IoT Hacking: Three Ways Data and Devices Are Vulnerable


Imagine pacemakers that suddenly shut off or robocars that drive to the wrong destination. The Internet of Things poses such security risks. Here’s how:

The Internet of Things is a hot trend. We can see sensor-based applications everywhere, in every domain of industry and daily life: self-driving vehicles, remotely controlled pacemakers, and many other devices that improve quality of life. This is only the start of an era.

While a lot has been said and written about IoT wonders, security is an area of concern. The cybersecurity industry is already addressing the challenges in various ways, but we’ll concentrate on the challenges and leave the solutions for a future article.

We divide the challenges into three types: confusing the sensors, changing the rules of the game, and abusing “things” in general and actuators in particular.

In order to explain the risks, let’s start with some anatomy of IoT applications. The anatomy can be described by the four ‘Ds’: detect, derive, decide, do.

Detect relates to observing the world in a way somewhat equivalent to human sensory perception. All sensors, cameras, tracking devices, and any other devices that provide data about what’s going on belong to the detect phase.

In the derive phase, the computer application determines that the data accumulated by the detect phase, and possibly a previous derive phase, creates a situation that requires a decision and/or an action.

The decide phase determines what action should be taken, either in an autonomous way or in collaboration with humans.

The do or “act” phase performs an action either manually or through a computerized actuator.

There are many types of IoT applications in which the derive phase is difficult and may require sophisticated computation such as image processing. In some cases, no decision is needed; in other cases the decision requires solving an optimization problem under uncertainty. There are cases where the action is just notification, and the real actions are outside the scope of the system. In other cases there is a need to apply a sophisticated actuator, like autonomous steering of a vehicle.

With that in mind, let’s get back to the security challenges.

1. IoT Hacking: Confusing the Sensor

The first type of challenge is “confusing the sensor.” An analogue is the recent “Bloomberg Twitter Hoax,” where a fake Bloomberg news article about a Twitter takeover bid resulted in ill-motivated stock market transactions. In the IoT world, sensors can be hacked to provide wrong results. The driverless car, for example, depends on sensors that detect roads, traffic, and any obstacles that suddenly emerge. It is also dependent on dynamic navigation maps. In this example, “confusing the sensor” might relate to any of them. It may involve ignoring an obstacle, faking the appearance of an obstacle that is not really there, or blocking the sensor’s vision and making it ignore another vehicle or pedestrian. It can also mean changing the navigation map to take the vehicle to the wrong place or along the wrong route.

2. Changing the Rules of the Game

The fact that many systems are rule-based, with rules that are dynamic and easily modifiable, provides an opportunity for IoT hacking.

For example, remote healthcare is an emerging area where patients periodically or constantly monitor their health through sensing devices, and the result may be calling a physician or following some self-treatment protocol. The monitoring type, thresholds, and rules may be personalized per patient. The hacker can get access to the monitoring rules of a patient and add or delete rules to create false alarms. Or the hacker could eliminate true alarms and change thresholds within existing rules.

The hacker can also alter reference and individual data that are used in the system, such as the patient’s previous medical history, age, and even address—thus sending medical help to the wrong place.
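The effect of a changed threshold on the derive and decide phases can be shown in a few lines. This is an added example, not part of the original article: the patient ID, rule format, key, and the HMAC tag used to notice the change are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data: per-patient rules and one sensor reading (all hypothetical).
PROVISIONING_KEY = b"constructed-demo-key"   # assumed to be held outside the rule store
RULES = {"patient": "P-001",
         "rules": [{"metric": "heart_rate", "op": ">", "threshold": 120, "action": "call_physician"},
                   {"metric": "spo2", "op": "<", "threshold": 90, "action": "call_physician"}]}
READING = {"heart_rate": 135, "spo2": 96}    # detect: what the sensors reported

def sign_rules(rules, key):
    """Tag the canonical JSON form of the rule set at provisioning time."""
    canonical = json.dumps(rules, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def rules_intact(rules, tag, key):
    """Constant-time comparison of the stored tag with a freshly computed one."""
    return hmac.compare_digest(sign_rules(rules, key), tag)

def derive(reading, rules):
    """Derive: return the rules whose condition the reading satisfies."""
    fired = []
    for rule in rules["rules"]:
        value = reading.get(rule["metric"])
        if value is None:
            continue
        if (rule["op"] == ">" and value > rule["threshold"]) or \
           (rule["op"] == "<" and value < rule["threshold"]):
            fired.append(rule)
    return fired

def decide(reading, rules, tag, key):
    """Decide: refuse to trust a rule set that no longer matches its tag."""
    if not rules_intact(rules, tag, key):
        return ["raise_integrity_alert"]
    return [rule["action"] for rule in derive(reading, rules)]

def tampered_copy(rules):
    """Constructed 'after' state: the heart-rate threshold raised from 120 to 200."""
    copy = json.loads(json.dumps(rules))
    copy["rules"][0]["threshold"] = 200
    return copy

if __name__ == "__main__":
    tag = sign_rules(RULES, PROVISIONING_KEY)
    print(decide(READING, RULES, tag, PROVISIONING_KEY))
    print([r["action"] for r in derive(READING, tampered_copy(RULES))])
    print(decide(READING, tampered_copy(RULES), tag, PROVISIONING_KEY))
```

With the original rules the reading triggers the physician call; with the altered threshold the derive phase stays silent, and only the tag comparison reveals that the rule set changed.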

3. Abusing Actuators

A driverless car gets stuck on a curb. Photo: Melody Joy Kramer,

The third type of challenge is one of the scariest: abusing actuators and other “things.”

Let’s take the example of an autonomous vehicle, where all vehicle parts are controlled by the vehicle’s brain, and thus become actuators that can execute computerized commands. Examples of abused orders include:

  • The vehicle’s lights are turned off at night, making visibility difficult both for the vehicle’s sensors and other vehicles.
  • The speedometer can be abused, so the car will not be able to correctly determine its speed.
  • The GPS can make the navigation system go to the wrong place.
  • The brakes can be activated and make the vehicle slip, or, worse, deactivated when needed.
  • The engine can be turned off by hackers during the drive, or conversely hackers could increase the rotation of the engine, making the vehicle accelerate.
  • Air bags can be inflated and block the sensor’s vision.

Other scenarios of abusing actuators can also be frightening, such as turning off a remotely controlled pacemaker, or shutting down the liquid flow in an autonomous IV drip. All these cases are not just security risks but life-threatening situations.

The abuse can be milder, such as hiding alerts, sending alerts to the wrong address, sending false alerts, or hijacking alerts and their content. For example, self-driving vehicles (or “robocars”) can be sent to a narrow street, creating a traffic jam. In Israel, Technion students performed a successful experiment and hacked Waze, a traffic and navigation app.

The question is whether IoT hacking is a showstopper for the industry. Probably not: Hacking is prolific on the Internet, and we still use the Internet. However, the nature of security problems in some IoT applications may be more acute, due to the autonomic nature of some of the IoT systems, and the ability to control virtually everything by computerized systems, as shown in the vehicle example.

The providers of IoT systems and platforms are becoming aware of these risks, and security solutions are built into such platforms. But as the IoT area is young, the process of analyzing risks and fighting them is also young.


Dr. Opher Etzion

About Dr. Opher Etzion

Dr. Opher Etzion is professor of information systems and head of the Technological Empowerment Institute in Yezreel Valley College in Israel. He is also a former chief scientist of event processing at the IBM Haifa Research Lab. Follow him on Twitter @opheretzion.
