Who has never had their computer infected by malware that launches ads in a browser? It is well known that anything connected to the Internet can be infected. Any responsible CSO would ask you to keep your most sensitive corporate data, such as your digital signature keys, on a device that is NOT connected to the Internet. We mean not connected to the Internet at all. Today this is the only way to keep data 99% secure.
The Internet of Things means, surprise, “things connected to the Internet”. In other words, the Internet of Things means “things that can be hacked”. And this is where the story gets more interesting, because hacking IoT is far more appealing for both ethical and less ethical hackers than hacking computers. The possibilities of having a big social or economic impact are far higher in IoT hacking than in traditional device hacking.
Let us go through five inglorious Internet of Things security failures:
On Wednesday the 21st of October 2016, a large part of the Internet went down. Sites like PayPal, Spotify and Verizon, among others, were inaccessible for hours, causing millions of dollars in lost revenue. The attackers took control of a large number of surveillance cameras and other devices and generated massive amounts of traffic that overloaded the DNS servers used to route traffic on the Internet. This ended with the DNS servers crashing and half of the Internet down.
Washington DC city officials confirmed that more than 70% of the city’s CCTV system was infected with “ransomware” two days before the inauguration speech of the newly elected president Trump. Two British people were arrested for it recently.
As in any other ransomware attack, the hackers left the devices unusable and requested money for their recovery. The city’s CTO confirmed that no ransom was paid and that the problem was resolved technically after some hours. However, this raised a lot of concerns about potential hacking of surveillance cameras that could affect citizens’ privacy or security at some point in time.
Voice interfaces and assistants are becoming more and more popular. We are all starting to see people talking to devices without thinking they are crazy. “Hi, Siri”, “OK Google”, “Alexa”? It is worth mentioning that a lot of the words we pronounce in front of these assistants are sent immediately to a server on the Internet for analysis and response. However, if the right encryption technology is implemented, only the server should be able to “listen” to what you said.
In 2015, Samsung was one of the pioneers of voice assistants in some of their Smart TV models, sending user words to Samsung servers through the Internet for processing. At that time, the engineers were not brilliant enough to put any encryption on them. What does this mean? Not only Samsung, but any person with basic Internet networking skills could remotely listen to things you said in front of your Smart TV as they travelled through the Internet.
One of the verticals that is adopting Internet connectivity most quickly in its “Things” is the car industry. There are a number of futuristic use cases, such as driverless cars or remote car management, that require it. This is what Chrysler thought when designing the brand new UConnect module for its cars.
UConnect used the GSM network to access the Internet and allowed car owners to start their cars remotely, get assistance, navigate, and use other nice features. However, in June 2015 two white-hat hackers, Charlie Miller and Chris Valasek, were able to demonstrate to a scared journalist how they could, among other things, stop his Jeep Cherokee on the highway. The UConnect firmware update system had a hole through which they replaced the UConnect firmware with one that controlled the engine of the car.
This is one of the IoT security flaws that got the most press in recent months, possibly because it involves our younger generation. “My friend Cayla” claimed to be the world’s first interactive doll, equipped with a microphone, a Bluetooth connection, and Internet access: the perfect combination for a hacker.
Through an insecure Bluetooth configuration, it was extremely simple to connect to the device and remotely listen to conversations or change the doll’s database in order to modify the pre-recorded sentences. My friend Cayla was banned by the German government, which classified it as an “espionage device”.
Article written by David Purón, Founder and Chief Executive Officer at Barbara IoT.