Last month, we discussed how security experts can secure the critical infrastructure using the Internet of Things (IoT). We settled on a number of recommendations, including putting newly connected “things” on their own private networks and using live-action intelligence to anticipate emerging threats.
These are valuable suggestions. However, they do not reveal much about how transformative the Internet of Things will be for the security industry.
Here’s a little perspective. In a recent survey conducted by the FOW Community, leading IT companies predicted that between 26 and 212 billion devices will be connected to the web by 2020. That means devices will outnumber the human population by at least a factor of three.
Naturally, that presents a host of challenges for information security professionals. All of these devices will generate unprecedented amounts of data, making them prime targets for hackers and insider threats. We will therefore have our hands full setting access rights for employees, especially when it comes to those who work remotely.
Additionally, we will need to dedicate much of our time to constantly monitoring all of these “things” for new vulnerabilities that could, by virtue of their connectivity, lead to data breaches unprecedented in scale.
All of these challenges may for some seem like light years away, but that’s not the case.
In fact, we are already hearing about the vulnerabilities of newly connected devices, the functions of which threaten not only our network security but, in many cases, also our health and well-being.
The Internet of Things is here—whether we are ready or not. To demonstrate this point, here are five IoT devices that can already be hacked.
Earlier this year, it was reported that 17 UK hackers had been arrested for using malware to capture nude pictures of Miss Teen USA using her webcam.
The hackers allegedly used an RAT called Blackshades Remote Access Tool to infiltrate the teen’s computer.
Blackshades RAT works by sending a seemingly innocent link via a social media platform. Once the victim clicks on the link, their computer downloads malware that initiates a keylogger, grants the hacker access to stored documents and activates the webcam.
Today, hackers are capable of selling webcam access on the black market and even using the images unlawfully taken of their victims as ransom, threatening to release the pictures to the world unless they are paid.
In total, it is estimated that nearly 100 hackers have been arrested for using this particular spyware software.
At the Black Hat conference in Las Vegas, researchers demonstrated how they were able to infiltrate the networks of newer cars and gain control of their steering, radio and automated driving features.
Many people do not realize that cars have networks of hundreds of small computers that control anything and everything from the vehicle’s airbags to its brakes. This makes for hundreds of millions of lines of code that hackers can exploit.
The vulnerabilities are especially glaring for some of the newer models on the market. For example, the 2014 Infiniti Q50 is one of the easiest cars to hack because its entertainment system and Bluetooth run on the same network as the brakes and steering, thereby allowing hackers easy access to some of the vehicle’s more critical functions.
Two hackers have allegedly created a device that seeks to counter car hacks by disabling the car’s network connectivity in the event of suspicious behavior. However, this raises the issue of false positives at inopportune times during one’s commute.
Proofpoint published a report earlier this year regarding an IoT attack that occurred between December 23, 2013, and January 6, 2014. The incident involved nearly 100,000 connected devices sending more than 750,000 malicious emails—a quarter of which emanated from non-traditional “things,” including a few smart TVs and at least one refrigerator.
Many of the devices above were vulnerable to hackers due to poor password configuration or, in many cases, by customers simply using the default passwords, which hackers can easily search online.
Attacks such as those launched by smart TVs and fridges do not at this point threaten people’s lives. However, they do compromise people’s privacy insofar as they reveal information about victims that they might not otherwise want disclosed.
This information could theoretically, in turn, be used for physical burglaries, depending on the nature of the stolen data.
In September of this year, researchers at 44Con in London demonstrated their ability to hack into a Canon Pixma Printer and run a copy of the classic first-person shooter video game Doom.
Mike Jordon, head of research at Context and the main presenter of the demonstration, was able to successfully infiltrate the printer by exploiting a vulnerability in its firmware. Using this bug, he was able to change the printer’s web proxy settings and DNS server.
The printer, like most vulnerable IoT devices today, had no sign-in capabilities and had weak encryption protecting the firmware file, making it very easy for Jordon to infiltrate his target.
Microprocessors are embedded in all kinds of medical devices these days, including pace makers, insulin dispensers and defibrillators.
Most notably, back in 2007, former U.S. Vice President Dick Cheney was concerned that terrorists would hack into his pace maker. He therefore disabled the wireless connection to his device.
Then, a few years later in 2011, security researcher Jay Radcliffe successfully tinkered with his best-selling insulin pump, using a hole in the pump’s wireless connection to demonstrate how he could reset the amount of insulin released with the possibility of pumping a fatal dose.
Radcliffe presented his findings at the 2011 Black Hat conference.
Unfortunately, there is not much people can do to fix these vulnerabilities, yet. In 2013, the Food and Drug Administration created a set of guidelines for encrypting wireless medical devices, but no sweeping federal requirements currently exist for these devices—a lack of oversight which enables manufacturers to use whatever standards they so desire.
A Vulnerable World
Although the vulnerabilities in many of these everyday devices may seem harmless to some, they could lead to more serious consequences one day. As security experts, we should make an effort to discuss – and address – the challenges associated with the Internet of Things before we are completely outmatched by newly connected devices in a couple of years.