Hacking a PC is so 1999. These days, if you want props as a cybercriminal you’ve got to hack stuff. Smart fridges, smart cars, smart, erm, fidget spinners? You name it; if you can hack a smart device you’re basically X-Men’s Magneto without the silly helmet. Hacked cars, killer drones. It all sounds scary, doesn’t it? And you might have read about spying microwaves and rogue Japanese smart-toilets in the headlines, and now IoT security seems like a job for the army and navy.
Thankfully, most of these headlines are false or at least scaremongering. The vast majority of reported breaches are found and fixed by security researchers like our friends at Secarma before you even read about them. In reality, IoT security doesn’t mean surrendering to an army of evil kids’ toys and killer smart-toasters – IoT security means paying more attention to detail and checking your blind spots.
To demonstrate that fact, we’ve collected the five most interesting and unpredictable IoT breaches of 2017. If this was your business, would you have seen these hacks coming?
Why would a teddy need an Internet connection? Well, these bears are an upgrade from the talking toys we had as children; instead of squeezing the bear’s hand to hear one of five pre-recorded messages, these bears were designed to allow kids and their far-away parents to send and receive their own custom recordings. In effect, it was a fluffy voicemail service. A cute idea, but a not-so-cute ending.
To make this magic work, the bear needed a device to pair with, which would manage the inbound and outbound recordings, as well as a second device for the off-site parent to run a dedicated app. These recordings were stored in a database which, amazingly, had no firewall or password protection. In total, 800,000 customers’ details were compromised, along with two million intimate recordings from parents and their children.
A casino in North America was a victim of its own opulence when its internet-connected fish tank was used to gain access to the casino’s network. The casino had even configured the tank to use a VPN to isolate the tank’s data. Despite all these precautions to protect the tank, hackers still managed to compromise it and sent 10 gigabytes of data to a device in Finland before the threat was discovered and stopped.
The casino remains unnamed, but it has a ‘connected fish tank’ so, Vegas? It sort of has to be Vegas, doesn’t it?
A UK student, who said his motivation was simply boredom, managed to take control of 150,000 internet-connected printers on a quiet Sunday evening.
The teen, who built the program in C, told Motherboard that he hacked the printers because he didn’t have much else to do. The hack would ultimately result in many thousands of printers, most of which were receipt printers in restaurants, spitting out whatever message he could think of. And what he thought of – being a typical teen hacker – was simply bragging rights – which is why his message, peppered with ASCII art, read: “the hacker god has returned, your Printer [sic] is part of a flaming botnet”. Confused restaurant staff across the world took to Twitter with photos of the printouts, looking for answers.
Thankfully, this IoT device doesn’t connect directly to the internet-at-large. The Armatix IP1 smart gun is designed to fire only when in range of a connected and paired smart-watch. A hacker by the name of Plore had his interest piqued by the security of the gun and wanted to see if it could be hacked. Not content with the success of his first low-tech hack (simply holding magnets near the barrel), he also recreated the exact signal that the watch was transmitting in order to bypass the gun’s security a second time.
Whilst the notion of a hacked gun seems scary, when hacked this smart-gun is as safe as every other existing gun on the planet.
One of Europe’s top hotels, the Romantik Seehotel Jaegerwirt, relied on its advanced IT system to take bookings and prime its guests’ key cards to open their rooms. After hackers got into the system, they effectively held guests and their belongings to ransom. Guests would be able to leave their rooms but would be unable to re-enter, even with their now-defunct key cards. This left the guests’ belongings inaccessible.
The hotel admitted after the incident that it had been hit three times in total, and had decided to pay three ransoms in Bitcoin to the attackers in order to give its guests quick re-entry. Whilst the hackers have no doubt tried a fourth attack, they have finally been foiled; the hotel has gone back to using old-fashioned keys.
Whilst still in the hypothetical stage, we couldn’t resist including some new results from Zhejiang University. The Chinese security research team devised a way to give voice commands to home assistants such as Alexa, Google, and Siri. Dubbed ‘DolphinAttack’, the technique takes advantage of ‘supersonic’ sound – that’s sound that we can’t hear but our devices can. The technique isn’t foolproof – attackers would still have to be close by whilst emitting the sound from a speaker – but the team suggests that it could be used to order devices to call premium-rate numbers and visit malicious websites.