IoT Crime Diary

FROM THE EDITORS AT CYBERSECURITY VENTURES

Q1 2017

IoTCrimes.com provides business and technology executives, chief information security officers (CISOs), IT security teams, and the cyber community with a quarterly diary of noteworthy Internet of Things (IoT) hacking and breach activity, and the latest innovations aimed at thwarting IoT crimes.

FIRST EDITION

A future where everyThing is hackable?

All Internet of Things (IoT) devices are at risk of theft, damage or destruction.

bradcaseyheadshotBrad Casey

Menlo Park, Calif. – Apr. 6, 2017

Cyber threats have evolved from targeting and harming computers, networks, and smartphones — to people, cars, railways, planes, power grids and anything with a heartbeat or an electronic pulse.

What Things are being hacked today? PCs, laptops, tablets, smartphones, medical devices, kitchen appliances, thermostats, TVs, wristwatches, pet collars, webcams, thermostats, you name it.

The first edition of our IoT Crime Diary sheds light on a potential future apocalypse of Things, and the innovations that can prevent that from happening.

IOT DIARY

March

Mar. 30. IoT industry power brokers speculate on what the digital world will look like by 2019.  Most agree that a hyperconnected world will lead to numerous disruptions in Internet connectivity,

Mar. 29. Approximately 90 percent of IoT devices are vulnerable to remote hacking. Latest attack utilizes rogue DVB-T (Digital Video Broadcasting — Terrestrial) signals to acquire root access to smart TVs.

Mar. 28. According to Nokia, 2016 saw a spike of 400 percent in the infection rate of smartphones and IoT devices.  October seemed to be the favorite month for IoT hackers.

Mar. 27. Farmers are are getting into the IoT game as they battle American manufacturer John Deere over the right to use unlicensed software to fix their tractors.

Mar. 24. In a partial effort to combat IoT security issues, the University of Florida plans to open an IoT Institute for Engineers, thanks to a $5 million gift from the Warren B. Nelms Institute for the Connected World.

Mar. 15. University of Michigan researchers hack an IoT device using sound waves. Exploit vulnerabilities are found in hardware.

Mar. 15. Researchers utilize 20 accelerator models from 5 different manufacturers to affect data in 75 percent of tested devices. Test involved using soundwaves against Fitbits and other IoT devices.

Mar. 14. Due to a vulnerability of a Web server in some Dahua devices, security experts are able to hack into devices, and gain full administrative access.  Dahua is the second largest IoT device manufacturer.

Mar. 14. Federal Trade Commission is not seeking to impose regulations specific to the IoT industry at this time. Others claim this is a mistake due to a lack of standards.

Mar. 10. Will hacking of IoT devices lead to an Apocalypse of All Things?  One day, everything may be hackable.

Mar. 10. Companies can better insulate themselves from liability by taking a few extra steps to insulate themselves from IoT hacks.

grayfooterline
RELATED: Wired and Wireless Device Threat Detection from Pwnie Express
grayfooterline

Mar. 08. Mongoose OS is enabling more and more devices to join the IoT community.  OS allows for utilization of the MQTT protocol for communication.

Mar. 07. IoT security is affecting the staffing landscape. A study finds that 90 percent of organizations lack confidence in their IoT security infrastructure.

Mar. 07. Smart home company, Nest, institutes two-factor authentication into its latest software as a means of combatting IoT hacks.

Mar. 06. Commentator opines that ransomware combined with an IoT hack could have devastating effects on enterprise networks.  One scenario involves hacking an HVAC system and turning it off until a ransom is paid.

Mar. 06. As it turns out, good security for IoT devices costs money. Go figure. Author speaks to experts within the security industry to get a sense of just how much money is placed into various products.

Mar. 04. Due to the proliferation of IoT devices, some companies are developing servers that sit on the edge of enterprise networks, and process incoming data before sending the data to core servers.

Mar. 03. Enjoy IoT devices as they can add value to your life, but also take 10 easy steps to improve your security posture.

Mar. 03. House Democrats introduce a bill that will grant additional regulatory powers to the FCC to combat cyberattacks. FCC chairman is skeptical of the bill.

Mar. 02. A hidden backdoor is found in various Chinese IoT devices manufactured by DblTek –allowing users to gain Telnet access to affected devices.

