The 5 Worst Examples of IoT Hacking and Vulnerabilities in Recorded History

IoT hacking can be extremely effective, producing DDoS attacks that can cripple our infrastructure, systems, and way of life.

IoT is in no way immune to hacking. Hackers can launch DDoS attacks by infiltrating and leveraging thousands or millions of unsecured devices. They can cripple infrastructure, down networks, and as IoT advances into our everyday lives, those attacks may very well put real human lives in jeopardy. And even if hackers don’t outright threaten lives, they can compromise gateways and deeper levels of IoT networks in order to reveal and exploit sensitive personal and corporate information.

And things are about to get worse. Experts predict that by 2025, there will be as many as 75 billion connected IoT devices. Much of the embedded firmware running on these devices is insecure and highly vulnerable, leaving an indeterminate number of critical systems and data around the world at risk.

If you’re in the IoT space, read on to understand these hacks and vulnerabilities. They’ll open your eyes to how the future could (and likely will) look and prompt you to consider why devices must be secured today.

Here are the 5 Worst Examples of IoT Hacking and Vulnerabilities in Recorded History:

1. The Mirai Botnet (aka Dyn Attack)

Back in October of 2016, the largest DDoS attack ever was launched on service provider Dyn using an IoT botnet. This led to huge portions of the internet going down, including Twitter, the Guardian, Netflix, Reddit, and CNN.

This IoT botnet was made possible by malware called Mirai. Once infected with Mirai, computers continually search the internet for vulnerable IoT devices and then use known default usernames and passwords to log in, infecting them with malware. These devices were things like digital cameras and DVR players.

According to PC Magazine, here are four straightforward IoT security lessons that businesses can take from the incident:

  • “Devices that cannot have their software, passwords, or firmware updated should never be implemented.
  • Changing the default username and password should be mandatory for the installation of any device on the Internet.
  • Passwords for IoT devices should be unique per device, especially when they are connected to the Internet.
  • Always patch IoT devices with the latest software and firmware updates to mitigate vulnerabilities.”
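
The four lessons above, written as an inventory audit (an added example, not from the original article or PC Magazine). The inventory fields, the audit key, and the short factory-default list are constructed assumptions; credentials are compared as keyed HMAC fingerprints so the inventory never holds plaintext passwords.

```python
import hashlib
import hmac
from collections import Counter

AUDIT_KEY = b"constructed-audit-key"  # assumption: secret held by the inventory system

# Constructed sample; a real audit would load each vendor's documented defaults.
FACTORY_DEFAULTS = [("admin", "admin"), ("root", "root"), ("admin", "1234")]

def fingerprint(username, password, key=AUDIT_KEY):
    """Keyed digest so credentials can be compared without being stored."""
    msg = f"{username}\x00{password}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

# Constructed inventory: one record per deployed device.
INVENTORY = [
    {"id": "cam-01", "cred_fp": fingerprint("admin", "admin"),
     "updatable": True, "fw": "1.0.3", "latest_fw": "1.0.3"},
    {"id": "dvr-07", "cred_fp": fingerprint("ops", "T7#pL9wq"),
     "updatable": False, "fw": "2.1", "latest_fw": "2.1"},
    {"id": "cam-02", "cred_fp": fingerprint("ops", "T7#pL9wq"),
     "updatable": True, "fw": "1.0.1", "latest_fw": "1.0.3"},
    {"id": "cam-03", "cred_fp": fingerprint("ops", "x4!Vm2Rz"),
     "updatable": True, "fw": "1.0.3", "latest_fw": "1.0.3"},
]

def audit(inventory, defaults=FACTORY_DEFAULTS, key=AUDIT_KEY):
    """Return {device_id: [issues]} for devices that break any of the four lessons."""
    default_fps = {fingerprint(u, p, key) for u, p in defaults}
    counts = Counter(d["cred_fp"] for d in inventory)
    findings = {}
    for d in inventory:
        issues = []
        if not d["updatable"]:                 # lesson 1: must be updatable
            issues.append("not-updatable")
        if d["cred_fp"] in default_fps:        # lesson 2: defaults changed
            issues.append("default-credentials")
        if counts[d["cred_fp"]] > 1:           # lesson 3: unique per device
            issues.append("shared-credentials")
        if d["fw"] != d["latest_fw"]:          # lesson 4: patched
            issues.append("firmware-outdated")
        if issues:
            findings[d["id"]] = issues
    return findings
```

Treat the audit key like a credential: anyone holding it can test password guesses against the stored fingerprints.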

2. The Hackable Cardiac Devices from St. Jude

Early last year, CNN wrote, “The FDA confirmed that St. Jude Medical’s implantable cardiac devices have vulnerabilities that could allow a hacker to access a device. Once in, they could deplete the battery or administer incorrect pacing or shocks, the FDA said.

The devices, like pacemakers and defibrillators, are used to monitor and control patients’ heart functions and prevent heart attacks.”

The article continued to say, “The vulnerability occurred in the transmitter that reads the device’s data and remotely shares it with physicians. The FDA said hackers could control a device by accessing its transmitter.”

3. The Owlet WiFi Baby Heart Monitor Vulnerabilities

Right behind the St. Jude cardiac devices is the Owlet WiFi baby heart monitor. According to Cesare Garlati, Chief Security Strategist at the prpl Foundation:

“This latest case is another example of how devices with the best of intentions, such as alerting parents when their babies experience heart troubles, can turn dangerous if taken advantage of by a sinister party.

Sadly, this is more often than not in the case of embedded computing within so-called smart devices. The connectivity element makes them exploitable and if manufacturers and developers don’t consider this and take extra steps to secure devices at the hardware layer, these are stories that we will, unfortunately, keep hearing.”

4. The TRENDnet Webcam Hack

And, continuing with the baby theme, TechNewsWorld reports, “TRENDnet marketed its SecurView cameras for various uses ranging from home security to baby monitoring and claimed they were secure, the FTC said. However, they had faulty software that let anyone who obtained a camera’s IP address look through it — and sometimes listen as well.

Further, from at least April 2010 [until about January 2012], TRENDnet transmitted user login credentials in clear, readable text over the Internet, and its mobile apps for the cameras stored consumers’ login information in clear, readable text on their mobile devices, the FTC said.

It is basic security practice to secure IP addresses against hacking and to encrypt login credentials or at least password-protect them, and TRENDnet’s failure to do so was surprising.”

5. The Jeep Hack

The IBM security intelligence website reported the Jeep hack a few years ago, saying, “It was just one, but it was enough. In July [2015], a team of researchers was able to take total control of a Jeep SUV using the vehicle’s CAN bus.

By exploiting a firmware update vulnerability, they hijacked the vehicle over the Sprint cellular network and discovered they could make it speed up, slow down and even veer off the road. It’s proof of concept for emerging Internet of Things (IoT) hacks: While companies often ignore the security of peripheral devices or networks, the consequences can be disastrous.”

We need to develop better security protocols, strategies, and standards if the IoT revolution is to continue to deliver value to people without compromising their security and privacy. But how shall we do this? Industry leaders need to put their heads together.

Written by Terry Dunlap, Founder & CEO of Tactical Network Solutions (TNS) in Columbia, Maryland. Originally posted on the TNS blog.