In the IoT world, products could kill

The time when we distinguished between cyberspace, the digital world of machines, and our everyday physical reality is over. Computers and the Internet are embedded in everything we use, from our household appliances, toys and medical devices, to the cars we drive.
This Internet of things (IoT) has introduced vulnerabilities into our everyday lives, says Robert Brown, CEO of DRS, a Cognosec company. “Security researchers have uncovered vulnerabilities in everything from lighting systems, to insulin pumps and beyond. Fortunately, many of these security holes have not yet been exploited by cyber criminals, but it’s only a matter of time.”
However, he says some of these flaws have been taken advantage of, citing a recent spate of baby monitor hacks. “Parents have been warned that an increasing number of individuals are hacking baby monitors and talking to children as they sleep.”
The New York Department of Consumer Affairs (DCA) issued a public statement earlier this year, warning parents to make sure their video monitors are secure, as the devices are fairly easy to hack. This followed reports by parents who said upon walking into their children’s rooms at night, they were met by the sound of men speaking through the monitors to their children.
“Monitors are supposed to make parents feel secure, and give them peace of mind. The reality is highly disturbing. They are not secure and are providing a conduit through which predators can watch and speak to the children.”
Similarly disturbing, he says, was the discovery that Mattel’s latest Wi-Fi enabled Barbie doll can easily be hacked and transformed into a surveillance tool for spying on children and listening in on the conversations of anyone in the vicinity.
“The Hello Barbie doll was dubbed the world’s first ‘interactive doll’ that had the ability to listen to its owner, and respond via voice, much in the same way as Apple’s Siri. The doll connects to the Web via WiFi and features a microphone to record kids and send that data off to third-parties for processing before responding via natural language responses,” explains Brown.
However, US security researcher Matt Jakubowski discovered that the doll, when connected to WiFi, became vulnerable to hacking, and he was easily able to access the toy’s system information, account data, as well as stored audio files. He was also able to access the microphone.
Jakubowski says that with that information, it would be easy to discover an individual’s business or house address, and it was only a matter of time until he would be able to replace their servers with others that would make the toy respond in a way he chose.
Another scary demonstration of what hackers can do, Brown says, was the hack of the Jeep Cherokee, carried out by security researchers Charlie Miller and Chris Valasek.
“The pair turned the concept of automobile safety on its head, when they demonstrated they could remotely hack a 2014 Jeep Cherokee to disable its transmission and brakes. This demo led to Fiat Chrysler issuing an unprecedented recall for 1,4-million vehicles, as well as USB drives containing a patch for the vulnerable infotainment systems.”
Brown says the Jeep hack was only the tip of the iceberg. “During DefCon in August, another security researcher at CloudFlare named Marc Rogers unveiled a slew of vulnerabilities they discovered in the Tesla Model S, that would have enabled a hacker to connect their notebook to the car’s network cable behind the driver’s dashboard, start the car via a software command, and drive off with the vehicle, or alternatively plant a remote access Trojan or RAT on the vehicle’s internal network to cut the engine at a later stage – when someone was driving the car.”
Then there are medical devices. Medical equipment that many depend on for their survival, such as pacemakers and insulin pumps, is also vulnerable to attack. “For example, a fatal shock could be delivered to an individual’s pacemaker, which was the motivation behind Dick Cheney’s cardiologist disabling the WiFi on Cheney’s device,” he says.
In addition, drug infusion pumps which dish out various pharmaceuticals such as antibiotics, morphine, chemotherapy, and similar, are also vulnerable. Security researcher Billy Rios uncovered major vulnerabilities in them that would allow a hacker to furtively and remotely change the dose of drugs administered to patients.
“Let’s face it, manufacturers are adding WiFi to consumer products of every variety, without giving a thought to the security implications. When technology is added willy nilly to products that haven’t featured it before, there will be security issues. Consumer businesses who are thinking of connecting their product to the IoT need to consider this carefully and make security a priority – products can kill, whether the cars we drive, or the medical devices we use to preserve our lives,” Brown concludes.