There are millions, if not billions of IoT devices globally to capture massive amounts of information in real-time. If an IoT device is exposed to the attackers, the information can provide an attacker with the data about functions of the device, the user’s relevance with the devices, and even sensitive data about the user.
After obtaining all the data, the attackers can exploit login credentials, location data, health data, and other sensitive personal information for their self-interest.
It is just not a saying but happened during some of the IoT attacks, which also this guide is going to discuss here. But before proceeding any further, know that these attacks can be of different types.
So, let’s start with knowing the type of biggest IoT attacks.
Different types of IoT attacks:
Depending on the type of IoT device and the vulnerabilities in it and the method hackers use to access the device, IoT attacks can vary. According to the statistics and methods, here are some types and examples of IoT attacks.
In this attack, the attacker sends malware to the device and opens up the possibilities for them to use it if succeeded. Ransomware, for example, attempts to encrypt our device and then demands a ransom to recover the files. The malware could spread to other network-connected devices.
It is without a doubt one of the most common attacks on IoT devices. Cybercriminals attempt to gain access to them using brute force. They check the most common and widely used passwords to compromise the victims’ teams.
Another most famous attack is spam. An IoT device is most suspected of spam when it is a part of the botnet that sends spam to other computers. However, a device can also directly receive spam from a hacker, if it has vulnerabilities in it. Receiving spam can be dangerous for any IoT device’s security as it can be a portal for malware or the malicious that out the threat for the entire network device is connected to.
DDOS attacks are one of the vicious attacks and common IoT attacks examples to affect IoT devices. A denial of service can affect not only one but all the devices on the network. Through this attack, the device can join a system of bots controlled by cybercriminals to compromise other systems.
Information theft is yet another threat that IoT devices face. In this case, the attacker collects data on the functions of the equipment, browsing history, and so on.
These are some of the common types of IoT device attacks. All of these attacks have been seen on IoT devices on various occasions. And, further, this guide will look at 20 of those attacks.
Top 20 Famous IoT Attack Example
These are the 20 most famous IoT attacks that have happened to this date.
Ripple20 affected the entire series of the low-level TCP/IP library developed by Treck, Inc. It took advantage of the 19 existing vulnerabilities and affected the entire library that existed in the different IoT and embedded devices.
As a result, the problem in one library had a cascading effect on millions of devices throughout the entire network of various sectors. Due to the range of devices affected it is one of the biggest IoT attacks now.
Wired reported on the Rube-Goldberg Attack, an increasingly popular, albeit complex, IoT hack. It exploits a vulnerability known as Devil’s Ivy to factory reset the camera and gain root access, offering the attacker complete control over it.
Meltdown and Specter
The Meltdown attack takes advantage of side effects such as leakages caused by timing differences and data analysis of out-of-order implementation features found in the majority of modern processors. A more detailed explanation can be found in the Meltdown research study mentioned in the reference. It circumvents the memory isolation security feature that guarantees the kernel address range is inaccessible and protected from user access between user application programs. Thus the attack was successful to fetch the data from the operating system and also other programs to pass the information to the other attackers.
The attack targeted the cars and how they operate. During the attack, the attacker targets the car and locks it with the help of the radio signal. And when the owner tries to unlock the car, the attacker reads the signal, decodes it, and uses it in his way to operate the car. The attack was developed by Samy Kamkar with the help of a device named the same as the attack, RollJam.
The attack consists of a family of 18 vulnerabilities. The flaws in BLE implementation came to light as the vulnerabilities spread across various Bluetooth Low Energy software development kits (SDKs) of major systems on chips (SoCs). In specific applications, an adversary within radio range can cause crashes, deadlock, security bypass, buffer overflows, and so on. It impacted various IoT devices from different vendors that used the vulnerable BLE stack.
The researchers found the vulnerabilities in the kids’ toys named CloudPets. The toy includes serious security breaches, which lead anyone under the 10-meter diameter to take control of the toy. Further, the attackers can send and receive messages to/from the children.
Bluetooth attack on Tesla Model X
The attack exposed the vulnerability in the entry system of the model. It turns out that security researchers can break into the car in just 90 seconds. The attack does not cause any serious damage. However, it was a great setback for Tesla and also serious IoT hack examples. The attacker took the benefit of the vulnerability in the key fob firmware update mechanism via Bluetooth, allowing him to infect the key fob with malicious firmware.
Nortek Security & Control Hack
In May 2019, Applied Risk, a cyber security firm, discovered ten vulnerabilities in Nortek Linear eMerge E3 devices that can allow hackers to hijack login details, take control of a device( for example opening/locking doors), install a virus, as well as launch DoS attacks while circumventing existing security measures.
The TRENDnet Webcam Hack
The attack was suspected with the TRENDnet cameras. As they contain faulty software, attackers can hack easily after obtaining their IP. FTC confirmed all the vulnerabilities to the attack. Which further stated that the software can also give access to the attackers of user’s readable information like credentials, and mobile app camera stored over the consumers’ login information.
