Can IoT Devices Be Hacked?

Have you recently shopped for a refrigerator? If so, you've probably noticed two weird trends. One: why do they need transparent doors when you can open them? And two: what's with putting a screen on them? Why does every dishwasher require wifi these days?

If you own any connected devices, you've probably asked yourself whether they could be hacked. Spoiler alert: they do.

I got the idea for this post because our workplace purchased vending machines and I had to figure out whether these untrusted devices needed to be connected to the office network. I loved a colleague's joke: "The 'S' in IoT stands for security". It takes a few seconds to get it.

So are you putting yourself and your home at risk by purchasing smart lightbulbs or smart toothbrushes? Yes, probably. Are hackers going to take control of them to spook you, as if a ghost haunted your house? That's not how it works in real life.

Let's discover why and how Internet of Things devices get hacked, and what you can do about it.

Why are hackers targeting IoT?

To answer this question, ask yourself: What's the advantage of installing malware on a connected light bulb rather than on your mobile phone? Your phone has much more interesting data about you after all! Sure, but the biggest reason why attackers pick IoT is that they are cheap to hack and easy to monetize.

Here's what's not cheap: security-aware developers. It gets worse. Estimates of the number of IoT devices in 2023 range from 10-14 Billion. Even if you estimate only 1% of them have gaping security holes, it's still at least 100 Million targets!

If all hackers could do with a corrupted device was to ring your bell or watch you shower, the practice would have remained in the realm of pranksters and jealous exes. Which is bad enough, don't get me wrong! However, criminals have figured out how to weaponize infected smart devices with botnets.

A botnet is an immense squad of infected devices under the control of a single entity, the herder.

The story of the infamous Mirai botnet displays how your hacked IoT device can lead to terrible consequences for the economy at large. Its founder first learned about how to destroy a Minecraft server using "distributed denial of service" (DDoS) attacks, which basically means sending millions of requests to a server until it cannot respond anymore. Turns out gamers were ready to actually pay people to orchestrate DDoS attacks on certain Minecraft servers. And then the creator of the botnet learned that others would also pay to take down an artist's or a journalist's website, and so was born "DDoS as a service".  

What's the Mirai botnet's got to do with IoT? Turns out all you need to make a DDoS work is the ability to do a web request on a server, which any "smart" device can handle!

So you get insecure devices that are easy to corrupt, which can be used to sell a criminal service. No wonder our devices are at risk.

But wait, what does it mean to be an "insecure" device?

How do smart devices get hacked?

Here's how botnet operators target IoT devices. Now here's the catch, in cybersecurity, there are two main threat actors: nation-state-backed (governments) and financially motivated (criminals). One has all the skills, time, and budget in the world, but chooses its targets carefully for geopolitical purposes. The other will pick low-hanging fruits to maximize return on investment. Therefore, they attack with a different method.

Nation states such as China use their manufacturing power to implant backdoors into routers and smart appliances. The infected devices become "stepping stones" to target domestic infrastructures by appearing to come from local soil. The "Volt Typhoon" group, which specializes in stealth government operations, likely uses these pre-infected devices.

Entities such as the Lemon Group benefit from the practice of "reflashing" mobile devices. The group provided pre-infected systems to buyers who wanted to start from scratch on an Android device.

Firmware is simple programs that allow the chips and hardware to interact with the software world. It is notoriously hard to update it since the code is coupled with physical chips! Can't update silicon circuits! Look at these recent examples from renowned vendors Asus and HPE who bricked their routers and printers with faulty firmware updates. In the same vein, Fujitsu was a recent victim of a firmware vulnerability in its point-of-sale systems in Japan. Many researchers who discover firmware vulnerabilities sell them instead of telling manufacturers about them, as ethical hackers would.

Most criminals focus on network and software vulnerabilities. Many IoT devices come by default exposed on the internet. Aggregators such as Shodan scan the internet continuously, looking for these devices. All criminals have to do is to look up these aggregators, find the model and maker of the devices, and then Google the user manuals for default passwords, and voilà! They did the deed and they're in. Then there is also the problem that people are notoriously terrible at picking passwords, which means many hackers can even get in using dictionaries of reused passwords.

In summary, IoT flaws permeate every layer of computing:

How can I protect myself from IoT hacking?

This is the part where I should train you on setting up a separate IoT network in your home environment, rotate the passwords on all your devices, and monitor your home network traffic for "phone home" pings from your devices to foreign IP addresses.

But honestly, this is my job to know this stuff and I have struggled to set up the network segmentation in a way that does not drive my family crazy.

The easy answer (and also imperfect) is to not get cheap on your smart devices. This is where you should refrain from purchasing the super-discounted "made-in-China" knockoff. Reputable companies have a, well, reputation to maintain. They are incentivized to deliver quality, secure systems.

Another easy answer (and quite perfect) is to refuse the risk. What does this mean? I had a smart toothbrush. Using a mobile app to track my mouth-washing activities seemed like a chore to me. I've therefore never connected the toothbrush. And then my 2-year-old threw it in the bathtub anyway. Not everything must be connected. Think of the value you're getting out of your connection before actually using it.

I connected my washing machine because I thought it would be cool to show off how many cycles a family of 2 adults and 4 boys can generate in a week (the answer is between 7 and 10). Then the connection was somehow lost last year, I've never bothered to bring it back. I didn't need a connected device, why expose myself?

It all comes down to value. If you believe a connected device can bring your life value: pay the device the amount of value it is worth. If the connectivity is a fun thing or a gadget, that you don't think you will use, do not settle for the cheap trick.

So yeah: I'm pretty sure nobody needs a screen on their refrigerator.

🛡Latest In Information Security

Backup company Veem releases the 2023 ransomware report and its conclusion will NOT surprise you (hint: you need more backups and less insurance). Biais aside, some trends emerge. Cyber insurance companies are less and less likely to pay for ransomware attacks, let alone actual ransoms. 80% of companies do pay the criminals, with 25% of the payers not getting their data back. Story

Declassified documents show the FBI's "compliance incidents" related to surveillance activities around the Jan.6 insurrection. I enjoy these stories because the ideological lines are blurred. How do you feel about government surveillance when they possibly invade the privacy of the QAnon conspiracy theorists? Does your opinion change if the FBI does the same with Black Lives Matter activists? Story

The awesome Citizen Lab reveals the Azerbaijan government allegedly used NSO spyware to target Armenian people of interest. Now, okay, I cannot for the life of me put Azerbaijan on a map. I won't pretend to know anything about what's going on in there. The relevant part is that a government likely purchased spyware from a private company in the context of a violent conflict to carry out human rights abuse. Yes, this means spyware should be treated similarly to actual weapons. Story

❓ Question of the Week

How many IoT devices do you own?