Most of us enjoy using some kind of Internet of Things device these days – after all, IoT devices run the whole gamut of smaller gadgets, including smartphones, tablets, cars, homes, wearable devices and home appliances that are connected to the Internet, as they make our lives so much easier.

Unfortunately, as with anything that connects to the Internet, it can be exploited by hackers, and though some of you may think that hacking an Internet connected refrigerator is not a big deal, cybercriminals can use information from that to access your other online accounts.

Internet security firm Proofpoint recently described how it had uncovered the first proven IoT-based attack which involved 750,000 malicious email communications coming from over 100,000 everyday consumer gadgets, including home-networking routers, connected multi-media centers, televisions and at least one refrigerator.

“Bot-nets are already a major security concern and the emergence of thingbots may make the situation much worse,” said David Knight, General Manager of Proofpoint’s Information Security division.

“Many of these devices are poorly protected at best and consumers have virtually no way to detect or fix infections when they do occur. Enterprises may find distributed attacks increasing as more and more of these devices come on-line and attackers find additional ways to exploit them.”

Marc Rogers, head of security for DEF CON and Principal Security researcher at Lookout, explained that IoT is an easy target because manufacturers do little to protect these Internet connected devices stating that those devices that were attacked has the same vulnerability:

“Manufacturers left default accounts with published passwords on these ‘connected things’ to help users with their first time configuration,” Rogers said in an interview with SiliconANGLE.

“Consumers are not aware that these default accounts are vulnerable to attacks and need to be locked. As a result most consumers just connect their new thing and switch it on, leaving it exposed to anyone who knows which default account to use and what the published password is,”

“Part of the problem here is that there are no security standards for the IoT, so oftentimes, manufacturers who may come from an industry that has never had to worry about internet threats are completely unaware that they need to take these precautionary steps.”

But what specific IoT devices are most vulnerable to attacks?

Battle stations: IoT under attack!

Smartphones and tablets

Mobile devices are the number one target for hackers, as these are the most common Internet connected devices that we interact with throughout the day. We use them for all kinds of things – mobile banking, logging into social networking sites, shopping, and communicating with others. According to F-Secure’s latest report, 91.3 percent of all smartphone malware created is directed at those running the Android platform because of its openness. Scammers target Android users who don’t have the latest software version, such as Adobe Flash. The user will be asked to download the latest update, but in the process, malware is injected to the user’s phone. The malware can then intercept personal information such as bank details.

Trustwave security researcher Neal Hindocha revealed a harrowing scenario by building a proof-of-concept that would allow hackers to track every swipe and tap a user does on his smartphone or tablet. By tracking movements on the screen, and getting a screenshot of what the user is seeing, it would be easy for attackers to know your PIN, passwords, account numbers, and other sensitive information of a user.

Wearable devices

There are many wearable devices that now connect to the Internet, such as fitness trackers, lifelogging devices, and even medical implants and tools. The problem with having these connected to the internet is that hackers can know your location at any given time, track your whereabouts, schedule, and if someone wishes to do you physical harm, obtaining this information would make it easy for them to know when and where to attack you. But aside from the, hackers can kill you without even touching you.

The late and legendary hacker Barnaby Jack was supposed to demonstrate how he can remotely send an 830 volt electric shock to anyone wearing a pacemaker from a distance of fifty feet at last year’s Black Hat convention. Though he wasn’t able to do that because of his untimely death, just thinking about how hackers can do harm by attacking medical implants is enough to keep you up at night.

SmartHomes

Connected homes are quite appealing. The promise of lower electric bills, the ability to control connected appliances halfway across the globe, and getting notifications for unexpected occurrences, is enough to make us all want into the whole SmartHome business. The problem with this is that all of this added convenience makes your home a target, not only from physical intruders, but from hackers as well.

Daniel Crowley, a security researcher at Trustwave, stated that, “The easiest [IoT] device to hack is a system that controls door locks, heating, ventilation and air conditioning systems, garage doors, lights, alarm systems, cameras, and a number of other devices.”

Which means home automation hubs are quite vulnerable as it is the brains of the whole operation.

Connected cars

Earlier this month, General Motors announced that some of Chevrolet’s new cars will incorporate 4G LTE technology, which effectively means the cars are a rolling Wi-Fi hotspot. The wireless service will be provided by AT&T, and existing subscribers can add their vehicle to their data plan.

What this means is that passengers on board can use the onboard connection to connect to the Internet. Meanwhile, for the driver, it will be easier for them to use Internet-based apps and services such as GPS, vehicle diagnosis and system information. But connecting your car to the internet may prove lethal.

Last year, security researchers Chris Valasek and Charlie Miller were awarded an $80,000 grant from the Defense Advanced Research Projects Agency (DARPA) to expose the vulnerabilities of connected cars. The two physically jacked a Toyota Prius and Ford Escape to mess with their systems. They then set about disabling the brakes, or applying them at high speeds, blowing the horn, killing the power steering, messing with the GPS, speedometers and odometers. Naturally, Toyota was not impressed with their efforts since the two used physical jacking, researchers at the University of Washington and the University of California, San Diego, were able to pull off the same tricks using wireless access. Stefan Savage, a UCSD professor involved with the research, stated that physical or wireless attack on cars is possible because car manufacturers haven’t fully secured their software.

The vulnerabilities that we found were similar to those that existed on PCs in the early to mid-1990s, when computers were first getting on the Internet,” Savage stated.

Consumers aren’t aware of the vulnerabilities Internet connected devices pose, as most people do not see these devices as ‘computers’ that can be hacked. For them, a car is just a car, a phone is just a phone, and a refrigerator is just a refrigerator, even if it can connect to the Internet.

People need to realize that attacks on IoT devices do happen, and so they need to be aware of the potential implications since manufacturers aren’t really doing everything they can to protect their products.

Main image credit: Profound Whatever via photopin cc