The trajectory of the internet of things is to blanket the globe with billions of small, automated, internet-connected sensors and devices. This vast number of low-compute sensors and devices creates a massive “attack surface area”. For the motivated and nefarious cybercriminal, IoT devices are prime infiltration targets.
Below is a list of 5 of the scariest vulnerabilities that have been discovered and exploited in IoT devices. This list is provided to allow technologists in the IoT industry to review and understand past shortcomings in IoT products, and thereby provide insight to minimum security standards that need to be implemented in all IoT devices.
While chilling, there are important lessons for IoT technologists in the above examples of what not to do. The specific security measures implemented in any given IoT devices are determined by its application environment, the regulations it abides to, and the risk/impact potential if the device is corrupted. However, all IoT devices should be subject to the below base security measures:
Below is a list of 5 of the scariest vulnerabilities that have been discovered and exploited in IoT devices. This list is provided to allow technologists in the IoT industry to review and understand past shortcomings in IoT products, and thereby provide insight to minimum security standards that need to be implemented in all IoT devices.
- Mirai Botnet (aka Dyn Attack)
The largest DDoS attack in history was performed in October 2016. This resulted in many of the world’s most visited websites going down for a day; including Twitter, Netflix, Reddit, and CNN.
The attack was performed by infecting generic IoT devices that had standard, factory-set, default usernames and passwords. These were devices like digital web cameras and DVR players. - Hackable Cardiac Devices
It was confirmed by the FDA in 2016 that St. Jude Medical’s implantable cardiac devices contained a vulnerability that allowed a hacker to take control of the devices. With control of the implantable, a hacker could stop or modify the cardiac pacer shocks, harming the patient.
The vulnerability that was exploited was the communication channel between the implantable and the transmitters. The protocol could be decrypted and hackers could take control of the transmitter to instruct the implantable to execute specific instructions. - Owlet WiFi Baby Heart Monitor
The prpl Foundation uncovered a vulnerability in the Owlet Baby Heart Monitor that allowed it to be hacked to intentionally corrupt the output data. While not as directly harmful as a corrupted cardiac implantable, the corruption of a heart monitor is dangerous if data that is thought to be trustworthy is instead being maliciously modified.
Like the cardiac implantable, the vulnerability exploited in the Owlet monitor resided in the connectivity layer with hackers being able to decode and modify the wireless data in transit. - TRENDnet Webcam Hack
The TRENDnet webcam had faulty software that allowed anyone who obtained the camera’s IP address to look through it and even to listen.
The vulnerability in the TRENDnet camera was that user login credentials were transmitted and stored in plain, readable text. This is a massive no-no for all IoT devices (as well as any digital application) as storing user information in plain text can render all other security measures, as thoughtfully designed as they may be, completely useless. - Jeep Hack
IBM reported that Jeep had a vulnerability in a 2015 model that allowed the vehicles to be hijacked and controlled remotely through a cellular network. The remote hijacker could speed up, slow down, and steer the vehicle.
The vulnerability was uncovered by exploiting the mechanism through which Jeep performed over-the-air (OTA) firmware updates to the vehicle. By adding sinister code to the firmware update, the hackers were able to inject override commands to the Jeep and control the vehicle through its CAN bus.
While chilling, there are important lessons for IoT technologists in the above examples of what not to do. The specific security measures implemented in any given IoT devices are determined by its application environment, the regulations it abides to, and the risk/impact potential if the device is corrupted. However, all IoT devices should be subject to the below base security measures:
- The factory-set passwords and usernames for IoT devices should be unique.
- It should be mandatory for a user to change the default passwords and usernames of devices upon installation.
- Over the Air (OTA) update capabilities need to be designed so that the firmware can only be updated by the device manufacturer. And, even then, there needs to be checks in place to ensure no potentially nefarious code is getting inserted with the update.
- Password and username credentials can never be stored or transmitted in plain text.
- Data that is being transmitted wirelessly should be encrypted, at a minimum through a private key encryption mechanism.
