Aberdeen Group - Home
When the IoT Attacks: Four Examples of the Highest Security Stakes We’ve Seen
Ryan Arsenault
SEP 24, 2015 14:32 PM

Remember the good old days? The days when a security breach just meant your credit card data was stolen from the local convenience store and used for a $2,000 propane tank shopping spree a couple thousand miles away?

It was innocent enough, really. No one was hurt — physically anyways. It’s a sad state of affairs that not being physically harmed is now the bar for a security breach being not-that-bad, but this scenario isn’t that far off from the truth. From cars being remotely controlled while driving to baby monitors falling prey to hackers, the Internet of Things (IoT) has raised the stakes of hacking from money lost…to matters of life or death.

Here are four scenarios of IoT technology breaking bad.

Baby, You Can Hack My Car

Our own Derek Brink, Vice President and Research Fellow, IT Security, alluded to the fact that at a previous “Def Con Hacking Conference in Las Vegas, Dr. Charlie Miller and Chris Valasek described and demonstrated their hacks of a recent model Toyota Prius and Ford Escape.”

Through these hacks, cybercriminals would gain direct access to functions including onboard navigation, lights, horns, speedometer, and even things as scary as steering, braking, and accelerating. While seeing someone gasp in horror as the wheel is taken control of abruptly seems like a James Bond plotline (albeit far more realistic than this James Bond abomination), as Brink and company have already pointed out, this is all-too-real.

But Don’t Hack My Baby Monitor!

Yes, even IoT baby monitors are not immune to being hacked. According to ZDNet, citing a Rapid7 report, every parent’s worst nightmare is just a hack away.

In fact, according to the report, a third of the devices tested had a “critical vulnerability impacting their overall security beyond simple weaknesses.” Here’s just one example:

The Summer Infant Baby Zoom web service contains an issue where the method of adding an authorized viewer to the camera does not require any password or secret key for access to the feed. This means that by iterating through a user identifier on a URL, an attacker can add an e-mail address of their choice to every single camera and login at will to view the stream of any camera of their choosing.

I don’t know about you, but my (non-existent) children are never leaving my sight again.
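
The missing check described in the report excerpt above, as an added example that is not from the original post, the Rapid7 report or the vendor's code. It is a constructed in-memory model (all function names, camera identifiers and e-mail addresses are hypothetical) that sets an add-viewer handler trusting the identifier alone beside one that requires an authenticated session and ownership of the camera.

```python
import secrets

# Constructed sample data; fields and identifiers are hypothetical.
CAMERAS = {
    1001: {"owner": "alice", "viewers": set()},
    1002: {"owner": "bob", "viewers": set()},
}
SESSIONS = {}  # session token -> authenticated account name


def login(account):
    """Issue an unguessable session token (credential check omitted in this model)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token


def add_viewer_unauthenticated(camera_id, email):
    """The flaw as described: knowing an identifier is enough to add a viewer."""
    CAMERAS[camera_id]["viewers"].add(email)
    return True


def add_viewer_checked(session_token, camera_id, email):
    """Hardened form: the caller must be logged in and must own the camera."""
    account = SESSIONS.get(session_token)
    camera = CAMERAS.get(camera_id)
    # One refusal for "no session", "no such camera" and "not your camera",
    # so the answer does not reveal which identifiers exist.
    if account is None or camera is None or camera["owner"] != account:
        return False
    camera["viewers"].add(email)
    return True


def demo():
    """Run each case once and return the outcomes."""
    bob = login("bob")
    return {
        "unauthenticated_add": add_viewer_unauthenticated(1001, "stranger@example.test"),
        "non_owner_add": add_viewer_checked(bob, 1001, "stranger2@example.test"),
        "owner_add": add_viewer_checked(bob, 1002, "grandma@example.test"),
        "no_session_add": add_viewer_checked("", 1002, "nobody@example.test"),
    }


if __name__ == "__main__":
    print(demo())
```
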

Sleep Tight, Don’t Let the Hackers Bite

It’s the IoT-era Wes Craven (RIP, Clive) storyline: Man falls asleep. Lurker in the shadows outside the door takes something out of his pocket, and raises it to the door to hack it open.

But it’s not a hatchet. In the 21st-century version, it’s a portable programming device with associated software called an Arduino, and it exploits a vulnerability in the firmware of a widely installed hotel room lock, opening the door. All without any physical force.

Derek Brink again pointed this security vulnerability out in a previous blog post, and I can’t disagree with him when he says that it’s pretty unforgivable for such a security flaw to exist in a product whose only purpose is to keep a hotel room secure. You had one job!

Hackers Have the Key to Your Heart

There’s a scene in the Showtime program Homeland where co-lead character Nick Brody remotely gains access to the Vice President’s IoT pacemaker, accelerating his heart fast enough for a fatal heart attack to ensue.

While this sounds just like something that’s tailor-made for TV, according to the American Association for the Advancement of Science, the scenario isn’t so far-fetched — with a WiFi-enabled device, coupled “with easily available hardware, a user manual, and the device’s PIN number, [hackers] can take control of a device or monitor the data it sends.”

That’s a scenario scary enough to make your heart stop.

IoT Manufacturers Need to Step Up Their Security Game

Soon enough, the charts proclaiming the numerical costs of online fraud will be transformed into charts proclaiming the human safety costs of online fraud if IoT manufacturers don’t have a sound security strategy in place.

As Senior IT Research Analyst Jim Rapoza mentioned recently, “While much of the initial focus of the Internet of Things has been around businesses that are primarily hardware providers, there is a lot of potential for businesses on the software, services, and management side to influence the evolution of IoT.”

That’s a very nice way of saying IoT manufacturers have their work cut out for them when it comes to security controls, at a time when IoT services, including security, are yet in their infancy. After all, we’re still living in a society where hacks on conventional technology (See: The Ashley Madison scandal) can easily wreak very personal havoc on a grand scale.
