Smart devices and the Internet of Things have made life easier. You can control your home’s temperature setting while you’re at work. Your car will tell you when your spare tire is low on air. Likewise, you can tell if a guest in your theme park has an issue with their wearable device from 10,000 miles away. As with all connected devices, IoT security breaches threaten the simplest items.
What Is the CVE-2021-35394 Attack?
As Part I of our IoT series pointed out, you may not be the only one with access to your devices. One of the most notorious recent examples is the wave of cyber attacks targeting CVE-2021-35394, a remote code execution vulnerability in the Realtek Jungle SDK.
The attacks target devices that rely on a particular Realtek chip found in many manufacturers’ gateways, IP cameras, routers, and Wi-Fi repeaters. According to Statista, from August 2021 to December 2022, there were 134 million attacks. Of these, 48.3 percent originated in the U.S.
Once exploited, the bug allows unauthorized users to access connected devices and run arbitrary commands. Correspondent Ionut Arghire of SecurityWeek explains the motive below.
“The end goal of many of the observed attacks was malware distribution, as threat groups are targeting the flaw in large-scale attacks aimed at Internet of Things (IoT) devices. This underscores the need for organizations to ensure that these devices are properly protected.”
Realtek fixed the issue in 2021, but old devices remain in use.
Am I Watching Them, or Are They Watching Me?
In June, the FTC revealed that at least 55,000 U.S. customers were victimized in 2019 by hacks targeting Amazon’s Ring home surveillance cameras. The complaint details how hackers worldwide viewed users through their cameras. As a result, some were harassed via the speaker. Others had their images published on a podcast for entertainment.
“Through these attacks, bad actors gained access to hundreds of thousands of videos of the personal spaces of consumers’ homes,” the complaint reads.
Coffee With Almond Milk and a Routing Number
Yes, a smart coffee machine can be hacked. However, there are no widespread cases of it occurring. Here’s how it could happen. Martin Hron, a senior researcher at cyber software company Avast, realized that the machine acted as a Wi-Fi access point. The entry point is, therefore, an unsecured, unencrypted connection to an app.
Hron reverse-engineered the firmware in the Android app, then created a malfunction on the machine. Then, he devised a ransomware attack triggered by the command connecting the device to the network. The user can pay the ransom – or buy a new machine.
“Nowadays, coffee machines can remotely be operated by homeowners with the help of their smartphones or voice commands using a virtual assistant such as Amazon Alexa,” Steckler said in Cybersecurity Insiders. “But the technology used comes with its own disadvantages as the smart appliances are often not secured. [This means] hackers can access them on a remote basis and get hold of personal data such as banking details or passwords.”
Many other devices, such as virtual assistants, fax machines, smart TVs, smart light bulbs, phones, speakers, gas stations, and medical devices, have been targeted.
IoT Security Breach Methods
IoT devices are compromised using various methods. For example, the following are typical:
- Brute Force Attacks: Hackers use automated tools to repeatedly guess a device’s password until they succeed.
- Man-in-the-Middle Attacks: The hacker intercepts communication between a device and the internet, allowing them to read and manipulate data.
- Malware Attacks: Cyber thieves use malware to infect IoT devices and take control of them.
- Unsecured Network Connections: Devices that connect to unsecured networks are vulnerable.
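As an added example (not from the original article), here is a defender-side check for the brute-force pattern in the list above: many failed logins to one device from one source in a short window, and a successful login that follows such a burst. The log format, device names, threshold and window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format: ISO time, device, source IP, result).
SAMPLE_LOG = """\
2024-05-01T10:00:00 cam-01 203.0.113.5 FAIL
2024-05-01T10:00:05 cam-01 203.0.113.5 FAIL
2024-05-01T10:00:10 cam-01 203.0.113.5 FAIL
2024-05-01T10:00:12 router-01 192.168.1.20 FAIL
2024-05-01T10:00:15 cam-01 203.0.113.5 FAIL
2024-05-01T10:00:20 cam-01 203.0.113.5 FAIL
2024-05-01T10:00:21 router-01 192.168.1.20 OK
2024-05-01T10:00:25 cam-01 203.0.113.5 OK
"""

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return (device, source, kind) alerts.

    kind is "guessing" when failures from one source reach the threshold
    inside the window, and "guessed" when a login then succeeds while that
    burst is still inside the window (likely compromised credentials).
    """
    recent = defaultdict(deque)  # (device, source) -> recent failure times
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, device, src, result = parts
        when = datetime.fromisoformat(ts)
        failures = recent[(device, src)]
        # Drop failures that have aged out of the sliding window.
        while failures and when - failures[0] > window:
            failures.popleft()
        if result == "FAIL":
            failures.append(when)
            if len(failures) == threshold:
                alerts.append((device, src, "guessing"))
        elif result == "OK":
            if len(failures) >= threshold:
                alerts.append((device, src, "guessed"))
            failures.clear()  # a successful login resets the count
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single mistyped password on router-01 raises no alert, while the burst against cam-01 raises both.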
Renowned IoT Attacks
A Distributed Denial-of-Service (DDoS) attack is a cybercrime in which the attacker floods a server with internet traffic, preventing users from accessing connected services. IoT Solutions names the Mirai Botnet as the broadest DDoS attack on record. In 2016, it affected media outlets, including CNN, Netflix, Reddit, and Twitter.
The security theme continues in the next blog in our IoT series, including recent advances in security. Don’t take your device for granted.