IoT Disasters 2019
Though more light was shed on insecure Internet of Things (IoT) devices in 2019 – consequently leading to more calls for regulation – connected devices themselves seemingly stayed just as insecure. From privacy concerns in smart home devices, to botnets evolving to launch stronger and larger Distributed Denial of Service (DDoS) attacks on vulnerable connected devices worldwide, IoT devices continue to pose a top security threat this year. Here are the top 10 IoT disasters of 2019.

Continued Mirai Botnet Growth
The infamous Mirai IoT botnet continued growing in 2019 while also changing up its tactics, techniques and procedures. In fact, according to researchers, Mirai activity nearly doubled between the first quarter of 2018 and the first quarter of 2019. Mirai, which first burst on the scene in 2016 in a widescale DDoS attack that knocked several well-known websites offline, has also expanded its techniques over the past year to target more processors and more enterprise-level hardware.

Smart Deadbolts Open Homes to Danger
Researchers uncovered vulnerabilities in a popular smart deadbolt that could allow attackers to remotely unlock doors and break into homes. The manufacturer behind the smart lock, Hickory Hardware, has deployed patches to the affected apps on the Google Play Store and Apple App Store. It’s not the only smart deadbolt this year to have vulnerabilities – in June, researchers warned that smart door lock Ultraloq, made by U-tec, had a glitch allowing attackers to track down where the device is being used and virtually pick the lock.

‘Systemic’ Privacy Flaws Found in Popular IoT Devices
In January, researchers alleged a bevy of popular consumer connected devices sold at major retailers such as Walmart and Best Buy are riddled with security holes and privacy issues. In analyzing 12 different IoT devices, researchers reported security failures that ranged from a lack of encryption for data to missing encryption certificate validations. The devices included smart cameras, plugs and security systems from various manufacturers, including iHome, Merkury, Momentum, Oco, Practecol, TP-Link, Vivitar, Wyze and Zmodo.

Privacy Concerns For IoT Hotel Devices
Several incidents involving connected cameras and devices in hotels and Airbnbs spurred privacy concerns in 2019, including a flaw in a hotel’s in-room Tapia robots, used in lieu of human staff, which could be hacked to spy on room guests. In a related incident, Airbnb came under fire in 2019 after guests reported hidden connected cameras recording them in the Airbnb houses they were staying in. Finally, in 2019 four people were arrested for taking secret videos of guests at motels and live-streaming them to paying audiences.

All Things Ring
2019 saw an explosion of privacy issues and scandals for Amazon-owned Ring. Researchers found several flaws in the IoT device, including one that allowed attackers to spy on families, and one that exposed Wi-Fi network passwords. But Ring’s privacy policies also brought the company under fire: Ring has acknowledged that it’s partnering with more than 600 police departments across the country to allow them to request access to camera footage from camera owners, and in November, several U.S. Senators demanded that Amazon disclose how it’s securing Ring home-security device footage – and who is allowed to access that footage.

Malware Bricks Thousands of IoT Devices
A 14-year-old hacker used a new strain of malware in June to brick up to 4,000 insecure Internet of Things devices – before abruptly shutting down his command-and-control server. The malware, dubbed Silex, targeted insecure IoT devices and rendered them unusable (much like the BrickerBot malware in 2017). Specifically targeted were Internet of Things (IoT) devices running on the Linux or Unix operating systems, which had known or guessable default passwords. The malware would trash the devices’ storage, remove their firewalls and network configuration, and finally fully halt them.

Smart Toys Aren’t So Fun
Connected toys continue to be insecure. In December, researchers said that various connected toys for children had deep-rooted security issues, including missing authentication for device pairing and a lack of encryption for connected online accounts. And at Black Hat USA 2019, researchers showcased glitches in the LeapPad Ultimate, a rugged tablet made by LeapFrog that targets children with an array of education, game and eBook apps, which could allow bad actors to track the devices, send messages to children or launch man-in-the-middle attacks.

IoT Smartwatches’ Continued Creepiness
Even more connected smartwatches for children were discovered exposing personal and location data of kids – opening the door for various insidious threats. That includes the M2 smartwatch, made by Chinese manufacturer Shenzhen Smart Care Technology Ltd., which had flaws that could leak users’ personal and GPS data, and allow attackers to listen in on and manipulate conversations. Smartwatch TicTocTrack was also discovered to be riddled with security issues that could allow hackers to track and call children.

Smart Speakers: Employees Listening In
Smart speakers from Amazon, Google and Apple all came under criticism this year after investigations found that employees at the companies can listen in on conversations. In April, Amazon was thrust into the spotlight for a similar reason, after a report revealed the company employs thousands of auditors to listen to Echo users’ voice recordings. Apple’s Siri and Google Home also came under fire for similar reasons, with reports emerging that Google employees could capture audio of domestic violence or confidential business calls.

2 Million IoT Devices Vulnerable to Complete Takeover
Researchers say over 2 million IP security cameras, baby monitors and smart doorbells have serious vulnerabilities that could enable an attacker to hijack the devices and spy on their owners — and there’s currently no known patch for the shared flaws. The attack stems from peer-to-peer (P2P) communication technology in all of these Internet of Things (IoT) devices, which allows them to be accessed without any manual configuration. The particular P2P solution that they use, iLnkP2P, is developed by Shenzhen Yunni Technology and contains two vulnerabilities that could allow remote hackers to find and take over vulnerable cameras used in the devices.