Hacking IoT
Irena Bojanova
FEB 12, 2016 12:17 PM

Would the IoT introduce all the vulnerabilities of the digital world into our real world? Do we even know the scale? Each person/object may have multiple devices/sensors, each with a different aspect of exposure.

The IoT has surely opened a new frontier for hackers. "People are connecting stuff to the Internet that we never thought would be connected," and hackers for hire, along with purely malicious hackers, are working on breaking into this vast array of connected devices. Many researchers have also jumped into the game and, via demo hacks and exploits, are trying to force firms to fix particular issues.

The reality is this: almost every fitness tracker on the market exposes a person’s location and, from there, detailed live insights. Toys can expose kids to eavesdropping and ID theft. Cars’ brakes can be disabled while somebody else is driving. Homes can be robbed or set on fire, with no way to prove that a crime was committed. Patients could be hurt through hacked medical devices. A nation’s power grids can be taken out. Table 1 lists some of the risks the marketplace is exposing us to through all kinds of “things”.

Table 1. Real/demo IoT hacks in any kind of “things”. (The good news is that companies usually respond and fix most of the issues. The point is that these hacks were possible and more can be expected.)

| “Things” Kind | Worst Risk(s) |
|---|---|
| Kids Toys | |
| VTech Kidizoom smartwatch; VTech InnoTab tablet | Identity theft (a child’s ID info is valuable, as children have clean credit and long to live). |
| Hello Barbie doll | Intercept a child’s communications. |
| | |
| Jeep Cherokee | Disable transmission and brakes while somebody else is driving. |
| GM vehicles | Locate, unlock, and even start the car. |
| Tesla S | Remote control of the car: start and drive; cut engine while somebody else is driving. |
| Metromile Insurance Dongle | Remotely control windshield wipers, apply/disable brakes while car is in motion. |
| Progressive Insurance Dongle | Remotely unlock doors, start the car, collect engine information. |
| | |
| Belkin WeMo | Electricity waste, home hazard (e.g. fire). |
| Samsung Refrigerator | Steal Google login credentials. |
| Satis Toilet | Water waste, house flood. |
| Hue Lights | Perpetual blackout. |
| Nest Thermostat | Network access, identity theft, malicious attack. |
| Kevo Lock (with Key Fob) | Open/close, impossible to prove robbery. |
| Chamberlain MyQ Garage | View/email state & use (create profile of owners’ habits), open/close door, change code. |
| | Access voice commands & responses, user’s contact database; view saved data from sensors (e.g. temperature, humidity, air pressure). |
| Wink Hub | View/change all paired products/services (e.g. light/power switches, door sensors). |
| Smart cameras; Baby monitors | Network access, identity theft. |
| Health and Fitness | |
| Fitness trackers (Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone UP 2, Mio Fuse, Withings Pulse O2, Xiaomi Mi Band) | Locate and long-term track a person; even get detailed insight into a person’s life. |
| | Speed up/slow down the heart’s rate, shock a heart repeatedly via defibrillator, and practically kill the patient. |
| Bionic Arm | Make the arm act improperly from a legal perspective. (“The arm did it!”) |
| Insulin Pump | Administer lethal dose of insulin. |
| | |
| SCADA machine with IoT devices * | Full control of energy, chemical and transportation, etc. systems. |
| Ukrainian Power Grid | Took out sections of the grid – 100K people left without power for six hours. |

* The problem is the SCADA systems were designed in the pre-Internet era – they were supposed to be in isolated environments that do not talk with the outside world; we wouldn’t want these connected to the Internet.

Next posts will focus on some hands-on demos on IoT security and privacy issues.

Have ideas or sources on IoT security and privacy issues? Please share them in the comments section.


Repository of IoT failures

Consider reviewing/reporting incidents to the Repository of IoT Failures, created by the NIST researcher Phil Laplante.

Although there may be some slight overlap with the National Vulnerability Database, the new database is intended to focus on sensor failures and vulnerabilities in the IoT only, whether they are from technological, environmental, insecurity or other causes.



Irena Bojanova is a computer scientist at NIST. She serves as Integrity Chair, Publications Board, IEEE CS; a Co-Chair of IEEE Reliability Society IoT Technical Committee; and a founding member of IEEE Technical Sub-Committee on Big Data. She is Associate EIC of IEEE IT Professional, and AE of the International Journal of Big Data Intelligence (IJBDI). Previously Irena served as the founding chair of IEEE CS Cloud Computing Special Technical Community and EIC of the IEEE Transactions on Cloud Computing. She is a senior member of IEEE and can be reached at:
