vehicles. Two security researchers, Charlie Miller and Chris Valasek, demonstrated a remote hack on a Jeep Cherokee. They could manipulate the car's features like wipers and radio, and eventually stop the engine while it was on a highway.

This was possible due to a vulnerability in the car's infotainment system, manufactured by Harman International. The hack impacted 1.4 million vehicles and required a physical product recall, marking a watershed moment in the awareness of cybersecurity vulnerabilities in automobiles​​.

The aftermath of this incident led to significant changes in the automotive cybersecurity landscape. Harman International, recognizing the gravity of the situation, developed a cybersecurity product and acquired TowerSec, a cybersecurity company, to enhance its manufacturing processes and software security.

This move was part of a broader industry trend, with automotive cybersecurity becoming a rapidly growing market. The complexity of modern vehicles, which can contain up to 150 electronic control units running various operating systems, makes securing them a challenging task.

Post-hack, automotive companies started to focus more on cybersecurity, with requirements for it expanding significantly. They also began shifting the responsibility for security testing and implementation to their suppliers, like Harman, who are now expected to take a more proactive role in ensuring the cybersecurity of components they produce for vehicles​

This article was originally published on May 17, 2017. Updated December 13, 2023.