At one point in time, hacking was a craft strictly relegated to affecting laptops and desktop PCs. The Internet of Things (IoT) has showed us that certainly isn’t the case. Projected to have 20 to 50 billion devices connected over the next 3-5 years, IoT gadgets possess truly innovative capabilities, but are riddled with security vulnerabilities that hackers can (and already have) easily exploit. Even more disturbing about these newfound hacking capabilities is that multiple methods of device and network infiltrations exist.
Distributed denial-of-service (DDoS) is one of the most frequently utilized methods of IoT cyberattacks that are implemented using botnets. Hackers are capable of taking down a single network system by targeting it using multiple compromised systems. The 2016 Mirai DDoS attacks marks one of the most recent incidents where this method was implemented. Considered the biggest DDoS cyberattack in history, the breach had an attack strength of 1.2 Tbps and took down over 80 major websites that users in North America and Europe couldn’t access.
Another similar incident occurred in Finland, where one million Deutsche Telekom users lost Internet access. When the Mirai IoT botnet code used to facilitate the Mirai DDoS attack was revealed, the breach highlighted the true vulnerability of default password security. Hackers have since developed more potent and broader forms of DDoD malware, capable of credential stealing, IP anonymization, and traffic hiding. Newer Mirai strains may also include better distortion techniques for tracking the hacker’s activities, and having expansive infection capabilities to target a broader range of devices.
IoT security flaws were put on public display at the 2016 DEF CON Conference, where researchers showed how they could launch cyberattacks on smart thermostats using malware called ransomware. Unlike DDoS, ransomware denies access of users to Internet websites, networks, or IoT-controlled devices in exchange for a ransom of money. This past January, an affluent Australian hotel had their electronic key system and computers locked down after being infiltrated by hackers. It wasn’t until after a ransom of $1,800 in bitcoins was paid that the hackers relinquished control over the hotel’s system interfaces.
Researchers are concerned about future scenarios where people could be locked out of their cars (250 million projected to connect with IoT networks by 2020), homes, or cybercriminals could pull similar heists on medical devices like pacemakers and insulin pumps. While these suggested scenarios could have catastrophic consequences, ransomware hasn’t become a bigger factor than it currently is due to the variety of different IoT systems in operation. As a result, hackers can’t develop a universal type of ransomware to spread quickly enough without taking the nature of the devices into consideration.
One of the biggest issues plaguing IoT security is how smart devices can be used for spying and surveillance. Initial reports of this cybersecurity breach first surfaced in 2014 when thousands of home security cameras were hacked and livestreamed online. While simply changing the default password normally blocked the breached feed, researchers soon discovered another security flaw in D-Link cameras that enabled hackers to override default passwords. As a result, hackers can not only expose countless users and their security camera feed, but can do the same to their target’s networks.
The event that brought malicious IoT surveillance onto the main stage was the WikiLeaks CIA dump, which revealed how the smart TV app known as Weeping Angel (developed and used by the CIA and MI-5) could literally turn televisions into spying tools. Primarily targeting Samsung televisions, the audio in the device’s surrounding area is picked up and recorded, which also documented every time the user turned on the television. While it’s unclear what stage of development this malware is in, its unprecedented exposure to the public has raised a lot of awareness, and made many people realize how vulnerable their IoT-connected devices can truly be.
Filed Under: Cybersecurity, M2M (machine to machine)