As more and more devices become smart and Internet-connected, the risk of cyberattacks increases. Even with a low-powered Internet of Things (IoT) lightbulb or doorbell, enough open ports and hardcoded credentials can turn seemingly harmless devices into a botnet army capable of taking down major services.
Sometimes the risk to IoT products, including routers, smartphones, and home gadgets, is down to our individual failures to update and use strong credentials. In other cases, vendors consider security an afterthought. Either way, now that millions of new devices are online, we are faced with a minefield of new cybersecurity issues.
SAM Seamless Network has published a report on the IoT devices most likely to come under attack. US households contain an average of 17 smart devices, while EU homes have roughly 14. TVs, kitchen appliances, and lighting are often targeted, but security cameras now make up 47% of vulnerable devices.
Bashlite malware detections are relatively rare, but in 2019 researchers stumbled across an updated version able to not only target IoT products using default, hardcoded credentials, but also Belkin WeMo home automation switches and any smart device that supports the Belkin WeMo UPnP SDK.
In June, a new strain of malware called Silex appeared on the scene. During its debut, the IoT malware was able to brick thousands of devices. The hacker responsible is thought to be a 14-year-old.
Only a month later, researchers disclosed a batch of 11 vulnerabilities in VxWorks, an operating system used by over two billion connected devices. If exploited, the bugs could be harnessed for information leaks, crashing, and device hijacking.
In July, the FDA warned that Internet-connected Medtronic MiniMed insulin pumps were potentially vulnerable to attack. The pumps, used to administer insulin to patients with diabetes, contained vulnerabilities that could be exploited to over-deliver insulin, or stop insulin delivery altogether.
In August, a new IoT botnet emerged that specializes in infecting Android devices and set-top boxes by exploiting Android Debug Bridge, a testing feature that may accidentally be left open on connected devices. Set-top boxes manufactured by HiSilicon, Cubetek, and QezyMedia are on the target list.
Telestar Digital GmbH Internet of Things (IoT) products were found to contain an undocumented Telnet service on port 23 that could be accessed externally, leading to remote system hijacking. Over a million IoT devices are believed to be affected.
Keeping an eye on underground forums where discussions of black hat hacking take place can lead to some interesting discoveries. In September, researchers found that Internet-connected gas pumps and the ways to abuse them in the quest to cause destruction or get free fuel are now a hot topic. Tutorials and step-by-step guides have been published.
Research published in September suggested that our smart TVs, including those manufactured by Samsung, Apple, and LG, are sending information from our sets to companies including Google, Apple, and Netflix -- even when the devices are idle. Information leaked included models, IP addresses, and locations.
Satori, an infamous botnet used to enslave IoT devices, routers, and more, has been a thorn in the side of cybersecurity defenders. In September, the 21-year-old creator of the botnet pleaded guilty and he now faces up to ten years behind bars.
More than a year after the issues were first reported, Google and Amazon had failed to address security concerns connected to the Alexa and Google Home voice assistant devices. Researchers were able to demonstrate ways to conduct phishing attacks through the IoT products.
A new variant of Gafgyt has been weaponized this year to create a new, IoT-based botnet. The malware has been spotted targeting routers and also replacing rival botnet code -- such as JenX -- with its own malicious offering.
In a form of attack that would likely be appreciated by cats everywhere, in October, a researcher was accidentally able to take over all FurryTail pet feeders located across the world. Over 10,000 devices were viewable and the researcher said she could tamper with feeding schedules without authentication.