Hacking the Internet of Things: from smart cars to toilets
Smart devices aren’t such a clever idea if they’re not secure.
The Internet of Things is making our homes, healthcare and cars smarter, connecting everything to everything else. Who doesn’t grin at the idea of smart fridges, automated toilets and self-driving cars? Hackers certainly do.
Think your smart fridge is safe? Trust your automated lighting? It may be time to think again – while it’s worth noting that most of these hacks were carried out by security researchers, if they can do it, so too can criminals.
Or, for that matter, hacktivists: it’s a matter of time until the more playful members of Anonymous and the like get a kick out of switching off the UK’s lights or ransoming the contents of your fridge.
Here are five smart devices that researchers and criminals have already found flaws in – and one that’s not quite what it seemed.
Light it up
LIFX makes connected light bulbs, letting you control your home lighting from your smartphone and change its colours; it’s one of the first firms to work with Nest’s developer programme. The bulbs connect over your home Wi-Fi, with a “master bulb” taking orders and delivering them via a mesh network to the other lights.
Because the bulb communications were unencrypted, security firm Context could see how the system worked and take over the smart light bulbs, and also see key details about the Wi-Fi network itself. However, the hack took a lot of effort and skill, and had little immediate benefit to an attacker.
“Hacking into the light bulb was certainly not trivial but would be within the capabilities of experienced cyber criminals,” said Michael Jordon. The product has since been patched.
One of the first devices to go “smart” was the TV – so it’s unsurprisingly one of the first to be hacked.
Columbia University researchers Yossef Oren and Angelos Keromytis revealed a vulnerability in the main spec for the Digital Video Broadcasting consortium, Hybrid Broadcast-Broadband Television (HbbTV), which is used by the vast majority of smart TV makers.
Dubbed the “red-button attack”, this man-in-the-middle hack could be used to intercept data – including sound and pictures – and use the stream to take over apps being shown on the TV, letting hackers post to your Facebook, for example.
To run the attack, the hacker needs to be local – although the researchers say this could be achieved by driving an antenna-fitted van into the target area, or flying drones over it.
Is it serious? The standards body doesn’t think so, and isn’t bothering to patch it. The researchers disagree, saying a hacker with the right off-the-shelf equipment could easily cover a square-kilometre of homes.
Crashing smart cars
Imagine you’re driving along in your shiny Tesla Model S electric car, and suddenly the doors fly open, the wipers start going, and the horn honks.
That’s what students from Zhejiang University in China managed, picking up a $10,000 bounty from a local security firm. Details of the hack weren’t revealed, but reports suggest the students took over the car by cracking the password to the mobile app.
It’s not the first smart car hack: Charlie Miller and Chris Valasek took over a Prius last year, stopping the brakes from working, fiddling with the gas gauge, turning the steering wheel, honking the horn and tightening the seatbelts – all from a laptop in the backseat while a journalist drove.
The researchers’ giggling alone makes the video worth watching.
Security firm Trustwave hacked a Satis toilet, which is controlled via an Android app, showing that the smart toilet can be easily taken over. The app’s Bluetooth PIN has been hard-coded to the not-very-secure “0000”.
“An attacker could simply download the ‘My Satis’ application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner,” Trustwave’s researchers said.
“Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user,” researchers warned.
Oh baby, that’s scary
From toilets to genuinely terrifying: in the US, there’s been a string of incidents where an exceptionally creepy man hacks into internet-connected baby monitors and screams at the child to wake up.
The most recent case was in April in Ohio, targeting a Foscam IP camera, which is used to keep an eye on children when parents are out of the room, connecting over your own Wi-Fi. A previous attack in 2013 targeted the same brand of camera.
The company advised users to update their firmware and not leave passwords set to defaults.
Spam from fridgebots
At the beginning of the year, security firm Proofpoint had quite the press release: a botnet made up of 100,000 smart devices – from PCs and routers to TVs and even one fridge – was sending out malware.
While the claims grabbed headlines around the world – a spam-sending refrigerator does capture the imagination – the report’s since been questioned. Fellow security firm Symantec said the spam was not being sent by IoT devices, but by boring old Windows PCs on the same network and sharing the same IP address as the smart appliances.
While the first-ever IoT botnet has been debunked, Symantec still thinks it’s a security issue worth worrying about.
“While malware for IoT devices is still in its infancy, IoT devices are susceptible to a wide range of security concerns,” the company said in a blog post. “So don’t be surprised if, in the near future, your refrigerator actually does start sending spam. As with any computer system, keep the software on IoT devices up-to-date, place them securely behind a router, and change all default passwords to something more secure.”