Every Halloween, parents check their kids’ candy hauls to be sure their bags are filled with treats, not tricks. But do they have the same vigilance when checking if the IoT devices in their homes are compromised? Millions of people are buying doorbell cameras, smart speakers, and baby monitors (just to name a few) by the boatload, and these devices are targets for attacks. Businesses are no different, as they welcome smart sensors, smart HVAC systems, and even robots to their workspace. Although these devices are intended to make everyday life more efficient and interconnected, they can easily turn your home into a haunted mansion.
Threat actors have taken a page out of Dracula’s book, sinking their teeth into the necks of more and more vulnerable IoT devices. IoT attacks have increased sharply in the last few years: 2023 saw a 400% increase in IoT malware. As the number of IoT devices out there grows, the number of attacks will grow with it.
It’s not all doom and gloom! Even though the number of hardware-focused threat actors is increasing, there are also more ethical hackers focused on securing IoT devices than ever. With their wizardry and a good understanding of IoT attacks, we can fortify our IoT defenses.
Haunted tales of IoT attacks past
There have been more than a few hair-raising stories of IoT attacks in action. We’ll shine our spotlight on just a few of these horrors.
Pacemakers
The US FDA recalled 500,000 pacemakers in 2017 due to their lax cybersecurity. Vulnerabilities in the firmware would have let threat actors waste the pacemakers’ batteries or even alter patients’ heartbeats. In the end, the risk remained hypothetical as the supplier fixed the vulnerabilities before any hacks happened. But pacemakers (and medical devices at large), vital as they are to keeping humans alive, continuously require the most intense levels of cybersecurity vigilance to prevent incidents from ever happening.
Jeep Cherokees
Researchers found critical vulnerabilities in Jeep Cherokees in 2015. These vulnerabilities, had they not been patched, would have let threat actors cut the brakes on thousands of Jeeps at once, wirelessly. The researchers worked with Chrysler on the research, and Chrysler recalled and patched 1.4 million affected vehicles. As carmakers attach more and more smart functionality to cars, the cybersecurity risk grows. Thankfully, these same carmakers are also prioritizing cybersecurity.
Schneider Electric power meters
Power meters on homes measure and regulate the power usage of a home, helping divert electricity on a grid to where it is most needed. Last year saw the disclosure of a vulnerability in Schneider Electric power meters. This vulnerability would have allowed threat actors to reboot the meter or even to execute arbitrary code on the meter. In a worst-case scenario, with enough device shutdowns, an entire electric grid could have been taken out. These vulnerabilities were patched by Schneider Electric promptly after the disclosure.
Eaton smart security alarm systems
Security researchers found a vulnerability in Eaton’s cloud-based system that allowed them to remotely access, manage, arm, and disarm the security alarm systems from a mobile app. This kind of flaw, an insecure direct object reference (IDOR), is common in IoT devices and can have huge repercussions. Eaton fixed the vulnerability. If the bug had not been patched, threat actors potentially could have disarmed security alarm systems remotely.
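To make the IDOR pattern concrete, here is an added example (not code from this post or from Eaton, and not a reconstruction of the actual flaw) that models a cloud alarm API with and without an object-level ownership check. All names, IDs, and data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Alarm:
    alarm_id: int
    owner: str
    armed: bool = True

def make_store():
    # Constructed sample data: two customers, each owning one alarm.
    return {1001: Alarm(1001, "alice"), 1002: Alarm(1002, "bob")}

def set_armed_vulnerable(store, session_user, alarm_id, armed):
    """IDOR: the caller is logged in, but ownership of alarm_id is never checked."""
    alarm = store.get(alarm_id)
    if alarm is None:
        return 404
    alarm.armed = armed  # acts on whatever ID the client supplied
    return 200

def set_armed_hardened(store, session_user, alarm_id, armed, audit):
    """Object-level authorization: act only on alarms the session user owns."""
    alarm = store.get(alarm_id)
    if alarm is None or alarm.owner != session_user:
        # Same answer for "missing" and "not yours", so responses reveal
        # nothing about which IDs exist. Record the denial for detection.
        audit.append((session_user, alarm_id, "denied"))
        return 404
    alarm.armed = armed
    audit.append((session_user, alarm_id, "ok"))
    return 200

def repeated_denials(audit, threshold=3):
    """Detection: users with at least `threshold` denied object accesses."""
    counts = {}
    for user, _alarm_id, outcome in audit:
        if outcome == "denied":
            counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    store, audit = make_store(), []
    print(set_armed_vulnerable(store, "bob", 1001, False), store[1001].armed)
    store = make_store()
    print(set_armed_hardened(store, "bob", 1001, False, audit), store[1001].armed)
```

The fix is server-side: the ownership decision comes from the authenticated session, never from an identifier the mobile app sends.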
Why are IoT devices being hacked?
We’ve seen that more IoT devices are being hacked, but why? What makes them such a big target to threat actors? Well, like a witch’s brew, a few powerful ingredients combine to make IoT devices such tempting targets: prevalence, lax security, and patching difficulty.
IoT devices are everywhere. At the end of 2023, there were 16.6 billion IoT devices in the world, many of them being used in trusted environments (such as on factory floors, in residential homes, and even within human hearts). IoT devices are also concentrated—millions of devices may have come from the same supplier and so will have the same firmware. Finding one vulnerability in that firmware lets threat actors hack all of those devices at scale.
IoT devices don’t always have the best security measures. For one, everyday consumers usually don’t have good security protocols for their IoT devices. They’ll reuse the same passwords or forget to update their devices for months on end, leaving their devices with more cobwebs than the local haunted house. That makes these devices easy targets. Device makers also have a lot on their cybersecurity plate. The usual software risks, such as supply chain and remote code execution vulnerabilities, apply. Hardware vulnerabilities are also in play, which requires different skillsets and tools. So, for both the device consumer and the device maker, it’s hard to be secure.
Lastly, fixing vulnerabilities poses a dilemma to device makers. Firmware updates are convenient but themselves introduce a vulnerability. If device makers enable firmware patching for a device, then threat actors can take advantage of the fact that the device can change its firmware. This opens up the possibility of new, monstrous vulnerabilities being created. If device makers want to avoid this exploit, then the only way to patch vulnerabilities is through a recall. But with firmware updates disabled, zero-days become impossible to patch en masse.
These factors combine to make it hard to identify and patch vulnerabilities in the billions of IoT devices out there. Threat actors simply take advantage of that.
Dark forces at play: Common IoT device attacks
To prevent IoT attacks, we need to know what they look like. We’ll paint a picture of three of the most common ones.
Remote code execution
Remote code execution (RCE) is when threat actors can run unauthorized code on a device from afar, with no need for physical access to the device. Usually, threat actors achieve RCE by exploiting weak APIs or authentication. The Schneider Electric power meter case is an example of an RCE attack.
Botnets
Botnets are an example of using IoT devices to perform attacks. Threat actors can gain access to thousands of IoT devices (usually by using default passwords or other common exploits) and then use those devices to run DDoS attacks on other systems. These compromised IoT devices can also scan networks to find other devices to infect, effectively raising an army of the dead. A famous example is the Mirai botnet, which grew to 600,000 compromised devices at its peak. This botnet brought down a major DNS service provider in 2016, rendering websites like Amazon inaccessible for a few hours.
Physical tampering
Since IoT devices physically exist, threat actors can attack them in person. They can modify the hardware components, access debug ports, or even load new firmware. This is not a scalable attack vector since threat actors would need to physically go to every device they wanted to hack, but it remains a security vulnerability.
IoT security defense: How crowdsourced hardware hackers keep the monsters at bay
IoT security is a true cat-and-mouse game where both threat actors and companies are scurrying from attack vector to attack vector, trying to find one before the other. It can be hard for companies to play this game well because it requires a lot of different skillsets.
Hardware is a completely different (Frankenstein’s) monster from software. The right hardware hacker can exorcise vulnerabilities from an IoT device, shrinking the attack surface dramatically. All the IoT hack examples we listed earlier didn’t result in actual consequences for customers because the companies worked with hardware hackers and security researchers to root out vulnerabilities.
Working with hardware hackers can take many different forms. Organizations may engage with them via private managed bug bounty programs. Other organizations take it a step further and work with Bugcrowd to host a Bug Bash. A Bug Bash is a live hacking event that is fully managed by Bugcrowd. These 1-2 day events bring hackers and customers together in a high-intensity, highly collaborative bug bounty-style program. It’s a great opportunity for hackers to come and tinker with hardware in person, finding key vulnerabilities before threat actors do.
To collaborate with a hardware hacker, it’s important to understand how they work and how they can help you. They use completely different tools and look for completely different vulnerabilities from their software counterparts. Their work is undoubtedly more physical, with hardware hackers needing to disassemble devices, sometimes down to the chips on a motherboard, to leave no (silicon) rock unturned in their hunt for vulnerabilities.
Want to leverage hardware hackers to protect your IoT devices? Download our 2024 Inside the Mind of a Hacker report to discover what drives these digital locksmiths, how they find vulnerabilities others miss, and how to effectively partner with them in your security program.