4 Ways Cyber Attackers May Be Hacking Your IoT Devices Right Now

/ Written By Megan Van Vlack

Is your refrigerator running… a targeted DDoS attack without your knowledge? If it’s connected to WiFi, it very well might be.

Many (too many) of the connected devices that make up the Internet of Things (IoT) are extremely easy to hack. New IoT devices are being designed and released every day — from consumer items, like light bulbs and automobiles to industrial equipment, like drones and entire power plants. But many of these devices are built little-to-no security in place. “IoT devices are simply computers and can be hacked in any ways that a traditional computer could be hacked,” says Patrick Wardle, director of research for Synack, a cybersecurity company. Even more alarming, because IoT devices are often connected directly to the internet, they can be accessed by attackers all over the world, explained Wardle.

Developers who don’t want to see their creations in the hands of cyber attackers need to make security a top priority from the beginning. “The advice I give our customers,” says Pat Wilbur, chief technology officer at Hologram, a cellular platform for IoT, “is to design your IoT product or platform assuming that the worse possible scenario can happen and may happen.”

To know more about what the worst-case IoT security scenarios are, here are a few common ways that attackers are hijacking IoT devices:

1. Mass Vulnerability Probing
“Internet-connected devices are being churned out of factories and infected by malware, or malicious code, at an alarming rate,” says Jose Nazario, director of security research at Fastly, a content delivery network. Nazario recently conducted an IoT botnet analysis and found that IoT devices are probed for vulnerabilities 800 times per hour by attackers from across the globe. Attackers are literally knocking down the (back)doors of IoT devices, attempting to find a way in.

Nazario also found that there’s an average of over 400 login attempts per device and 66 percent of them on average are successful. Once an IoT device is infected, it can begin launching an attack within 6 minutes of going online. “As non-secure IoT devices amass, cyber criminals will have much greater resources available to launch new attacks more rapidly and at a larger scale,” says Nazario.

2. Exploiting Universal Plug-and-Play (uPNP)
One of the ways that attackers breach devices is through their uPNP, a technology that provides an instant, seamless connection to network-enabled devices. Devices, such as video cameras, use uPNP to talk to your router and accept outside connections. “This makes it easier to access them from the internet, but it also exposes your devices to the rest of the world,” explains Chester Wisniewski, principal research scientist for Sophos, cybersecurity company. And if the outside world can access your devices, sadly attackers can as well.

One way to combat this is to turn off the uPNP on your router and on your IoT devices. “Don’t assume that no one will notice when you hook up your device for the first time. There are specialized search engines that go out of their way to locate and index online devices, whether you wanted them to be found or not,” says Wisniewski.

3. Intercepting the Cellular Network
A number of IoT devices rely on cellular connections to function instead of WiFi. But while connecting a device to the internet can open the door to attackers, using a cellular network instead isn’t a completely secure option either. “When you use your cell phone to make a phone call, you don’t think someone can intercept that, but the reality is that a cellular connection isn’t automatically secure either. For less than $500 or $600 worth of equipment, anybody who is in the vicinity of your call can set up a fake cell site and listen to your calls, read your text messages or breach your IoT devices,” says Wilbur.

Take the Jeep Grand Cherokee, for example, which is a cellular connect car. If the Jeep’s cellular connection was intercepted, an attacker would do things like disable the vehicle and put people’s lives in danger. They would be able to control every function of the Jeep. What made the Jeep so vulnerable is that all of its IP addresses were publicly accessible. Accessing the devices was as easy as visiting a website. Plus, the devices weren’t firewalled from each other, making it easy for attackers to infiltrate the Jeep’s entire system. “For this reason, we made sure that all of the devices on Hologram’s network are firewalled from the broader internet and firewalled from each other,” says Wilbur.

4. Reverse-engineering Firmware
While reverse-engineering may sound complicated to an everyday person, for an engineer or a determined cyber attacker, it’s par for the course. Most technology companies strive to make their products as difficult to reverse-engineer as possible. “Reverse engineering the firmware that runs on a device might reveal hardcoded credentials or software vulnerabilities,” explains Zach Lanier, director of research at Cylance, a cybersecurity company.

In his research, Lanier has found that a number of IoT devices are a little too easy to reverse-engineer. For example, he found that the Belkin WeMo home automation products stored their firmware’s signing key and password, which are used to verify legitimacy, inside the firmware itself. Unfortunately, this could allow attackers to create their own malicious firmware, sign in to make it appear legitimate and upload it to the device — giving them complete control over it.

No one wants to see their IoT devices turn into an army of malicious bots who commit DDoS attacks — especially when those attacks take down internet services we love (like Netflix!). Developers can prevent this by making security a priority from the get-go and exploring all the possible scenarios that could lead to a breach. While consumers can follow security best practices, such as making sure their WiFi router is secure and reading security-specific product reviews, there is only so much they can do. At the end of the day, it’s up to IoT companies to ensure the security of their devices.