Internet of Things: five unlikely hacking risks
Posted on 2 Dec 2013 at 10:12
From pacemakers to baby monitors, Davey Winder reveals five hacking targets from connected devices and the Internet of Things that you may not have considered to be a risk
The risk: Network-connected pacemakers have been found to be at risk. Infamous security researcher Barnaby Jack - who sadly died before he could demo his findings at the Black Hat conference - documented methods whereby he could remotely send an 830-volt shock to a certain pacemaker model from a distance of up to 50 feet away, enough to kill the user.
The reality: Any attacker would have to not only know the victim was a user of that particular model, but also get within 50 feet to launch the attack, so it isn't the most convenient method of murder for would-be assassins.
A vulnerability, however remote the chance that it may be exploited, remains a risk. The US Center for Internet Security has launched an initiative to increase the security of connected medical devices and is working with device manufacturers to develop security guidelines.
The risk: Earlier this year, security experts Trustwave SpiderLabs uncovered a vulnerability that enabled an attacker to exploit the Bluetooth connectivity (with a hardcoded pairing PIN for the Android control app) of a Japanese smart toilet and so remotely raise or lower the lid and activate the bidet.
The reality: Apart from being inconvenient, it's hard to take this particular risk seriously in any way, shape or form - not least as you would need to be so close to the said toilet for the Bluetooth connectivity to have any impact that it would hardly be an exercise in stealth. Hardly surprising, then, that the company making the toilet hasn't been quick to flush out a redesign.
Home automation hubs
The risk: Trustwave SpiderLabs also put some home automation gateways to the test, smart hub devices which provide smart remote management of such things as house lights, door locks and security cameras.
A single gateway controlling multiple devices needs to be secure, yet researchers found one unit that could be accessed simply by using a secondary UPnP interface to the gateway web controls (in essence, a secure shell connection requiring no username or password) once the user's local Wi-Fi network had been hacked.
The reality: This one is a little more serious, as hackers could use it, if not to break into someone's home and steal stuff, then certainly to harass a target. With remote access to the hub the attacker gets full control of security cameras and door locks, and in the case of the unit Trustwave tested, 'remote' doesn't mean in range of the Wi-Fi connection but rather anywhere, via a secondary vulnerability in the cloud system also employed by the manufacturer.
The risk: Smart TV is here already, but just how smart is it? You can probably guess the answer is not very smart at all, but rather most likely a cobbled-together mixture of hardware, Linux and the internet.
The reality: The more features your TV has, the more opportunity there is for someone to find a flaw amongst them and exploit it. As soon as you start connecting a device like a TV, which in reality is just a computer with a monitor and a camera, to the internet, you are asking for trouble unless it is protected by the same kind of security measures as the other computers in your home.
This kind of connected device is, courtesy of the similarity to your laptop in terms of functionality, probably more at risk of real-world exploits than most.
The risk: Yes, even baby monitors are connected to the Internet of Things and one user of such a device in Texas discovered they could be hacked when a remote user was able to control camera movements and start yelling obscenities through it.
The reality: As this family discovered, the reality is that IP cameras, and that's all this is, have been easily hackable for some time now. Script kiddie hacking tools are readily available in the usual places online, and controlling such cameras has become a hobby for bored teenagers.
Security is also relatively easy to apply, though: usually it's as simple as changing the default remote admin settings on both your router and the camera software tools. In the case of the baby monitor in question, registered users could apply an update from the manufacturer to lock down the vulnerability as soon as it had been reported.
Author: Davey Winder