M2 smartwatch, manufactured by Shenzhen Smart Care Technology Ltd., had flaws that allowed attackers to listen in on and exploit conversations as well as leak users’ personal and GPS data. TicTocTrack, a smartwatch, was also found to have security flaws that allow hackers to track as well as call children.
The attack targeted the four open source TCP/IP attacks and used their weaknesses like lack of memory management and input authentications to perform the remote code execution, DoS attacks, and the information attack. As those four TCP/IP stacks were used in the various IoT devices, the attack came in the range of the serious attack category, the same as the Ripple20.
The BLESA is an abbreviation for the Bluetooth Low Energy Spoofing Attack. It also exploits the BLE software stack implementation vulnerability. Bluetooth Low Energy Spoofing Attack takes advantage of a flaw in the BLE software stack execution. This vulnerability links to BLE’s reconnection procedure, which involves reconnecting two previously network connections.
According to the BLE specification analysis, researchers discovered that the BLE specification does not require authentication all through reconnection. Despite adhering to the specification, the vendor implementation can make the reconnection authentication part optional, making it vulnerable to attack.
Google, Amazon, and Apple all faced criticism last year after research studies revealed that employees at the companies can hear in on conversations. Amazon came into the spotlight in April for a similar reason, after one report revealed that the company employs multitudes of auditors to listen to the recorded conversations of Echo users.
The LeapPad Unlimited Vulnerabilities
Researchers demonstrated flaws in the LeapPad Ultimate, a durable tablet made by LeapFrog that provides products with an array of education, game, as well as eBook apps, which can allow an attacker to track the devices, send messages to children, or release man-in-the-middle threats at Black Hat USA 2019.
The attack was reported by none other than IBM. The report revealed that the researchers were able to get access to the Jeep SUV using the CAN bus.
The report shed the light on how attackers can use the sprint cellular network to exploit the vulnerabilities present in the jeep. By gaining control of the jeep hackers can control the speed and the lock system of the jeep.
Smart Deadbolts Attack
Researchers discovered flaws in a popular smart deadbolt that can allow attackers to wirelessly unlock doors and enter homes. Hickory Hardware, the smart lock’s manufacturer, has released bug fixes to the affected apps on the app stores like Google Play and Apple App Stores. It’s not the only smart deadbolt, researchers warned that U-Ultraloq tec’s smart door lock had a flaw that allowed attackers to hunt down the device’s location.
Attack on Airbnbs Cameras
In 2019, several incidents involving linked cameras and devices in guesthouses and Airbnbs raised privacy concerns, including a flaw in a hotel’s in-room Tapia robots, used in place of human staff. The devices had vulnerabilities that can easily grant access to a hacker. In a related incident, Airbnb was chastised in 2019 after guests claimed that hidden connected cameras were recording them in the Airbnb houses they were residing in.
The botnet used insecure IoT devices with open Telnet ports and weak/default credentials. It targets IoT devices located in inaccessible locations that cannot be remotely patched.
The attackers used the same attack as the DDoS attack on various other platforms like the Brian Krebs website, and on the Dyn Cyberattack. Mostly the attack converted the insecure IoT devices into bots.
The Attack On The Cardiac Devices
FDA prevented and discovered the attack on St. Jude Medical’s implantable cardiac devices. The FDA found that hackers can easily hack the devices to deplete the battery of the device and can also cause incorrect pacing or shock. The attack is one of the many IoT cyber attacks examples that was prevented, but otherwise holds the power to endanger lives.
Researchers discovered several flaws in this IoT device including one that permitted attackers to spy on families and another that exposed Wi-Fi network passwords. However, Ring’s privacy policies also drew criticism: Ring had also acknowledged that it is working with over 600 police agencies to provide them with access to camera footage.
These were the 20 attacks and vulnerabilities that made concerns so far. Now let’s look at some of the important IoT attacks statistics to get a more clear idea about why the experts should be concerned about the security of the IoT devices.
IoT Attacks Statistics
- Almost 30% of the business includes IoT devices in their infrastructure, however, due to the lack of experienced personnel, the companies always face security threats and data breaches.
- The IoT market has grown to 15.8 billion dollars, which leads to the great requirement for security frameworks, as the IoT devices only stay secure until someone finds anomalies in them.
- In the past two years, the IoT industry has faced more than 1.5 billion IoT breaches. Most of the attacks happened on the main protocol used by the IoT devices, the Telnet remote access protocol. The most common reason for most attacks was mining the cryptocurrency.
- Out of all the actors and industries, the industry that has adopted IoT devices on the largest scale (50%) is the financial industry. The adoption of the IoT device becomes inevitable, however, it also puts the industry under the threat of cyber security breaches.
That’s all. The guide has tried to cover important information about the types of most common IoT attacks, the 20 most famous IoT attacks, and the IoT attacks statistics.