IoT Security Hacks With a Common Thread

Security of the Internet of Things (IoT) has been in the news lately, for all the wrong reasons. In addition to the recent DDoS takedown of Dyn, there were various hacking, ransomware and DDoS attacks that caught the attention of the security community. Let’s take a look at some of them:

Philips Hue Hack Could Mean Lights Out

Researchers from the Weizmann Institute of Science in Israel and Dalhousie University in Canada recently created a proof-of-concept attack focused on the popular Philips Hue line of smart light bulbs. The researchers created a worm that can make IoT devices infect one another. Using a flaw in the Zigbee wireless protocol, which the bulbs use to communicate, the worm replaces the lights’ firmware with a malicious version over the air from up to half a mile away. Once the bulbs are infected, a hacker can trigger a blackout, jam wireless communications citywide and even damage the power grid. The researchers said Philips is aware of the issue.

IoT Devices Hacked in Three Minutes or Less

ForeScout Technologies, a network security company, recently released a report that listed seven IoT devices that can be hacked in less than three minutes. The devices were:

  • smart lightbulbs
  • IP-connected security cameras
  • smart energy meters
  • connected printers
  • VoIP phones
  • smart refrigerators
  • videoconferencing systems

ForeScout’s research was led by black-hat turned white-hat hacker Samy Kamkar, who provided a video that shows him breaking into an IoT security camera. The unmodified device was running its factory-installed firmware, and Kamkar was easily able to install a backdoor that allowed him to remotely control the device simply by using its default password. While this hack took almost an hour, he pointed out that such attacks can be automated to take much less time. What’s more, once in, the hacker has full root access – even if the owner changes the password and reboots the device.

Well-Known Security Site Taken Down By IoT Botnet

Krebs on Security, the popular and influential website that reports on online security, was knocked offline recently by a massive DDoS attack. Powered by a botnet of IoT devices, the attack pummeled the site with an unprecedented 620-665 gigabits of traffic per second. The devices, mostly security cameras, routers, DVRs and other small low-resource items, were infected with a strain of malware whose source code was leaked last year and spun into dozens of variants.

You may have noticed a common thread among these reports: All the hacks involve constrained devices as targets or weapons. Devices like these can be exploited because they are, in large part, shipping with hardcoded default passwords, open Telnet ports and other security holes.

We’ve suggested some security solutions in our earlier post about the Dyn DDoS attack. To see how Veridify can help you secure IoT devices you may be working on, contact us for an SDK.