Letter from a Hacker: The New Frontier of the IoT

November 1, 2017 Emily Davidson

Welcome to the (unsecured) Internet of Things (IoT). Companies are embracing Bring Your Own Device (BYOD) with open arms. Their device-laden employees plod to and from the office with app-loaded cell phones, smart watches, fitness bands and tablets ready to connect to your Wi-Fi routers.

What these well-intentioned but non-technical folk have little grasp of is that these devices have blasted open a wild new frontier of exploitation for hackers like me.

WHENEVER SOCIETY GETS A NEW TOY, WE SEE A BEAUTIFUL DARK CLOUD OF EXPLOITATION FLOATING JUST AROUND THE CORNER

In the next 10 years, there will be more smart devices connected to the Internet than computers and mobile phones combined.

That makes the Internet of Things an exploding area of growth in consumer technology. It consists of connecting devices that you would never consider to be internet-enabled. Things like vending machines, digital signage, refrigerators and even cars. By embedding connectivity into these devices, much like you would connect a tablet to a 4G network, these devices instantly have a much broader and more useful life.

THE MORE THESE INFORMATION DEVICES COMMUNICATE, THE MORE BENEFITS THEY OFFER ME. I SHOULDN’T BE TELLING YOU THIS...

The sensors and platforms on connected devices were never designed (for the most part) to deal with people like me. With a traditional computer, I must work to breach encryption, intrusion detection and security event management barriers. However, these new devices don’t have a traditional OS.

Most manufacturers use the same hard-coded crypto or HTTPS keys for all of their IoT devices. This means that if I can get into one device, it’s possible to use bots to get into millions more. I no longer need to hack into the largest, most complicated and well protected networks to leave my mark.
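From the defender's side, the key reuse described above can be checked across a device inventory. The following is an added example, not code from the original article: it assumes you have already saved the PEM certificate each device presents on its HTTPS interface, and the device names and certificate bytes are constructed placeholders.

```python
import hashlib
import ssl
from collections import defaultdict


def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the decoded DER bytes, so differences in PEM line
    endings or wrapping between devices do not hide a shared certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def find_shared_certs(inventory):
    """Return {fingerprint: sorted device ids} for certificates that are
    served by two or more devices. Note: the same key pair wrapped in
    different certificates is not caught here; that needs a hash of the
    SubjectPublicKeyInfo, which requires an X.509 parser."""
    by_fp = defaultdict(set)
    for device_id, pem in inventory:
        by_fp[cert_fingerprint(pem)].add(device_id)
    return {fp: sorted(ids) for fp, ids in by_fp.items() if len(ids) > 1}


def report(inventory):
    """One human-readable line per reused certificate."""
    return [
        f"{fp[:16]}... shared by {len(ids)} devices: {', '.join(ids)}"
        for fp, ids in find_shared_certs(inventory).items()
    ]


def _constructed_pem(seed: bytes, newline: str = "\n") -> str:
    # Placeholder bytes in a PEM wrapper, NOT a real certificate.
    der = hashlib.sha512(seed).digest() * 8
    return ssl.DER_cert_to_PEM_cert(der).replace("\n", newline)


# Constructed inventory: three devices ship the same factory certificate
# (one of them serves it with CRLF line endings), one has its own.
INVENTORY = [
    ("cam-lobby", _constructed_pem(b"constructed-factory-cert")),
    ("cam-dock", _constructed_pem(b"constructed-factory-cert", "\r\n")),
    ("dvr-01", _constructed_pem(b"constructed-factory-cert")),
    ("printer-3f", _constructed_pem(b"constructed-unique-cert")),
]

if __name__ == "__main__":
    for line in report(INVENTORY):
        print(line)
```

Any device that appears in the report should be treated as sharing its private key with every other unit of that model, and re-keyed or isolated on its own network segment.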

Wait, it gets better. I don’t need to build a bot to control an IoT device myself. All I have to do is visit a Tor-based market like Alpha Bay and buy one; and that’s exactly how hackers brought down the web in September 2016.

THE MANUFACTURERS OF CONNECTED DEVICES PAY ZERO ATTENTION TO SECURITY

First, French hosting provider OVH was taken down by a Distributed Denial of Service (DDoS) attack from a botnet called Mirai. Mirai’s bots took control of 152,000 compromised CCTV cameras and instructed them to send requests to OVH’s servers in a record-breaking DDoS attack that reached server bandwidth volumes of 1 Terabit per second (Tbps) – a new world record that completely shut down OVH and all the websites they host.

Then, in early October, a seller named loldongs posted an offer of 100,000 bots on Alpha Bay for $7,500 and boasted, “I can take down OVH easily.”

A few days later, Twitter, Amazon Web Services, Netflix, Spotify and other major web companies reported major outages experienced by their customers across North America. Was it Mirai? Did someone take down a handful of internet behemoths with an army of brainwashed IoT devices they purchased on the Dark Web? We don’t know yet - but if Mirai was up for sale recently and this hack looks like Mirai and it acts like Mirai... I’ll leave that assumption up to you.

WHEN’S THE LAST TIME YOU CHANGED THE PASSWORD ON YOUR HOME ROUTER?

What most people need to understand is that the majority of IoT devices can and will get hacked by people like me. I don’t want to hack you in particular, I just want to borrow the computing power of your device for a while... And once I’m finished with it, I’ll sell it to someone else. Right now, this type of hack is so easy that I’d like to help you level the playing field...

First, and foremost, read the *&%^ manual of your connected device. It contains instructions on how to lock the device down. And take its advice on creating a strong password. Second, delete the apps you no longer use, and update the ones you do. Do that right now. Third, don’t rush through app and device setup prompts. You should understand what data is being collected, and how it’s being used. Lastly, use Google to search for recent hacks or vulnerabilities in your product, and make sure to include the manufacture date, batch number and software version.

I’ve already said too much. But I’ll leave you with this thought: As manufacturers create more advanced and connected technologies, ask yourself one thing: do you trust them?
