The Evolution of IoT Hacking

IoT hacking has become a low-effort, high-reward for cybercriminals. Manufacturers and operators must prioritize security standardization to manage risks.

Kayla Matthews
Image of an Amazon Echo Getting Hacked

Things progress in a society in unstoppable ways under the right conditions.

Sometimes, that inevitable reality brings good things, like medical advancements and inventions that help people get more out of life. But crime methods also evolve. Internet of Things (IoT) hacking is a good example.

Hacking in a general sense rose to public awareness in 1961, but unrelated to computers. The term initially described members of a model railroad club at MIT that figured out how to manipulate those toys. Later, however, the team progressed to computers, as did others in society.

“IoT hacking” is a much newer phenomenon, but it has demonstrated a massive potential for destruction within a relatively short timeline.

The Mirai Botnet

The attack mechanism known for bringing IoT hacking to mainstream awareness is called the “Mirai” botnet. A botnet is a network of Internet-connected things that get infected with malware. They’re then controlled as a group—a network of bots or “botnet”—to carry out tasks without the owners’ knowledge.

A report about the Mirai botnet got published in late August 2016. However, there were earlier attacks on Internet-connected utility systems as early as 2011. Moreover, in 2014 security analysts discussed the risk of hackers getting access to smart utility meters in homes.

The 2016 Mirai report didn’t initially garner much interest, but all that would change within a month. In September 2016, the first widescale IoT attack happened with the help of the Mirai botnet. By November 2016, Mirai infected more than 600,000 IoT devices. Most of them were Internet routers, but Internet-connected cameras got attacked as well.

One of the reasons why Mirai spread so quickly is that it’s self-propagating. A replication module looks for vulnerable devices by scanning the whole Internet. Next, an attack module carries out a distributed denial of service (DDoS) attack by overwhelming the devices’ networks with requests they can’t handle.

Security Flaws Affect Millions of Different IoT Devices

By 2018, hackers had changed their methods somewhat by not attacking individual networks and devices but rather the wireless protocols for smart home devices. Specifically, they focused on Z-Wave, a wireless protocol for smart home gadgets. Z-Wave is what lets the connected devices in smart homes “talk” to each other.

However, during spring 2018, researchers uncovered a vulnerability affecting up to 100 million smart home gadgets. The problem had the potential to affect everything from door locks to alarm systems. A hacker could then disable those things and leave a house open for burglaries.

It’s Me, Alexa. Or Is It? 

One such smart home gadget that functions as a doorway for hackers is the seemingly innocuous smart speaker. In late 2014, Amazon released its Alexa personal assistant technology inside a smart speaker shell. It changed the ways people interact with technology quickly.

By 2017, content from technology writers warned voice hacks are not far-fetched. Yearly cybercrime costs could be higher than $6 trillion by 2021, estimates say.

Voice hacking could amplify the damage as more and more connected speakers pervade our daily lives. Cybercriminals only need a voice sample to play back for smart speakers in order to access anything a genuine device owner does while speaking commands.

Although people may be concerned about the mere existence of voice hacking, banking by smart speaker, which arrived in the summer of 2018, ushered in a slew of new risks.

Cybersecurity researchers also raised another concern about smart speakers unrelated to voice impersonation. In 2016, they released findings that it was possible to hide voice commands in white noise smart speaker assistants could hear, even when humans couldn’t.

They warned that if hackers carried out such an attack, a smart speaker could be performing commands in the background—such as ordering products—while a person listens to an audiobook or music.

Hackers Get Smarter Faster Than Cybersecurity Pros

One of the problems with most hacks is that cybercriminals come up with new methods faster than devices get secured. Moreover, the IoT sector is extremely fast-moving. There is a constant desire to release new products sooner than competitors. Security often gets sacrificed or completely overlooked in the hustle.

Another challenge facing the IoT market is that there are no manufacturing standards for companies. Hackers are aware of the lack of meaningful standards and see IoT devices as easy attack points. In addition, because the gadgets are so popular, hackers can have a broad reach for minimal effort. In the summer of 2018, the FBI even warned about the dangers of cybercriminals using connected devices.

Seemingly Innocent Habits Could Worsen Attacks

Today, people use IoT devices to brew their coffee in the morning, turn off the lights before going to bed, and track how active they are on a typical day — and those cases are just a sampling of consumer Applications, let alone the myriad of industrial scenarios in which IoT is transformative. Many users don’t practice basic Internet security rules, such as setting strong passwords and performing software updates. Hardware manufacturers are some of the worst culprits.

IoT enthusiasts often don’t see the harm in their casual approach to device security.

But, as the examples above demonstrate, hackers are already accustomed to techniques that cause devastating damage, and they’ll likely continue to outsmart device manufacturers and owners until security gets prioritized—and standardized—across the entire industry.

Author
Kayla Matthews
Kayla Matthews
Kayla Matthews is an IoT enthusiast and senior writer at MakeUseOf. You can also find her writing on VentureBeat, The Next Web and ProductivityBytes.com.
Kayla Matthews is an IoT enthusiast and senior writer at MakeUseOf. You can also find her writing on VentureBeat, The Next Web and ProductivityBytes.com.