Creepy Tales from the Internet of Things Crypt

Gather ‘round and we’ll tell you a tale (okay, a few tales) of mystery, murder, intrigue, and…. computers. Big computers, small computers, and most of all computers that aren’t really computers at all – they are coffee machines, or insulin pumps, or traffic lights, or baby monitors, or those frying pans that alert your phone so you can know when you are about to burn your scrambled eggs. Yes, today boys and girls, on this creepiest of all days, Halloween, we are telling unsettling, scary and downright “make-you-want-to-hide-in-your closet-under-a-pile-of-blankets-and-hope-nobody-will-notice-you-there” kind of scary stories of the Internet of Things.

At its core, IoT is the idea that everything, be it a person, place, or thing has an IP address and can transfer data over networks. Including you. And your dog Rexie. And apparently your frying pan. Creepy sounding, yes but when you think about it, connectivity has its privileges – IoT has the potential to vastly improve certain industries, such as health care. In a world of IoT, emergency workers will be able to access critical patient information and share that information with doctors in a blink of an eye. When it comes to industries like manufacturing, wearable tech will help warn workers of hazards like overexertion and machine malfunctions.

Nightmare on IoT Street

This doesn’t mean it’s all rainbows and unicorns. As we saw so clearly in October 21 hack to DNS provider Dyn, internet connected things, like the DVRs and cameras used to commit the massive cyber crimes, are shockingly vulnerable. And when you put that idea of being super-vulnerable together with the realization that, at the rate we are headed, nearly every device in our homes will be connected to the internet in about 5 years time (yes, your shower curtain will cry out and simply beg to be cleaned, don’t say we didn’t warn you) one begins to understand that the implications of IoT are simply huge. And scary to boot, which is perfect, at least in terms of Halloween. So without further ado, we bring you true tales from the IoT side, read them… if you dare (insert evil laugh here).

Ransomware, IoT Style

Researchers at this past summer’s DefCon hacking conference demonstrated how they can infect smart thermostats with ransomware remotely. And at last year’s Black Hat conference, hacking pros showed how to hack and infect wearables with ransomware. At first glance, taking a coffee pot hostage might not seem so bad, after all what information could your coffee pot possible be holding already? That you like to guzzle down your java in one fiendish gulp before slamming your coffee skein down on the counter like Conan the Coffee Barbarian?

But really, it’s a lot scarier than just the prospect of stealing whatever small amount of data that lives within that connection. The real issue here is that once these things are hacked, they can be controlled. Says Rob Conant, CEO of IoT firm Cirrent, “Holding data for ransom is one thing, but shutting down the electricity grid, cars, or traffic lights is quite another. Entire cities or regions could be impacted.”

And while traditional ransomware attacks files, the vast scope of IoT allows this incarnation to cause disruption on a much grander scale. According to Neil Cawse, CEO at Geotab “due to the many practical applications of IoT technology, its ransomware can shut down vehicles, turn off power, or even stop production lines. This potential to cause far more damage means that the potential for hackers can charge much more, ultimately making it an appealing market for them to explore.” Just image if hackers took control of your heating system in the dead of winter or your refrigerator right before Thanksgiving — chances are you would be willing to pay a whole lot of money to get them back under your control ASAP.

Hacked Traffic Lights

Let’s pretend you’re driving down a busy but moving street and you get to a red light. Then in but an instant, it’s green again. And now,  the traffic flowing from the opposite direction begins to drive as well, and then the cars from the lanes that bisect your lane begin to drive. Sounds pretty catastrophic, right? This chaos is what ensues when traffic lights get hacked.

Though it sounds like something out of a movie, it’s actually pretty easy to pull off and requires nothing more than a traffic light and unencrypted radio signals. Traffic lights are often internet-ready so controllers can share information with each other regarding traffic and road conditions. They send their messages using specific Industrial, Scientific and Medical (ISM) bands like  900MHz or 5.8MHz. With the use of these wide open radio frequencies, factory default usernames and passwords and easy-to-attack debugging ports, researchers at The University of Michigan were able to able to take command of the traffic lights used to direct traffic in parts of the state.  This shockingly flawed design is currently used by more than 40 states to direct traffic flow. So remember to drive with caution this Halloween, (and every day, really) — you never know when the lights will pull a trick on you.

Menaced Medical Devices

Hacks to the outside world are scary enough – but what about when hackers try to infiltrate devices inside of people? Researchers at the University of South Alabama wondered about this too and in search of an answer, they hacked pacemakers put into iStan, a medical patient simulator — essentially, a patient who is actually a highly realistic robot.

According to reports from Motherboard, they hacked into iStan’s pacemaker and played around with his heart rate, speeding it up and slowing it down. According to Mike Jacobs, University Director of the simulations program, “It’s not just a pacemaker, we could do it with an insulin pump, a number of things that would cause life-threatening injuries or death.”

Using DDoS attacks, brute force attacks (repeatedly attempting to gain access by guessing password combinations) and security control attacks, they were eventually able to kill iStan. Lest you think they were able to off him because he’s not really a “he” and is more of an “it”, think again. The fact that iStan is a robot had nothing to do with how they were able to access and breach his pacemakers, creating a very scary new reality – in The Internet of Things, all someone needs to commit a heinous crime is knowledge of how to hack a setting on their victim’s insulin pump.

IoT – It Ain’t Child’s Play (1 and 2, or even Bride of Chuckie)

So are you planning on sleeping with your lights on? Well, if they are smart lightbulbs like the ones made by camera giant Vivitar, maybe that’s not the best solution. If you really want to mitigate some of the IoT insanity make sure to change all factory default passwords and make sure you’re updating your smart devices on a regular basis. Until then, just turn out all your lights and set a few candles into your creepy-faced jack-o-lantern and tell super scary stories of the days when there was no internet, no Netflix, and people were just bored and disconnected some of the time. That ought to send everyone screaming and back under their pile of blankets. Happy Halloween!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s