In the last few years, the so-called “Internet of Things” has gotten a reputation as “the Internet of Things That Can Be Hacked.” This year alone, security researchers have hacked baby monitors, skateboards, rifles, and a Jeep — making it undriveable while it was going 70 miles per hour on a highway. One hacker possibly even hacked an airplane while it was in flight.
“The selling point for these well-connected objects is added convenience and better safety,” wrote academic Zeynep Tufekci in a recent New York Times op-ed. “In reality, it is a fast-motion train wreck in privacy and security.”
Concerns about connected devices are hardly new. Security researchers have warned for years that millions of devices are connected to the Internet insecurely and are thus hackable. And according to the branch of the Department of Homeland Security tasked with cyber attack defense, there were just 245 incidents reported to them last year.
But how often are these devices actually getting hacked?
This year, at two annual back-to-back conferences for hackers in Las Vegas, two teams decided to find out. They set up “Internet of Things honeypots” — creating what would look to attackers like Internet-connected gas pumps and medical devices, in order to see who would actually attempt to hack them.
Researchers from cybersecurity firm TrendMicro set up what looked like naive Internet-connected gas stations in 7 countries for six months to see what would happen. (Earlier this year, security researcher HD Moore revealed that there were over 5,000 gas pumps connected to the Internet with no password on them, meaning that an attacker could access them and do serious damage by, say, changing the settings to make it look like a pump is empty when it is actually full, resulting in an overfill.)
They called the project “Gaspot,” and it resulted in 20 total attacks:
Two denial of service attacks, which were performed on a gas station that purported to be in the U.S., came from IP addresses that appeared to be associated with the Syrian Electronic Army, a pro-Syria group of hackers, though the researchers were hesitant to say it was definitely them.
The purported Chevron and BP gas stations in Jordan got a visit from hackers who appeared to be associated with the “Iranian Dark Coders,” an Iran-based hacking group, who simply changed the name of pumps from “unleaded” and “diesel” to “Hacked by IDC-TEAM” and “Ahaad was here.” It’s a type of attack that is serious-seeming but mostly harmless — the digital equivalent of spray-painting their tag on a pump.
None of the attackers tried to change the fuel level settings, the kind of attack that could result in serious damage, but the researchers were not reassured by that.
“It could be a precursor to a more serious attack at a later date,” said Kyle Wilhoit during a presentation at Black Hat.
Meanwhile, at DefCon — the other hacker conference in Las Vegas — researchers revealed that they had put ten systems online that looked like Internet-connected insulin pumps, pacemaker stations, MRI machines and other medical device control systems. For their honeypot test, they mainly used generic username/passwords that can, unfortunately, be found for many of these devices on manufacturers’ websites. But they also created a few unique combinations and put them into a Pastebin file that essentially said, “Here’s some medical device usernames and passwords if anyone wants to hack them.”
The medical devices in the honeypot were logged into over 55,000 times, had malware dropped on them almost 300 times, had 24 commands put inside them, and saw 8 log-ins using the unique credentials — meaning someone found the Pastebin document and then wanted to go out and take advantage of what was in it.
The majority of the attacks came from the Netherlands, China and Korea. “Most of it was random noise, not targeted attacks,” said lead researcher Scott Erven of Protiviti, who is well-known for his work around medical device security.
Most of the hackers were simply doing “probes,” mapping the Internet of Things. But the unique log-ins were intentional. Erven says that getting into hospitals’ medical devices may be a way hackers get personally-identifiable information from medical facilities; if you get into a cardiogram machine, you can theoretically get the information of the patients who have used it, including, in some instances, their names, Social Security numbers and dates of birth.
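The split between generic and unique credentials is what lets a honeypot operator separate background scanning from deliberate log-ins. The sketch below is an added example, not the researchers' code: it triages a constructed honeypot auth log, and the log format, credential pairs and IP addresses are all made up for illustration.

```python
import re
from collections import defaultdict

# Constructed credential sets (assumptions, not values from the article).
DEFAULT_CREDS = {("admin", "admin"), ("service", "service")}  # vendor defaults
CANARY_CREDS = {("mri-svc-7f3a", "Qz8!rV2kLp")}  # unique pair planted only in the paste

# Constructed log format: "<time> <src ip> LOGIN <OK|FAIL> user=<u> pass=<p>"
LINE_RE = re.compile(r"^(\S+) (\S+) LOGIN (OK|FAIL) user=(\S+) pass=(\S+)$")

SAMPLE_LOG = """\
2015-08-01T10:00:01Z 198.51.100.7 LOGIN FAIL user=root pass=root
2015-08-01T10:00:02Z 198.51.100.7 LOGIN OK user=admin pass=admin
2015-08-01T11:15:40Z 203.0.113.9 LOGIN OK user=mri-svc-7f3a pass=Qz8!rV2kLp
2015-08-01T11:16:02Z 192.0.2.44 LOGIN OK user=service pass=service
garbage line that does not parse
2015-08-01T12:30:00Z 203.0.113.9 LOGIN OK user=admin pass=admin
"""

def classify(user, password):
    """Label a credential pair by where an attacker could have learned it."""
    if (user, password) in CANARY_CREDS:
        return "canary"
    if (user, password) in DEFAULT_CREDS:
        return "default"
    return "other"

def triage(log_text):
    """Return ({ip: {class: count}}, skipped_lines) for successful log-ins."""
    per_ip = defaultdict(lambda: defaultdict(int))
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # count unparseable lines instead of dropping them silently
            continue
        _ts, ip, outcome, user, password = m.groups()
        if outcome == "OK":
            per_ip[ip][classify(user, password)] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}, skipped

def intentional_sources(per_ip):
    """A canary pair exists only in the paste, so its use implies the paste was read."""
    return sorted(ip for ip, counts in per_ip.items() if counts.get("canary"))

if __name__ == "__main__":
    stats, skipped = triage(SAMPLE_LOG)
    print(stats, "skipped:", skipped, "intentional:", intentional_sources(stats))
```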
The malware also concerned him; in a real-world scenario, malware might interfere with a medical device’s operation. The FDA says it “receives several hundred thousand medical device reports of suspected device-associated deaths, serious injuries and malfunctions.” “We have no way of knowing if [mass attacks] cause some of those malfunctions,” said Erven.
But like the “Gaspot,” the medical device researchers did not see any explicitly nefarious attacks on their test devices, like someone trying to make a pacemaker go crazy or make someone OD on insulin.
“They had administrative control of the systems,” said Erven. “But they didn’t execute commands on them. They may not have even realized they had a root on an MRI machine.”
So should we be reassured by this? Hackers can get into these systems, but once inside, they don’t seem interested in destroying the equipment or hurting the people using it.
Dan Tentler, a security engineer at Carbon Dynamics, who periodically conducts mass scans of the internet to find devices insecurely connected to it, did not take comfort in the findings.
“To exploit vulnerabilities is hard. To hack a Jeep, the researchers had to buy one and spend a year tinkering with its code,” said Tentler. “When attackers got into these honeypots, they may have just not known what to do to take advantage of them.”