5 Infamous IoT Hacks and Vulnerabilities

Isabel Harner

The number of IoT devices is growing exponentially, but with that growth come growing pains in securing them. We have yet to find a silver bullet for IoT security, and consumers and enterprises alike are worried about the potential risks involved in implementing an IoT solution or purchasing a consumer device like a smart lock.

And rightly so. We’ve seen some pretty scary instances of hacking into IoT devices, from smart home products for children to the takedown of the internet. Here are 5 infamous IoT hacks to teach us how important it is to build security into devices in the future.

Mirai DDoS Botnet

Arguably the most infamous IoT botnet attack, the Mirai DDoS (which means distributed denial of service) botnet successfully slowed down or fully stopped the internet for nearly the entire East Coast. The tech company Dyn got the worst of it.

The botnet was able to scan big blocks of the internet for open Telnet ports and log in to them using 61 username/password combos that are frequently used as the default for these devices. Using this strategy, the hacker, a Rutgers University student, was able to amass a botnet army.

Thankfully the botnet was not deployed with malicious intent (apparently they had been trying to gain an advantage in the computer game Minecraft), but it goes to show how dangerous the vulnerabilities in IoT devices can be if exploited.

If you’re looking for a deeper dive into how this was pulled off, Incapsula put together a great analysis of the Mirai botnet code.
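
The default-credential Telnet sweep described above leaves a recognizable trail in login logs. The following Python is an added example, not part of the original article or of any Mirai analysis: it flags sources that try several factory-default pairs within a short window, and devices that accepted one. The log format, the `analyze` function and the short credential list are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of factory-default pairs (assumption), not Mirai's real list.
DEFAULT_PAIRS = {("admin", "admin"), ("root", "root"), ("admin", "1234"),
                 ("user", "user"), ("guest", "guest")}

# Constructed honeypot-style Telnet login log; the format is hypothetical.
SAMPLE_LOG = """\
2024-01-01T00:00:01 telnet src=203.0.113.7 dst=10.0.0.21 user=admin pass=admin result=fail
2024-01-01T00:00:02 telnet src=203.0.113.7 dst=10.0.0.21 user=root pass=root result=fail
2024-01-01T00:00:03 telnet src=203.0.113.7 dst=10.0.0.22 user=admin pass=1234 result=ok
2024-01-01T00:05:00 telnet src=198.51.100.9 dst=10.0.0.21 user=admin pass=hunter2 result=fail
2024-01-01T00:05:09 telnet src=198.51.100.9 dst=10.0.0.21 user=admin pass=admin result=fail
2024-01-01T00:07:00 telnet src=192.0.2.50 dst=10.0.0.23 user=ops pass=S3cure-long result=ok
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) telnet src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"user=(?P<user>\S+) pass=(?P<pw>\S+) result=(?P<res>ok|fail)")

def analyze(log_text, min_pairs=3, window=timedelta(seconds=60)):
    """Return (sweeping_sources, exposed_devices) as two sets of IP strings."""
    attempts = defaultdict(list)   # src -> [(timestamp, (user, password))]
    exposed = set()                # devices that accepted a default pair
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # ignore lines in another format
        pair = (m["user"], m["pw"])
        if pair not in DEFAULT_PAIRS:
            continue               # only default-credential attempts matter here
        attempts[m["src"]].append((datetime.fromisoformat(m["ts"]), pair))
        if m["res"] == "ok":
            exposed.add(m["dst"])  # this device still has its factory login
    sweepers = set()
    for src, events in attempts.items():
        events.sort()
        # Sliding window: count distinct default pairs tried after each attempt.
        for i, (start, _) in enumerate(events):
            pairs = {p for t, p in events[i:] if t - start <= window}
            if len(pairs) >= min_pairs:
                sweepers.add(src)
                break
    return sweepers, exposed

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Any address in the second set is a device that still accepts a factory login over Telnet and needs its credentials changed and the service closed.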

Jeep and a Virtual Carjacking

Back in 2016, two hackers, Charlie Miller and Chris Valasek, successfully took control of a Jeep Cherokee in a completely virtual carjacking. Don’t worry, the driver was in on it to demonstrate the importance of building in security measures.

After finding a vulnerability in the vehicle, the hackers took control of the vents, radio, windshield wipers and more, all while the driver was in motion. Soon after, Miller and Valasek’s faces came up on the car’s digital display – and the driver lost control of his vehicle’s brakes, accelerator, and steering. Eventually they were able to make the vehicle come to a full stop.

The duo released a full list of the most hackable cars, prompting automakers to patch up some software and encourage users to frequently update their systems.

You can watch the takeover in this video from Wired.

Owlet WiFi Heart Monitor for Babies

Owlet is a heartbeat-monitoring sensor that babies wear in a sock. The device relays heartbeat data wirelessly to a nearby hub, and parents can set up an alert to their smartphones if anything is out of the ordinary.

Seems like it would bring a lot of peace of mind. However, it was discovered that the network linking the WiFi hub to the device is completely unencrypted and doesn’t require any authentication to access. That means that someone can hack into the system if they’re in range and prevent alerts from being sent out to parents. Yikes.

Devil’s Ivy & the Rube-Goldberg Attack

This year, Wired reported on an increasingly popular, although elaborate, IoT hack known as the Rube-Goldberg Attack. It uses a vulnerability called Devil’s Ivy and works something like this:

  • The attack starts by targeting a security camera that is vulnerable to an inveterate IoT bug known as Devil’s Ivy.
  • The attacker finds such a vulnerable camera that’s on the public internet to start the attack.
  • The attacker uses the Devil’s Ivy exploit to factory reset the camera and take over root access, giving them full control over it.

Exploiting an IP camera can give a hacker complete access to the video feed inside a company building, for example, where they can pick up on employee access/security codes, schedules of security officers, and more.

Really, really bad, right? Researchers at Senrio actually did a public demonstration of this kind of chained attack, hoping to raise awareness about the urgency of addressing the IoT security crisis.

CloudPets

An internet-connected stuffed toy that allows parents and kids to send audio messages to each other sounds like a great idea on paper. But CloudPets toys had another unexpected surprise. The emails and passwords of parents, as well as the message recordings themselves, were left exposed online to hackers.

“Anyone within range—10 meters with a normal smartphone—can just connect to it,” said Paul Stone, a security researcher who studied how CloudPets’ toys work. “Once you’re connected you can send and receive commands and data.”

One user took a video of the hijacked fluffy animals to demonstrate how creepy it could get.

Troy Hunt, who discovered the vulnerability, said there was clear evidence that cybercriminals have held the database for ransom, at least twice, demanding money from the company in exchange for the data’s safe return.

What’s the takeaway here, besides to scare you? Definitely do your research before buying an internet-connected product, especially one that lives in your home or that your children interact with. If you’re building an internet-connected product, let this be a lesson in what poor security looks like.

Author
Isabel Harner
Isabel is the Community Director at IoT For All and a 2017 Venture for America Fellow. Lover of startups, IoT, and social media.