The Internet of Things (IoT) has seen many billions of devices being connected to the internet and transmitting all kinds of data, ranging from simple temperature readings to images captured by cameras. However, there is a growing concern that companies don’t implement strong enough security measures into IoT devices. Unsurprisingly, this lack of security has already lead to crippling security breaches globally.
Stuxnet is a highly sophisticated computer worm designed to hunt down specific machinery used in the nuclear industry. Unlike most worms, Stuxnet has many safeguards that prevent it from being detected on machines running certain security programs, such as self-disable and self-erasing. Stuxnet, once on a network, begins to look for centrifuges (machines used to isolate isotopes of uranium) and reprogram them to perform varying cycles that result in the centrifuges disintegrating.
Since the centrifuges are a form of IoT device (since they connect to a local network) Stuxnet was one of the first instances of a computer worm destroying real-world devices, as opposed to just hacking them to perform software damage. An example of common software damage would be the denial of service.
While the creators of the worm are not confirmed, it is widely believed that the United States and Israel teamed together to create the sophisticated worm to damage the Iranian nuclear program. Had the centrifuges in the nuclear plants been running some basic level of protective software, they could have avoided being damaged from this breach of security.
Mirai is IoT specialized malware that uses common usernames and passwords to gain access to IoT devices. For example, IP cameras, monitors, and loggers running Linux may have default credentials such as “admin” and “password,” allowing the malware to easily access the system, install itself, and then turn the IoT device into a bot. While individual IoT devices cannot perform much of an attack, the combination of millions of simple devices allows the collection of bots – called botnet – to perform distributed denial of service (DDoS) attacks on major networks.
One feature about Mirai that makes it somewhat interesting is that it is hardcoded to ignore specific IP ranges, including IP addresses owned by GE, HP, and the US Department of Defense. This shows that the creators wanted to avoid users who either pose a threat to Mirai or the creator(s) themselves. One noticeable attack occurred on October 21st, 2016, when the Mirai botnet attacked Dyn, a company that provides domain name services to major companies including Netflix, GitHub, Twitter, and Reddit.
Mirai perfectly demonstrates how designers of IoT devices with integrated, publicly available software must recognize that default login credentials should be changed and can be potentially abused for serious attacks.
Casino Data Leak
When it comes to hacking servers for sensitive information, most would think that it involves some kind of clever infiltration of the main server either by backdoors or some clever security flaw, such as Heartbleed. One casino, however, had customer data stolen from them in the most bizarre way imaginable; via the aquarium.
Most aquariums require a heater with a temperature monitor and old heaters use a simple thermostat, but more modern systems use IoT temperature sensors that allow a central system to monitor the aquarium remotely. However, in order for the temperature sensor to gain internet access, it requires to be connected to a local network. If Wi-Fi is used, then outside attackers have an entry point. Once they are in, they can make the sensor send any data they wish.
Using a trivial vulnerability in the smart thermometer, hackers gained access to the network, retrieved data about high-paying customers, and then extracted the data back through the temperature sensor and into the cloud. What makes this attack daunting is that even the simplest device with internet access can bring down the strictest networks. All it takes is for an engineer to decide (or forget) not to implement security on something as simple as a temperature sensor.
The Jeep Hack
While only done in tests to prove a point, two white hat hackers demonstrated how a Jeep Cherokee can be hacked remotely (via the internet). Actions the pair were able to perform range from trivial pranks, such as turning on the A/C, to being able to steer the car and turn the engine off. The vulnerability comes from the Jeep’s use of a dashboard system called Uconnect, which provides an access point to rewrite the firmware on the chip. With the ability to re-write the firmware, the chip can then access the rest of the car controls via the CAN bus.
While only a handful of cars have been tested for this weakness, it is believed that many cars that utilize the Uconnect system are at risk. Since car manufacturers are desperate to integrate smartphone technology into their vehicles, the vulnerabilities that come with it are not being heavily considered. A device that can be remotely accessed should not be connected to a common industry connection (such as the CAN bus).
Fortunately, no attack has yet been done by harnessing medical implants, but in 2017 the FDA recalled close to half a million pacemakers in the fear that they could be remotely hacked. The recall did not see devices removed from patients, as such a procedure is dangerous, but instead, a firmware update was applied remotely by medical staff.
These devices can be controlled remotely with little security measures. The fear behind the recall is the potential for hackers to change the firmware, causing the battery to run flat, for example. While this example demonstrates the importance of security when it comes to health and wellbeing of patients, it also illustrates the complexity of these otherwise simple devices.
The common denominator in IoT attacks is the assumption by engineers that because their device is simple, it does not require strong security measures. The truth, however, is far from that. An IoT device connected to a network is simply a potential bridge between the internet and a malicious entity.