Hazards of the Internet of Things 1. Hacking of Devices (Baby Monitors, Freezers, Hospital Ventilators) in Homes and Institutions – Economist Writing Every Day | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker

For my birthday this year, someone gave me a “smart” plug-in power socket. You plug it into the wall, and then can plug in something, say a lamp, into the smart socket, which you can then control via the internet. Yay, I am now a part of the Internet of Things (IoT). What could possibly go wrong?

However, my Spidey-sense started to tingle, and I chose to give this device away.  At that point, I was thinking mainly of the potential for such devices to get hacked and then recruited to be part of a vast bot-net which can then (under the control of bad actors) conduct massive attacks on crucial internet components. For instance,

Mirai [way back in 2016] infected IoT devices from routers to video cameras and video recorders by successfully attempting to log in using a table of 61 common hard-coded default usernames and passwords.

The malware created a vast botnet. It “enslaved” a string of 400,000 connected devices. In September 2016, Mirai-infected devices (who became “zombies”) were used to launch the world’s first 1Tbps Distributed Denial-of-Service (DDoS) attack on servers at the heart of internet services.  It took down parts of Amazon Web Services and its clients, including GitHub, Netflix, Twitter, and Airbnb.

But it turns out the hazards with smart devices are widespread indeed. IoT devices are so useful for bad guys that that they are attacked more than either mobile devices or computers. One layer of hazard is the hacking of specific, poorly-secured devices in a home or institution, with subsequent control of devices and infiltration of broader computing systems. This will be the focus of today’s blog post. Another layer of hazard is the use to which masses of (sometimes private and personal) data snooped from “unhacked” smart devices are put by large corporations and state actors; that will be considered in a part 2 post.

Here are results from one study from nearly three years ago:

A study published in July 2020 analyzed over 5 million IoT, IoMT (Internet of Medical Things), and unmanaged connected devices in healthcare, retail, manufacturing, and life sciences. It reveals an astonishing number of vulnerabilities and risks across a stunningly diverse set of connected objects….

The report brings to light disturbing facts and trends:

  • Up to 15% of devices were unknown or unauthorized.
  • 5 to 19% were using unsupported legacy operating systems.
  • 49% of IT teams were guessing or had tinkered with their existing IT solutions to get visibility.
  • 51% of them were unaware of what types of smart objects were active in their network.
  • 75% of deployments had VLAN violations
  • 86% of healthcare deployments included more than ten FDA-recalled devices.
  • 95% of healthcare networks integrated Amazon Alexa and Echo devices alongside hospital surveillance equipment.

…Ransomware gangs specifically target healthcare more than any other domain in the United States. It’s now, by far, the #1 healthcare breach root cause in the country. …The mix of old legacy systems and connected devices like patient monitors, ventilators, infusion pumps, lights, and thermostats with very poor security features are sometimes especially prone to attacks.

So, these criminals understand that stopping critical applications and holding patient data can put lives at risk and that these organizations are more likely to pay a ransom.

I know people in organizations which have been brought to their knees by ransomware attacks. And I have read of the dilemma of the guy who was on vacation in the Caribbean or whatever, and got a text from a hacker instructing him to deposit several hundred dollars in a Bitcoin account, or else his “smart” refrigerator/freezer would be turned off and he would come home to a spoiled, moldy mess.

What brought all this IoT stuff to my attention this week was a talk I ran across from retired MIT researcher Timothy Wallace, titled “Effects, Side Effects and Risks of the Internet of Things”, presented at the 2023 American Scientific Affiliation meeting. The slides for his talk are here. I will paste in a few snipped excerpts from his talk, that are fairly self-explanatory:

(My comment: 10 billion is a really, really big number…)

(My comment: this type of catastrophic compromise of computer systems being enabled by hacking some piddling little IoT device that happens to be in the home or institution local network is not uncommon. Which is why I am reluctant to put IoT devices, especially from no-name foreign manufacturers, on my home wireless network).

Many of these vulnerabilities could in theory be addressed by better practices like always resetting factory passwords on your smart devices, but it is easy for forget to do that.

And just to end on a light note (this cartoon also lifted from Wallace’s slides):


Click Here For The Original Story From This Source.

National Cyber Security