These five examples leave no doubt that the Internet of Things (IoT) is way too sloppily secured.
If you don't secure the flow of data sent between your devices and the Internet, you will be exposed to hackers sooner or later.
A while ago we wrote about five IoT solutions that went wrong, and why. This is the sequel. If your devices are communicating openly over the Internet, they will be hacked. That's exactly what happened in the examples below.
1. The Dyn attacks in 2016
What do Facebook, Netflix, Spotify, Twitter, Amazon and Reddit all have in common? They are all hosted by Dyn servers, along with a staggering amount of popular websites and services – servers that were attacked on October 21st 2016. A veritable army of captured IoT devices launched the biggest DDoS attack against the Internet in history, rendering large parts of it unusable.
The attack was measured at 1.2 Tbits – twice the strength of the previous record holder. The botnets behind it all, mainly Mirai and BASHLITE, gained control of the offending devices by testing common username/password combinations. It's quite frustrating to know the Internet is under constant threat because so many people don't bother changing the login information from admin/admin.
2. Pacemakers open for attack
What's scarier than the Internet being attacked? Answer: knowing the technology keeping your heart pumping could be stopped at any time. At St. Jude's children's hospital in Tennessee, they luckily discovered in time that both pacemakers and defibrillators had open and exposed connections to the Internet.
Anyone with evil intentions could have disturbed the heart rhythm, administered shocks, or emptied the batteries of the life-sustaining devices – meant for children. Only pure luck, in that nobody attempted anything before the exploit was fixed, kept the story from having a much more dramatic ending.
3. University network attacked itself – over seafood
In the Verizon Data Breach Report for 2017, we can read about an unspecified university where the entire network ground to a halt through a rather unconventional DDoS attack. Somebody had requested 5000 IoT devices – mainly light sensors and vending machines – to use all available bandwidth to search for seafood restaurants. The students struggled to use the Internet for anything, and most couldn't even get online during the attack.
This is an uncommon form of attack where the victim's own devices are used against them, while the threat normally comes from external botnets. Security experts finally managed to stop the attack before the network crashed completely. Hopefully the attacker at least managed to find a nice piece of fish by then.
4. 11-year-old hacked teddy bear
To IoT enthusiasts, eleven-year-old Reuben Paul is perhaps better known as the Cyber Ninja. With some probable help from his father, IT expert Mano Paul, he's held several popular talks on IoT security since he was eight years old, and founded the non-profit Cyber Shaolin that teaches children about data security.
At a security conference in The Hague in 2017, he used a Raspberry Pi to search for and gain access to Bluetooth-connected devices in the area. He then used those devices to hack into a teddy bear connected to the Cloud, brought for the occasion, to make it light up and display warnings about how important it is to secure your IoT devices properly.
It's cute, but also quite alarming, seeing as many of the hacked devices belonged to proclaimed IoT experts.
5. Hijacked 150 000 printers for the fun of it
In February 2017 a bored high school student in the UK was drinking coffee and coding. He decided to write a small program in C to gain access to unsecured printers around the world. He was shocked when he saw how many immediately responded – 150 000 of them.
Luckily the student didn't have too malicious intentions, and settled on printing some fake warnings that the printers were captured by a dangerous botnet controlled by Vladimir Putin's forehead (yeah) – along with an encouragement to secure the open ports. A similar method has been used in the past to remotely print anti-Semitic propaganda.
Luckily the printers weren't captured by a real botnet this time. But they could easily have been.