IoT devices can be hacked in minutes, warn researchers

Security company ForeScout has warned that hackers can steal data or cause physical damage, thanks to certain types of inherently insecure connected devices.
Written by Danny Palmer, Senior Writer

Each internet-connected lightbulb is another entrance for hackers looking to break into your network.

Image: iStock

A number of internet-connected devices are so lacking in even the most basic cybersecurity protocols that it's possible to hack them in as little as three minutes, allowing cyberattackers to steal data, conduct espionage on enterprise activities, or even cause physical damage.

The poor security in Internet of Things products -- including IP connected security systems, connected climate control and energy meters, smart video conferencing systems, connected printers, VoIP phones, smart fridges, and even smart lightbulbs -- pose an inherent risk to the security of organisations which deploy them, researchers have warned.

The dangers of such devices are outlined in ForeScout's IoT Enterprise Risk Report, which is based upon research by ethical hacker Samy Kamkar -- and it doesn't make good reading for IoT product vendors or organisations which have deployed such items.

Not only do these devices pose significant risks due to a lack of rudimentary security, but many were found to be operating with out-of-date firmware. These vulnerabilities can be easily exploited to plant backdoors and launch automated IoT botnet DDoS attacks.

And this isn't just theory: it's thought that the recent cyberattacks against domain name service provided Dyn -- which took out the likes of Spotify, Twitter, and Reddit -- were launched using an Internet of Things botnet.

While hacking these devices might be so simple it only takes mere minutes to do so, the consequences could be dire and long-lasting.

IP-connected security systems are listed by researchers as particularly dangerous because they use wireless communication to connect with other smart devices associated with securing a building -- and that could potentially be exploited by hackers.

If hackers were able to break into one of these devices -- something which could be as simple as remotely taking control of it by using the default factory login credentials -- they could aid criminals in performing physical break-ins by turning off cameras and opening and closing doors.

Alternatively, if theft isn't the aim of attackers, but rather just an outright attempt to destroy an organisation, Forescout say hackers could exploit vulnerabilities in connected climate control and energy meters.

Not only are these devices easy points to enter a network -- often sharing it with other internal systems which can be tapped to steal data -- but the very nature of climate control devices means they can be tampered with to change temperatures. That might not sound dangerous, but if attackers are able to force areas like server rooms to overheat, it can cause physical damage which could potentially ruin a targeted enterprise.

The researchers say smart video conferencing systems, connected printers, and VoIP phones all represent easy IoT-connected targets which provide a gateway for hackers to snoop on the targeted organisation by listening into calls or using the insecure systems to reach other parts of the network and make off with private information.

Read more on cybersecurity and the Internet of Things

Editorial standards