In the previous text, we talked about the most serious hacker attacks on Internet of Things devices. But left out are not the obvious decisions of the attackers, directed not against corporations, but against ordinary people.
Trend Micro analysts say that hacked IoT devices are usually used:
1. to organize DDOS attacks;
2. as VPN nodes - through them hackers access the network so that they are more difficult to identify.
If the first option is used quite often, then the second is still exotic. Recently, attackers sent phishing emails (about 2 thousand per day) from a network of hacked IoT devices, and the emails were disguised as messages from well-known brands. Then information security experts noted that using IoT devices for attacks is easier and more reliable than VPN servers, since you don’t have to pay for them and they won’t be on the stop list of IP addresses from which spam was sent.
In both cases, analysts say, hackers who gain access to IoT devices often sell that resource to other criminals.
More sophisticated scammers are looking for new methods to attack IoT devices and new ways to monetize them. Some sell access to gas stations on the darknet, others sell specialized firmware for smart water, electricity and gas meters (although no one has yet figured out what else can be done with them other than saving on utilities).
In 2017, German authorities accused the “My Friend Kayla” doll of espionage and banned its sale in the country. Initially, it was positioned as a toy that communicates with the child and answers questions. Soon the intelligence services found out that Kayla was recording all conversations, converting them into text and saving them on the server. At the same time, based on a user message, the company could transfer this information to third parties for targeting advertising. Theoretically, conversations with the toy could have been intercepted by hackers, but it didn’t come to that.
A couple of weeks after this incident, it became known that CloudPets plush toys turned out to be even more dangerous devices. With their help, children could communicate with their parents. But the developers actually left 800 thousand user logins and passwords and two million audio messages exchanged between family members publicly available. In addition, cybersecurity experts have found that anyone located a few meters from the animal can gain access to the toy and play any recording. It is unknown whether any of the attackers took advantage of the vulnerability.
Many devices can lead to the death of the patient. In particular, it is possible to hack automated pumps for introducing insulin into the body (causing an overdose); It is also possible to compromise pacemakers by commanding them to stop the heart. In addition, hackers gain access to patients’ personal data.
Insulin pump
The hackers themselves admit that their main target is medical devices. The point is the high probability of success of such attacks and the scale of the consequences. That is why most manufacturers of such equipment warn patients in advance about possible risks and advise continuous monitoring of their condition and dosage of administered medications. Six months ago, the FDA made an official statement about the high cyber vulnerability of insulin pumps, at the same time some manufacturers recalled products and massively replaced the pumps of devices already used by patients.
An illustrative story took place in 2017 in one of the casinos. The network itself was protected from external threats, but the “smart” thermostat in the aquarium turned out to be the Achilles heel. Through it, the attackers got into the casino’s internal network, after which they stole the database of visitors.
Experts from the German IT company Antago spoke about the dangers of thermostats back in 2016. As part of the experiment, they received access to the remote administration system for rooms at an elite hotel in Dubai. Then the specialists removed one of the rooms, unscrewed the thermostat itself from the wall and connected a special device to the KNX cable, which remembered what actions certain commands on the network were responsible for. After that, a GSM module was added to the device so that it could be controlled via SMS. The gadget itself was hidden behind a thermostat, which experts returned to its place. Thus, they gained access to the entire hotel network. They were able to raise the temperature in the room to the maximum, open and close windows in any room, and turn on and off the lights. The entire hacking procedure took the specialists eight minutes.
Cybersecurity experts say that users of smart gadgets rarely change basic settings (for example, the password to access the device), as a result of which hackers can connect to the network quite easily by quickly guessing the password. Therefore, even if your smart apartment does not have a thermostat, the attacker will still find one of the “things” to cling to.
Trend Micro analysts say that hacked IoT devices are usually used:
1. to organize DDOS attacks;
2. as VPN nodes - through them hackers access the network so that they are more difficult to identify.
If the first option is used quite often, then the second is still exotic. Recently, attackers sent phishing emails (about 2 thousand per day) from a network of hacked IoT devices, and the emails were disguised as messages from well-known brands. Then information security experts noted that using IoT devices for attacks is easier and more reliable than VPN servers, since you don’t have to pay for them and they won’t be on the stop list of IP addresses from which spam was sent.
In both cases, analysts say, hackers who gain access to IoT devices often sell that resource to other criminals.
