Attacks are typically achieved in one of seven different ways, or by using a combination of the seven.
An IoT device can be compromised if physical access can be gained to external interfaces, such as USB ports or test ports used in the manufacture, maintenance or test of an IoT device.
Considered to be one of the earliest cyber hacking tools designed to cause physical damage to networked equipment, Stuxnet was a malicious computer worm aimed at industrial control systems. It is believed to have damaged Iranian uranium enriching centrifuges in 2010 after it was introduced to the organisation’s network via a USB stick. The organisation’s network was not connected to the internet.
Known vulnerabilities in an IoT device’s hardware, embedded software and operating system can be exploited to gain access.
These vulnerabilities can range from poor processing or formatting of data to an insecure method for updating the IoT device’s firmware and poor memory management.
In 2017 the US Food and Drug Administration (FDA) recalled 465,000 radio-controlled implantable cardiac pacemakers due to identified cyber security vulnerabilities; there were concerns that hackers could control the implanted devices. A firmware update was issued to address the vulnerabilities, allowing patients whose devices were already fitted to be updated and secured on the next visit to their physician.
One of the simplest methods of compromising an IoT device is by using common, hardcoded, easily guessable or weak passwords. Poor configurations of an IoT device may also provide a simple avenue to attack, for example leaving a communications port open or a backdoor login for test purposes.
In 2018 there were reports of an audacious cyber attack that saw a US casino suffer a significant theft of data when its IT networked systems were breached via an IoT smart fish tank controller.
The poor configuration of the casino’s network between the IoT and IT systems led to 10 gigabytes of company data being transferred to Finland before the hack was identified and stopped.
Malware is software designed to infiltrate and damage, control or disable electronic systems, including IoT devices. This can come in many forms including viruses, worms, trojans, ransomware, rootkits, spyware, adware and keyloggers. Malware can be used to form collectives of ‘bots’ (Botnets) for performing automated malicious attacks (see sub-section below).
According to cyber security solutions company McAfee, in the last year there has been a rise of 203% in IoT malware in the form of ‘cryptominers’ that hijack devices for mining cryptocurrency, which is currently seen as a more lucrative business than ransomware.
In December 2015, a regional electricity distribution company in Ukraine was attacked. The SCADA system controlling and monitoring power distribution was targeted, enabling the attacker to switch off several substations. To obtain initial access to the company systems, malware was delivered by email. Two additional power companies were also attacked, resulting in 225,000 customers losing power for several hours.
DDoS involves an attacker gaining access into a large number of distributed IoT devices. When access has been obtained, the attacker gains control of the devices (usually by installing malware), turning each of the devices into what is called a ‘Bot’ or Zombie.
The attacker can then instruct a group of ‘Bots’ to act as a ‘Botnet’ to send requests to target internet addresses, such as cloud service providers. The significant amount of internet traffic generated reduces the capacity or prevents the target from servicing other valid users. This can also stop each of the IoT ‘Bot’ devices functioning as originally intended.
An example of this is the 2016 Mirai Botnet. Several high-profile attacks happened that year, including an attack on Dyn, an internet infrastructure company. The attack prevented users from accessing social media accounts and other popular websites in the US and Europe. Mirai was one of the first pieces of software to enable large-scale DDoS attacks. Mirai scans internet addresses to find devices, e.g., digital video recorders and CCTV cameras, with unsafe, easy to guess, default usernames and passwords; then it logs in and configures the devices to send data to an online target.
With enough of these devices or ‘bots’ sending data, the online target is overloaded with requests from ‘bots’ and is unable to accept requests from legitimate users. More than 100,000 devices were thought to have been targeted, taken over, and used in this attack.
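The weak passwords, open communications ports and leftover test logins described earlier, and the default usernames and passwords that Mirai looked for, can all be caught by auditing a device inventory before deployment. The following Python sketch is an added example, not part of the original article; the inventory records, field names, default-credential list and port policy are all constructed assumptions.

```python
"""Added example: audit a device inventory for weak configuration (all data constructed)."""
import re

# Constructed sample of factory-default credential pairs; a real audit would
# load the vendor defaults for the device models actually deployed.
KNOWN_DEFAULTS = {("admin", "admin"), ("root", "root"), ("admin", "password"), ("user", "1234")}
# Services assumed here to be unnecessary in production (hypothetical policy).
RISKY_PORTS = {23: "telnet", 21: "ftp", 2323: "alt-telnet"}
MIN_LENGTH = 12

# Constructed inventory records; field names are assumptions for this example.
INVENTORY = [
    {"id": "cam-01", "user": "admin", "password": "admin", "open_ports": [23, 80], "test_login": False},
    {"id": "dvr-07", "user": "ops", "password": "summer2016", "open_ports": [443], "test_login": True},
    {"id": "sensor-3", "user": "svc-sensor3", "password": "T7#qLm!29xVb$e", "open_ports": [8883], "test_login": False},
]

def password_findings(user, password):
    """Return the reasons a credential pair is common, guessable or weak."""
    findings = []
    if (user.lower(), password.lower()) in KNOWN_DEFAULTS:
        findings.append("factory-default credentials")
    if password.lower() == user.lower():
        findings.append("password equals username")
    if len(password) < MIN_LENGTH:
        findings.append(f"password shorter than {MIN_LENGTH} characters")
    # Count character classes present: lower, upper, digit, symbol.
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        findings.append("fewer than 3 character classes")
    return findings

def audit_device(device):
    """Combine credential checks with open-port and test-login checks."""
    findings = password_findings(device["user"], device["password"])
    for port in device["open_ports"]:
        if port in RISKY_PORTS:
            findings.append(f"port {port} ({RISKY_PORTS[port]}) open")
    if device.get("test_login"):
        findings.append("test/backdoor login still enabled")
    return findings

def audit(inventory):
    """Map device id -> findings, listing only devices that have findings."""
    return {d["id"]: f for d in inventory if (f := audit_device(d))}

if __name__ == "__main__":
    for dev, findings in audit(INVENTORY).items():
        print(dev, "->", "; ".join(findings))
```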
This describes where someone intercepts communications between IoT devices and/or other Internet-connected systems. The attacker poses as the original sender of the data.
This allows eavesdropping and the ability to send data to and receive data from the IoT devices undetected, enabling manipulation of the IoT devices and connected systems.
Cloud system and data centre attacks can be performed in several ways by targeting parts of the system architecture. This may include attacking the web server function used to provide IoT dashboards (displaying data from the IoT devices or providing centralised control of IoT devices), or attacking the database systems used to store gathered IoT data.
As many IoT devices rely on a cloud system to function correctly as part of the overall IoT solution, such an attack may render the IoT incapacitated or severely limit the ability of the IoT devices to function.