Welcome to the Internet of (hackable) Things, where everything can be hacked

Andrei Mihai

If you haven’t been paying attention, everything around you is getting smarter. It’s not just phones or laptops — cars, appliances, even houses are becoming smarter. This is the so-called Internet of Things (IoT), where objects communicate with the environment and each other and you can control things with a smartphone app.

But as cool and useful as this may be, there’s a downside to it: smart things can also be hacked.

Image in public domain.


The Internet of Things is sweeping the world. The principle is simple: make objects capable of sensing the environment and communicating (with humans and with each other), mostly through the internet. Making things smart can well and truly change the world, but it also brings in a deluge of potential risks, a 2017 arXiv study cautions on the risks of the Internet of hackable Things:

“The Internet of Things makes it possible to connect each everyday object to the Internet, making computing pervasive like never before. From a security and privacy perspective, this tsunami of connectivity represents a disaster, which makes each object remotely hackable,” the study authors write.

While society is starting to take notice of the risks associated with big data (just look at Facebook’s Cambridge Analytica scandal), the risk of hackable objects tends to fly under the radar. Let’s leave things like laptops and smartphones out for a moment — we all (hopefully) know the hacking and data risks that come with those — and look at IoT devices.

Perhaps the most famous IoT devices are digital assistants like Alexa, Google Home, or Siri. As of December 2019, roughly 1 in 4 US homes owned a sort of smart speaker, and the number continues to rise. In other parts of the world, adoption is slower, but it’s still growing. What do all these have in common? Well, in addition to making your life easier and increasing connectivity, they can all be hacked with a laser pointer.

The attack exploits a vulnerability in the devices’ microphones, which can react to light as if it were sound, as explained in this paper and showcased below.

Sure, it’s not the most straightforward hack, but it is a risk — and it’s not the only one. A recent Alexa hack (now fixed) could have exposed users’ voice history to attackers.

Keeping an eye on you

Another household item, security cameras, can also be attacked with relative ease. CNN managed to obtain access to a number of IoT cameras using a search engine for IoT devices. For Japan, this problem is so serious that the country launched a widescale initiative to hack its citizens just to see if it could be done and warn people.

Children can also be exposed to risks. In 2018, one hacker terrorized a family by hacking into their baby monitor camera and threatening to kidnap the baby. Meanwhile, in 2017, Germany banned an interactive doll ‘My Friend Cayla’ and asked parents to destroy existing units.

Cayla was a doll that used speech recognition technology and an Android or iOS mobile app to recognize the child’s speech and have a conversation. The problem is, Cayla could be hacked. The doll was so easily hackable that it became a sort of prank in the IoT world. By simply using Bluetooth to use it as a remote speaker and microphone, Cayla could become a hacker’s spying device.

Cayla is now a piece of Io(h)T history. Image credits: Rhys Jones.

Wearable devices like smartwatches also come with a set of problems of their own, even though they’re not the easiest things to hack. Researchers have shown that some smartwatches can be hacked to send notifications to their wearers (to take pills, for instance — a dementia sufferer might not recall that they had already taken their medication). To make matters even worse, many wearable devices work with Bluetooth technology, which comes with inherent security issues. Wireless networks aren’t much better either: many such networks can be cracked relatively simply. This is not just a hypothetical scenario, it’s already happening.

From toothbrushes to entire buildings

Medical devices like insulin pumps or pacemakers can also potentially be hacked. Two hackers unveiled a number of startling vulnerabilities in some insulin pumps, showing that a simple app could kill a person. In 2017, the US Food and Drug Administration confirmed that St. Jude Medical’s implantable cardiac devices could be easily hacked, and the list goes on.

When everything becomes smart, vulnerabilities also follow. Even toothbrushes now want to know where you are.

Sometimes, it’s not individual objects that get hacked, but industrial ones. In 2016, the residents of two apartment buildings in Lappeenranta, Finland found themselves without heat after hackers launched a DDoS attack against their buildings’ smart thermostats.

The approach is simple but effective: botnet malware scans for IoT devices that still use their default password and enslave them, using them for DDoS attacks. The practice is so common that IoT devices have become one of the driving forces between DDoS botnet attacks for some time.

Cars, of course, aren’t exempt from these risks. The expanding smart capability of cars are exciting, and the prospect of self-driving cars is just around the corner (bonus points for synchronized, smart traffic lights) — but this also comes with security problems. The 2015 hacking of a Jeep car is already famous, and it’s just the tip of the iceberg when it comes to smart cars.

Even something seemingly inconspicuous like agriculture is at risk from hacks. We’ve previously written that smart agriculture and IoT could help feed the world sustainably, but in order to do so, farmers would need to create and use lots of data, and most of the time, they don’t really control or secure that data. Realistically speaking, most farmers probably aren’t even aware of these risks, and experts warn that the risks do exist.

Don’t freak out, but pay attention

Smart cities are already here. Image credits: Laboratorio Linux.

It’s important to keep things in perspective. In most fields, hacks remain exceedingly rare, and potential vulnerabilities don’t eliminate the potential that IoT can bring. Smart things make our lives easier and nicer, they can save energy and resources — and they’re probably here to stay.

But from crockpots to vacuum cleaners, “things” can be attacked, and malicious actors are always on the lookout for ways to exploit technology. As consumers, the most important thing is to stay informed and be careful with the devices we bring into our homes. You may want to check if that cheap security camera has any form of protection against cyber-attacks or Google existing vulnerabilities on your devices. If you value privacy and security, buy accordingly.

Ultimately, this issue won’t go away anytime soon. As the above-mentioned 2017 study concludes:

“In order to tackle this issue, we need to address a new challenge in security: education.”

The post Welcome to the Internet of (hackable) Things, where everything can be hacked originally appeared on the HLFF SciLogs blog.