More sophisticated scammers are looking for new methods to attack IoT devices and new ways to monetize them. Some sell access to gas stations on the darknet, others sell specialized firmware for smart water, electricity and gas meters (although no one has yet figured out what else can be done with them other than saving on utilities).
History of toys
Smart toys, whether dolls with speech recognition or cars controlled by a phone, are still considered funny and harmless entertainment. Parents do not take into account that toys can not only steal data about the owner and transfer it to attackers, but also monitor the child, even “attack” him (if the toy is controlled remotely). In many ways, these are still horror stories, but there have already been precedents. In 2017, the FBI officially asked Americans to carefully study the vulnerabilities of smart toys before purchasing them.In 2017, German authorities accused the “My Friend Kayla” doll of espionage and banned its sale in the country. Initially, it was positioned as a toy that communicates with the child and answers questions. Soon the intelligence services found out that Kayla was recording all conversations, converting them into text and saving them on the server. At the same time, based on a user message, the company could transfer this information to third parties for targeting advertising. Theoretically, conversations with the toy could have been intercepted by hackers, but it didn’t come to that.
A couple of weeks after this incident, it became known that CloudPets plush toys turned out to be even more dangerous devices. With their help, children could communicate with their parents. But the developers actually left 800 thousand user logins and passwords and two million audio messages exchanged between family members publicly available. In addition, cybersecurity experts have found that anyone located a few meters from the animal can gain access to the toy and play any recording. It is unknown whether any of the attackers took advantage of the vulnerability.
Doctor Evil
By 2020, there will be 650 million medical IoT devices in the world. However, almost nothing is being done to protect them; the servers of many of them still run almost on Windows 2000.Many devices can lead to the death of the patient. In particular, it is possible to hack automated pumps for introducing insulin into the body (causing an overdose); It is also possible to compromise pacemakers by commanding them to stop the heart. In addition, hackers gain access to patients’ personal data.
Insulin pump
The hackers themselves admit that their main target is medical devices. The point is the high probability of success of such attacks and the scale of the consequences. That is why most manufacturers of such equipment warn patients in advance about possible risks and advise continuous monitoring of their condition and dosage of administered medications. Six months ago, the FDA made an official statement about the high cyber vulnerability of insulin pumps, at the same time some manufacturers recalled products and massively replaced the pumps of devices already used by patients.
Hotels
Cybersecurity experts regularly remind us that equipment connected to the Internet of Things needs protection in the same way as, for example, servers or smartphones. For the average consumer, a kettle connected to the network remains an ordinary kettle. The user does not understand that through this household appliance you can access the entire smart home system and manage all network settings. According to statistics, printers, routers, web cameras and media players are considered the most vulnerable.An illustrative story took place in 2017 in one of the casinos. The network itself was protected from external threats, but the “smart” thermostat in the aquarium turned out to be the Achilles heel. Through it, the attackers got into the casino’s internal network, after which they stole the database of visitors.
Experts from the German IT company Antago spoke about the dangers of thermostats back in 2016. As part of the experiment, they received access to the remote administration system for rooms at an elite hotel in Dubai. Then the specialists removed one of the rooms, unscrewed the thermostat itself from the wall and connected a special device to the KNX cable, which remembered what actions certain commands on the network were responsible for. After that, a GSM module was added to the device so that it could be controlled via SMS. The gadget itself was hidden behind a thermostat, which experts returned to its place. Thus, they gained access to the entire hotel network. They were able to raise the temperature in the room to the maximum, open and close windows in any room, and turn on and off the lights. The entire hacking procedure took the specialists eight minutes.
Cybersecurity experts say that users of smart gadgets rarely change basic settings (for example, the password to access the device), as a result of which hackers can connect to the network quite easily by quickly guessing the password. Therefore, even if your smart apartment does not have a thermostat, the attacker will still find one of the “things” to cling to.
What to prepare for?
Trend Micro analysts, based on analysis of the darknet and discussions about hacking IoT devices, made forecasts for the coming year. Average of them:- Hackers will look for new ways to monetize hacking. In this regard, their interest will switch to both the industrial Internet of things and the most common “smart” devices (both of which can be used for extortion);
- Cybercriminals will be less likely to access the network through vulnerable routers: most attacks today involve changing DNS settings, a vulnerability that developers can easily fix. And when they do this, hackers will have to find new points of entry into the network;
- More complex threats will emerge, such as low-level rootkits or firmware infections.
