Deadly Dolls and Killer Cars: 5 Internet of Things Attacks
by Calyptix. August 9th, 2017
It’s no secret: millions of IoT (Internet of Things) devices have terrible security. Yet people continue to buy them and they continue to surface in cyberattacks. But does the internet of things pose a real threat? What types of IoT attacks are being launched? What vulnerabilities are being found? Let’s look at some of the nastiest threats to emerge from the land of internet-connected gadgets, widgets, and gizmos.
#1. IoT Dolls That Spy on Kids
Parents in Germany were shocked to learn a doll bought for children could be used to spy on them. The Federal Network Agency, a telecommunications watchdog in Germany, advised parents in Feb. 2016 to destroy the talking doll, called My Friend Cayla. Cayla could connect to a smartphone via Bluetooth, giving the doll internet access. This connection allowed it to converse with children, answering simple questions such as, “What’s two times two?”
Unfortunately, the IoT doll also recorded children’s conversations and stored them on an online server (yikes!). And it gets worse — the poor security of the doll’s Bluetooth connection could easily allow an attacker to connect and use the toy as a spying device.
The U.S. Federal Trade Commission filed a complaint against Cayla’s manufacturer, Genesis Toys, in Dec. 2016. Here’s the first paragraph of the FTC’s complaint:
“This complaint concerns toys that spy. By purpose and design, these toys record and collect the private conversations of young children without any limitations on collection, use, or disclosure of this personal information. The toys subject young children to ongoing surveillance and are deployed in homes across the United States without any meaningful data protection standards. They pose an imminent and immediate threat to the safety and security of children in the United States.”
While no evidence of the doll being used in an IoT attack has surfaced, the size of the vulnerability and the potential impact on children are eye-opening. …
#2. Click to Disable a Car’s Brakes
Chrysler recalled 1.4 million vehicles in 2015 after security researchers demonstrated massive security gaps in the computer systems of Jeep Cherokees. From a laptop miles away, Charlie Miller and Chris Valasek seized control of an SUV’s brakes, transmission, and steering, all without physical access to the vehicle.
While a car is too large to consider a “gadget,” its internet connectivity qualifies it for membership in the internet of things. By exploiting zero-day vulnerabilities and an IoT feature that kept the car connected to a cellular network, anyone with the vehicle’s IP address could connect to it, according to Wired. After connecting, the researchers pivoted to a chip in the car’s head unit and rewrote its code. This allowed them to issue commands through the car’s internal computer network and control components such as the engine and brakes. The researchers demonstrated terrifying control of the car – including the ability to disable its brakes, transmission, and engine.
Chrysler issued a patch to resolve the vulnerability and issued a recall – but when is the last time you patched a car’s firmware?