Attacking Through the Internet of Things (IoT)

The Internet of Things, or IoT, is the attachment of physical objects, devices, vehicles, and buildings to the Internet, either through a hard-wired connection or through Wi-Fi. A single item on the IoT is known as a “thing”. Eventually the IoT is projected to consist of billions of things. In this chapter, we will examine some of those things as an attack path or vector for hacking.

Video Cameras

Most computers these days are equipped with a webcam, which means video and audio. Add a little malware and your own camera can spy on you at the behest of someone half a world away. The smart hacker can even do it without the red light coming on. You can even buy a Blackshades hacking kit for $40 (estimated sales between 2010 and 2014 of $350,000). Why oh why don’t the manufacturers put a physical OFF switch on these things?

Own a home security system equipped with a webcam? How about a video baby monitor that is Internet enabled? Go to the site shodan.io. You will find at least 6,940 unprotected webcams. Unprotected means they have no password or are still set to the factory default password.

Solutions

1) Unplug your video camera when you are not using it or cover the lens with a yellow sticky.

2) Contact the manufacturer of your webcam and learn how to reset the login/password.

Cell Phone Fingerprint Reader

On most of the newer phones a fingerprint reader has been enabled. It makes logging in much faster and offers some protections. However, if your fingerprint is on file in any government database, it is possible to 3D print your fingerprint and use the rubber version to fool your phone. Another downside of using your fingerprint for ID: when a hacker takes your credit card number, you change it. When a hacker takes the digital version of your fingerprint, you are done using it for ID.

Solution

1) Use the fingerprint reader AND a login for access.

Medical Sensors

Many wonderful devices will be forthcoming to aid in tracking your medical condition and reporting that live to you, a monitoring facility and/or your doctor. This data will inevitably be stored somewhere and will be susceptible to hacking. Do you want your future hiring company to know you have an irregular heartbeat?

Wearables

A wearable could have a medical sensor or it could be an aid to help you with your health goals or running goals. Smart watches, smart glasses, even high-tech headphones would qualify. Remember, if they can be connected to the Internet, they can be hacked. Eight of the top 10 wearables in 2015 did not even have passwords. Even your children could hack that.

Appliances

Won’t it be wonderful when your refrigerator can send a list of what you are out of to your store, ready for pickup? There has already been a case where an Internet-connected TV was used to gain access to the home network and thus all the home computers and hard drives.

Automobiles

Automobiles are discovering the value of being connected to the Internet.  As they use a single network throughout the car and cyber security is not the first concern, cars are vulnerable to hacking.   Hackers, in one example, were able to take over the air conditioning, the radio, windshield wipers, digital display, and transmission of a car.  They also claim the ability to kill the engine, cut the brakes, take over steering at low speeds, and track the vehicle.  This was a controlled test using a Jeep(R) but other brands have vulnerabilities as well.  Any number of these items could distract you into a wreck or outright kill you.

Jeep is a registered trademark of Chrysler and also Fiat, their owner.

Summary

Recently a casino was hacked by first hacking its Internet-connected aquarium. Vending machines at a university were hacked and used to mount a denial of service against that university’s web-based student services. What to do?

This is difficult to answer as the “things” connected to the IoT can and will vary so widely.  So this will be a general answer that may not fit every IoT thing.

Think about the data collected or what the “thing” is connected to. Think about the “thing’s” security and what the risks are if it is breached. Stay informed by watching news for issues around the “thing” you are using. If not already, your “thing” will soon be given a security review and a writeup/report. Think about the potential downside of a breach. Remember the bad guys have automated tools so the cost of going after your data is very little to them. Make sure the “thing” you are using has the ability to update its software as vulnerabilities are found.

If you are a public figure, a government or military official, or a celebrity, your risk is higher than the norm for an IoT breach and you may want to have a cyber security expert consult with you on your individual situation.

 
