IoT-Hacking Horror Stories: Screaming at Babies & Jamming the Roads

May 05, 2014 By Sarah Vonnegut

In the ‘wonderful world’ of the Internet of Things, two interesting stories – one about hacking traffic systems and another about attackers screaming at babies in their cribs – have recently popped up that should make us stop and think about its current state of security. 

Taking It To The Streets

In the first story, a researcher at IoActive spoke to Wired about a recent vulnerability he found in traffic control systems throughout the U.S.’s biggest cities that could be manipulated “to snarl traffic or force cars onto different streets,” the article says.

Instead of hitting the traffic lights directly, an attack using the flaw would be towards street sensors that wirelessly send unencrypted data to the systems which control traffic lights.  Hackers would be able to send haphazard commands and data to mess with the system, Cesar Cerrudo, the IoActive researcher, says. There are 50,000+ vulnerable wireless detection systems installed in metropolitan areas across the U.S., UK, France and more. A coordinated attack could truly wreak havoc.

The IoActive researcher successfully hacked the sensors using a drone and equipment worth a total of $4,400, so we know the exploit could be done remotely and on the cheap. But when they reported the flaw to the Department of Homeland Security’s ICS-CERT (a division on control system security issues) they responded that the unencrypted data wasn’t serious and in fact was left that way intentionally, owing to customer feedback.

It would be difficult to change it now, anyway, ICS-CERT told Cerrudo. “[W]hile there may be a need for code signing/encryption of firmware for older models of the in-ground sensor, newer versions of the hardware have this capability but older versions cannot be updated without replacement (e.g. digging up the roadbed),” they reasoned.

Hacking: Cribs Edition

The second story is a tad more upsetting, especially for parents. Imagine you’re in bed, sound asleep, when you hear a stranger yelling at your child in his or her room. That’s been the case for not one, but two (horrified) sets of parents, whose houses were virtually visited by hackers who’d accessed Internet cameras (same brand) that both couples were using as baby monitors.

In the first instance, the attacker yelled obscenities at a two-year-old who luckily didn’t have her cochlear implant working. In the most recent attack, the hacker continually yelled “Wake up baby!” to the 10-month-old asleep in her crib. When her dad came rushing in to check on her, the camera turned straight towards him, and the insults continued towards him.

Hackers had apparently gotten into their online accounts using the default credentials the couples hadn’t changed.  “[The software] didn’t prompt us to change our password,” Heather Schreck, the 10-month-old’s mother, told Wired. “We didn’t realize that we should do that. We have our router secured, so we thought it was safe.” Foscam, the company that produces the cameras, says that it’s updated its firmware to include a message telling customers to change the credentials after purchase. Those parents may never forget to switch their credentials, but other parents probably aren’t yet aware of the risks of not doing so.

Security in IoT: We Can Do Better

Both stories pose strikingly different situations in which the Internet of Things is getting misconstrued, but there are two common threads that bind them: a lack of education in how consumers (whether they’re parents or government organizations) are taught to secure their own products, as well as a lack of security being built into the systems from the get-go – or doing what needs to be done to secure them once a flaw is found.

In the case of the traffic lights, the fix is as simple as encrypting the data sent between sensor and system and preventing unauthorized access, but as long as cities don’t want to deal with encrypting their data, it will be open to attack.

In both cases, though, it’s up to the makers of the products to both educate their customers on what should be mandatory protocols like changing default credentials and encrypting important data, as well as testing their products for security thoroughly before deployment.  

The following two tabs change content below.
Sarah is in charge of social media and an editor and writer for the content team at Checkmarx. Her team sheds light on lesser-known AppSec issues and strives to launch content that will inspire, excite and teach security professionals about staying ahead of the hackers in an increasingly insecure world.

Latest posts by Sarah Vonnegut (see all)

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Get a Checkmarx Free Demo Now

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.