Mar. 02. Nokia and Airtel team up to research 5G connectivity for IoT devices.  This could result in billions more IoT connected devices.

Mar. 01. Not to be outdone, robots have been deemed by some to be just as vulnerable as IoT devices.  A report by IOActive reveals that robots suffer from many of the same maladies that affect IoT devices, such as authentication issues, weak cryptography, etc.

February

Feb. 28. Internet of Things is the backdoor to hacking your home. Website Shodan enables attackers to search the entire Internet for vulnerable IoT devices.

Feb. 28. Weird stuffed animal hack leaves many parents disturbed as their recorded messages are accessed from MongoDB.  Then messages are then locked and held for ransom.

Feb. 21. Going against the grain, Kaspersky decides against utilizing the Linux kernel for its new KasperskyOS. The new OS designed explicitly for IoT security.

Feb. 20. Researcher details 9 new IoT hacks that will rapidly proliferate in the near future. Apparently, not even heart monitors are safe.

Feb. 19. AT&T forms Cyber Security Alliance with IBM, Nokia, Palo Alto, Symantec, and Trustonic as AT&T researchers report a 3,000+ percent increase in attackers scanning for IoT vulnerabilities over the past 3 years.

grayfooterline
RELATED: Detect, Assess, and Respond to IoT, BYOD, and Connected Device Threats
grayfooterline

Feb. 17. 3D printers considered another hackable IoT device. Cheaper, sub-standard on-board computing may be the culprit.

Feb. 14. Verizon finds that an unidentified university victim of a DDoS attack is due to the hack of campus vending machines. The attacker directed victimized machines to random seafood websites.

Feb. 14. Many IoT devices running the Linux kernel may be vulnerable to Linux/DDoS-BI.  This version of malware crawls the Internet and attempts to brute force devices via SSH utilizing default credentials.

Feb. 12. Researchers find that most smart devices used in the enterprise are vulnerable to attack. Default passwords and weak initial designs are becoming an epidemic.

Feb. 06. While vulnerability testing of software and network configurations has spiked over the past decade, hardware vulnerability has fallen by the wayside.  

Feb. 03. Utilizing Tesco Bank’s mobile app, thieves hack into the Tesco Bank system and come away with £2.5 million. The bank was told about the vulnerable app prior to the attack.

Feb. 03. Researchers at RSA Conference 2017 plan an in-depth discussion regarding IoT security and Mirai malware.

Feb. 03. Rapid7 announces that their Metasploit toolkit has been updated to test IoT devices. The framework can now link directly to hardware.

Feb. 03.  Researcher figures out how to hack a coffee maker via the Smarter Coffee app.  He figures out how to access the coffee maker via command prompt, thereby rendering the actual app obsolete.

January

Jan. 24. Healthcare execs aware of the various vulnerabilities in IoT devices, but fail to take action.  Apparently, insulin pumps aren’t considered critical infrastructure.

Jan. 20. Ponemon Institute finds that 80 percent of IoT devices not tested for security flaws.  Study involved a survey of 593 IT and IT security practitioners.

Jan. 19. Need for properly configured firewall is apparent from Samsung SmartCam hack. The hack was discovered in 2014, but not patched until 2016.

grayfooterline
RELATED: So what exactly is the Internet of Evil Things? Read the 2017 Internet of EVIL Things Report
grayfooterline

Jan. 11. Car hacking could be an epidemic by 2021 as Ford plans to launch its own line of fully autonomous cars.

Jan. 6. Symantec dips its toe in the hardware market by developing Norton Core. The device helps secure IoT devices.

Jan. 6. In an effort to improve efficiency, lack of security in IoT devices may begin with the manufacturer.

Jan. 5. Federal Trade Commission agrees to sponsor a patching tool for IoT devices. The best tool will win $25,000.

Jan. 4. Smart meters are deemed fatal due to numerous security vulnerabilities. The devices could be exploited to start fires.

Jan. 3. IoT devices will help law enforcement solve crimes.  Apparently, digital forensic investigation of doorbells could allow investigators to discover who rang the doorbell.

Stay tuned for the Q2 2017 IoT Crime Diary.

Brad Casey is a freelancer writing about any and all things IT and cybersecurity related.

grayfooterline

© 2016-2017 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this Report by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.