Connecting everything around us, from our cars to our homes to even our bodies, is very exciting, and it definitely automates our daily lives. Let’s not deny that, with our love for the Internet of Things (IoT), we will be more than delighted when our air conditioner reads our mind, a light bulb glows as we enter the room, we ride in an automated car, our body is connected to a smartphone, and many other such spoon-fed conveniences ease our lives. But we should be wary of the various IoT hacks.
However, on the other side of the spectrum (which people hardly think about) is the safety and security of your data. All of your data is interconnected, which in fact reduces the effort hackers need to compromise the entire system.
One major reason is that a large number of Internet-connected devices lack even the most basic cyber security protocols, making them hackable in minutes. Most secure and trusted machines do give hackers a tough time, but one tiny loophole is enough for them to get at your data. In fact, Intel’s predictions for threats in 2017 include that IoT malware will open backdoors into the connected home that could go undetected for years!
To add to the fear, a lot of such effective IoT hacks have been reported in the recent past. Let’s take a look at the top five IoT hacks and how they were done.
The top 5 IoT hacks are as follows:
You are on the driving seat, but it is not you who is driving
Charlie Miller and Chris Valasek, automotive cyber security researchers, proved earlier that hacking Jeeps is child’s play for them, especially because carmakers are doing their best to turn the automobile into a smartphone. Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, sport utility vehicles (SUVs), and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. Uconnect’s cellular connection lets anyone who knows the car’s IP address gain access from anywhere in the country.
In 2015, they attacked the Jeep over the Internet from around 15 kilometres away from the target. They toyed with the air-conditioning, radio, and windshield wipers, disabled the brakes at low speeds and managed to paralyse the vehicle. This led Chrysler to announce a recall of 1.4 million vehicles to fix the vulnerabilities. But now, these researchers have come out with better hacking tricks.
By sending carefully crafted messages on the vehicle’s internal network, known as a controller area network (CAN) bus, they are now able to pull off even more dangerous, unprecedented tricks like causing unintended acceleration, slamming on the car’s brakes or turning the vehicle’s steering wheel at any speed. Unlike last year, when they cut the transmission on the highway, they can now turn the wheel 180 degrees!
One major limitation is that this hack can be performed only with a laptop that is plugged directly into the Jeep’s CAN network via a port under its dashboard. But they do promise this will go wireless soon. Instead of merely compromising one of the so-called electronic control units (ECUs) on a target car’s CAN network and using it to spoof messages to the car’s steering or brakes, they also attacked the ECU that sends legitimate commands to those components, which would otherwise contradict their malicious commands and prevent their attack.
By putting that second ECU into “bootrom” mode—the first step in updating the ECU’s firmware that a mechanic might use to fix a bug—they were able to paralyse that innocent ECU and send malicious commands to the target component without interference. More about this can be found on hacking a jeep.
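The two bus-level symptoms this section implies can be checked from a CAN capture: an ID arriving faster than its normal period (spoofed frames beside a legitimate sender) and a periodic ID going quiet (an ECU parked in a firmware-update mode). The following is an added example, not code from the researchers; it assumes can-utils `candump -L` style log lines, and the CAN IDs, periods, thresholds and sample capture are all constructed for illustration.

```python
import re
from collections import defaultdict

# candump -L style line: "(1469000000.020000) can0 0E4#0000000000000000"
FRAME = re.compile(r"\((\d+)\.(\d{6})\)\s+\S+\s+([0-9A-Fa-f]{3,8})#")

def parse_candump(log):
    """Return {can_id: [timestamps in microseconds]} from candump -L text."""
    seen = defaultdict(list)
    for line in log.splitlines():
        m = FRAME.match(line.strip())
        if m:
            stamp = int(m.group(1)) * 1_000_000 + int(m.group(2))
            seen[m.group(3).upper()].append(stamp)
    return seen

def detect(log, baseline_us, min_short_gaps=5):
    """baseline_us maps CAN ID -> normal period in microseconds (assumed known)."""
    seen = parse_candump(log)
    end = max(ts for stamps in seen.values() for ts in stamps)
    alerts = []
    for can_id, period in sorted(baseline_us.items()):
        stamps = seen.get(can_id, [])
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Frames injected beside a legitimate sender arrive much faster
        # than the ID's normal period.
        if sum(g < period // 2 for g in gaps) >= min_short_gaps:
            alerts.append((can_id, "rate-above-baseline"))
        # An ECU held in a firmware-update mode stops its periodic frames.
        if not stamps or end - stamps[-1] > 3 * period:
            alerts.append((can_id, "periodic-frame-missing"))
    return alerts

def sample_log():
    """Constructed capture: normal traffic, then 2F1 stops and 0E4 speeds up."""
    frames = [(t, "0E4") for t in range(0, 200, 20)]
    frames += [(t, "2F1") for t in range(0, 200, 50)]
    frames += [(t, "3B0") for t in range(0, 400, 100)]
    frames += [(t, "0E4") for t in range(200, 400, 5)]
    return "\n".join(f"(1469000000.{ms * 1000:06d}) can0 {cid}#0000000000000000"
                     for ms, cid in sorted(frames))

# Constructed baseline periods for the three constructed IDs.
BASELINE_US = {"0E4": 20_000, "2F1": 50_000, "3B0": 100_000}
```

On a real vehicle the baseline would come from a recording of known-good traffic, since message IDs and periods differ per model.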
Adventures of Barnaby Jack
Barnaby Jack, a hacker, programmer and computer security expert, managed to hack multiple devices including automatic teller machines (ATMs), pacemakers, heart implants and insulin pumps. At a Black Hat conference in 2010, Jack gave a presentation on “jackpotting”, or exploiting automated teller machines to make them dispense cash without withdrawing it from a bank using a bank card. Jack gave demonstrations of different kinds of attacks involving both physical access to the machines and completely automated remote attacks. In both cases, malware was injected into the operating system of the machines, causing them to dispense currency fraudulently on the attacker’s command.
During the remote attack, malware is installed on the target system via exploited vulnerabilities in the remote management system, most notably the use of default passwords and remote management transmission control protocol (TCP) ports. The attacker then executes the malware, causing the target ATM to dispense a given amount of currency. He also developed software that allowed him to remotely send an electric shock to anyone wearing a pacemaker within a 50-foot radius.
Jack also came up with a system that scans for any insulin pumps that communicate wirelessly within 300 feet, allows you to hack into them without needing to know the identification numbers and then sets them to dish out more or less insulin than necessary, sending patients into hypoglycaemic shock or ketoacidosis. With more such hackers finding vulnerabilities in various medical devices, hacking the human body also becomes easy. More about this can be found on hacks by Barnaby Jack.
World’s first digital weapon
Stuxnet, a highly sophisticated computer worm, was discovered in 2010 and was essentially the world’s first digital weapon. It was developed by the American and Israeli governments and used to wreak havoc on an Iranian nuclear facility called Natanz. It targets industrial control systems that are used to monitor and control large-scale industrial facilities like power plants, dams, waste processing systems and similar operations. It allows the attackers to take control of these systems without the operators knowing.
This was the first attack that allowed hackers to manipulate real-world equipment, which made it very dangerous. It was the first computer virus able to wreak havoc in the physical world. It was sophisticated and well-funded, and there were not many groups that could pull off this kind of threat. It was also the first cyber attack that specifically targeted industrial control systems. It targeted the computer systems of the machines used to enrich uranium, known as centrifuges, and instructed them to spin the machines out of control. Eventually, the forces broke the centrifuges.
At the same time, Stuxnet would report to the control room that nothing was amiss. Over a few years, about 20 percent of Iran’s centrifuges spun out of control and were destroyed. Iran’s nuclear scientists had no idea why so many centrifuges were busted. It indeed turned out to be a brilliantly sophisticated attack. More about this can be found on an unprecedented look at Stuxnet.
A kindle of devices attacked at once
A massive Distributed Denial of Service (DDoS) attack against Dyn, a major domain name system (DNS) provider, broke large portions of the Internet in October 2016, causing a significant outage to a ton of websites and services, including Twitter, GitHub, PayPal, Amazon, Reddit, Netflix, and Spotify. According to security intelligence firm Flashpoint, Mirai bots were detected driving much, but not necessarily all, of the traffic in the DDoS attacks against DynDNS.
Mirai is a piece of malware that targets Internet of Things (IoT) devices such as routers, security cameras, and DVRs, and enslaves vast numbers of these compromised devices into a botnet, which is then used to conduct DDoS attacks. Since the source code of the Mirai botnet has already been made available to the public, anyone can wield these attacks against targets. This time the hackers did not target an individual site; rather, they attacked Dyn, which many sites and services use as their upstream DNS provider for translating between human-readable website names and internet protocol (IP) addresses.
This type of attack is notable and concerning because it largely consists of unsecured IoT devices, whose numbers are growing exponentially with time. These devices are implemented in a way that they cannot easily be updated and thus are nearly impossible to secure. Manufacturers focus mainly on the performance and usability of IoT devices but ignore security measures and encryption mechanisms, which is why the devices are routinely hacked and are widely becoming part of DDoS botnets used as weapons in cyber attacks.
An online tracker of the Mirai botnet suggests there are more than 1.2 million Mirai-infected devices on the Internet, with over 166,000 devices active right now. More about this can be found on massive Internet outage.
Not so Smart Refrigerator
White-hat hackers at Pen-Test Partners were able to use fake security credentials to intercept communications between the fridge and Google Calendar. Cybercrooks could potentially use a similar technique to steal your Google login names and passwords. However, those thieves would first need to log onto your Wi-Fi network to access the fridge. Besides the fridge, the hackers also found 25 vulnerabilities in 14 allegedly smart devices, including scales, coffee makers, wireless cameras, locks, home automation hubs, and fingerprint readers.
The hack was pulled off against the RF28HMELBSR smart fridge, part of Samsung’s line-up of Smart Home appliances, which can be controlled via their Smart Home app. While the fridge implements SSL, it fails to validate SSL certificates, thereby enabling man-in-the-middle attacks against most connections.
The internet-connected device is designed to download Gmail calendar information to an on-screen display. Security shortcomings mean that hackers who manage to jump onto the same network can potentially steal Google login credentials from their neighbors. More about this can be found on hacking a smart refrigerator.
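The flaw described above, a client that encrypts but never validates the server certificate, is shown here next to a validating client and a check that refuses to connect with the weak settings. This is an added example using Python's standard `ssl` module, not the fridge's firmware; the function names are hypothetical.

```python
import socket
import ssl

def fridge_style_context():
    """Encrypts traffic but accepts any certificate, the flaw described above."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # any peer, including an interceptor, is trusted
    return ctx

def validating_context():
    """Verifies the chain against the system trust store and checks the hostname."""
    return ssl.create_default_context()

def audit_client_context(ctx):
    """Return the reasons a client context would permit interception."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    return findings

def connect_checked(host, port, ctx, timeout=5):
    """Open a TLS connection only if the context validates the server."""
    findings = audit_client_context(ctx)
    if findings:
        # Fail before any bytes leave the device.
        raise ValueError("refusing insecure TLS settings: " + "; ".join(findings))
    sock = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(sock, server_hostname=host)
```

With a validating context, a certificate presented by an interceptor makes `wrap_socket` raise `ssl.SSLCertVerificationError` instead of completing the handshake.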
An omen?
Beyond these IoT hacks, attacks on surveillance cameras, Bluetooth devices, and email accounts are getting common these days. In addition to these, there are weird attacks like the ‘smart toilet’ hacks that took place in Japan and home automation attacks on light bulbs. In short, the threats from IoT hacks are real and our data is prone to attack. Therefore, while using IoT devices, make sure that security is built into the foundation of the system and that validity checks, authentication, data verification, and encryption are carried out frequently.
If you know any more IoT hacks, let us know in the comment section below.