5 of the Worst IoT Hacking Threats in History (So Far)

March 11, 2020 - 7 minutes read

With the proliferation of Internet of Things (IoT) systems, devices, and software, we must not overlook the importance of cybersecurity. In IoT, security is often built into the devices and sensors themselves, and it varies by manufacturer. Security also often takes a backseat in IoT development, so there’s a strong possibility that an IoT system’s defense measures are haphazardly cobbled together.

With these poor cybersecurity implementations, IoT is extremely vulnerable to data breaches. Hackers can launch DDoS (distributed denial of service) attacks on entire systems, bringing down millions of servers, devices, and businesses. When multiple IoT systems are affected, they can even put lives in jeopardy, reveal personal and sensitive information, exploit business financial systems, and create more pathways for other hackers to do even more harm.

The Worst Hacking Threats in History (So Far)

Experts forecast that there will be almost 75 billion connected IoT devices by 2025. Unless governments pass laws, regulations, and minimum standards for device security, we’re looking at a huge vulnerability that leaves people and businesses at risk. Here are the five worst IoT security vulnerabilities thus far:

St. Jude’s Vulnerable Cardiac Devices

In early 2016, the FDA confirmed that the implantable cardiac devices made by St. Jude Medical had vulnerabilities that hackers could exploit to access the devices. After gaining control of the device, the hacker could change the pacing of the device, deplete the battery, and even administer shocks to the patient.

This vulnerability was particularly bad because it occurred in an implanted device – something under the patient’s skin – that the patient used to stay alive.

In this case, the vulnerability was in the device’s transmitter: the transmitter reads the device’s data before sending it remotely to the patient’s physician. The FDA eventually required the company to issue a firmware update immediately to rectify the risk of an attack, and St. Jude recalled over 450,00 devices.

The Infamous Mirai Botnet Attack

Everyone remembers when the Mirai attack happened: our favorite sites crashed immediately, and they stayed down for a few hours while security professionals worked to fix the issue. In late 2016, the Mirai botnet attack became the biggest DDoS attack ever launched. It struck the service provider Dyn through a botnet of malware-infected IoT devices. Major sites, like Reddit, Netflix, CNN, and San Francisco-headquartered Twitter, were brought down in the wake of the attack.

Once computers are infected with the Mirai malware, they continuously scour the Internet for other vulnerable IoT devices. When they find one, they use well-known default usernames and passwords to access it and pass on the Mirai malware. Many of these devices were digital cameras and DVR players.

PC Magazine had four major IoT security takeaways from the Mirai attack: (1) devices that cannot receive updates for their firmware, software, and passwords shouldn’t be implemented; (2) when any device is bought and activated, it should be mandatory for the user to change the default username and password of the device; (3) passwords for IoT devices, especially those connecting to the Internet, should be unique; and (4) make sure to always update your device with the latest firmware and software to avoid future vulnerabilities and hacking attempts.
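The four takeaways above can be turned into an inventory check. The following is an added example, not code from the original article or from PC Magazine; the inventory records, their field names, and the short list of factory logins are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample of common factory logins (illustrative, not Mirai's actual list).
DEFAULT_LOGINS = {("admin", "admin"), ("root", "root"), ("admin", "1234"), ("user", "user")}

# Constructed inventory; every field name is an assumption made for this example.
INVENTORY = [
    {"name": "lobby-cam", "user": "admin", "password": "admin",
     "updatable": True, "firmware": "1.0.2", "latest": "1.0.9"},
    {"name": "dvr-01", "user": "ops", "password": "Tr7!kq-shared",
     "updatable": False, "firmware": "2.1.0", "latest": "2.1.0"},
    {"name": "door-sensor", "user": "ops", "password": "Tr7!kq-shared",
     "updatable": True, "firmware": "3.4.0", "latest": "3.4.0"},
    {"name": "thermostat", "user": "hvac", "password": "p9#Lw2-unique",
     "updatable": True, "firmware": "5.0.1", "latest": "5.0.1"},
]

def version_tuple(version):
    """Turn '1.0.9' into (1, 0, 9) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))

def audit(inventory):
    """Return {device name: [findings]} for devices that break any of the four rules."""
    findings = defaultdict(list)
    by_password = defaultdict(list)
    for dev in inventory:
        if not dev["updatable"]:                                   # takeaway 1
            findings[dev["name"]].append("not-updatable")
        if (dev["user"], dev["password"]) in DEFAULT_LOGINS:       # takeaway 2
            findings[dev["name"]].append("default-login")
        if version_tuple(dev["firmware"]) < version_tuple(dev["latest"]):  # takeaway 4
            findings[dev["name"]].append("firmware-outdated")
        # Group by digest so password reuse is detected without echoing the secret.
        digest = hashlib.sha256(dev["password"].encode()).hexdigest()
        by_password[digest].append(dev["name"])
    for names in by_password.values():                             # takeaway 3
        if len(names) > 1:
            for name in names:
                findings[name].append("shared-password")
    return dict(findings)

if __name__ == "__main__":
    for name, issues in audit(INVENTORY).items():
        print(f"{name}: {', '.join(issues)}")
```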

The Attack on Baby Heart Monitors by Owlet

Owlet’s baby heart monitors were found to be extremely vulnerable to hacking. Cesare Garlati is the Chief Security Strategist at the prpl Foundation. He says that although the device was developed with the “best of intentions”, the device itself could become dangerous in the wrong hands.

Because the heart monitor is a smart device that connects to the Internet, the vulnerability was built into its embedded computing system.

Jeeps Are Hacked and Driven Remotely

In 2015, a team of researchers at IBM security intelligence reported that Jeeps could be hacked. A hacker could take complete control over a Jeep using the vehicle’s CAN (Controller Area Network) bus. This is equivalent to saying a hacker could infiltrate the Jeep’s computer system to gain full control over the car.

The Jeep computer was in need of a firmware update, and using the Sprint mobile network, the team figured out they could make the car behave how they wanted: make it run off the road, slow down, and speed up. This vulnerability could kill families and hurt others in the vicinity.

The Baby TRENDnet Webcam Leak

TRENDnet’s SecurView cameras were originally marketed as useful for home security and baby monitoring. But they turned out to be unsecured devices that could allow a hacker to see through the camera and even listen in on the feed.

From 2010 to 2012, TRENDnet also sent user login information through readable text files over the Internet. Additionally, the company sent login information for the mobile app to consumers in clear, readable text to their mobile devices.

Although security experts say encrypting login information and securing IP addresses against hacking are basic practices that every device manufacturer should follow, TRENDnet failed to uphold even the most basic of security protocols.

Cleaning House

Before we start rushing to create new strategies, standards, and regulations for IoT security, we need to take a hard look at the built-in security protocols that devices ship with. These devices are already in use in households, in businesses, and even in people across the world.

We must take care to update and upgrade these devices, and we must ensure that new devices are equipped with the highest level of IoT cybersecurity while we develop IoT applications, not afterward.

What do you think was the worst IoT hacking threat in history so far? Let us know your thoughts in the comments below!
