Why are IoT devices so insecure and how are they being exploited

As someone who worked on a project with several IoT aquarium devices:

The initial versions we worked on had single core processors and limited memory, with minimal cryptography. I can’t say these devices weren’t secure, but within 5 to 10 years after launch, I bet vulnerabilities will surface as users demand newer devices.

Suck it Jin Yang

Is compromised firmware uploaded to the device relevant?

It shouldn’t be. Devices should verify a cryptographic signature and reject any unauthorized firmware uploads.

Some do skip this check, but it is a basic security measure that reputable vendors should utilize, not just for threat prevention but also to avoid firmware corruption that could brick devices.

Most compromises occur through regular software bugs, similar to any computer or smartphone. Businesses can address this by hiring skilled software engineers, conducting frequent security audits, having a large enough community of users who conduct third-party checks, and acting quickly to solve issues. But all of these actions can be costly—so not everyone takes this route.

(There aren’t a lot of IoT devices with a large user base, so this is a niche area.)

Choose your vendors carefully and weigh the risks. I have IoT devices at home from reputable brands, but I wouldn’t allow them at work.

How would someone outside your network even discover the device?

You should assume that attackers can learn a lot about your network. They might have been on-site before or even worked as a sysadmin with higher privileges. It’s tough to safeguard against insider threats, but they are common, so you can’t ignore those risks.

Make sure to fix all vulnerabilities, not just the obvious ones.

And wouldn’t they need to breach your network first?

Most smart devices communicate wirelessly, so no. With the right radio equipment—not just a regular smartphone antenna—Wi-Fi signals can be captured from great distances. The tools aren’t overly expensive or specialized; typically, you only need a larger antenna for long-range reception and additional power to transmit over longer distances.

It’s actually pretty simple to breach networks as well. Surely many desks in your building have Ethernet ports, right? Wi-Fi is vulnerable to committed attackers unless you have a really strong password setup.

Don’t forget that many smart devices, like light bulbs, are actually meant to be disposable.
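As an added example (not code from any poster or from any vendor), this is the kind of signature check the answer above describes for firmware uploads, written in Go with the standard library's Ed25519. The image layout (a "FWv1" magic, a 4-byte length, the payload and a trailing signature), the function names and the sample payload are assumptions made for this illustration; the device would hold only the vendor's public key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed image layout for this example (not a real vendor format):
//   magic "FWv1" | 4-byte big-endian payload length | payload | 64-byte Ed25519 signature
// The signature covers magic, length and payload, so none of them can be
// altered without the check below failing.
var magic = []byte("FWv1")

// ErrRejected is returned for any image the device must refuse to flash.
var ErrRejected = errors.New("firmware rejected: malformed image or invalid signature")

// newVendorKey stands in for the vendor's offline signing key. Only the
// public half would ever be stored on the device.
func newVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signImage is the release-pipeline side: frame the payload, then append a
// signature over the whole frame.
func signImage(priv ed25519.PrivateKey, payload []byte) []byte {
	framed := make([]byte, 0, 8+len(payload)+ed25519.SignatureSize)
	framed = append(framed, magic...)
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(payload)))
	framed = append(framed, n[:]...)
	framed = append(framed, payload...)
	sig := ed25519.Sign(priv, framed)
	return append(framed, sig...)
}

// verifyImage is the device side: parse defensively, then hand back the
// payload only if the signature verifies under the embedded public key.
func verifyImage(pub ed25519.PublicKey, image []byte) ([]byte, error) {
	if len(image) < 8+ed25519.SignatureSize || !bytes.Equal(image[:4], magic) {
		return nil, ErrRejected
	}
	n := int(binary.BigEndian.Uint32(image[4:8]))
	if 8+n+ed25519.SignatureSize != len(image) {
		return nil, ErrRejected // truncated, padded, or length field tampered
	}
	signed, sig := image[:8+n], image[8+n:]
	if !ed25519.Verify(pub, signed, sig) {
		return nil, ErrRejected
	}
	return signed[8:], nil
}

func main() {
	pub, priv := newVendorKey()
	image := signImage(priv, []byte("constructed firmware payload v1.2"))
	if payload, err := verifyImage(pub, image); err == nil {
		fmt.Printf("genuine image accepted: %q\n", payload)
	}
	tampered := append([]byte(nil), image...)
	tampered[12] ^= 0x01 // flip one bit inside the payload
	_, err := verifyImage(pub, tampered)
	fmt.Println("tampered image:", err)
	_, err = verifyImage(pub, []byte("unsigned blob"))
	fmt.Println("unsigned upload:", err)
}
```

The length check runs before the signature check on purpose: a device that trusts the length field before verifying it can be made to read past the buffer or accept a padded image, which is exactly the kind of ordinary software bug the answer says most compromises come from.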

I’m hacking a garage door opener that kept all previously connected Wi-Fi networks saved in plaintext on flash memory. It was easy to dump that flash using a Raspberry Pi.

Reasons include:

  • Weak hardware that can’t support the full TCP/IP stack.

  • Defaults to certain protocols like telnet, FTP, SMTP with weak passwords.

  • Poor authentication policies limiting passwords to short, simple combinations due to hardware constraints.

  • Minimal to no encryption because of weak hardware.

  • Unmaintained open-source repositories.

  • No manufacturer updates.

  • Insecure and poorly designed cloud interfaces.

A compromised device typically doesn’t come with infected firmware but may run a hacked binary. An attacker can enter, upload a harmful program, and run it. It might also involve corrupt firmware if the device fetches updates from expired domains.

Ways to get infected: default open protocols without user control, automatic updates, or compromised networks. Some leave these devices exposed with public IP addresses and fully open ports (check out Shodan).

With these devices leaving vulnerabilities, you can’t really call it a breach. Much of this is automated exploitation of devices.

How many of these IoT devices give administrative access? More than you’d think. Some come equipped with hardcoded admin passwords.
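Since the post above points out that a compromised device usually ends up running a hacked binary rather than modified firmware, one defender-side control is a periodic integrity check of the installed files against a recorded hash baseline. The Go program below is an added example, not code from the post or from any device vendor: the directory layout and file contents it creates in a temporary directory are constructed, and the function names are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Report lists deviations from the recorded baseline, as slash-separated
// paths relative to the monitored root.
type Report struct {
	Added, Modified, Missing []string
}

func hashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// snapshot hashes every regular file under root. On a device this would be
// run once from a known-good image to record the baseline, then again later.
func snapshot(root string) (map[string]string, error) {
	out := map[string]string{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.Type().IsRegular() {
			return nil // skip directories, symlinks, devices
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		sum, err := hashFile(p)
		if err != nil {
			return err
		}
		out[filepath.ToSlash(rel)] = sum
		return nil
	})
	return out, err
}

// compare diffs the current tree against the baseline.
func compare(baseline, current map[string]string) Report {
	var r Report
	for p, sum := range current {
		old, known := baseline[p]
		switch {
		case !known:
			r.Added = append(r.Added, p)
		case old != sum:
			r.Modified = append(r.Modified, p)
		}
	}
	for p := range baseline {
		if _, still := current[p]; !still {
			r.Missing = append(r.Missing, p)
		}
	}
	sort.Strings(r.Added)
	sort.Strings(r.Modified)
	sort.Strings(r.Missing)
	return r
}

// demo builds a constructed device tree in a temp dir, records a baseline,
// then simulates the scenario in the post: a replaced binary, a dropped
// executable and a deleted config file.
func demo() (Report, error) {
	root, err := os.MkdirTemp("", "iot-fim")
	if err != nil {
		return Report{}, err
	}
	defer os.RemoveAll(root)
	write := func(rel, content string) error {
		p := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		return os.WriteFile(p, []byte(content), 0o644)
	}
	for rel, c := range map[string]string{
		"bin/httpd":   "original web server binary (constructed)",
		"bin/busybox": "original busybox (constructed)",
		"etc/config":  "port=80",
	} {
		if err := write(rel, c); err != nil {
			return Report{}, err
		}
	}
	baseline, err := snapshot(root)
	if err != nil {
		return Report{}, err
	}
	if err := write("bin/httpd", "replaced web server binary (constructed)"); err != nil {
		return Report{}, err
	}
	if err := write("tmp/.x", "dropped executable (constructed)"); err != nil {
		return Report{}, err
	}
	if err := os.Remove(filepath.Join(root, "etc", "config")); err != nil {
		return Report{}, err
	}
	current, err := snapshot(root)
	if err != nil {
		return Report{}, err
	}
	return compare(baseline, current), nil
}

func main() {
	r, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("added: %v\nmodified: %v\nmissing: %v\n", r.Added, r.Modified, r.Missing)
}
```

The baseline is only as trustworthy as where it is stored; on a real device it belongs in read-only or signed storage, otherwise whatever replaced the binary can rewrite the hashes too.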

Practical IoT Hacking (No Starch Press)

If you’re curious, consider buying the book and using it as a starting point to learn why most IoT devices are vulnerable.

As with anything—if given enough time and resources, all security measures can be compromised.

Now if I could just remember how to use PHP when I need it instead of just a pentest monkey PHP reverse shell…

I have one smart device at home, and I’m uneasy about it since it’s cloud-managed in a way I don’t find secure. I should probably set up a separate cloud VLAN at least.

The issue is that your smart fridge maker is focused on making fridges. To keep up in the market, they hire some developers, create firmware, add a network card to the fridge, and voila, here’s your smart fridge.

Did you want zero-day exploits and ongoing updates with that? Don’t forget, the original payment is due in 30 days.

Many of these devices (like cameras) are exposed to the internet with NATted ports, since users want to access them on their phones.

  • Some use UPnP to automatically open ports. This includes (but is not limited to) telnet, ssh, and http…
  • Security on these devices (especially the cheaper ones) often does not exist by design. And users are often too lazy to set decent passwords.
  • Some are managed via Chinese servers that have no security measures.
  • They can also compromise your computer (through viruses and malware), which can lead that malware to search for other devices on your network.

Some examples include:

The Mirai Botnet

In October 2016, the largest DDoS attack ever targeted the service provider Dyn, using an IoT botnet. After getting into the Mirai system, machines continually searched online for vulnerable IoT devices and used default usernames and passwords to access them, infecting devices like digital cameras and DVRs.

Cardiac Devices

In 2017, the FDA confirmed vulnerabilities in St. Jude Medical’s implantable cardiac devices, allowing hackers to take control over battery life or manipulate pacing and shock settings.

This happened due to issues in the data transmitter that relayed device information to doctors. The FDA noted that hackers could manage a device by accessing the transmitter.

Owlet

Hackers managed to intentionally manipulate the output data.

TRENDnet Webcam

Their software flaws allowed anyone with the camera’s IP address to access feeds, and at times, listen as well. TRENDnet sent user login information in clear text, allowing it to be easily intercepted. On their mobile apps, user login details were stored in clear text.

Jeep

Researchers managed to take full control over a Jeep SUV through the vehicle’s CAN bus. By exploiting a firmware update flaw, they hijacked the vehicle via the Sprint cellular network, discovering they could accelerate, brake, and even force the vehicle off course.

Ring Home

Once, due to accidentally disclosing user info to both Facebook and Google through third-party trackers embedded in their Android app, and later due to an IoT security breach where hackers gained access to several families’ doorbell and home security systems.

The way it was done? Hackers used weak, recycled, or default credentials to access live camera feeds and even communicate using the devices’ microphones and speakers.

Nortek Security (smart locks)

There were ten vulnerabilities in Nortek’s Linear eMerge E3 devices that could let hackers hijack user credentials, control devices (lock/unlock doors), deploy malware, and initiate DoS attacks while getting around built-in security.

Even after being alerted to these vulnerabilities, six were graded with a severity of 9.8 or 10 out of 10. Nortek failed to release updates for a long time, having registered tens of thousands of hits daily across 100 countries.

Philips Device

There was a vulnerability in their TASY Electronic Medical Record system, where a successful SQL injection could expose private patient data. Shortly after, three vulnerabilities were found in their MRI software. The worst breach followed with vulnerabilities in their IoT medical interface products.

Lappeenranta

In November 2016, hackers caused two buildings in Lappeenranta, Finland, to lose heating. The attack made the heating system reboot continuously, preventing it from turning on.

BrickerBot

This relied on a DDoS attack and users who neglected to change default usernames and passwords, ultimately disabling the device.

You mean the casino that was hacked through a fish tank?

https://www.washingtonpost.com/news/innovations/wp/2017/07/21/how-a-fish-tank-helped-hack-a-casino/

Payton said:
You mean the casino that was hacked through a fish tank?

https://www.washingtonpost.com/news/innovations/wp/2017/07/21/how-a-fish-tank-helped-hack-a-casino/

That link seems to be behind a paywall.

I’ve always wanted to learn more detailed technical information about that hack. Does that article go beyond just saying hackers used an aquarium monitor to get into the casino system? Even a confirmation of whether it was through LAN or WLAN would be useful.

They are not any more or less exploitable than other devices online. The issues with IoT devices are the same with any connected device; they need proper management and upkeep.

Is it compromised firmware being uploaded?

This can be the case but it requires a more complex type of attack (like a MITM firmware server or custom firmware).

More simply, if an IoT device has a network connection, it can be attacked. Discovering a weakness in its software could be the quickest access point.

How would someone from outside your network discover the device?

That doesn’t really matter. Security through obscurity isn’t real security. If a device is online and people don’t know about it, it’s still a weak point—possibly the worst kind, an unknown vulnerability.

And wouldn’t they have to breach your network to exploit it?

Generally yes. A properly secured network will lessen the types of attacks a device faces.

I know this is a forum, but look beyond the headlines at the actual cases of exploitation.

Mirai searched for open Telnet services and executed credential-stuffing attacks. The most commonly exploited devices tended to be network cameras and consumer routers. In that situation, the danger arises from consumer-grade devices that have default credentials set and where users are allowed or encouraged to set weak ones, with services incorrectly listening on outside interfaces and products rushed to market without serious security checks.

Plus, there are ways to find hosts even within vast IPv6 networks, as Shodan showed years ago.
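To make the Mirai pattern described in the post above concrete from the detection side, here is an added Go example (not code from the post or from any device vendor) that reads telnet daemon login records and flags a source address that fails logins under several different usernames, noting whether a login eventually succeeded from that source and whether the source sits outside private address space. The log format, the sample lines and the distinct-username threshold are constructed assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"sort"
	"strings"
)

// Constructed sample records in a syslog-like shape (not captured from any
// real device). Assumed format:
//   <timestamp> telnetd: login FAILED|OK user=<name> from=<address>
const sampleLog = `2016-10-21T11:02:01Z telnetd: login FAILED user=root from=198.51.100.7
2016-10-21T11:02:02Z telnetd: login FAILED user=admin from=198.51.100.7
2016-10-21T11:02:02Z telnetd: login FAILED user=support from=198.51.100.7
2016-10-21T11:02:03Z telnetd: login FAILED user=user from=198.51.100.7
2016-10-21T11:02:04Z telnetd: login OK user=admin from=198.51.100.7
2016-10-21T11:05:10Z telnetd: login FAILED user=admin from=192.168.1.20
2016-10-21T11:05:15Z telnetd: login OK user=admin from=192.168.1.20
2016-10-21T11:06:00Z sshd: Accepted publickey for ops from 192.168.1.5`

type event struct {
	ok       bool
	user, ip string
}

// parseLine extracts one telnet login event; other daemons' lines are skipped.
func parseLine(line string) (event, bool) {
	f := strings.Fields(line)
	if len(f) < 6 || f[1] != "telnetd:" || f[2] != "login" {
		return event{}, false
	}
	ev := event{ok: f[3] == "OK"}
	for _, kv := range f[4:] {
		switch {
		case strings.HasPrefix(kv, "user="):
			ev.user = strings.TrimPrefix(kv, "user=")
		case strings.HasPrefix(kv, "from="):
			ev.ip = strings.TrimPrefix(kv, "from=")
		}
	}
	if ev.user == "" || ev.ip == "" {
		return event{}, false
	}
	return ev, true
}

// Finding describes one source address that looks like automated credential stuffing.
type Finding struct {
	IP           string
	Failures     int
	Users        []string // distinct usernames tried, sorted
	SuccessAfter bool     // a login eventually succeeded from this source
	External     bool     // source is outside RFC 1918 / loopback space
}

type source struct {
	failures     int
	users        map[string]bool
	successAfter bool
}

// detectStuffing flags every source that failed logins with at least
// minUsers distinct usernames. A local admin mistyping one password is
// one username; a bot walking a default-credential list is many.
func detectStuffing(logText string, minUsers int) []Finding {
	stats := map[string]*source{}
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		ev, ok := parseLine(sc.Text())
		if !ok {
			continue
		}
		s := stats[ev.ip]
		if s == nil {
			s = &source{users: map[string]bool{}}
			stats[ev.ip] = s
		}
		if ev.ok {
			if s.failures > 0 {
				s.successAfter = true
			}
			continue
		}
		s.failures++
		s.users[ev.user] = true
	}
	var out []Finding
	for ip, s := range stats {
		if len(s.users) < minUsers {
			continue
		}
		users := make([]string, 0, len(s.users))
		for u := range s.users {
			users = append(users, u)
		}
		sort.Strings(users)
		addr := net.ParseIP(ip)
		out = append(out, Finding{
			IP: ip, Failures: s.failures, Users: users, SuccessAfter: s.successAfter,
			External: addr != nil && !addr.IsPrivate() && !addr.IsLoopback(),
		})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].IP < out[j].IP })
	return out
}

func main() {
	for _, f := range detectStuffing(sampleLog, 3) {
		fmt.Printf("%s: %d failures over users %v, success after=%v, external=%v\n",
			f.IP, f.Failures, f.Users, f.SuccessAfter, f.External)
	}
}
```

A finding with both SuccessAfter and External set is the case the post describes: a default credential worked, and the service was reachable from outside the network in the first place, which is the more important of the two things to fix.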

And wouldn’t they have to breach your network first to exploit it?

We follow a zero-trust policy now, so we know that perimeter security has been obsolete for decades, since ordinary users started connecting to random networks at home or common places.

UPnP is definitely a risk. Just use a firewall that blocks it.
Also, talking about IoT, the real name is IoS, standing for Internet of Shit. Most of these devices never receive updates. We’ve had to isolate our door locks and card readers into a separate VLAN due to how broken they are.