The Internet of Things (IoT) is now a sign of the times. We have digitally connected devices all around us – at work, in our cars and homes, and even on our bodies. With the arrival of IPv6 and the wide use of Wi-Fi networks, IoT is expanding at a rapid rate. Researchers estimate that by 2020, the number of active wirelessly connected devices will be in the tens of billions.
On the positive side, we have the ability to live our lives in a way we never dreamed of, with things like baby monitors and tyres jumping on board the freight train to the connected world. However, with the good comes the bad – IoT is increasingly becoming a focal point for cyber-criminals. More connected devices mean more paths and opportunities for hackers to target us. We need to ask ourselves, “What could a hacker get access to if they break into this device?”
In this article, we highlight some of the IoT devices that have been hacked over the last six months.
Hacked Cameras & DVRs
In September 2016, unidentified attackers forced the website of security journalist Brian Krebs offline with a record-breaking distributed denial-of-service (DDoS) attack powered by a multitude of hacked cameras and DVRs. The attack was driven by a new variety of self-spreading malware called Mirai, which aims to turn Internet of Things devices into botnets. The attack on Krebs’ website was so immense that it blocked some internet routes, affecting some parts of the internet. Shortly after the attack, a hacker released the code for Mirai to the hacking community, sparking a new wave of attacks.
According to Level 3 Communications (an Internet backbone provider), the huge botnet used against Krebs was created mostly from internet-connected security cameras made by DAHUA Technology, a Chinese manufacturer of cameras and DVRs with a subsidiary in California.
Reports stated that hackers took advantage of a vulnerability found in most of DAHUA’s cameras, which allows full control of the underlying Linux operating system simply by typing too many characters into a random username. Malware was embedded on the cameras to turn them into bots which were then used for both DDoS attacks and ransomware campaigns.
October 2016 saw another massive Internet attack using hacked “Internet of Things” (IoT) devices, such as CCTV video cameras and digital video recorders, which caused outages and network congestion for numerous websites.
The target this time was Dyn, an Internet infrastructure company. The attack caused issues for a number of sites, including Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix.
It was reported that the attack involved Mirai, the same malware strain that was used in the record attack on Brian Krebs’ website a month earlier. Mirai’s modus operandi is to scour the Web for IoT devices that are still using factory-set usernames and passwords, and then use these devices to throw junk traffic at an online target until it overloads and can’t accommodate legitimate visitors or users anymore.
According to researchers at security firm Flashpoint, the hacked IoT devices consisted mainly of compromised digital video recorders (DVRs) and IP cameras made by a Chinese hi-tech company called XiongMai Technologies. The components that XiongMai makes are sold downstream to vendors who then use them in their own products.
These products from XiongMai and other makers are often inexpensive, mass-produced IoT devices that are basically unfixable, because the password is hardcoded into the firmware and a user cannot feasibly change it. This danger will remain until the devices are completely unplugged from the Internet.
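A defender can spot the factory-credential sweep described above in a device's login log. The following Python sketch is an added example, not code from the article or from any vendor; the log format, the sample lines and the `FACTORY_ACCOUNTS` set are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the line format is an assumption, not a real device's.
SAMPLE_LOG = """\
2016-10-21T11:10:01 login FAIL src=198.51.100.7 user=root
2016-10-21T11:10:03 login FAIL src=198.51.100.7 user=admin
2016-10-21T11:10:05 login FAIL src=198.51.100.7 user=support
2016-10-21T11:10:08 login OK src=198.51.100.7 user=admin
2016-10-21T11:12:40 login FAIL src=192.0.2.15 user=alice
2016-10-21T11:13:02 login OK src=192.0.2.15 user=alice
2016-10-21T11:20:00 login FAIL src=203.0.113.9 user=root
2016-10-21T11:20:02 login FAIL src=203.0.113.9 user=guest
2016-10-21T11:20:04 login FAIL src=203.0.113.9 user=admin
"""

LINE_RE = re.compile(r"^(\S+) login (FAIL|OK) src=(\S+) user=(\S+)$")
# Illustrative set of account names commonly shipped as factory defaults.
FACTORY_ACCOUNTS = {"root", "admin", "support", "guest", "user"}


def find_credential_sweeps(log_text, window=timedelta(seconds=60), min_accounts=3):
    """Return {source: 'probing' | 'compromised'} for factory-account sweeps."""
    fails = defaultdict(list)  # source -> [(time, user)] recent failed attempts
    verdicts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in any other format
        ts, result, src, user = m.groups()
        when = datetime.fromisoformat(ts)
        # Sliding window: drop failures older than `window`.
        recent = [(t, u) for t, u in fails[src] if when - t <= window]
        if result == "FAIL" and user in FACTORY_ACCOUNTS:
            recent.append((when, user))
        fails[src] = recent
        if len({u for _, u in recent}) >= min_accounts:
            if result == "OK":
                # A success straight after a sweep: a factory login still works.
                verdicts[src] = "compromised"
            else:
                verdicts.setdefault(src, "probing")
    return verdicts


if __name__ == "__main__":
    for src, verdict in find_credential_sweeps(SAMPLE_LOG).items():
        print(src, verdict)
```

A "compromised" verdict means a default account accepted a login immediately after the sweep, so the device should be isolated and its credentials changed or, where the password is hardcoded, the device taken off the Internet.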
In December 2016, German authorities forced an internet-connected doll out of shops, amid warnings to parents that the doll could spy on their children.
Cayla is a blond, bright-eyed doll that chatters about horses and hobbies. She can play games and answers numerous general knowledge questions that a child may ask. She might also be eavesdropping on that child.
Germany’s telecommunications watchdog, the Federal Network Agency, released a statement that said hackers could use an insecure Bluetooth connection via the doll to steal personal data by recording private conversations. They advised that they were pulling the dolls off store shelves and banning them from being sold in Germany.
Internet-connected teddy bears are a brilliant way for kids to exchange loving messages with their far-away parents. However, the fun is taken away if the company that sells the teddies does not protect the data they have collected.
From Christmas Day 2016 until at least the first week of January 2017, Spiral Toys stored customer data, from its CloudPets brand, on a database that was not password protected or behind a firewall. This left more than 800,000 customer credentials, as well as two million recorded messages, completely exposed online for anyone to access.
According to security researchers, it was easy to find and inspect the data using a search engine called Shodan (which finds unprotected websites and servers).
The moral of the story – if you’d rather not share your heartfelt messages to your kids with the world, buy an old-fashioned teddy bear that they can cuddle when you are not there.
WikiLeaks claims MI5 and CIA developed spyware to turn televisions and smartphones into bugs
According to intelligence documents leaked this month by WikiLeaks, MI5 engaged with the CIA to develop spyware to turn televisions and smartphones into listening devices capable of recording conversations and possibly even taking photos.
It was documented that one programme, codenamed Weeping Angel (a Dr Who reference), allowed spies to tap into the Samsung F8000 range of internet-connected televisions. Allegedly, a ‘joint workshop’ was held in June 2014, where the two spy agencies, MI5 and the CIA, developed a ‘Fake Off’ mode. It made the television set appear to be switched off, when actually the power kept running, allowing conversations to be secretly recorded and sent to a CIA operative who was listening in. The smart televisions have a built-in microphone, normally used for voice-activated controls.
It is important to note that only Samsung televisions from 2012 and 2013 that feature outdated firmware versions 1111, 1112, and 1116 are at risk. The exploit is likely to impact very few people, but there is a simple way to tell if the TV has been hacked.
When ‘Fake Off’ mode is active, the power remains on, even though the screen appears to be off and the LEDs on the front of the set change colour and dim. A blue LED at the back of the TV set is the giveaway. In ‘Fake Off’ mode, this LED remains illuminated, whereas, in true OFF mode, this blue light is switched off.
Visit our blog next week, when we will detail how these IoT hacks can be avoided by both manufacturers and consumers.