5 Internet of Things security fails

David Puron
Published in Barbara updates
4 min read · Apr 12, 2017

Who has never had their computer infected by malware that launches ads in a browser? It is well known that anything connected to the Internet can be infected. Any responsible CSO would ask you to store your most sensitive corporate data, such as your digital signature keys, on a device that is NOT connected to the Internet. We mean not connected to the Internet at all. This is the only way to keep data 99% secure today.

Internet of Things means, oh surprise, “things connected to the Internet”. In other words, Internet of Things means “things that can be hacked”. And this is where the story gets more interesting, because hacking IoT is far more appealing to both ethical and less ethical hackers than hacking computers. The possibilities of having a big social or economic impact through IoT hacking are many times higher than with traditional device hacking.

Let’s go through five inglorious Internet of Things security fails:

1.- The day the Internet fell to an army of IoT devices.

Wednesday 21st of October 2016, a large part of the Internet was down. Sites like PayPal, Spotify, Verizon and others were inaccessible for hours, causing millions of dollars in lost revenue. The attackers took control of a large number of surveillance cameras and other devices and generated massive amounts of traffic that overloaded the DNS servers used to route traffic on the Internet. This ended with the DNS servers crashing and half of the Internet down.

By DownDetector — DownDetector Level 3 Outage Map, CC BY-SA 4.0

2.- CCTV system hacked during Trump’s inauguration preparations.

Washington DC city officials confirmed that more than 70% of the city’s CCTV system was infected with “ransomware” two days before the inauguration speech of the newly elected President Trump. Two British people were recently arrested for it.

As in any other ransomware attack, the hackers left the devices unusable and demanded money for their recovery. The city’s CTO confirmed that no ransom was paid and that the problem was resolved technically after some hours. However, this raised a lot of concern about potential attacks on surveillance cameras that could affect citizens’ privacy or security at some point.

3.- Your Smart TV is listening to you… oh wait, anyone can listen to you.

Voice interfaces and assistants are becoming more and more popular. We are all starting to see people talking to devices without thinking they are crazy. “Hi Siri”, “OK Google”, “Alexa”? It is worth mentioning that a lot of the words we pronounce in front of these assistants are sent immediately to a server on the Internet for analysis and response. However, if the right encryption technology is implemented, only the server should be able to “listen” to what you said.

In 2015, Samsung was one of the pioneers in adding a voice assistant to some of their Smart TV models, sending user words to Samsung servers over the Internet for processing. At that time, the engineers were not brilliant enough to put any encryption on them. What does that mean? Not only Samsung: any person with basic Internet networking skills could remotely listen to the things you said in front of your Smart TV as they travelled across the Internet.

4.- Connected cars. Hack them. Crash them.

One of the verticals adopting Internet connectivity most quickly in its “Things” is the car industry. There are a number of futuristic use cases, such as driverless cars or remote car management, that require it. This is what Chrysler thought when designing the brand new UConnect module for its cars.

UConnect used the GSM network to access the Internet and allowed car owners to start their cars remotely, get assistance, navigate, and use other nice features. However, in June 2015 two white-hat hackers, Charlie Miller and Chris Valasek, demonstrated to a scared journalist how they were able to, among other things, stop his Jeep Cherokee on the highway. The UConnect firmware update system had a hole through which they replaced the UConnect firmware with one that controlled the engine of the car.

5.- The Internet of Toys. My friend Cayla.

This is one of the IoT security flaws that got the most press in recent months, likely because it involves our younger generations. “My Friend Cayla” claimed to be the world’s first interactive doll, equipped with a microphone, a Bluetooth connection, and Internet access: the perfect combination for a hacker.

Through an insecure Bluetooth configuration it was extremely simple to connect to the device and remotely listen to conversations, or to change the doll’s database in order to modify the pre-recorded sentences. My Friend Cayla was banned by the German government, which classified it as an “espionage device”.

This post was originally published at barbaraiot.com on April 12, 2017. If you liked it and want to receive similar content, subscribe to our Newsletter.
