Written by Jo Vanwell, at Conosco
In the last decade, we’ve seen a surge in the quantity and quality of interconnected technologies, often known as IoT (Internet of Things), in both the consumer and corporate worlds. Whilst this has driven rapid growth and accelerated innovation, IoT security breaches are on the rise.
Connected smart devices are everywhere – they have become ingrained into our personal and professional networks. From remotely controlled security systems to thermostats that can be adjusted from our mobile devices, and from voice-activated peripherals that allow those less capable to live independently to cutting-edge innovations such as self-driving cars that will reduce the amount of congestion and collisions on the roads – the benefits are numerous.
However, with more than 26.66 billion IoT devices active in 2020, and this expected to grow to 75 billion by 2025, IoT does not come without its risks. Sensitive data, cloud technologies, and huge numbers of smart devices are connected via the internet, providing a large attack surface for cybercriminals.
Unfortunately, many IoT devices are not securely configured by default when shipped from manufacturers, and due to their often embedded nature, they are not regularly patched and secured once in production. Any network vulnerabilities can be easily exploited by hackers and targeted with malware. Therefore, businesses need to ensure that they put robust security and compliance governance in place across all IoT touchpoints.
In this blog, we dive into four real-world examples of IoT security breaches and detail the dangers of adding these devices to your networks without proper security measures in place.
How did they do it? By using a variety of weak, recycled and default credentials, hackers were able to access live feeds from the cameras around customers’ homes and were even able to communicate remotely using the devices’ integrated microphones and speakers. In fact, more than 30 people in 15 families reported that hackers were verbally harassing them.
Lessons we can learn
The IoT security breach, whilst not directly the fault of Ring, is a reminder to users to always remember to change admin credentials when receiving new ‘smart’ hardware and to adhere to basic cyber security rules such as creating unique login details. Many people use the same username and password for multiple accounts and subscriptions, making it easier for criminals to use stolen or leaked credentials from one service to gain access to another service.
All Ring users have since been encouraged to add Shared Users to their accounts (instead of sharing login details), use strong passwords which are regularly changed, and implement two-factor authentication, giving an added layer of security.
Now if securing your home with smart devices isn’t your cup of tea, how about the office? Many businesses have recently transitioned from the traditional lock and key to digital building access systems, reliant on physical key cards, access codes and even biometric technologies to allow employees access to building complexes without the need for a keychain the size of a small dog.
However, these systems are not exempt from IoT security breaches. In May 2019, research by Applied Risk (a cyber security firm) identified 10 vulnerabilities in the Nortek Linear eMerge E3 devices that would allow hackers to hijack credentials, take control of devices (opening/locking doors), install malware, and launch DoS (Denial of Service) attacks, all whilst circumventing the security measures in place.
Despite being made aware of these vulnerabilities, six of which had a severity score of 9.8 or 10 out of 10, NSC failed to provide patches for quite some time, during which tens of thousands of hits were being identified daily across 100 countries.
Lessons we can learn
The Nortek IoT security breach highlights how vulnerable systems can be an entry point into corporate networks and how quickly hackers can use connected IoT smart devices to target multiple businesses. The key lesson for providers of these systems is to work closely with cyber risk and research organisations to proactively identify and remediate these vulnerabilities before they can be exploited by cybercriminals.
Something a little less scary, but just as concerning, is the risk of attacks on seemingly innocuous devices, such as smart fridges and washing machines. Household appliances such as these don’t usually hold particularly sensitive data, or have potentially privacy-breaching attachments like cameras and microphones. So why would hackers want to target them?
As we begin to connect an increasing number of household appliances via IoT, we present a new attack surface. Hackers that once had to penetrate the advanced cyber defences of a business can now leverage gaps in the security of the products and appliances not previously considered by manufacturers. Investigations by various cyber security researchers globally have identified a staggering number of these devices connected to botnets.
What is a botnet? For those not familiar with this term, a botnet is a form of malware that can infect appliances and often go unnoticed by the owner, having almost zero impact on the owner’s security. However, botnets can be used by hackers to perform attacks via the web. According to Wired Magazine, if hackers controlled a botnet which had silently hacked thousands of large IoT household appliances (such as air conditioners and water heaters), cybercriminals could de-stabilise an entire power grid. Although an attack on this scale has only ever been simulated for research, there have already been many real-world examples of IoT security breaches on fridges and even fish tanks.
Lessons we can learn
Whilst the majority of attacks on IoT household appliances are due to default admin credentials and compromised passwords, many regulators are now calling for manufacturers to be held accountable for improving product security. In the UK, policymakers are considering regulatory frameworks and calling for IoT products to be secure by design, taking the burden off consumers.
Our final IoT security breach highlights the growing concern around hackers accessing medical IoT devices.
The nature of IoT devices means that data is constantly being transmitted, processed and collected in the cloud, often without any encryption. If a hacker were able to access a medical IoT device, they could use it to manipulate information and transmit false signals. If a healthcare practitioner were to act on one of these signals, it could have a significant impact on the patient’s treatment.
Even more terrifying, what would happen if a hacker could take control of an IoT pacemaker or defibrillator? Research given to the FDA found that St Jude Medical’s implantable cardiac devices have vulnerabilities. If hackers were able to gain access, they could deplete the battery or administer incorrect pacing or shocks.
Thankfully, no patients have been harmed as a result of the vulnerabilities, and St Jude has since developed a software patch to fix the problem that occurred in the devices’ transmitter.
Lessons we can learn
This type of IoT security breach could be the difference between life and death. Once again, it shows us the importance of encrypting data and running regular vulnerability assessments to identify any weaknesses in our defences. It is highly likely that as IoT advances are made, sectors that hold sensitive information or provide critical public services will undergo more stringent checks by governing bodies. We can also expect to see more guidance being published to help manufacturers proactively address cyber security risks.
IoT has evolved rapidly over recent years, connecting technology, driving business insights, powering innovation and improving people’s lives. But it’s not all good news. As IoT solutions become more prevalent in society, cybercriminals have found new opportunities to exploit the lack of built-in security currently associated with IoT devices. Each day, hundreds of millions of smart devices are manufactured and sent out, only to be implemented in our homes and offices without us realising the inherent risks. As we’ve seen from the four examples in this blog, some of the top reasons for IoT security breaches include:
Conosco’s Security Division is made up of analysts, consultants and a dedicated Security Operations Centre (SOC) with the skills and expertise to identify vulnerabilities, secure your endpoints and ensure you have a robust IoT infrastructure that doesn’t compromise your business integrity. Get in touch with our team for more information about IoT solutions and cyber security services.